In just under a month, a deadline will expire that could bring Germany into infringement proceedings. The EU member states have until December 17th to implement an EU directive into national law that is supposed to better protect whistleblowers – people who point out abuses.
However, the federal government did not manage to agree on a draft law in the past legislative period. It is very unlikely that a new attempt will be successful by next month. Nevertheless, it makes sense for companies to take action now. After all, whistleblowers can still invoke the directive from the reference date and, under certain circumstances, sue the Federal Republic of Germany for compensation: an individual may not suffer any damage simply because a state misses a deadline.
How does the protection apply?
The directive protects all thosewhich, to the best of their knowledge, point out abuses that fall under EU law, such as environmental and animal welfare, product safety, data protection, money laundering and terrorist financing and much more. It applies to both the private and public sectors, such as employees and civil servants. On the other hand, it does not apply to violations of German laws – this would require the national regulation, which is particularly controversial on this point.
Whistleblowers may not be dismissed, downgraded, coerced or discriminated against if they have reported a violation. Article 19 of the directive lists 15 retaliations that are prohibited and also prohibited in national law. This means that employers are threatened with fines and compensation payments in the future if they harass their employees or reveal their identity against their will. The exact sanctions must be determined by German law.
What do companies have to adjust to?
Above all, that a whistleblower protection law comes, even if it takes a few months longer. “Companies are well advised to start preparing,” says Rainer Buchert, lawyer and ombudsman. “That needs a certain amount of lead time – also in order to avoid errors such as the introduction of the General Data Protection Regulation.” At that time there was a two-year transition period that allowed a large number of companies to pass unused and thus risked fines.
The EU directive already specifies essential points, such as: Companies with more than 250 employees must set up whistleblower systems, as well as authorities and municipalities with 10,000 inhabitants or more. The same applies to companies with 50 to 249 employees, but only from December 17, 2023. They can also share resources when it comes to reporting systems and investigations.
What is meant by the whistleblower system?
The EU directive speaks of reporting channels. A person or a machine can hide behind it. Contact persons in the company are possible, for example someone from the compliance or legal department who can be reached by telephone and in writing. Alternatively, external contacts are possible, such as arbitrators such as Buchert, who are impartial and are commissioned by the company.
A third possibility are electronic whistleblowing systems that can be accessed on the intranet and on a company’s website. Reporters enter what they want to communicate in a mask, can upload documents and decide whether to do so anonymously or with real names. This report is then either received by an internal department or by an external lawyer. Corporations in particular often offer several options.
How many reports do companies have to expect?
Critics of whistleblowing systems like to claim that the effort for companies is too high. But this has already been refuted many times, often there are annual reports in the single-digit range.
Buchert and his partner have more than 50 mandates as ombudspersons for corporations, medium-sized companies and non-governmental organizations. In 20 years, says Buchert, he has spoken to 3,000 whistleblowers and processed around 8,000 reports – in other words, 400 a year. “Many need advice, for example whether they have to fear consequences under labor law. Or whether they have made themselves liable to prosecution because they have known about the grievance for a long time. Many also worry about the consequences for the perpetrators: ‘I don’t want him is dismissed, just that the behavior stops. ‘”
Which providers are there?
The pioneer and market leader among digital whistleblowing systems is Business Keeper, whose BKMS software has been on the market since 2001. The Berlin company was taken over in June by its competitor, the EQS Group from Munich. The Business Keeper brand will remain, EQS also sells its own reporting software Integrity Line. Other providers include Hintbox and Otris.
Some software companies have even been founded with a view to the EU directive, including Legaltegrity. Founder Thomas Altenbach is a lawyer and has worked as a compliance expert for Evonik, Daimler and Deutsche Bank. The Legaltegrity Tool was specially developed for medium-sized companies in 2019 and costs 49 euros per month in the smallest solution.
Altenbach advertises that companies take care: “If I have an internal reporting office, I can solve the problem internally and it stays in-house.” This is also important because the new directive enables whistleblowers to contact external bodies such as investigative authorities or the media. This is an important innovation, because previously an employee could be dismissed if he did not first report his allegations internally to the company.
What is useful for whom?
The companies can decide that. The EU directive only specifies how to deal with a report. The whistleblower must receive confirmation of receipt within seven days; in addition, the recipients must take “proper follow-up”, i.e. not ignore the message. The member states should decide whether anonymous reports must also be processed.
It doesn’t always have to be an electronic reporting system, says Altenbach. “In companies with 50 to 100 employees, managers know most of their employees. It can be enough to set up an internal telephone number for reports and a kind of suggestion box.” If the company is larger or has many employees who work mobile, a digital system could be better.
Ombudsman Buchert agrees. He advises viewing reporting channels as part of compliance management. The latter includes examining tasks and functions in a company for their risk of unethical behavior and creating and communicating a code of conduct for the entire workforce.