Übersetzung durch den Sprachendienst des Bundesministeriums der Justiz
Translation provided by the Language Service of the Federal Ministry of Justice
Stand: Die Übersetzung berücksichtigt die Änderung(en) des Gesetzes durch Artikel 16 des Gesetzes vom 27. Dezember 2024 (BGBl. 2024 I Nr. 438)
Version information: The translation includes the amendment(s) to the Act by Article 16 of the Act of 27 December 2024 (Federal Law Gazette 2024 I, no. 438)
Zur Nutzung dieser Übersetzung lesen Sie bitte den Hinweis unter "Translations".
For conditions governing use of this translation, please see the information provided under "Translations".
Act for the Better Protection of Whistleblowers
(Hinweisgeberschutzgesetz – HinSchG)
Full citation: Whistleblower Protection Act of 31 May 2023 (Federal Law Gazette 2023 I no. 140) as last amended by Article 16 of the Act of 27 December 2024 (Federal Law Gazette 2024 I, no. 438)
Section 1
Purpose and personal scope
(1) This Act governs the protection of natural persons who, in the context of their work-related activities or prior to taking up work, acquire information on breaches and who report this information to the reporting offices provided for under this Act or who publicly disclose such information (reporting persons).
(2) Protection is also granted to persons who are the subject of reporting or public disclosure and other persons concerned.
(1) This Act applies to the reporting (section 3 (4)) and public disclosure (section 3 (5)) of information on
1. breaches that carry criminal sanctions,
2. breaches that are subject to fines, insofar as the breached provision serves to protect life, limb or health or the rights of employees or their representative bodies,
3. other breaches of any federal law, Land law or directly applicable legal act of the European Union or the European Atomic Community
a) serving to prevent money laundering and terrorist financing, particularly including the Money Laundering Act (Geldwäschegesetz) and Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141 of 5 June 2015, p. 1) as amended by Regulation (EU) 2019/2175 (OJ L 334 of 27 December 2019, p. 1), in the currently applicable version in each case,
b) containing requirements for product safety and compliance,
c) containing road safety requirements that concern road infrastructure safety management, safety standards for road tunnels, and licensing for road haulage operators and road passenger transport operators (bus and coach operators),
d) containing railway safety requirements,
e) containing maritime safety requirements that concern European Union rules on the recognition of ship inspection and survey organisations, liability and insurance of carriers of passengers by sea, approval of marine equipment, maritime safety inspection, training of seafarers, registration of persons sailing on board passenger ships, and European Union rules and procedures for the safe loading and unloading of bulk carriers,
f) containing safety requirements for civil aviation with regard to operational and technical safety and with regard to air traffic control,
g) containing safety requirements for the transport of dangerous goods by road, rail and inland waterway,
h) containing requirements for environmental protection,
i) containing requirements for radiation protection and nuclear safety,
j) promoting the use of energy from renewable sources and energy efficiency,
k) concerning food and feed safety, organic production and the labelling of organic products, the protection of geographical indications for agricultural produce and foodstuffs (including wine, aromatised wine products, spirits and traditional specialities guaranteed), the placing on the market and use of plant protection products, as well as animal health and animal welfare insofar as they address the protection of agricultural livestock, the protection of animals at the time of killing, the keeping of wild animals in zoos, the protection of animals used for scientific purposes and the transport of animals and related operations,
l) concerning quality and safety standards for organs and substances of human origin, medicinal products for human and veterinary use, medical devices and cross-border patient care,
m) concerning the manufacture, presentation and sale of tobacco and related products,
n) governing consumer rights and consumer protection in connection with contracts between traders and consumers, and serving to protect consumers in the area of payment accounts and financial services, price indications and unfair commercial practices,
o) serving to protect privacy in electronic communications, to protect the confidentiality of communications, to protect personal data in the field of electronic communications, to protect the privacy of user terminal equipment and of the information stored in such terminal equipment, to protect against unreasonable advertising harassment by means of telephone calls, automatic calling machines, fax machines or electronic mail as well as via caller identification and number suppression, and governing the inclusion in subscriber directories,
p) serving to protect personal data within the scope of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119 of 4 May 2016, p. 1; L 314 of 22 November 2016, p. 72; L 127 of 23 May 2018, p. 2; L 74 of 4 March 2021, p. 35) in accordance with Article 2 thereof,
q) concerning the security of information technology within the meaning of section 2 (2) of the BSI Act (BSI-Gesetz) for providers of digital services within the meaning of section 2 (12) of the BSI Act,
r) governing the rights of shareholders and stock companies,
s) concerning the statutory audit of public-interest entities in accordance with section 316a sentence 2 of the Commercial Code (Handelsgesetzbuch),
t) concerning the accounting (including the bookkeeping) of companies that are publicly traded within the meaning of section 264d of the Commercial Code, of credit institutions within the meaning of section 340 (1) of the Commercial Code, of financial services institutions within the meaning of section 340 (4) sentence 1 of the Commercial Code, of securities institutions within the meaning of section 340 (4a) sentence 1 of the Commercial Code, of institutions within the meaning of section 340 (5) sentence 1 of the Commercial Code, of insurance undertakings within the meaning of section 341 (1) of the Commercial Code, and of pension funds within the meaning of section 341 (4) sentence 1 of the Commercial Code,
4. breaches of federal and uniformly applicable rules for contractors on the procedure for public procurement and the award of concessions and for legal protection in these procedures once the relevant EU thresholds have been reached,
5. breaches covered by section 4d (1) sentence 1 of the Act Establishing the Federal Financial Supervisory Authority (Finanzdienstleistungsaufsichtsgesetz), unless otherwise provided under section 4 (1) sentence 1,
6. breaches of tax provisions that apply to corporations and commercial partnerships,
7. breaches in the form of arrangements whose purpose is to abusively obtain a tax advantage that defeats the object or purpose of the applicable tax law for corporations and commercial partnerships,
8. breaches of Articles 101 and 102 of the Treaty on the Functioning of the European Union and breaches of the legislative provisions listed in section 81 (2) nos. 1, 2 (a) and 5 and section 81 (3) of the Competition Act (Gesetz gegen Wettbewerbsbeschränkungen),
9. breaches of provisions in Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265 of 12 October 2022, p. 1),
10. statements by civil servants that constitute a breach of the duty of loyalty to the Constitution.
