As mentioned in our recent blog post, the transposition deadline is fast approaching for the EU Whistleblowing Directive (Directive 2019/1937/EU), which aims to encourage individuals to report misconduct and protect these whistleblowers from reprisals for doing so.

Every company with more than 50 employees will be obliged to set up an internal (or commission an external) system to receive and manage reports of violations of specific EU law. However, the Directive also allows whistleblowers to report violations directly to state authorities, which means that the current requirement in Germany to first report internally will no longer exist.

EU Member States have to transpose EU directives into national legislation. The Directive sets out certain principles, such as the obligation for companies to set up an internal whistleblowing system. However, national legislators have the freedom to add to the Directive’s basic requirements.

In Germany, the Federal Ministry of Justice and Consumer Protection has presented a first draft version of the German implementation law (‘the draft law’), entitled the Whistleblower Protection Act (Hinweisgeberschutzgesetz - HinSchG). The law is intended to both implement the Directive and bundle Germany’s current fragmentary whistleblower-protection rules into a single piece of legislation.

Although the draft law has yet to receive input from other interested ministries, it still provides some insight into what can be expected and the way the German legislator is likely to use the implementation leeway it has been granted. Against this background, an initial analysis of the draft law is worthwhile.

The scope of the draft law 

The Directive protects whistleblowers only in those areas of the law that fall within the EU’s competence. However, when the Directive was adopted, the EU legislators wanted to encourage member states to give whistleblowers even more protection than the Directive itself offers.

The present draft law takes up this suggestion to cover the reporting of all infringements of – and abusive actions or omissions that are contrary to – criminal and administrative German law.

However, purely unethical conduct does not qualify as a violation/infringement and is therefore out of scope. The draft law’s explanatory memorandum does not give any examples of the difference between abusive actions and purely unethical behaviour, so this distinction still has to be fleshed out in practice.

Concerning individuals, the draft law protects a wide range of people as per the Directive. These include not only employees but also self-employed persons, shareholders and employees of suppliers, i.e. anyone who might obtain information about (potential) misconduct in relation to the company in the course of their professional or official activities.

Establishment and promotion of internal reporting systems 

The draft law, as intended by the Directive, requires every company to set up an internal (or commission an external) system to receive and manage reports of infringements.

The draft law requires each legal entity to have its own reporting system. However, companies with fewer than 250 employees may generally share a single system with other companies. It remains unclear whether the draft law allows group entities to use their parent company’s reporting channel if the parent company and/or the group entity has 250 or more employees.

Both the Directive and the draft law also require member states to set up external reporting bodies, i.e. state authorities that receive and process information about infringements.

Whistleblowers are free to decide whether to make their initial report via the internal or external channel, which means that companies could face an unexpected investigation from an enforcement authority – and possibly unwanted publicity in the media.

The Directive leaves it up to member states whether and, if so, how to promote the use of internal channels for making initial reports. The draft law does not provide for any government support to promote internal reporting but merely states that it is the responsibility of the companies. The draft law’s explanatory memorandum says that the equal treatment of internal and external reporting should incentivise companies to encourage internal reporting. It also says that it is up to companies to convince potential whistleblowers that effective action will be taken against violations reported internally without the whistleblower fearing any reprisals. However, companies’ promotion of internal reporting must not in any way impede external reporting.

Therefore, companies should design and promote their internal reporting system as effectively as possible. Freshfields’ whistleblowing report 2020 suggests that there is still room for improvement in the way internal reporting channels work, stating that only one in seven employees in France and Germany felt that their employer actively supported internal whistleblowing.

No compulsory processing of anonymous reports 

The Directive leaves it to national legislators to decide whether anonymous complaints should be processed. In line with this, the draft law does not oblige external reporting authorities to process anonymous reports.

For internal reporting channels, the draft law is silent but its explanatory memorandum seems to suggest that companies are not obliged to process anonymous reports either due to the potential administrative burden of having to deal with a large volume. However, companies may want to promote anonymous reporting as it might encourage people to report internally in the first instance.

Protection of the whistleblower 

In line with the Directive, the draft law prohibits employers from taking any detrimental action against a whistleblower. Whistleblowers who suffer a detriment may make a claim to compensate them for any resulting financial loss, and hurt, humiliation or distress they may have suffered. 

During any proceedings, the company will have to prove that there was no connection between the whistleblower’s report and the detrimental treatment (the ‘reverse burden of proof’). As such, companies should carefully document their own actions and the reasons for them.

Confidentiality and the GDPR 

Companies must protect the identity of the whistleblower – failure to do so can result in a fine.

At the same time, the EU General Data Protection Regulation (GDPR), among other things, gives data subjects (e.g. an individual under investigation following a report) the right to access information concerning them, which could lead to the identification of the whistleblower.

The Directive says member states should limit the data-protection rights under the GDPR in an appropriate manner in order to ensure the whistleblower’s identity remains confidential and the Directive remains effective.

The draft law only deals with this issue in its explanatory memorandum, which states that the German Data Protection Act (Bundesdatenschutzgesetz – BDSG) strikes the right balance between the protection of confidentiality, and the data-access and -information rights under the GDPR.

According to the BDSG, a data subject’s right to information under the GDPR does not apply if it is outweighed by the rights of third parties, although the decision should ultimately be made on a case-by-case basis. 


Given that the various involved German ministries have not yet fully coordinated on the draft, the law is still very much ‘work in progress’, so the requirements may well change during the implementation process.

Nevertheless, the law clearly aims to be broad in scope, and will have a sizeable impact on companies by granting whistleblowers comprehensive protection.

Companies should assess how their existing structures compare against the requirements of the Directive and draft law. In particular, they should develop a reporting system that complies with the new requirements and has the confidence of not only employees but also potential whistleblowers from outside the organisation.