Update Compliance No. 6/2021
The Draft Supply Chain Act – New Compliance Requirements for Companies
After a lengthy dispute, the coalition government has reached a compromise on the German Supply Chain Act. Released in mid-February, the initial draft of the law had been widely amended by a second draft at the end of February. As of 2023, larger companies are to be obliged to comply with human rights and environmental requirements in their supply chains. In the event of violations, substantial fines may be imposed.
More specifically, the draft law, also referred to as the “Due Diligence Act”, provides for the following regulations:
Who is affected?
In the drafting of the bill, it was feverishly discussed whether medium-sized companies would also have to implement the new regulations. The draft bill now provides for the scope of application of the Supply Chain Act to initially only extend to companies with at least 3,000 employees (as a rule) and a registered office or principal place of business in Germany. As of 2024, this number will drop to 1,000 employees. Temporary workers working at a company for more than six months need to be included in the headcount. If the group parent company has its registered office or principal place of business in Germany, all employees worldwide from all group companies need to be included. According to the justification given for the draft law, between 2,000 and 3,000 companies will be affected by the new regulations. This number is likely to be significantly higher, however, once the regulations relating to worldwide staff become effective.
The new corporate due diligence requirements
With the draft law, companies are obliged to comply with due diligence obligations on human rights, making it clear that these due diligence obligations particularly relate to the supply chains of the companies. The “supply chain” within the meaning of the law starts with the extraction of raw materials and ends with the delivery to the end customer. Within the meaning of the Act, companies are, however, generally only responsible for their own business operations and for their direct suppliers. The authorities are asked to support the companies and to offer assistance in meeting their obligations.
Risk management and risk analysis
Companies must introduce and effectively implement appropriate risk management systems to comply with their due diligence obligations. These systems should be designed to identify risks and to prevent violations of protected rights (including life, health, fair working conditions, freedom of association, and protection against child labor, slavery, forced labor, and torture, etc.). Companies must also designate individuals or departments responsible for monitoring compliance with their due diligence obligations, such as a human rights officer. Management must regularly, but at least once a year, obtain information about the human rights officer’s work.
Risk management must also include an appropriate risk analysis: Companies will be obliged to identify threats to protected legal assets in their own business areas and those of their direct suppliers. The government thus initially opts for a weakened form of risk analysis. Companies will not have to monitor and analyze the entire supply chain, including indirect suppliers, as had been previously discussed.
Declaration of principle and preventive measures
Companies that identify risks must take appropriate preventive measures. This primarily includes the adoption of a declaration of principle by management, which should describe the process by which a company intends to meet its due diligence obligations, identify the relevant risks and international agreements to which the company needs to adhere. It will also have to formulate the expectations the company places on its employees and suppliers in the supply chain.
The draft law also explicitly mentions training in the relevant business areas as another appropriate preventive measure.
Where protected rights have been violated, companies must take appropriate remedial action in their own business area without undue delay. For the elimination of grievances with direct suppliers, a concept must be created and implemented. In serious cases in which it is impossible to eliminate grievances, it may be required to terminate the business relationship as a last resort. At least once a year, all preventive measures must be reviewed in terms of their effectiveness.
Internal complaint procedures
Each company subject to the law must set up its own complaints procedure (such as a whistleblower hotline) or participate in an external complaints system whose effectiveness needs to be continually reviewed and updated as necessary. This should enable all affected individuals to point out human rights risks and violations in the supply chain. Once the company becomes aware of a violation, it must take action, irrespective of whether the perpetrator is a direct supplier or a more distant link in the supply chain.
The new transparency requirements
Companies must consistently document that they meet their due diligence obligations. Any such documentation must be kept for seven years. In addition, a report on meeting the due diligence obligations in the previous fiscal year must be published on the company’s websites no later than four months after the end of the fiscal year. The report, which needs to comply with the legally stipulated structure and content, must also be submitted to the competent authority for review and evaluation. If the requirements for the report are not met, the authority may require the company to make improvements.
