
The Germany Whistleblower Protection Act

Explore the Whistleblower Protection Act, including compliance requirements, scope, and how to support and protect reporting in your organization


Germany Whistleblower Protection Act overview

Germany enacted amendments to the country’s existing whistleblower protection laws in May 2023. The amendments transposed the EU Whistleblower Protection Directive’s requirements into German law, and expanded the scope of the directive as well. The new law protects not just reports of breaches of Union law, but also breaches of German national law and other “administrative” offenses of German regulations. Breaches of a company’s own policies and procedures are not protected under the law.

The Whistleblower Protection Act covers all organizations with at least 50 employees (including both full- and part-time employees), as well as government agencies and private organizations that receive public funding, such as those operating in healthcare, education or transportation. However, there are exceptions for entities with fewer than 50 employees; for detailed information on these exceptions, visit this webpage.

The law requires employers to establish internal reporting channels and to provide training to employees on the protection of whistleblowers. Employers must also appoint a person or department responsible for receiving and processing reports of wrongdoing. The law protects whistleblowers and those assisting them from retaliation for submitting a report, and allows them to report their concerns to external state authorities as well.


What does the German Whistleblower Protection Act cover?

The Act adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include: 

  1. A secure and confidential channel for receiving whistleblower reports must be in place. 
  2. Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days. 
  3. An impartial person or department must be appointed to follow up on the reports. 
  4. Records must be kept of every report received in compliance with confidentiality requirements. 
  5. There must be diligent follow-up of the report by the designated person or department. 
  6. Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report. 
  7. All processing of personal data must be done in accordance with GDPR.

What are the rules outlined in the German Whistleblower Protection Act?

The Whistleblower Protection Act (known in German as the Hinweisgeberschutzgesetz, abbreviated “HinSchG”) covers all German organizations with at least 50 employees, and any financial services business regardless of the number of employees. Multinational companies can operate one enterprise-wide reporting system, so long as that system complies with the EU Whistleblower Directive.

The Act requires all covered businesses to (1) set up a whistleblowing channel with comprehensive whistleblower protection; (2) adopt a policy on reporting legal violations and other misconduct; and (3) designate a person who can receive and investigate internal reports. Large companies (those with 250 or more employees) must implement their whistleblower systems by 30 June 2023. Smaller companies must comply by 17 Dec. 2023. 

The whistleblower protections include confidentiality, a prohibition against retaliation and no liability for disclosing information necessary to the report. The person who receives internal reports can be either a direct employee of the company, such as an HR or compliance officer, or an outside third party such as a service provider. In all cases, the person must protect the whistleblower’s identity and other personal information at all times.

The German whistleblower law does not require companies to allow anonymous reporting, but if an anonymous report does arrive, the company is still expected to process and investigate that report as the company would do with any other submission. Companies are also free to allow anonymous reporting if they choose. 

In the event of a violation as the result of retaliation, the perpetrator is obliged to compensate the whistleblower. Companies or people found to be in violation of the whistleblower protection law can be subject to fines as high as €50,000.