(2) This Act also applies to the reporting and public disclosure of information on
1. breaches affecting the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union, and
2. breaches relating to the internal market as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including breaches of European Union competition and state aid rules that go beyond subsection (1) no. 8.
(1) For the purposes of this Act, the definitions in the following subsections apply.
(2) ‘Breaches’ means acts or omissions in the context of work-related, business-related or official activities that are unlawful and that relate to provisions or areas of law falling within the material scope referred to in section 2. This may also include abusive acts or omissions that defeat the object or purpose of the rules in the provisions or areas of law falling within the material scope referred to in section 2.
(3) ‘Information on breaches’ means reasonable suspicions or knowledge about actual or potential breaches that have occurred or are very likely to occur at the employer where the reporting person works or has worked or at another entity with which the reporting person is or was in contact through their work, and about attempts to conceal such breaches.
(4) ‘Reporting’ means the providing of information on breaches to an internal reporting office (section 12) or external reporting office (sections 19 to 24).
(5) ‘Public disclosure’ means the making of information on breaches available to the public.
(6) ‘Retaliation’ means any act or omission that occurs in a work-related context in response to a report or public disclosure and that causes or may cause unjustified detriment to the reporting person.
(7) ‘Follow-up’ means any measures taken by an internal reporting office under section 18 or an external reporting office under section 29 to assess the accuracy of a report, address the reported breach or close the procedure.
1. persons employed under an employment contract,
2. persons employed as part of their vocational training,
4. judges, with the exception of honorary judges,
6. persons regarded as ‘employee-like persons’ on account of their economic dependence, including home workers and persons of equivalent status,
7. persons with disabilities who are employed in a workshop for the disabled or by another service provider in accordance with section 60 of Book 9 of the Social Code (Sozialgesetzbuch).
(9) On the proviso that they employ at least one person, ‘employers’ are
1. natural persons or public and private legal entities,
2. partnerships with legal capacity, and
3. other associations of persons with legal capacity not mentioned in nos. 1 and 2.
(10) ‘Private employers’ are employers with the exception of public legal entities and employers owned or controlled by a public legal entity.
Section 4
Relationship with other provisions
(1) The following provisions containing specific rules on the communication of information on breaches take precedence over this Act:
1. section 6 (5) and section 53 of the Money Laundering Act,
2. section 25a (1) sentence 6 no. 3 of the Banking Act (Kreditwesengesetz) and section 13 (1) of the Securities Institutions Act (Wertpapierinstitutsgesetz),
3. section 58 of the Securities Trading Act (Wertpapierhandelsgesetz),
4. section 23 (6) of the Insurance Supervision Act (Versicherungsaufsichtsgesetz),
5. section 28 (1) sentence 2 no. 9 and section 68 (4) sentence 3 of the Investment Code (Kapitalanlagegesetzbuch),
6. sections 3b and 5 (8) of the Stock Exchange Act (Börsengesetz),
7. section 55b (2) no. 7 of the Code for Auditors (Wirtschaftsprüferordnung),
8. Article 32 of Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (Market Abuse Regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (OJ L 173 of 12 June 2014, p. 1; L 287 of 21 October 2016, p. 320; L 348 of 21 December 2016, p. 83) as last amended by Delegated Regulation (EU) 2021/1783 (OJ L 359 of 11 October 2021, p. 1), in the currently applicable version in each case,
9. Articles 4 and 5 of Regulation (EU) No 376/2014 of the European Parliament and of the Council of 3 April 2014 on the reporting, analysis and follow-up of occurrences in civil aviation, amending Regulation (EU) No 996/2010 of the European Parliament and of the Council and repealing Directive 2003/42/EC of the European Parliament and of the Council and Regulations (EC) No 1321/2007 and (EC) No 1330/2007 of the Commission (OJ L 122 of 24 April 2014, p. 18) as last amended by Delegated Regulation (EU) 2020/2034 (OJ L 416 of 11 December 2020, p. 1), in the currently applicable version in each case, and the ordinances issued on the basis of section 32 (1) no. 1 of the Civil Aviation Act (Luftverkehrsgesetz),
10. sections 127 and 128 of the Maritime Labour Act (Seearbeitsgesetz),
11. section 14 (1) of the Ship Safety Act (Schiffssicherheitsgesetz) in conjunction with Division D no. 8 of the Annex to the Ship Safety Act and the ordinances issued on the basis of sections 9, 9a and 9c of the Maritime Shipping Responsibilities Act (Seeaufgabengesetz) with regard to complaints concerning the safety of a foreign-flagged ship, including the safety and health of its crew, the living and working conditions on board and the prevention of pollution from foreign-flagged ships, and
12. ordinances issued on the basis of section 57c sentence 1 no. 1 and section 68 (2) in conjunction with section 68 (3) and sections 65, 66 and 67 nos. 1 and 8 and sections 126, 128 and 129 of the Federal Mining Act (Bundesberggesetz).
