Based on the draft legislation, the obligation to set up internal reporting channels for whistleblowers will eventually apply to organizations with 50 employees. Smaller organizations with 50 employees or more have an extension period, but organizations with 250 employees or more are expected to comply by December 2023. This affects around 5,500 corporations, institutions and foundations in Germany.
Highlights of this new proposed legislation worth noting include the following:
The law is intended to protect not only regular employees, including civil servants, but also interns, volunteers and shareholders. This has been further expanded to include external contractors and suppliers, previous employees (even if their employment relationship has already ended), as well as individuals who have become aware of violations even before the start of their employment relationship. This protection has been expanded to cover the broadest sense of employer/employee relationships aiming to encourage an increase in reporting at all levels.
Whistleblowers are free to choose whether to report a violation internally first or to report externally by contacting an authority designated as competent by the respective member state. Historically the process has been for whistleblowers to report internally first before addressing observed misconduct outside of their organization. The freedom of choice will most likely enhance the number of hints on potential misconduct including those where in the past an incident will have gone unreported, when they felt they will not be heard or cannot report internally. The whistleblower not only can choose where to report but also they don’t have to justify why they have made this choice, which broadens their protection and makes reporting even more accessible.
The law defines requirements for the design of, and procedures to operate, internal and external reporting channels with confidentiality for the identity of the whistleblower at the core. For the new protection system to be effective and functional, it is essential that the identities of all persons affected by a report are protected. This enhanced confidentiality means that organizations need to ensure that their processes and procedures protect everyone involved not just the whistleblower. In smaller organizations, of just a few employees, providing confidentiality could prove tricky in practice.
To protect whistleblowers, the law specifies prohibitions on retaliatory measures, such as disciplinary action, suspension and dismissal. This is consistent with previous approaches, and will continue to help encourage observations made in good faith.
The law does not provide for mandatory requirements to enable anonymous reporting. This highlights a culture difference between the US/UK and mainland Europe. Historically reporting anonymously was sometimes perceived as not as credible. The US/UK approach encourages anonymous reporting taking the view that all reports anonymous or not should be reviewed. Although not required by law, this could be an additional option that organizations could include to help potentially increase the number of reports.
To support this effort, two external reporting offices will be established at the federal level, one at the Federal Commissioner for Data Protection and Freedom of Information (BfDI), and the other at the Federal Financial Supervisory Authority (BaFin).
The law does not only intend to protect individuals who file reports or disclose violations, but it also protects individuals who are affected by the report or disclosure. For example, the law also protects those that are named in the report as they could be a potential witness. The protection is also afforded to those who are the subject of the report or disclosure, i.e. those who are accused of misconduct in the report or disclosure.