What should be considered in a whistleblowing system? The Whistleblowing Directive (EU DIRECTIVE (EU) 2019/1937 of 23 October 2019) sets out minimum requirements for the protection of persons reporting breaches of Union law. The EU Whistleblowing Directive requires transposition into national law by 17.12.2021 or 17.12.2023 at the latest.
Article 8 regulates that legal persons in the private and public sectors must establish channels and procedures for internal reporting and follow-up.
The channels and procedures must allow workers of the legal person to report information on violations.
This obligation applies to legal persons in the private sector with 50 or more employees and takes effect from 17.12.2021. For companies with 50 to 249 employees, it is still open whether this obligation will only take effect from 17.12.2023 (Art. 26 para. 1,2 of the Whistleblowing Directive).
Legal entities in the private sector with 50 to 249 employees may share resources for receiving reports and for investigations that may be carried out. This is without prejudice to the obligation imposed on these legal persons by this Directive to maintain confidentiality, provide feedback and take action against the reported breach.
Article 2 of the Whistleblowing Directive regulates a reporting obligation for the following violations
public procurement
financial services, financial products and financial markets, and the prevention of money laundering and terrorist financing,
Product safety and conformity
Transport safety
Environmental protection
Radiation protection and nuclear safety
Food and feed safety, animal health and welfare
public health
Consumer protection
Protection of privacy and personal data and security of network and information systems
Infringements of the Union’s financial interests within the meaning of Article 325 TFEU and as more precisely defined in relevant Union measures
Infringements of internal market rules within the meaning of Article 26(2) TFEU, including infringements of Union rules on competition and State aid, as well as infringements of internal market rules in relation to acts which breach corporate tax rules or in relation to agreements aimed at obtaining a tax advantage contrary to the object or purpose of the applicable corporate tax law
Article 16 sets out the following minimum requirements to ensure the confidentiality of a whistleblower when implementing a whistleblowing system:
It shall be ensured that the identity of the whistleblower is not disclosed to any person other than to the authorised staff responsible for receiving reports or taking follow-up action on reports, without the whistleblower’s express consent. This also applies to any other information from which the identity of the whistleblower can be directly or indirectly inferred.
Competent authorities receiving information on infringements and containing business secrets shall not use or disclose such business secrets for purposes beyond what is necessary for proper follow-up.
It is still open whether the German legislator will implement the possibility contained in the EU Whistleblower Directive to delay the obligation to introduce an internal reporting channel for legal entities with a number of employees between 50 and 249 by two years. It should therefore be noted that the obligation for companies with more than 250 employees will in any case come into force from December 2021.
Article 19 explicitly regulates the prohibition of reprisals. A whistleblowing system must also include measures prohibiting any form of reprisals against the persons referred to in Article 4, including threats of reprisals and attempts at reprisals. This includes in particular the following reprisals:
With the future VerSanG, stricter rules apply to internal investigations. The combination of internal association investigations and corporate defence, according to the explanatory memorandum, weakens the credibility of the results of internal association investigations and can lead to conflicts with the criminal defence mandate.
Internal association investigations serve to objectively clarify the facts of the case, including all incriminating and exculpating circumstances. Due to the potential conflicts arising from a combination of internal association investigations and criminal defence, the separation of internal association investigations and representation in administrative offence proceedings is already widespread today (cf. Leitner/Rosenau-Wimmer, Wirtschafts- und Steuerstrafrecht, § 152 StPO marginal no. 16).
Update: With the Securities Institutions Act, the provisions of § 13 Whistleblower system and record-keeping obligation are now also
(1) Securities institutions shall be obliged to establish a procedure that enables employees, while maintaining the confidentiality of their identity, to report possible breaches of supervisory law and potentially criminal acts within the company to appropriate bodies. The procedure may be provided by social partners, provided that the same level of protection is granted to the reporters as under § 4d of the Financial Services Supervision Act.
(2) Securities institutions shall record all transactions and document the systems and procedures subject to this Act and Regulation (EU) 2019/2033 in such a way that the Bundesanstalt or a person authorised by it can verify at any time whether the securities institution complies with this Act and Regulation (EU) 2019/2033. The internal control procedures and the administrative and accounting procedures of the investment institution shall enable the supervisory authority to verify compliance with these provisions at any time.
We need your consent before you can continue on our website. If you are under 16 and wish to give consent to optional services, you must ask your legal guardians for permission. We use cookies and other technologies on our website. Some of them are essential, while others help us to improve this website and your experience. Personal data may be processed (e.g. IP addresses), for example for personalized ads and content or ad and content measurement. You can find more information about the use of your data in our privacy policy. You can revoke or adjust your selection at any time under Settings. Some services process personal data in the USA. With your consent to use these services, you also consent to the processing of your data in the USA pursuant to Art. 49 (1) lit. a GDPR. The ECJ classifies the USA as a country with insufficient data protection according to EU standards. For example, there is a risk that U.S. authorities will process personal data in surveillance programs without any existing possibility of legal action for Europeans.
If you are under 16 and wish to give consent to optional services, you must ask your legal guardians for permission. We use cookies and other technologies on our website. Some of them are essential, while others help us to improve this website and your experience. Personal data may be processed (e.g. IP addresses), for example for personalized ads and content or ad and content measurement. You can find more information about the use of your data in our privacy policy. Some services process personal data in the USA. With your consent to use these services, you also consent to the processing of your data in the USA pursuant to Art. 49 (1) lit. a GDPR. The ECJ classifies the USA as a country with insufficient data protection according to EU standards. For example, there is a risk that U.S. authorities will process personal data in surveillance programs without any existing possibility of legal action for Europeans. Here you will find an overview of all cookies used. You can give your consent to whole categories or display further information and select certain cookies.