Insofar as the specific rules listed in sentence 1 do not stipulate any requirements, the provisions of this Act apply.
(2) The Consumer Information Act (Verbraucherinformationsgesetz), the Freedom of Information Act (Informationsfreiheitsgesetz) and the rules of Land law governing access to official information do not apply to the procedures under this Act. Sentence 1 does not apply to the rules of federal and Land law governing access to environmental information.
(3) Sections 81h to 81n of the Competition Act remain unaffected.
(4) The rules of criminal procedure are not affected by the provisions of this Act.
Section 5
Precedence of security interests and secrecy obligations
(1) A report or public disclosure does not fall within the scope of this Act if it contains the following information:
1. information relating to national security or to essential security interests of the state, in particular military or other sensitive interests within the remit of the Federal Ministry of Defence or critical infrastructure within the meaning of the BSI Critical Infrastructure Ordinance (BSI-Kritisverordnung),
2. information from federal or Land intelligence services or from federal or Land authorities and other public bodies insofar as they perform duties under section 10 no. 3 of the Security Clearance Check Act (Sicherheitsüberprüfungsgesetz) or under the corresponding Land provisions, or
3. information relating to public procurement and the award of concessions falling within the scope of Article 346 of the Treaty on the Functioning of the European Union.
(2) A report or public disclosure also does not fall within the scope of this Act if it conflicts with:
1. a secrecy obligation regarding the material and organisational protection of classified information, except in cases where a breach under section 2 (1) no. 1 is reported to an internal reporting office (section 12), the tasks of the internal reporting office have not been entrusted to a third party under section 14 (1), and the secrecy obligation in question relates to federal classified information under section 4 (2) no. 4 of the Security Clearance Check Act or to corresponding classified information under Land law,
2. the secrecy of judicial deliberations,
3. the legal professional privilege of lawyers, defence counsel in proceedings governed by statute, non-lawyer providers of legal services who have been admitted to a bar association, patent attorneys and notaries,
4. the medical professional privilege of physicians, dentists, pharmacists and members of other medical professions which require state-regulated training to engage in the profession or to use the professional title, with the exception of veterinarians insofar as the matter concerns breaches of provisions for protecting agricultural livestock held for commercial purposes that are covered by section 2 (1) no. 3 (k), or
5. the obligations to maintain secrecy applicable to persons who, on account of a contractual relationship including the joint exercise of a profession or due to activity in preparation of a profession or in some other auxiliary capacity, assist in the professional activities of persons subject to professional secrecy listed in nos. 2, 3 or 4.
Section 6
Relationship with other secrecy obligations
(1) If an internal or external report or public disclosure contains a trade secret within the meaning of section 2 no. 1 of the Act on the Protection of Trade Secrets (Gesetz zum Schutz von Geschäftsgeheimnissen), the reporting of that trade secret to a competent reporting office or its public disclosure is permissible provided that
1. the reporting person had reasonable grounds to believe that reporting or publicly disclosing the information was necessary to reveal a breach, and
2. the conditions of section 33 (1) nos. 2 and 3 are met.
(2) Subject to the requirements of section 5, information that is subject to contractual secrecy obligations, to any federal law, Land law or directly applicable legal act of the European Union that sets out secrecy obligations, to tax secrecy under section 30 of the Fiscal Code (Abgabenordnung) or to the secrecy of social security data under section 35 of Book 1 of the Social Code may be reported to a competent reporting office or publicly disclosed under the conditions set down in section 32 provided that
1. the reporting person had reasonable grounds to believe that reporting or publicly disclosing the information was necessary to reveal a breach, and
2. the conditions of section 33 (1) nos. 2 and 3 are met.
(3) Persons who, in the context of working for a reporting office, acquire information that is subject to contractual secrecy obligations, to federal law that sets out secrecy obligations, to tax secrecy under section 30 of the Fiscal Code or to the secrecy of social security data under section 35 of Book 1 of the Social Code must, from the time of receiving the report,
1. apply these secrecy provisions subject to subsection (4), and
2. respect the protected interests of the persons concerned in the same way as the person who reported the information to the reporting office is obliged to respect them.
(4) Reporting offices may use or forward secrets within the meaning of subsections (1) and (2) only to the extent necessary for follow-up.
(5) With regard to information that is subject to contractual secrecy obligations, subsections (3) and (4) apply from the time at which knowledge of the secrecy obligations is obtained.
Section 7
Right to choose between internal and external reporting
(1) Persons who intend to report information on a breach may choose between contacting an internal reporting office (section 12) and contacting an external reporting office (sections 19 to 24). Generally, such persons are to prioritise the option of reporting the information to an internal reporting office in cases where the breach can be effectively addressed internally and where the reporting person considers that there is no risk of retaliation. If an internally reported breach is not remedied, the reporting person is free to contact an external reporting office.
(2) It is prohibited to hinder or attempt to hinder a report or any subsequent communication between the reporting person and the reporting office.
(3) As a rule, employers who are obliged to establish an internal reporting office in accordance with section 12 (1) and (3) must create incentives that encourage reporting persons to first contact their respective internal reporting office before reporting through an external reporting office. These employers must provide employees with clear and easily accessible information on how to use the internal whistleblower system. The possibility of external reporting may not be restricted or impeded as a result.
Section 8
Duty of confidentiality
(1) Reporting offices are obliged to protect the confidentiality of the identity of the following persons:
1. the reporting person, where the reported information concerns breaches falling within the scope of this Act or where the reporting person had reasonable grounds to believe that this was the case at the time of reporting,
2. persons who are the subject of a report, and
3. other persons named in the report.
