Whistleblower Protection Act: Everything you need to know

Liz is Head of Legal at twinwin.
As a team of experts in employment law, the twinwin editorial team is happy to share valuable legal knowledge with HR managers to help them avoid costly legal mistakes. Our mission at twinwin is to make employment law easy for HR.

Good things come to those who wait? Whistleblower protection has not only been fiercely debated on social media in recent months; politicians have also struggled to reach an agreement on it.

Now the time has finally come: after a long drafting process, the Bundestag and the Bundesrat (Federal Council) finally reached an agreement on the new Whistleblower Protection Act on 12.05.2023. This implements the EU Whistleblower Directive, which was already adopted in 2019.
The stated aim of the Act is to protect whistleblowers who draw attention to violations of the law within their company from professional disadvantages. The new law takes effect as early as 02.07.2023.

To find out what this is all about in detail and what employers need to do now, we spoke with Dr. Thomas Altenbach, CEO of LegalTegrity, in the following interview:

Dear Dr. Altenbach, what obligations do employers have now, when do the new regulations apply and does the size of the company make a difference?

Employers in companies with 250 employees or more are required to implement a whistleblower system as of July 2, 2023. Smaller companies with more than 50 employees are also affected by the law, but they still have until December 17 this year to implement it.


Are there any specific requirements for the whistleblower system? How do we have to imagine something like that?

Confidentiality is paramount. This applies to the identity of the whistleblower but also to the persons named in a report. Accordingly, only persons responsible for the reporting office may have access to this information. The reporting channel or the documentation of reports must comply with the GDPR and personal data may only be processed insofar as this is necessary to fulfill the tasks of the reporting office. Data protection and data security requirements are top priority. To do this, a reporting channel must be available for both oral and text reports.


What type of information or misconduct should be reported via the system? Could you give us one or two examples?

The scope of the Act is limited to administrative offences and criminal offences. This means that only reports of this kind fall under the protection of the law. An example of a criminal offence would be theft: over a longer period of time, an employed person observes how expensive inventory is regularly stolen from the warehouse by another employed person. Something like this can quickly cost a company tens of thousands of euros a year.

An example of an administrative offence: someone from a company's workforce regularly dumps garbage from the company at locations not intended for this purpose. Such incidents can not only cause major environmental damage — they can also cause lasting damage to the company's reputation.


How should the information received be dealt with?

Receipt of a notification must be confirmed to the reporting person within 7 days. The reporting office then checks whether the report falls within the scope and is valid. Throughout this process, the reporting office manager maintains constant contact with the whistleblower. After three months at the latest, the reporting person must be notified of the results of the audit and the resulting follow-up measures. The entire process must be documented in accordance with GDPR and stored securely.

We are often asked whether a mailbox or a telephone is not sufficient as reporting channels. Both in terms of process simplification and confidentiality as well as documentation and storage, these channels are anything but practicable — in our opinion, a digital reporting channel is the only useful and up-to-date tool in 2023.


What about the anonymity of whistleblowers? Can violations be reported anonymously?

Unfortunately, there were amendments to the original draft law in the Conciliation Committee. According to the law, anonymous reports should be allowed, but do not have to be. However, for liability reasons alone, we strongly recommend that anonymous reports be allowed. Management is personally responsible for ensuring that the organization of their company is set up in such a way that no infringements of rights can be committed in the company and that there is no damage. If anonymous reports contain evidence of such legal violations, the company quickly runs into liability risk if it does not allow these reports. Studies also show that anonymous reports contain an above-average number of relevant reports on serious cases of economic crime.


What should be considered when dealing with whistleblowers?

If whistleblowers fall under the protection of the law, i.e. the person provides true information that falls within the scope of application, then they must not suffer any discrimination. It is important to convey trust and to reassure whistleblowers that their report will be taken seriously. As a rule, it is even the case that anonymous reporters reveal their identity during the process if they feel that their concern is being taken seriously.


What happens if employers do not comply with the new obligations, are there sanctions?

According to the Whistleblower Protection Act, there are sanctions of up to 50,000 euros. If a reporting office is not set up, fines of up to 20,000 euros may apply. It can be more expensive, for example, if a whistleblower experiences reprisals from the employer. When it comes to confidentiality in particular, you also have to be very careful — because fines under the GDPR can also be imposed here. These GDPR fines are many times higher than the fines under the HinSchG, usually 5% of the group's turnover.


Thank you for clarifying this!

By the way: do you not yet have a partner by your side when it comes to whistleblower protection? LegalTegrity's digital whistleblower system for SMEs protects your company from breaches of rules and violations of the law!
Interested? Just let us know at support@twinwin.org!