Whistleblower Protection Kit (HinSchG)
55 ready-to-use documents. Reporting office (§ 12), confidentiality (§ 8), anti-retaliation (§ 36), DPIA + effectiveness self-review. Personalised with your company name, audit-ready.
Concrete risks & enforcement practice
Fines up to EUR 500,000
Confidentiality breaches or retaliation: up to EUR 500,000 for legal entities (§ 40(2) HinSchG → § 30 OWiG).
Reversal of burden of proof
Adverse treatment after a report is presumed retaliation — employer must prove the opposite.
Anonymous reports mandatory
Since 01.01.2025: Anonymous reports must be processable.
Everything you need
Internal Reporting Office Setup (§ 12)
Officer appointment, written/oral/in-person channels, anonymous reporting capability (§ 16 para. 1 sentence 4 HinSchG: SHOULD-provision; § 42 HinSchG requires processing of anonymous reports since 1 Jan 2025 if submitted).
Confidentiality Concept (§ 8)
Identity protection, RBAC with need-to-know, audit-trail with 3-year retention, separation reporting office / HR / IT.
Reporting Channel Architecture
Concept document, software vendor comparison (EQS Integrity Line, Whistlelink, NAVEX), DPIA for the system.
Anti-Retaliation (§ 36-37)
Retaliation prohibition policy, HR-measures-after-report checklist, independent-decision-evidence template.
Case Handling Playbook
Decision tree, interview guide, plausibility check, case closing report template.
GDPR Bridge
DPIA for the reporting system, RoPA entry, privacy notice for whistleblowers and accused persons.
Effectiveness Self-Review (best practice)
12-point self-review template for compliance officers — deadlines, training, anonymous handling, retention, DPA. Voluntary, not a statutory duty.
Training Materials
Interactive HTML e-learning module, PowerPoint training presentation (49 slides), 50-question knowledge quiz, participation certificate template.
3 steps to your kit
Fill out the order form
Company details, VAT ID (optional, for reverse-charge), select your tier. You receive an immediate order confirmation by email.
Invoice & bank transfer
Within 24 hours (business days) you receive a proper invoice. Payment term 14 days by bank transfer. For EU B2B with valid VAT ID: reverse-charge.
Download by email
Once payment is received, you get a signed download link to all personalised professional templates. Link valid for 7 days, extendable once.
Choose your tier
One-time payment · Instant download · Buy once, always up-to-date
Purchase as a business under § 1 KSchG / § 14 BGB. By clicking "Order" you accept our Terms and Privacy Policy.
- 55 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
- 55 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
- E-learning module (employee training)
- 55 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
- E-learning module (employee training)
- Trainer pack (PowerPoint + trainer materials for in-house training)
All documents are pre-filled with your company name and license ID. Download link via email.
Multi-company license for corporate groups
Multiple independent sister companies without group affiliation (§ 15 AktG)? +50% surcharge extends the license to 3 companies in total (main customer + 2 sister companies).
Example: Plus 1,290 EUR × 1.50 = 1,935 EUR. Choose the multi-company license at checkout. Details in our Terms § 6.
Note: Templates are based on current case law and source-verified before delivery. Customisation to your specific company situation and final legal review are recommended. 60-day money-back guarantee* per Terms § 8.
Frequently bought together
What we stand for
Money-back guarantee
If you find any errors, we refund the full purchase price. Details in Terms § 8.
Always current
Updates without time limit within the major version: new regulatory guidelines, CJEU rulings, known follow-up phases of a regulation. Terms § 7.
Source-based + documented
Every document is based on EU regulatory text, BfDI/DSK/BSI/EDPB guidelines, and supreme court case law — the as-of date is noted in each document.
Frequently asked questions
Does HinSchG apply to my company?
Yes, from 50 employees you must set up an internal reporting channel — regardless of sector. Securities firms, capital management companies and other sector-specific entities are covered even below this threshold.
Important scope clarification: HinSchG protects ONLY reports on certain legal areas — GDPR breaches, EU financial fraud, money laundering, food/product safety, competition, consumer protection, environmental/radiation protection and similar EU law areas (§ 2 HinSchG). NOT protected: generic whistleblowing on all topics like personal conflicts or purely employment-law matters.
Which tier fits me — Basis, Plus or Komplett?
Basis (EUR 990 net) — You have internal compliance staff (DPO/CISO/HR lead) who can adapt and implement all documents themselves. No employee e-learning required.