The identity of the persons referred to in sentence 1 may be disclosed only to the persons responsible for receiving and following up on reports and to the persons assisting them in carrying out these tasks.
(2) The duty to protect the confidentiality of identity must be observed irrespective of whether the reporting office is competent for the received report.
Section 9
Exceptions from the duty of confidentiality
(1) The identity of a reporting person who, either intentionally or through gross negligence, reports incorrect information on breaches is not protected under this Act.
(2) In derogation from section 8 (1), information on the identity of a reporting person or on other circumstances that allow conclusions to be drawn about the identity of this person may be forwarded to the competent body
1. in criminal proceedings at the request of the criminal prosecution authorities,
2. on the basis of an order in the administrative proceedings conducted following a report, including the administrative fine proceedings conducted by an administrative authority,
3. on the basis of a court decision,
4. from the Federal Financial Supervisory Authority in its capacity as an external reporting office in accordance with section 21 to the competent directorates within the Federal Financial Supervisory Authority and, in the case of the activities listed under section 109a of the Securities Trading Act, to the bodies listed under section 109a of the Securities Trading Act, or
5. from the Bundeskartellamt in its capacity as an external reporting office in accordance with section 22 to the competent divisions within the Bundeskartellamt and, in the cases of section 49 (2) sentence 2, section 49 (4) and section 50d of the Competition Act, to the competition authority with competence in the particular case.
Prior to forwarding the information, the reporting office must notify the reporting person. This does not apply if the criminal prosecution authority, competent authority or court has informed the reporting office that the information would jeopardise the relevant investigations, enquiries or court proceedings. When notification is given, the reporting person must also be provided with an explanation, in paper or electronic form, of the reasons for forwarding the information.
(3) Beyond the cases referred to in subsection (2), it is permissible to forward information on the identity of the reporting person or on other circumstances that allow conclusions to be drawn about the identity of this person if
1. forwarding the information is necessary for follow-up and
2. the reporting person has given their prior consent to the information being forwarded.
The consent referred to in sentence 1 no. 2 must be separately obtained in writing for each particular instance in which identity information is forwarded. Section 26 (2) of the Federal Data Protection Act (Bundesdatenschutzgesetz) remains unaffected.
(4) In derogation from section 8 (1), information on the identity of persons who are the subject of a report and of other persons named in the report may be forwarded to the competent body
1. if the relevant consent has been given,
2. from an internal reporting office if this is necessary within the scope of internal investigations carried out by the respective employer or organisational unit,
3. if this is necessary for follow-up,
4. in criminal proceedings at the request of the criminal prosecution authorities,
5. on the basis of an order in the administrative proceedings conducted following a report, including the administrative fine proceedings conducted by an administrative authority,
6. on the basis of a court decision,
7. from the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht) in its capacity as an external reporting office under section 21 to the competent directorates within the Federal Financial Supervisory Authority and, in the case of the activities listed under section 109a of the Securities Trading Act, to the bodies listed under section 109a of the Securities Trading Act, or
8. from the Bundeskartellamt in its capacity as an external reporting office under section 22 to the competent divisions within the Bundeskartellamt and, in the cases of section 49 (2) sentence 2, section 49 (4) and section 50d of the Competition Act, to the competition authority with competence in the particular case.
Section 10
Processing of personal data
Reporting offices are authorised to process personal data insofar as this is necessary to carry out their tasks as specified in sections 13 and 24. In derogation from Article 9(1) of Regulation (EU) 2016/679, the processing of special categories of personal data by a reporting office is permitted if such processing is necessary to carry out its tasks. In this case, the reporting office must take specific and appropriate measures to safeguard the interests of the data subject; section 22 (2) sentence 2 of the Federal Data Protection Act is to be applied accordingly.
Section 11
Record keeping of the reports
(1) The persons responsible for receiving reports in a reporting office must keep records of every received report in permanently retrievable form while complying with the duty of confidentiality (section 8).
(2) Where a telephone line or another voice messaging system is used for reporting, a permanently retrievable audio recording of the conversation or a complete and accurate transcript thereof (verbatim transcript) may only be made with the consent of the reporting person. If such consent is not given, the report must be documented in the form of a summary of the content (summary transcript) written by the person responsible for handling the report.
(3) Where the reporting takes place through the framework of a meeting pursuant to section 16 (3) or section 27 (3), a complete and accurate recording of the meeting may be made and kept with the consent of the reporting person. The recording may take the form of an audio recording of the conversation in a permanently retrievable form or a verbatim transcript of the meeting written by the person responsible for handling the report.
(4) The reporting person must be given the opportunity to check, rectify and agree the transcript with their signature or in electronic form. If an audio recording is used to prepare a transcript, it must be deleted as soon as the transcript has been finalised.
(5) The records must be deleted three years after the procedure is concluded. The records may be kept for a longer period as long as this is necessary and proportionate in order to comply with the requirements imposed by this Act or other legal provisions.
Section 12
Obligation to establish an internal reporting office
(1) Employers must ensure that at least one internal reporting service that employees can contact (internal reporting office) is established and operated within their organisation. If the employer is the Federation or a Land, the supreme federal or Land authorities must designate organisational units in the form of individual or joint authorities, administrative bodies, companies or courts. The obligation under sentence 1 then applies to the establishment and operation of an internal reporting office within each organisational unit. For municipalities, associations of municipalities, and employers owned or controlled by municipalities or associations of municipalities, the obligation to establish and operate an internal reporting office is governed by the respective Land law.
