Update Compliance 18/2021

Whistleblowing and Complaint Procedure: Need for Action for Companies and Public Organizations according to the German Supply Chain Due Diligence Act [Lieferkettensorgfaltspflichtengesetz] and the EU Whistleblower Directive

Companies and authorities must take precautions so that they can identify legal and economic risks at an early stage, react quickly and, if necessary, avoid far-reaching damage. A reporting system is a central component of such an early warning system and, therefore, of effective compliance. The legal basis for the obligation to introduce such whistleblower systems and complaint procedures consists of the principles of principal liability, the German Supply Chain Due Diligence Act, the EU Whistleblower Directive (still to be implemented in German law) and other economic regulatory acts for specific industries.

When establishing and operating a whistleblower system, the following points must be observed:

Obligation to introduce a reporting system

Certain companies in the banking, insurance and finance sectors, as well as federal authorities, are already required to maintain reporting systems with specific functions. In addition, private companies with more than 50 employees and all legal entities in the public sector must soon establish such an internal reporting system under the Whistleblower Directive or, respectively, the German Whistleblower Protection Act [Hinweisgeberschutzgesetz], which is still to be expected.

The Supply Chain Due Diligence Act (LkSG), which will come into force on January 1, 2023 for companies with 3,000 or more employees and will also apply to companies with at least 1,000 employees from 2024, also provides for an “appropriate” complaint procedure.

Since a German Whistleblower Protection Act has not yet come into force, there is still uncertainty as to when whistleblower hotlines will have to be introduced. For legal entities in the public sector, the obligation should already apply today. The private sector should be allowed to wait for the German implementation law. However, this is expected in the spring.

However, whistleblower hotlines are part of a comprehensive compliance management system regardless of the implementation of the EU Directive. Whistleblower systems help management in particular to fulfill its supervisory duties under Section 130 of the German Administrative Offenses Act.

Establishment of a reporting/complaint system

Companies must ensure that a complaint facility is established that can be used to draw attention to violations or risks of breaches of duty in their own business, but also, for example, in the area of the immediate suppliers. The LkSG provides for the involvement of employees in the design of the reporting process.

Designation of those responsible

Companies must appoint independent and impartial persons who are not bound by instructions as reporting points right from the start. Employees from the compliance office, the legal department or external consultants, such as trusted lawyers or ombudspersons, are suitable in this regard.

Public announcement and notification procedure

Companies must make public the information about availability, responsibility and implementation of the reporting process. They should compile a set of rules of procedure for dealing with incoming reports, which clearly show the processes and, above all, also contain legally stipulated deadlines (e.g. for reporting back to the whistleblower). Depending on the size, type and activity of the company, special features must be observed with regard to the reporting procedure: The whistleblower systems must be explicitly open for certain sensitive topics, and communication with the whistleblower must be ensured.

Access to and use of the reporting system

Potential whistleblowers must be guaranteed access to and use of the reporting mechanism, for example through the provision of a website, complaint forms or email addresses. Support must be offered to people with poor language skills, impaired reading and writing skills or other barriers to access.

Confidentiality and protection of the whistleblower

According to the legal requirements, whistleblowers must be protected from the negative consequences of whistleblowing of any kind. This applies in particular to disadvantages and punishments, such as measures under labor law (dismissal, transfer or wage reduction) as well as other reprisals such as bullying. For this purpose, too, the confidentiality of the whistleblower's identity and data protection must be ensured:

Data protection

The whistleblower is to be informed, as far as possible via the reporting channel selected by them, of how and by whom their data will be processed, what rights they have in this regard, and that it may also be possible to submit the report anonymously. Any forwarding, processing or even deletion of a whistleblower report by the reporting point also constitutes data processing (since the report will usually also contain personal data, at least from third parties). If the report relates to a subject area for which a company is required by law to maintain a whistleblower system, the data may be processed. In the case of reports regarding other subjects, a weighing of interests under data protection law must be carried out to determine whether data processing is permissible in individual cases.

Review of the effectiveness of the complaints process

The effectiveness of the reporting system, once established, must also be checked regularly, at least once a year, and on an ad hoc basis. Ad hoc reviews will be necessary in particular if the company expects a significantly changed or significantly expanded risk situation in its own business area (or with the immediate supplier), as is the case, for example, when a new business area is being introduced.

Consequences of disregarding legal requirements

Failure to establish and operate a legally required whistleblower system can lead to severe fines. An indirect consequence is that companies overlook critical issues, suffer damage over a period of months, or build up a considerable liability risk towards third parties. In this respect, a whistleblower mechanism always serves to identify, at an early stage, situations that could lead to damages so that they can be remedied. In addition, reputational risks are also significantly reduced. A functioning whistleblower system is the best indicator of a company’s integrity towards employees, customers and other business partners.

What we do for you

  • We advise on the introduction of an in-house reporting point, taking into account the relevant legal regulations.
  • We prepare the organizationally required documents, in particular registration forms and the rules of procedure.
  • If necessary, we provide confidential reporting channels. Our experts are available to you as trusted lawyers and ombudspersons.
  • We handle the reports received and treat them in accordance with the relevant legal regulations, in particular in accordance with data protection law, the LkSG, the German Banking Act [Kreditwesengesetz] or the EU Whistleblower Directive.
  • In particular, we guarantee the anonymity of whistleblowers as required by law.
  • We assess every report for any possible need for action on the part of the company and provide information in this regard. We provide clear options for action and, if necessary, advise on further investigations.