Germany & Spain Respond to GDPR with Guidance & Legislation on Anonymous Whistleblower Reporting

Two of Europe’s largest economies are embracing anonymous whistleblower reporting for the first time – triggering organizations operating in those countries to review and evaluate their internal reporting and investigations.

Authorities in Germany and Spain pivoting on the matter is significant, particularly since for decades the ghosts of World War II have cast a pall over anonymous reporting. This is starker when compared with the relative commonality of whistleblowing in the United States. But even if anonymous reporting is becoming more accepted in Europe, the particulars of how it will be accepted and enforced differ.

Organizations need to make sure they have the capabilities to adapt to the nuances of various jurisdictions, especially when operating across international borders. 

New Internal Whistleblower Reporting Guidance in Germany

In early 2018, data protection authorities in Germany issued guidance on whistleblowing hotlines, which broke with the country’s previous stance that whistleblowers should be strongly encouraged to disclose their identities.

The genesis of the change was Europe’s General Data Protection Regulation (GDPR), which took effect last May. Under Germany’s new guidance, whistleblowers are encouraged to report anonymously. If they wish to disclose their identity, they must be informed that it will be kept confidential during the investigation – but that the accused person must be informed of the identity, at the latest, within a month after notification. The only exception comes if notifying the accused could put the investigation at significant risk.

Under Germany’s new guidance, whistleblowers are encouraged to report anonymously.

This is going to be an interesting global practice to watch develop, as anonymous reporting can generally make investigations more difficult to substantiate and resolve. The inability to follow up directly with the initial reporter is typically not as efficient, as shown by NAVEX Global’s 2018 Hotline & Incident Management Benchmark Report (p. 20). But under Germany’s new guidance, organizations are best served to encourage anonymity, because even getting consent from whistleblowers to share their identities is tricky. If the whistleblower provides consent to disclose their identity to the accused, the whistleblower can actually withdraw consent at any time. Further complicating this process, the whistleblower would have to be informed that withdrawing consent after a period of time, typically within a month, would likely be too late as their identity may have been already disclosed to the accused. Thus, in addition to informing a reporter of the risk of their identity being shared, encouraging anonymity puts a premium on ensuring you gather as much information from a reporter in the intake process as possible.

And, of course, providing the whistleblower’s name to the accused also poses safety issues. Imagine Jane reports financial fraud committed by John. Having to eventually tell John that he has been reported by Jane might create an unsafe, or at least an uncomfortable, work environment for Jane.

New Whistleblower Law in Spain

Spain is also opening up anonymous whistleblowing via the new Spanish Data Protection Act (Spanish DPA) that came into force last month, including provisions permitting anonymity among whistleblowers for the first time.  

Any organization operating in Spain must be able to scrub personal data from its reporting system after three months.

While there are a handful of obligations laid out in the Spanish DPA around whistleblower report management, it notably sets out a maximum retention period for personal data collected in reporting systems. This retention period is three months unless the purpose for preservation is to leave evidence for the prevention of the commission of crimes by a legal entity. Thus, any organization operating in Spain that wants to stay in compliance with the new law must be able to scrub personal data from its reporting system after three months.

How to Stay Ahead of the Global Whistleblower Hotline Changes

The fact that Europe is embracing anonymous reporting is probably a good thing. The practice can encourage speak-up cultures, but different rules in different countries with respect to whistleblowing across Europe means a lack of uniformity in application persists. The different approaches show a side effect of the new data-protection rules: The EU’s efforts toward uniform data requirements are actually causing a patchwork of related laws across the continent.

Organizations should be regularly educating employees on all the steps needed for successful anonymous reporting.

Organizations should be regularly educating employees on all the steps needed for successful anonymous reporting. With this in mind, it’s important to make sure anonymous reporters understand their role not only in reporting but also in the ensuing investigation. Low substantiation rates and longer case closure times are often associated with anonymous reporting because investigators aren’t able to follow up with the reporter for additional information. To combat this, whistleblower hotline and incident management administrators must make the most out of their initial interaction with the whistleblower. During the first report, the organization’s hotline system should provide the reporter with a case number to track the report. It should also communicate the importance of following up with the report and provide guidance on how to do so.

Organizations in both countries that want to remain in compliance must have the ability to change the talk tracks they use when informing potential whistleblowers of the rules and limitations when they make reports. Being able to do this nimbly for employees in different countries is incredibly important – and could become more so if other countries find different ways to react to GDPR.

We could see more changes to how European countries view anonymous reporting – possibly even refinements to the new moves in Germany and Spain – especially considering the scope of GDPR. That means it’s important for organizations to keep pace with regulations and have whistleblower hotline systems in place that can adapt to changing requirements.


If you are a current NAVEX Global customer and would like to review and potentially update your EthicsPoint Incident Management configuration for Germany and Spain, please reach out to your account executive.

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

"Informed Consent" – Pivotal Concept in First Major GDPR Enforcement Against U.S. Company

On Monday, January 21, we saw the first major GDPR penalty since the General Data Protection Regulation launched last May. What’s more is that it was levied against one of the largest U.S. tech giants, Google. Here's what we can learn about the future of GDPR enforcement. 

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Globalization of Anti-Corruption: The World Is Getting Better at Collaborating Against Crime

Enforcement agencies are getting more sophisticated at what they do, and that efficacy is compounded by the growing collaboration between global agencies. Let's discuss what this globalization of enforcement means for anti-bribery and corruption programs.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.