(2) The obligation under subsection (1) sentence 1 only applies to employers that normally employ at least 50 people.
(3) In derogation from subsection (2), the obligation under subsection (1) sentence 1 applies, irrespective of the number of employees, to
1. investment services enterprises within the meaning of section 2 (10) of the Securities Trading Act,
2. data reporting services providers within the meaning of section 2 (40) of the Securities Trading Act,
3. stock exchange operators within the meaning of the Stock Exchange Act,
4. institutions within the meaning of section 1 (1b) of the Banking Act and institutions within the meaning of section 2 (1) of the Securities Institutions Act,
5. counterparties within the meaning of Article 3(2) of Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse and amending Regulation (EU) No 648/2012 (OJ L 337 of 23 December 2015, p. 1) as last amended by Regulation (EU) 2021/23 (OJ L 22 of 22 January 2021, p. 1), in the currently applicable version in each case,
6. asset management companies pursuant to section 17 (1) of the Investment Code,
7. companies pursuant to section 1 (1) of the Insurance Supervision Act, with the exception of companies under sections 61 to 66a of the Insurance Supervision Act which have their registered office in another Member State of the European Union or another signatory state to the Agreement on the European Economic Area,
8. institutions within the meaning of section 2 (4) of the Crypto Markets Supervision Act (Kryptomärkteaufsichtsgesetz), and
9. institutions within the meaning of section 1 (3) of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz).
(4) Employers bound by subsection (1) sentence 1 must provide the internal reporting office with the powers necessary to carry out its tasks, in particular to assess and follow up on reports. If the employer is the Federation or a Land, sentence 1 applies accordingly to the respective organisational units.
Section 13
Tasks of internal reporting offices
(1) Internal reporting offices must operate reporting channels in accordance with section 16, conduct the procedures in accordance with section 17 and follow up in accordance with section 18.
(2) Internal reporting offices must provide employees with clear and easily accessible information on external reporting procedures in accordance with Subdivision 3 and on the relevant reporting procedures of institutions, bodies, offices and agencies of the European Union.
Section 14
Organisational forms of internal reporting offices
(1) An internal reporting office may be established by entrusting the tasks of an internal reporting office to an employee at the respective employer or organisational unit, to a unit consisting of several employees or to a third party. Entrusting a third party with the tasks of an internal reporting office does not release the employer concerned from the obligation to take appropriate measures to remedy any breach. If the employer is the Federation or a Land, sentence 2 applies accordingly to the respective organisational units.
(2) Several private employers that normally employ between 50 and 249 people may establish and operate a joint service for the receipt of reports and for carrying out the other measures provided for under this Act. The obligation to take measures to remedy a breach and to provide the reporting person with feedback remain with the individual employer.
Section 15
Independence; necessary expertise
(1) The persons entrusted with carrying out the tasks of an internal reporting office must be independent in the exercise of their activities. They may perform other tasks and duties in addition to their activities for the internal reporting office. It must however be ensured that such tasks and duties do not result in conflicts of interest.
(2) Employers must ensure that the persons entrusted with carrying out the tasks of an internal reporting office have the necessary expertise. If the employer is the Federation or a Land, sentence 1 applies accordingly to the respective organisational units.
Section 16
Reporting channels for internal reporting offices
(1) Employers obliged to establish an internal reporting office under section 12 must establish reporting channels through which employees and temporary agency workers assigned to the employer can contact the internal reporting office to report information on breaches. If the employer is the Federation or a Land, sentence 1 applies accordingly to the respective organisational units. Internal reporting channels may be designed so that they can also be used by natural persons who, in the context of their work-related activities, are in contact with the respective employer obliged to establish an internal reporting office or with the respective organisational unit. Generally, internal reporting offices are to also handle anonymously received reports. However, there is no obligation to design the reporting channels in a way that enables the submission of anonymous reports.
(2) The reporting channels must be designed in such a way that only the persons responsible for receiving and handling reports and the persons supporting them in carrying out these tasks have access to the received reports.
(3) Internal reporting channels must enable reporting in writing or orally. Oral reporting must be possible by telephone or through other voice messaging systems. Upon request by the reporting person, a physical meeting with the persons responsible for receiving reports at the internal reporting office must be made possible within a reasonable timeframe. With the consent of the reporting person, the meeting may also take place by way of audio-visual transmission.
Section 17
Procedures for internal reporting
(1) The internal reporting office
1. provides the reporting person with acknowledgement of receipt of the report within no more than seven days,
2. assesses whether the reported breach falls within the material scope of section 2,
3. maintains contact with the reporting person,
4. assesses the accuracy of the received report,
5. asks the reporting person to provide further information where necessary, and
6. carries out appropriate follow-up in accordance with section 18.
(2) The internal reporting office provides the reporting person with feedback within three months of acknowledging receipt of the report or, if no acknowledgement was given, within three months and seven days of receiving the report. The feedback must include notification of any follow-up planned or already carried out and the reasons therefor. Feedback may be provided to the reporting person only to the extent that this does not affect internal enquiries or investigations and does not impair the rights of persons who are the subject of a report or who are named in the report.
Section 18
Follow-up by internal reporting offices
In terms of follow-up, the internal reporting office may in particular
1. conduct internal investigations at the employer or the respective organisational unit and contact the persons and units concerned,
2. refer the reporting person to other competent bodies,
3. close the procedure due to lack of evidence or other reasons, or
4. hand over the procedure for further investigation to
a) a unit competent to conduct internal investigations at the employer or respective organisational unit, or
Subdivision 3
External Reporting Offices
Section 19
Establishment and remit of the Federal External Reporting Office
(1) The Federation is to establish an external reporting office (Federal External Reporting Office) at the Federal Office of Justice (Bundesamt für Justiz). The Federal External Reporting Office is organisationally separate from the remaining remit of the Federal Office of Justice.
