Legal obligation to implement a corporate whistleblowing program is on the horizon

By Pascal R. Kremp, LL.M. (Wake Forest), and Thomas Wiedmann


In the fourth edition of Labor Law Magazine, we emphasized that the lack of specific German legislation on whistleblowing gives employers scope for action. We concluded that employers are well advised to implement a corporate whistleblowing program, even though they are under no legal obligation to do so. It is potentially advantageous to include a whistleblowing hotline or online portal to encourage employees and third parties to disclose information, ensuring that suspicions about possible wrongdoings can be addressed internally.
In the meantime, a lot has happened: Most importantly, on April 23, 2018, the European Commission published a “proposal for a Directive on the protection of persons reporting on breaches of Union law” (draft legislation), which, in the future, may result in a legal obligation for companies to implement corporate whistleblowing programs.
In addition, the General Data Protection Regulation (GDPR) has applied since May 25, 2018. In a nutshell, prior to the GDPR, the German authorities recommended that companies create corporate whistleblowing programs that favor disclosures with the discloser’s name attached; now they recommend structuring the program to encourage anonymous disclosures.
To complete this picture, the EU Trade Secrets Directive will soon be implemented in German law, including rudimentary rules on whistleblowing. In answer to these rudimentary rules and in the spirit of the draft legislation, on September 26, 2018, a parliamentary party introduced a bill providing for comprehensive whistleblower protection in Germany.

Background of the draft legislation

Whistleblowers face a high risk of retaliation, which has a chilling effect on whistleblowing. In this context, whistleblowers are people who speak up when they encounter wrongdoing in the course of their work that can harm the public interest.
In answering the 2017 Special Eurobarometer on corruption, 81% of respondents said they did not report corruption they had experienced or witnessed. Fear of legal and financial consequences was the most widely cited reason. Moreover, according to the EU Commission, 49% of EU citizens do not know where to report corruption, and only 15% know about existing rules protecting whistleblowers.
An EU-wide standard does not yet exist. Only ten EU countries (France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden and the UK) have comprehensive laws protecting whistleblowers; Germany is not one of them.
Some of the areas of law mentioned in the draft legislation are already addressed with some requirements in German law: there are, for example, regulations in the financial services sector and laws concerning the reporting of violations in connection with money laundering and terrorist financing. There are also regulations covering cases of discrimination according to sections 13 and 27, paragraph 1, of the General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz, or AGG) and laws addressing abuses in the area of occupational safety according to section 17 of the Workplace Protection Act (Arbeitsschutzgesetz, ArbSchG).

Key features of the draft legislation

According to the draft legislation, in the future, a minimum level of protection will be guaranteed to whistleblowers. These are, however, only minimum standards, as the draft’s limited scope of application demonstrates. Even so, violations of the GDPR, for example, should be in scope.
In contrast, the definition of a “whistleblower” is interpreted very broadly. In addition to employees in the private and public sectors, suppliers, independent contractors, shareholders, management bodies, unpaid interns, volunteers and applicants should also benefit from the draft legislation.
A reporting person will qualify for protection under the draft legislation provided that he or she had reasonable grounds to believe that the information reported was true at the time of reporting, and provided that the information reported falls within the scope of the draft. This is an essential safeguard against malicious or calumnious reports. At the same time, this qualification ensures protection where the reporting person made an inaccurate report in honest error.
One of the main points of the draft legislation is to obligate companies to establish an internal procedure for dealing with whistleblower reports — in other words, companies should now be obligated to set up a corporate whistleblowing program. This affects companies with more than 50 employees and/or an annual business turnover or annual balance sheet totaling more than €10,000,000. However, even if a business reaches neither of those thresholds, it may be worth considering implementing a whistleblowing program, given that the reporting person may otherwise disclose wrongdoings to the authorities directly.
Within this framework, a department responsible for responding to whistleblowing must be appointed. This department is to be organized either internally or externally. The identity of a whistleblower must be treated confidentially and protected from access by unauthorized persons.
A three-stage escalation procedure is prescribed for employees. Whistleblowers must first report violations of EU law to the internal whistleblower department to give the company an opportunity to investigate the grievances itself. If the company does not respond to the information within three months, in the second stage, the whistleblower can approach the competent authorities. Once again, there is then a three-month deadline for re-registration. If appropriate measures are not taken during the first two stages, in the third and final stage, the whistleblower can approach the public, for example by means of journalists and the media.
The company will be prohibited from carrying out personal retaliatory measures against the whistleblower (including demotion, withholding promotion or training, etc.), provided that the whistleblower has followed the prescribed procedure. The company must bear the burden of proof. This may also impact wrongful dismissal lawsuits in the future.
The draft legislation has yet to be adopted by the heads of state and government. If this happens, the draft already provides a deadline for transposition into German law: May 15, 2021.

Some GDPR implications

Prior to the GDPR, the prevailing principle was that whistleblowers should not be encouraged to submit anonymous reports. In some EU countries, such as Portugal, anonymous reporting was even banned.
The opinion of the German data protection authorities reverses this position: whistleblowers must now be encouraged to blow the whistle anonymously.
The authorities also require that a whistleblower who submits a disclosure under his or her name must be clearly informed that his or her identity will also be disclosed to the persons mentioned in the disclosure as the source of the personal data (article 14 GDPR).
For the authorities, disclosure tied to a name is only permissible if the whistleblower agrees to the above condition. It remains unclear how companies should apply this in practice.
In order to implement an anonymous corporate whistleblowing program and adhere to the consent requirement for non-anonymous disclosures, companies should only allow submission through an online form. E-mail addresses usually disclose the identity of the whistleblower. In addition, disclosures by e-mail or telephone require the company to take additional steps to obtain documented consent if the whistleblower wishes to disclose his or her identity.


All these developments demonstrate that the need to protect whistleblowers is acknowledged by both society and political leaders. Current developments will certainly bring the issue to the foreground for companies that have not yet set up a whistleblowing system.
However, even exemplary companies that have already established corporate whistleblowing systems urgently need to review these systems (unless they already re-examined their systems in the course of their GDPR review).
Regardless of their circumstances, companies should keep a close eye on further whistleblowing developments in Germany.