Contrary to the initial proposals in the benchmark paper issued in spring 2020, those affected by a breach in the supply chain cannot take legal action before German courts. Instead, they may authorize a trade union or a non-governmental organization to pursue their claims and to file legal action.
The Federal Office of Economics and Export Control is set to act as a supervisory authority (that may also impose fines) to monitor the implementation of these obligations.
The supervisory authority should adopt a risk-based approach, meaning that (in addition to opening investigations on the basis of specific indications or requests) it will not only carry out spot checks ex officio but will also focus on cases with the most serious risks.
Moreover, the draft law creates a basis for the competent authority to issue necessary orders to companies, such as appropriate obligations to act or a plan of action.
Where necessary, persons commissioned by the authority or authorized third parties may enter and inspect company and business premises to examine business documents and records. Correspondingly, companies and their representatives may be obliged to provide information to the competent authority and to hand over the relevant documents – including those relating to affiliated companies, foreign subsidiaries, and (in)direct suppliers. Companies or their representatives are to support the authority in implementing the measures.
In addition, the competent authority also has the investigative powers set out in the Administrative Offenses Act so that it may also carry out searches in the company and seize evidence found.
Penalty payments and fines
In addition to the aforementioned measures, the supervisory authorities may also impose penalty payments of up to EUR 50,000.00 to enforce rules of conduct.
Certain intentional or negligent breaches of the due diligence obligations stipulated in the Act may be sanctioned with fines. The bill provides for fourteen different breaches of duty, covering different factual variants that may result in fines such as the failure or the incorrect or untimely meeting of obligations relating to due diligence, risk analysis, or the complaints procedure.
Fines may reach a maximum of up to EUR 8,000,000.00 or up to 2% of average (worldwide) annual revenue (of the three fiscal years preceding the authority’s decision) of the legal entities or affiliations operating as an economic unit. The extent to which the maximum limit is exhausted depends, among other things, on the significance of the administrative offense, the nature of the charge (intent/negligence, consideration of assistance), the motives and objectives of the perpetrator, the performance (number and position of individuals in the company) and effects of the administrative offense, as well as pre- and post-offense conduct (previous offenses or steps to resolve the issue and compensate for damage). The financial circumstances of a company may also be taken into account.
Exclusion from public contracts
Companies that have been fined with a minimum of EUR 175,000.00 (as a rule) for a serious infringement by a final court decision may also be sanctioned by exclusion from participating in a competition and the award of a public contract for three years (and until proven self-purification). Under the draft law, this exclusion is supposed to be mandatory above a certain contract value.
What is next?
The draft bill of the Supply Chain Act was approved by the German Cabinet on March 2, 2021. The legislative process is to be completed by summer recess and thus before the general elections. If this timeline is upheld, the law can enter into force on January 1, 2023 as planned. According to press reports, however, there are still discussions in the ministries, for example on the issue of whether trade unions and non-governmental organizations will be allowed to represent victims of human rights violations before German courts.
In parallel, legislative proposals for mandatory social standards in supply chains are expected in the EU this year. On January 27, 2021, the Legal Affairs Committee of the European Parliament voted in favor of a specific proposal for a supply chain law. Moreover, the EU Commission is currently developing its own concept for corporate due diligence in the supply chain, which is to be presented in the summer of 2021.
Advice for use in practice
Although it is not yet certain whether the Supply Chain Act will enter into force in accordance with the current draft, the direction of the law is clear: companies subject to the law will soon be subject to far-reaching due diligence and transparency obligations whose implementation will require organizational effort. In the event of omitted, delayed, or inadequate implementation of the relevant obligations, companies risk not only penalty payments and fines but also exclusion from the award of public contracts. Civil liability cannot be ruled out either.
Against this background, companies should already examine whether and which obligations they are facing and how they will be able to implement them in a legally and technically sensible manner.