(2) The tasks of the Federal External Reporting Office are performed independently of the other tasks of the Federal Office of Justice. The President of the Federal Office of Justice exercises administrative supervision over the Federal External Reporting Office. The Federal External Reporting Office is subject to supervision only insofar as this does not interfere with its independence.
(3) The Federal External Reporting Office must be provided with the necessary personnel and material resources for the performance of its tasks.
(4) The Federal External Reporting Office is competent unless an external reporting office under sections 20 to 23 is competent.
Section 20
Establishment and remit of external reporting offices of the Länder
Each Land may establish its own external reporting office for reports that concern their respective Land administration or local authorities.
Section 21
The Federal Financial Supervisory Authority as an external reporting office
The Federal Financial Supervisory Authority is the competent external reporting office for
1. reports covered by section 4d of the Act Establishing the Federal Financial Supervisory Authority, including reports that concern the provisions of the Securities Acquisition and Takeover Act (Wertpapiererwerbs- und Übernahmegesetz),
2. reports of information on breaches
a) under section 2 (1) no. 3 letter a, where the Federal Financial Supervisory Office is the competent authority within the meaning of section 50 (1) nos. 1 or 2 of the Money Laundering Act,
b) under section 2 (1) no. 3 letters r to t.
Insofar as detailed aspects of the Federal Financial Supervisory Authority’s organisational and procedural design as an external reporting office go beyond the scope of this Act, they are governed by section 4d of the Act Establishing the Federal Financial Supervisory Authority.
Section 22
The Bundeskartellamt as an external reporting office
(1) The Bundeskartellamt is the external reporting office competent for reports of information on breaches under section 2 (1) nos. 8 and 9. Section 7 (1) sentence 3 applies with the proviso that the reporting person may contact the Bundeskartellamt at any time and irrespective of the outcome of the internal reporting procedure.
(2) The powers of the Bundeskartellamt under other provisions remain unaffected.
Section 23
Additional external reporting offices
(1) The Federation is to establish an additional external reporting office for external reports concerning the Federal External Reporting Office within the meaning of section 19.
(2) For reports concerning an external reporting office within the meaning of sections 20 to 22, the additional reporting office is the Federal External Reporting Office within the meaning of section 19.
Section 24
Tasks of external reporting offices
(1) External reporting offices must establish and operate reporting channels in accordance with section 27, assess the accuracy of reports and conduct the procedures in accordance with section 28.
(2) External reporting offices must provide natural persons who are contemplating reporting with comprehensive and independent information and advice on the remedies and procedures available to protect against retaliation. In particular, external reporting offices must also provide information on the possibility of internal reporting.
(3) In a separate, easily identifiable and accessible section of their website, external reporting offices must publish
1. the conditions for qualifying for protection in accordance with this Act,
2. statements explaining the reporting procedures and the nature of the possible follow-up under section 29,
3. the confidentiality regime applicable to reports, and information on the processing of personal data,
4. information on the remedies and procedures available for protection against retaliation, and the availability of confidential advice for persons contemplating reporting,
5. a statement clearly explaining the conditions under which persons reporting to the external reporting office are protected from incurring liability for breaches of secrecy obligations,
6. their contact details, in particular their email address, postal address and telephone number, as well as information as to whether telephone conversations are recorded.
(4) External reporting offices must provide clear and easily accessible information regarding their respective reporting procedures so that internal reporting offices can access or refer to this information in order to comply with their duty under section 13 (2). The Federal External Reporting Office must also provide clear and easily accessible information regarding the reporting procedures referred to in section 13 (2) so that internal reporting offices can access or refer to this information in order to comply with their duty under section 13 (2).
Section 25
Independence; training
(1) Within the framework of their tasks and powers, the external reporting offices operate with functional independence and separately from the internal reporting offices. The supervision exercised over them extends to ensuring compliance with parliamentary legislation and other legal instruments.
(2) The persons responsible for handling reports are to receive regular training for the task. They may perform other tasks and duties in addition to their activities for an external reporting office. It must however be ensured that such tasks and duties do not result in a conflict of interest.
Section 26
Reporting obligations of external reporting offices
(1) External reporting offices must prepare an annual report in summarised form on the reports received. The report may not provide any indication of the persons or companies involved. It must be made publicly available.
(2) External reporting offices must record the following data and include it in the report:
1. the number of reports received,
2. the number of cases in which internal investigations were initiated at the companies or authorities concerned,
3. the number of cases that resulted in investigations by a public prosecutor’s office or in court proceedings, and
4. the number of cases that resulted in a transfer to another competent authority.
(3) The Federal External Reporting Office within the meaning of section 19 must additionally submit its annual report to the German Bundestag, the Bundesrat and the Federal Government and must forward a summary of the reports under subsections (1) and (2) to the European Commission.
Section 27
Reporting channels for external reporting offices
(1) Reporting channels are to be established for external reporting offices through which reporting persons can report information on breaches. Section 16 (2) applies accordingly. Generally, external reporting offices are to also handle anonymous reports. However, subject to provisions in more specific legislation, there is no obligation to design the reporting channels in a way that enables anonymous reports to be submitted.
(2) If a report is received at the external reporting office by persons other than those responsible for handling reports, the report must be forwarded directly, promptly and without modification to the persons responsible for handling reports.
