On Friday, December 16, 2022, members of the German Bundestag passed the Whistleblower Protection Act (HinSchG). The aim of the law is to better protect whistleblowers in the professional environment. The law is primarily intended to protect whistleblowers from reprisals. At the same time, the law is also intended to ensure that grievances are first addressed internally before whistleblowers go public, which could result in a company suffering a reputational damage Act has been passed.
Who must set up a whistleblower protection system? Act has been passed
In principle, employers with 50 or more employees are required to establish at least one internal reporting center starting in 2023. The law stipulates a staggered introduction obligation.
- From the date the law comes into force, germany business fax list which is expected in the second quarter of 2023, employers with 250 or more employees must set up at least one internal reporting point.
- Private employers with between 50 and 249 employees have a transitional period until December 17, 2023, to establish a whistleblower protection system.
- Employers with fewer than 50 employees are not required to set up internal reporting channels.
However, this does not apply to companies in the financial sector. These companies must implement an internal reporting channel as soon as the law comes into force, regardless of their number of employees. Therefore, smaller investment services companies with fewer than 50 employees are also affected.
Internal and external reporting points
The law differentiates between internal and external reporting points. Internal reporting points are particularly relevant for companies. Affected companies must set up at least one internal reporting point to which employees can turn. Within the company, 13 steps to improve crawling and indexing of your website the internal reporting point can be set up, for example, within the compliance department. However, the law also provides for the possibility of entrusting third parties with the operation of an internal reporting point. These are usually consulting firms or lawyers who are appointed as ombudspersons. They act as controllers within the meaning of Art. 4 (7) GDPR. The controller of an internal reporting channel (employer and/or ombudsperson) can use a service provider that provides an application for receiving reports and for further communication. In this case, a contract for order processing must be concluded in accordance with Art. 28 GDPR.
What else do those responsible for internal reporting bodies need to consider?
Internal reporting centers must also accept and process anonymous reports and enable further communication in anonymous form. However, botswana business directory the requirement to allow anonymous reports will not come into force until January 1, 2025.
The reporting person must receive an acknowledgement of receipt within seven days and feedback on the measures taken and planned within three months of the acknowledgement. The legal basis for the processing of personal data is Art. 6 (1) (c) GDPR in conjunction with Section 10 of the HinSchG (Information Protection Act). This standard also covers the processing of special categories of personal data under Art. 9 GDPR. The report must be documented, and the documentation must be deleted three years after the conclusion of the procedure.