While the Whistleblower Directive had to be implemented into national law by the end of 2021 many EU Member States – including Germany – have failed to do so. Now an increasing number of EU Member States are expected to have national Whistleblower Acts in place by the end of 2022. Companies having 50 or more employees will then need to implement a whistleblower hotline. Read here for more information on what to consider now and how to comply with these new obligations.

Who will be affected by the law?

Both public and private organisations with 50 or more employees must establish a whistleblower hotline according to the Whistleblower Directive. The Whistleblower Directive’s implementation in the Member States’ laws may impose such obligations for smaller entities as well.

When will the Whistleblower Directive apply?

The Whistleblower Directive needs to be implemented into the Member States’ laws to become effective. This process is ongoing at the moment. In Germany, for example, the implementation of the “Hinweisgeberschutzgesetz” (HinSchG) is expected by the end of 2022. Companies with 250 or more employees will then have three months to implement a whistleblower hotline. For companies with fewer than 250 employees, there is a longer transition period until 17 December 2023.

For publicly owned companies and municipalities with more than 10,000 inhabitants, the obligations from the directive already apply since December 2021.

What are the specific obligations – example: German law?

The law imposes an obligation to protect persons reporting violations of the law internally. Companies must therefore take measures to protect these “whistleblowers” from consequences of any kind. This refers in particular to disciplinary measures under labour law and includes, warnings, dismissals or salary cuts. These measures are inadmissible as a reaction to a report. Accordingly, companies and authorities must protect whistleblowers against such measures.

In case companies take disciplinary measures against whistleblowers, requirements for burden of proof will be more strict. Companies must then prove it was not the whistleblowing but rather another conduct on the part of the whistleblower causing the disciplinary measure.

Most prominent organisational obligation under the German Whistleblower Act is setting up the whistleblower hotline enabling employees to confidentially report legal breaches and ensuring reports are handled according to the German Whistleblower Act’s requirements. In particular, operating a whistleblower hotline requires the following:

  • Ensuring confidentiality to the whistleblower.
  • Treating the reports confidential.
  • Retention of reports for 2 years.
  • Ensuring the whistleblower hotline to being easily accessible without language barriers.
  • Ensuring independence for the staff operating the whistleblower hotline.
  • Providing adequate resources for the operation.
  • Confirming receipt of reports within 7 days.
  • Review of reports; in particular assessment as to whether the alleged violation falls within the scope of the German Whistleblower Act.
  • Maintaining contact with the whistleblower.
  • Assessing the validity of reports.
  • Where required requesting additional information from the whistleblower.
  • Taking appropriate follow-up actions and provide feedback on the actions taken to the whistleblower within 3 months from the report.

What are the sanctions for non-compliance?

According to the German Whistleblower Ac, violations – including failure to set up a whistleblower hotline is subject to fines of up to EUR 20,000. Preventing reports or related communications or infringing the confidentiality of communications is subject to fines of up to EUR 100,000. Failures to implement the German Whistleblower Ac will typically be of a structural nature and hence lead to a multitude of violations. Fines may therefore also exceed these amounts.

How can the requirements of the law be implemented?

Like every measure of the compliance organisation, the implementation of the Whistleblower Directive or the Member States’ respective Acts begins with the commitment of the management. The next steps are to analyse legal requirements, implement measures and improve the system. The protection of whistleblowers can most effectively be increased by informing the relevant stakeholders and raising their awareness. The stakeholders need to know that whistleblowers are protected in order to comply. This applies to HR managers and HR departments in particular and to others as well.

In order to prevent discrimination of whistleblowers on a small and large scale, the “tone from the top” is crucial in addition to information and awareness-raising. Whistleblowers must no longer be considered “traitors”. Rather, whistleblowing must be recognised as an opportunity to learn about compliance issues and being able to investigate internally first to prevent the worse. Protection whistleblowers will then be a piece of cake.

Implementing the whistleblower hotline is the biggest organisational challenge in this context. One option is setting up an independent team internally to operate the whistleblower hotline. The challenge here is ensuring the team being fully independent and free of any instructions. Obviously, this may become a tricky issue since there is a lot of communication and interdependencies in any corporate organisation that needs to be neutralised for the operation of the whistleblower hotline by implementing so-called “Chinese walls”. An alternative to setting up the team internal is to outsource operation to an external service provider.

What advice should be given to companies?

The Whistleblower Directive will be implemented into EU Member States’ laws soon. Therefore companies are well advised to prepare for the new requirements. As with any compliance measure, it is important to understand legal obligations and make the stakeholders aware of their role and duties. That is half the battle. The other half is implementing the whistleblower hotline. If you want to avoid building up internal resources, consider outsourcing the operation. An innovative provider is our partner eagle lsp (www.eagle-lsp.de). The Hamburg-based legal tech start-up specialises in legal services including the operation of digital whistleblower systems. Feel free to be in touch. We are happy to make contact.