(3) External reporting channels must enable reporting in writing or orally. Oral reporting must be possible by telephone or through other voice messaging systems. Upon request by the reporting person, a physical meeting with the persons responsible for receiving a report at the external reporting office must be made possible within a reasonable timeframe. With the consent of the reporting person, the meeting may also take place by way of audio-visual transmission.
Section 28
Procedures for external reporting
(1) External reporting offices must acknowledge receipt of a report promptly, but no later than seven days after receipt of the report. Receipt of the report is not acknowledged if the reporting person explicitly waives the right to such acknowledgement or if there are reasonable grounds to believe that acknowledging receipt of the report would jeopardise the protection of the reporting person’s identity. In cases suitable for an internal reporting procedure, external reporting offices must inform the reporting person, when acknowledging receipt of the report, about the possibility of submitting an internal report.
(2) External reporting offices must assess whether the reported breach falls within the material scope set out in section 2 and none of the exceptions to the scope of this Act listed in section 5 applies. Where this is the case, they must assess the accuracy of the report and carry out appropriate follow-up in accordance with section 29.
(3) As regards the inspection of files by parties within the meaning of this Act, section 29 of the Administrative Procedure Act (Verwaltungsverfahrensgesetz) applies. Secrecy obligations within the meaning of section 6 (3) must be observed. For the reporting person, sentences 1 and 2 apply accordingly; it must be ensured that this does not impair the rights of the persons who are the subject of a report or persons who are named in a report.
(4) The reporting person must be provided with feedback on their report within a reasonable timeframe. Feedback must be provided within three months at the latest. In cases requiring extensive examination, this period is six months. The grounds for extending the time limit must be communicated to the reporting person. Section 17 (2) sentence 2 and 3 applies accordingly.
(5) Reports of particularly serious breaches may be dealt with as a matter of priority. This does not affect the time limits referred to in subsection (4).
Section 29
Follow-up by external reporting offices
(1) External reporting offices may, at their duty-bound discretion, request information from the natural persons concerned, from the employer concerned, from third parties and from authorities, insofar as this is necessary to assess the accuracy of the report. A reasonable time limit is to be granted for responding to the information request. For information requests under sentence 1, the right to refuse testimony under sections 53 and 53a and the right to refuse to give information under section 55 of the Code of Criminal Procedure (Strafprozessordnung) apply accordingly. Upon application, compensation for responding to information requests is to be granted in accordance with the provisions of the Judicial Remuneration and Compensation Act (Justizvergütungs- und -entschädigungsgesetz) on the compensation of witnesses. Section 23 (2) sentence 2 of the Judicial Remuneration and Compensation Act applies accordingly.
(2) In terms of further follow-up, external reporting offices may, at their duty-bound discretion,
1. contact the employers concerned,
2. refer the reporting person to other competent bodies,
3. close the procedure due to lack of evidence or other reasons, or
4. hand over the procedure to the competent authority for further investigation.
Section 30
Cooperation with other public bodies
External reporting offices and other public bodies competent for the investigation, prevention and prosecution of breaches within the scope of this Act are to work together and provide mutual support in the implementation of this Act. This does not affect special statutory rules on cooperation between public bodies.
Section 31
Closure of the procedure
(1) Once an external reporting office has assessed the accuracy of a report and conducted the procedure in accordance with section 28, it closes the procedure.
(2) If an external reporting office is not competent for a report or is unable to investigate the reported breach within a reasonable timeframe, it must promptly forward the report to the body competent for investigating, preventing and prosecuting the breach while ensuring that the identity of the reporting person remains confidential. This also applies to reports for which, pursuant to section 4 (1), the external reporting office is not competent for follow-up. The external reporting office must promptly notify the reporting person that the report has been forwarded. If it is not possible to forward the report while ensuring that the identity of the reporting person remains confidential, section 9 (3) must be observed.
(3) Where an external reporting office concludes that a reported breach is minor, it may close the procedure at its duty-bound discretion.
(4) If a report concerns a matter in respect of which a procedure under this Act has already been closed, an external reporting office may close the procedure at its duty-bound discretion if the report does not contain any new facts. This does not apply if new legal or factual circumstances justify a different follow-up.
(5) Where an external reporting office closes the procedure in accordance with subsection (3) or subsection (4), it must promptly notify the reporting person of the decision and the reasons for the decision. If the employer concerned has previously been contacted by the external reporting office in accordance with section 29 (2) no. 1, the external reporting office must notify the employer of the decision taken in accordance with sentence 1 while ensuring that the identity of the persons listed in section 8 (1) remains confidential.
(6) An external reporting office must notify the reporting person of the outcome of the investigations triggered by the report once they have been completed, insofar as this is compatible with statutory secrecy obligations. Subsection (5) sentence 2 applies.
(7) For disputes arising from decisions taken by an external reporting office under subsections (1) to (6), recourse to the administrative courts is available. Prior to filing an action, no re-examination in preliminary proceedings is required.
(1) Persons who publicly disclose information on breaches are covered by the protective measures of this Act if they
1. first reported externally in accordance with Division 2 Subdivision 4 and
a) no appropriate follow-up under section 29 was carried out within the timeframes for feedback referred to in section 28 (4) or
b) they have not received feedback on such follow-up or
2. had reasonable grounds to believe that
a) the breach may constitute an imminent or manifest danger to the public interest due to an emergency, risk of irreversible damage or comparable circumstances,
b) in the case of external reporting, there is a risk of retaliation or
c) evidence may be concealed or destroyed, or the competent external reporting office may be in collusion with the perpetrator of the breach or, due to other particular circumstances, there is a low prospect of the external reporting office carrying out effective follow-up under section 29.
