We see ourselves as experts in designing and developing legally compliant whistleblowing systems in a national and international context.

Whistleblower Protection

Protection of Whistleblower

Companies have the duty to ensure that their organizations act in accordance with all applicable rules and regulations. Due to the ever-increasing regulatory requirements for companies worldwide regarding the protection of whistleblower, the design, implementation and adaptation of appropriate systems are becoming increasingly important. Due to our interdisciplinarity and internationality, we can provide the best possible advice to companies of any size and in any industry, both in a national and international context.

Whistleblower protection is an essential instrument for reporting suspected compliance violations and for being able to adequately react to them. At both national and international levels, regulatory requirements are increasing for companies to establish a compliance management system that makes it possible to report potential or actual compliance violations in an appropriate manner and to deal with them. Since such violations – whether of criminal laws or internal company guidelines – are increasingly the focus of official investigations and, not least, are subject to severe penalties, preventive measures that are in line with regulatory requirements are more important than ever.

It is always in the interest of the company itself to counter the considerable cost and reputational risk resulting from possible fines and other repressive measures. Therefore, legally compliant and user-friendly reporting channels as well as comprehensive internal investigations to uncover, process and punish identified compliance violations are essential, whether in the form of specially designated employees of the company or external, specialized consultants, are essential. This applies irrespective of legal obligations, which previously applied only to regulated industries, now due to the successive implementation of the EU Whistleblower Directive in many European countries. For larger companies, there are corresponding requirements based on the Supply Chain Due Diligence Act.

In addition to the conceptual design of the whistleblower system, the aspect of compliance culture also plays an essential role. Companies would do well to create a speak-up culture to promote the open handling of suspicious circumstances. Executives in particular – as Tone from the Top – are expected to establish an environment within their team that encourages employees to openly address compliance-relevant issues and report suspected misconduct.

We support you in the conceptual design and implementation of whistleblowing systems suitable for your company, not only to meet the legislative requirements, but also to find an appropriate and effective solution. In addition, we also advise on the adaptation of existing whistleblower protection concepts to future national legal frameworks. This includes not only the design of the system as such and the receipt of reports, but also the further handling of such reports with regard to plausibility checks and evaluation of the allegation, its internal allocation as well as the clarification and elucidation of the facts. Rules and processes are needed for this.

Following receipt of a report, we advise companies and their employees on how to deal with reported allegations. In addition to the legally compliant processing of the reported allegations, this also includes their punishment, mitigation and improvement measures and ensuring that the whistleblowing person is not disadvantaged.


General conception of whistleblowing systems
  • Whistleblowing channels should allow, among other things, the submission of anonymous reports and communication with the whistleblowing person. Internal reporting offices must be independent and have the necessary expertise. From a systemic perspective, acknowledgment of receipt of the report to the reporting person must be provided within seven days for reports received via the system. Within further three months, the reporting person must be informed about the actions envisaged or taken as follow-up and the grounds for these actions.
Reporting channels and addressees
  • Companies must decide strategically, on the one hand, which channels they implement within their organization and, on the other hand, whether and, if so, which channels they also make available to external third parties. Within the organization, reporting channels must be publicized on the intranet; in addition, there is an obligation to provide employees with clear and easily accessible information about external reporting procedures. This obligation does not apply to third parties – such as customers or business partners – at least not under the Whistleblower Protection Act. However, it may arise from requirements under Supply Chain Due Diligence Act. The Code of Conduct can contain a reference to the reporting channels that are also available to third parties.
Regulatory requirements and co-determination

When designing and structuring their whistleblower protection concept, companies must take into account the regulatory requirements as well as the requirements of corporate co-determination – in particular the participation of the works council. For example, we provide support in assessing whether a co-determination situation exists and in drafting a works agreement.

Data Protection aspects
  • Since personal data is processed both when reports are received and when they are handled and followed up, data protection aspects must be taken into account when designing whistleblower systems, especially for national and European issues. Every whistleblower system must follow a defined retention and deletion concept. The data received and collected must be passed on exclusively in accordance with the need-to-know principle and may only be retained for the period in which the purpose of their retention continues.
Particularities for SMEs and external outsourcing
  • As the legal regulations will become mandatory for employers with 50 to 249 employees according to the current German draft law, companies of this size must have whistleblower systems in place for the long term that are designed in accordance with the legal regulations. As a possible form of organization, the draft law provides for the transfer of the tasks of an internal reporting office to third parties. This requires tight contractual regulations, which we can advise on. However, it remains the duty of the company itself to take appropriate measures to put an end to the infringement.
Group-wide solutions
  • In line with the delegation of the tasks of internal reporting channels to third parties, the draft law currently published for Germany opens up the possibility of setting up independent and confidential resources within a group company that act on behalf of several group companies. In particular, the implementation laws for all EU countries in which the respective group companies are located must be examined. With regard to the concrete design and organization as well as the responsibilities in detail, a clear, transparent, efficient and legally compliant concept is required, laid down in internal regulations. Any group-wide reporting channels must always be independent and equipped with sufficient and expert personnel resources.
  • If a company operates globally, it must also observe international legal standards in compliance matters that go beyond the national context. Since legal requirements diverge not only in the European legal area, but also – and above all – worldwide, a whistleblower protection concept that is geared to the fundamental international requirements is useful. In addition, the concept must make it possible to react flexibly to the regulations applicable in the specific individual case and to adapt to the respective legal framework.