How to implement the new whistleblower law

After much back and forth, the Whistleblower Protection Act (HinSchG) has now finally been passed and announced. By the time it comes into effect on July 2, 2023, companies with 250 or more employees must establish internal reporting channels. Companies with 50 to 249 employees have a transitional period until December 17, 2023.

The reporting channels are used by employees, customers, service providers, business partners and other people in the business context to report grievances and violations of the law in the company. Companies must protect the identity of the whistleblower and comply with GDPR requirements.

What does whistleblower protection mean?

Whistleblower protection means that persons (whistleblowers) who uncover grievances with a report and thus support society are protected from reprisals by law. Take, for example, the employee who observes that a supervisor disadvantages certain employees on the basis of gender, race or other discriminatory reasons, or the chemical worker who notices that the production manager is using environmentally harmful substances to save costs. Both are probably asking the same question: should they report the situation and thus jeopardize their future?

This is exactly where the new law comes in: it is intended to protect whistleblowers from reprisals such as dismissal, warnings, refusal of promotion, damage to reputation, discrimination and bullying.

Who can be a whistleblower?

In addition to employees, customers, service providers, suppliers or shareholders can also be considered whistleblowers.

What violations can whistleblowers report?

The EU directive provides that whistleblowers who report violations of national and EU law are protected. This includes legislation in the following areas:

  • occupational safety and health (OSH)
  • health protection
  • environmental protection
  • data protection
  • competition law
  • information technology
  • money laundering
  • product safety
  • accounting
  • carriage of dangerous goods
  • quality and safety standards for drugs and medical devices
  • other fines and penalties

Which companies are affected?

Companies with at least 250 employees must implement the provisions of the law immediately after the law comes into force. For companies with 50 to 249 employees, the implementation deadline is December 17, 2023.

What obligations does the company have?

Companies must set up internal reporting channels that allow reports to be made verbally, in text form and, if desired, in person. The confidentiality of the whistleblower and third parties should be protected in all reporting channels.

Companies must also appoint at least one reporting office officer. This officer receives the reports and confirms receipt to the whistleblower within seven days. The officer then reviews the report and informs the whistleblower within three months of any follow-up action taken.

What does whistleblower protection have to do with data protection?

The whistleblower’s reports usually contain personal data in the form of the accused’s first and last name. This constitutes data processing within the meaning of the General Data Protection Regulation. Against this background, companies should observe the following practical data protection tips:

  • The business process via internal reporting channels must be added to the list of processing activities.
  • Data protection information for whistleblowers must be drawn up and made available for them to take note of.
  • When using an external IT-supported whistleblower system (e.g. SaaS), it is usually necessary to conclude a data processing agreement.
  • Retention/deletion periods must be specified.
  • A data protection impact assessment will be required in most cases.
  • Appropriate technical and organizational data security measures must be defined.
  • It is advisable to involve the (external) data protection officer at an early stage in order to clarify questions. Further information is provided by the orientation guide of the Data Protection Conference.

The works council must also be involved at an early stage in the introduction of the whistleblower system. Co-determination rights are affected because the system touches on the organization of the company and the behavior of the employees in the company. When an IT-supported whistleblower system is introduced, the right to co-determination is also affected due to the introduction and use of technical equipment (cf. Section 87 I No. 1 and 6 BetrVG).