(2) It is prohibited to publicly disclose incorrect information on breaches.
Section 33
Conditions for protection of reporting persons
(1) Sections 35 to 37 are applicable to reporting persons provided that
1. they reported either internally in accordance with section 17 or externally in accordance with section 28 or made a public disclosure in accordance with section 32,
2. they had reasonable grounds to believe that the information reported or publicly disclosed by them was true at the time of making the report or public disclosure, and
3. the information concerns breaches that fall within the scope of this Act, or the reporting person had reasonable grounds to believe that this was the case at the time of making the report or public disclosure.
(2) Under the conditions of subsection (1), sections 35 to 37 are also applicable to persons who report breaches of Union law falling within the scope of this Act to competent institutions, bodies, offices or agencies of the European Union.
Section 34
Other protected persons
(1) Sections 35 to 37 apply accordingly to natural persons who confidentially provide the reporting person with assistance in making an internal or external report or a public disclosure in a work-related context, provided that the reported or publicly disclosed information
1. is accurate, or the assisting person had reasonable grounds to believe that the information reported or publicly disclosed by the reporting person was true at the time of the assistance, and
2. concerns breaches that fall within the scope of this Act, or the assisting person had reasonable grounds to believe that this was the case at the time of the assistance.
(2) If the requirements of section 33 are met, sections 35 to 37 apply accordingly to
1. third parties who are connected with the reporting person and who have suffered retaliation in a work-related context, unless the retaliation is not linked to the report or public disclosure made by the reporting person, and
2. legal entities, partnerships with legal capacity and other associations of persons with legal capacity that are legally connected to the reporting person by virtue of being owned in whole or in part by the reporting person, or for which the reporting person works, or with which the reporting person is otherwise connected in a work-related context.
Section 35
Exclusion of liability
(1) Reporting persons cannot be held legally responsible for acquiring or accessing the information which they reported or publicly disclosed, provided that such acquisition or access does not constitute a self-standing criminal offence.
(2) Reporting persons do not violate any restriction on the disclosure of information and cannot be held legally responsible for forwarding the information contained in a report or public disclosure, provided they had reasonable grounds to believe that forwarding such information was necessary to reveal a breach.
Section 36
Prohibition of retaliation; reversal of burden of proof
(1) It is prohibited to take retaliatory action against a reporting person. Threats of retaliation and attempts of retaliation are also prohibited.
(2) If a reporting person suffers a detriment in connection with their work-related activities and claims to have suffered this detriment as a result of a report or public disclosure under this Act, it is presumed that the detriment was made in retaliation for the report or public disclosure. In such cases, the person who took the detrimental measure against the reporting person must prove that the measure was based on duly justified grounds or that it was not linked to the report or public disclosure.
Section 37
Compensation for damages in the event of retaliation
(1) Where the prohibition of retaliation is violated, the retaliating party is obliged to compensate the reporting person for any resulting damage.
(2) Violations of the prohibition of retaliation do not establish claims to an employment relationship, a vocational training relationship, any other contractual relationship or to promotion.
Section 38
Compensation for damages in the event of false reports
The reporting person is obliged to pay compensation for any damage resulting from the intentional or grossly negligent reporting or public disclosure of incorrect information.
Section 39
Prohibition of deviating agreements
Agreements that restrict the rights afforded to reporting persons and other persons under this Act are invalid.
Section 40
Provisions on regulatory fines
(1) It is a regulatory offence to knowingly publicly disclose incorrect information in contravention of section 32 (2).
(2) It is a regulatory offence to
1. hinder a report or communication in contravention of section 7 (2),
2. fail to ensure, in contravention of section 12 (1) sentence 1, that an internal reporting office is established and operated, or
3. engage in retaliation in contravention of section 36 (1) sentence 1, also in conjunction with section 34.
(3) It is a regulatory offence to intentionally or recklessly fail to maintain confidentiality in contravention of section 8 (1) sentence 1.
(4) It is a regulatory offence to negligently commit an act specified in subsection (3).
(5) In the cases specified in subsection (2) nos. 1 and 3, attempted regulatory offences may be sanctioned.
(6) Regulatory offences in the cases specified in subsection (2) nos. 1 and 3 and subsections (3) and (5) may be sanctioned with a regulatory fine not exceeding 50,000 euros, in the cases specified in subsections (1) and (2) no. 2 with a regulatory fine not exceeding 20,000 euros, and in all other cases with a regulatory fine not exceeding 10,000 euros. Section 30 (2) sentence 3 of the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten) applies in the cases specified in subsection (2) nos. 1 and 3 and subsections (3) and (4).
Division 6
Concluding Provisions
Section 41
Authorisation to issue statutory instruments
The Federal Ministry of Justice is authorised, by way of statutory instrument not requiring the consent of the Bundesrat and in agreement with the Federal Ministry for Economic Affairs and Climate Action, the Federal Ministry of Finance, the Federal Ministry of the Interior and Community, the Federal Ministry of Labour and Social Affairs, the Federal Ministry of Defence, the Federal Ministry of Health and the Federal Ministry for the Environment, Nature Conservation, Nuclear Safety and Consumer Protection, to
1. regulate the details of the Federal External Reporting Office’s organisational and procedural design, and
2. designate an additional external reporting office pursuant to section 23 (1).
Section 42
Transitional provision
(1) In derogation from section 12 (1), private employers that normally employ between 50 and 249 people are only required to establish their internal reporting offices from 17 December 2023. Sentence 1 does not apply to the employers specified in section 12 (3).