Operation of an internal or external whistleblower reporting point in accordance with the HinSchG

As soon as your company has 50 or more employees, you are legally obligated to establish an internal whistleblower reporting center. The final transition period ended on December 17, 2023 – companies without an appropriate whistleblower structure have been in violation of applicable law since then.

To operate the whistleblower center, a responsible person or department must be appointed to review and process incoming reports. This can be done internally or externally—for example, by an ombudsman or a specialized service provider.

Every tip received must be treated with the utmost confidentiality. The identity of whistleblowers is protected by law. Furthermore, all processes must fully comply with the requirements of the GDPR to ensure data protection and legal certainty.

Companies are required to provide confidential and protected channels for reporting information – both in writing and verbally, such as by telephone or voicemail. Personal discussions must also be possible upon request. All reporting channels must be technically and organizationally secure to prevent unauthorized access.

The department responsible for handling reports must be able to act completely independently. It must not be subject to any instructions and must examine reports impartially and objectively. Conflicts of interest—for example, within internal departments such as Compliance—must be avoided at all costs to maintain the integrity of the reporting process.

After receiving a tip, an acknowledgement of receipt must be sent to the person providing the tip within 7 days. Feedback on the status or outcome must be provided within 3 months at the latest. Furthermore, all tips must be documented in compliance with data protection regulations and retained for a period of at least 3 years.

The whistleblower system should be transparently defined in an internal procedural instruction or whistleblower policy. These must clearly and comprehensibly define the reporting channel, existing protective measures, and the responsible contact persons – to ensure legally compliant processes and build trust among employees.

Company management is responsible for creating a framework that effectively protects whistleblowers from reprisals. At the same time, an open, trusting culture of error should be fostered so that employees can report grievances without fear of negative consequences.

The internal reporting center should not be viewed as an isolated element, but rather as an integral part of the overall compliance system. Close integration with risk management and internal control mechanisms strengthens its effectiveness and creates sustainable structures for detecting and preventing violations.

Company management is obligated to regularly review whether the internal reporting office is operating effectively and in compliance with the law. A lack of or inadequate monitoring may be considered a breach of supervisory duties under Section 130 of the German Administrative Offenses Act (OWiG)—and thus pose significant personal liability risks for managing directors.

All employees must be clearly and understandably informed about the existence, purpose, and potential uses of the internal reporting center. Furthermore, professional training of the responsible reporting center officers is required by law – this is the only way to ensure legally compliant and trustworthy reporting.

The effectiveness of the internal whistleblower system must be reviewed regularly. In the event of legal changes or operational changes, the system must be adapted accordingly – this is the only way to ensure that the reporting system remains legally compliant, practical, and effectively embedded in everyday company operations.