What is the current status of the German Whistleblower Protection Law?
There is currently no German Whistleblower Protection Law, and whistleblower protection is still somewhat limited relative to the EU Directive. National regulations on whistleblower protection currently only exist for the financial services sector and regarding the protection of business secrets.
A somewhat controversial draft proposal provided by the new German government at the end of 2021 indicates that the German Whistleblower Protection Law may go further than the EU Directive. As is the case in Sweden, it proposes that whistleblowers will be protected for sounding the alarm not only on breaches of EU law, but also on breaches of regulations or other significant misconduct whose disclosure is in the public interest. Implementation of the German Whistleblower Law is not expected until mid-2022.
The draft of the German Whistleblowing Protection Law signals that it will go further than the requirements of the EU Whistleblower Protection Directive. The controversial draft is to be reviewed and transposed into German national law in mid-2022.
What to do while awaiting the German Whistleblower Protection Law
There is good news for companies with operations in Germany that would prefer to start preparing for compliance now rather than wait for the new German law. The EU Directive sets a number of minimum standards that will apply in all member states and to all organisations with more than 50 employees. We recommend that you investigate these minimum requirements (see below) now and identify solutions that can help you fulfil them.
- A secure channel for receiving whistleblower reports must be put in place.
- Acknowledgment of the receipt of the report must be provided to the whistleblower within seven days.
- An impartial person or department must be appointed to follow up on the reports.
- Records must be kept of every report received, in compliance with confidentiality requirements.
- There must be diligent follow-up of the report by the designated person or department.
- Feedback about the report follow-up must be given to the whistleblower within three months.
- All processing of personal data must be done in accordance with the GDPR.