Plus (EUR 1,290 net) — most popular — You want to train employees interactively (e.g. to fulfil the AI literacy obligation under Art. 4 EU AI Act or the Section 12 AGG protective measures for the liability privilege). Includes a ready-made e-learning module with quiz and attendance certificate.
Komplett (EUR 1,490 net) — You want to run the trainings internally and repeatedly (e.g. for new hires) without booking an external trainer every time. Additionally includes the Trainer Pack: PowerPoint slides with notes, trainer handbook and quiz pool.
What is included in the kit?
55 editable templates covering the full HinSchG / Whistleblower Protection scope: reporting-office setup (§ 12), confidentiality concept (§ 8), reporting-channel architecture (anonymous incl. since 1 Jan 2025), case-handling playbook, anti-retaliation policies (§ 36-37), GDPR bridge (DPIA, RoPA entry, privacy notice), effectiveness self-review, training materials with quiz and certificate.
Can I keep the templates forever?
Yes. After purchase you receive a download link containing all personalised professional templates. The files belong to you completely — you can store, integrate, edit and archive them. No cloud dependency, no per-device license activation, no internet connection required for use.
What does "buy once, always up-to-date" mean?
You receive all updates of the kit as long as the kit is maintained in its current major version. Updates arrive when authorities publish new guidance, new case law is published, or known follow-up phases of a regulation kick in. If a substantially new regulation supersedes the existing one, a new major version emerges — existing customers receive a 50% discount. Details in Terms § 7.
What does the 60-day money-back guarantee cover?
If a template content is provably legally incorrect (proven by a lawyer's letter or authority statement), we refund the purchase price. Deadline: 60 days from delivery. Details in Terms § 8.
From how many employees is the reporting office mandatory?
From 50 employees (§ 12 HinSchG). Below 50: not required, but recommended. For corporations: § 14 special rules apply (hybrid models).
50 employees — headcount or full-time equivalents?
Per § 12 para. 2 HinSchG: headcount — full-time, part-time, trainees, fixed-term contracts, all counted without differentiation. Temporary agency workers count if placed "for an assignment typically exceeding 6 months". Marginally employed staff (mini-jobbers) also count.
Are anonymous reports mandatory?
No, but strongly recommended. § 16 para. 1 sentence 4 HinSchG is a SHOULD-provision ("reporting channels should be designed to also receive and process anonymous reports"), not a strict duty. § 42 HinSchG has, since 1 January 2025, added an obligation to process anonymous reports if they are submitted. Practice: supervisory and audit standards expect an anonymous return channel — making it de facto required.
Are group subsidiaries with under 50 staff also obliged?
Yes, if the parent company has 50 or more employees (German Federal Labour Court line on case-by-case group treatment). Practical recommendation: set up a dedicated reporting channel at each subsidiary OR use the group solution per § 14 HinSchG — noting that the EU Commission considers the German group solution non-compliant with the EU Directive.
Is a centralised group reporting channel permitted?
Per § 14 HinSchG: yes — but the EU Commission has objected to this as non-compliant with the EU Whistleblowing Directive. Until clarified: a group solution remains possible, but additional local reporting points per subsidiary are recommended. A hybrid model is the most robust from a regulatory-risk perspective.
What does a whistleblowing system cost monthly?
SaaS solutions: EUR 1,200–6,000 per year (ongoing), sometimes including a trust person. In-house implementation: EUR 5,000–15,000 one-time. Compliance-Kit HinSchG Kit: one-time EUR 390–990 — all templates, no recurring subscription. Does not scale with the number of reports.
Can I use an external reporting office?
Yes, from 50 employees you can choose between internal or external (e.g. law firm, BMJ federal office). External often offers higher confidentiality and lower insider risk. § 14 HinSchG permits engaging external ombudspersons (typically lawyers specialising in compliance). Cost: EUR 5,000–25,000 per year depending on volume. A data processing agreement (DPA) per Art. 28 GDPR is required.
Fine risk for non-compliance?
Up to EUR 50,000 per offence (legal entity, § 40 HinSchG). A tenfold increase to EUR 500,000 via § 30 OWiG applies only to the offences listed in § 40 para. 6 HinSchG (§ 40 para. 2 nos. 1 and 3, paras. 3 and 4); failure to establish an internal reporting office (§ 40 para. 2 no. 2) is NOT covered. Multiple offences in concurrence (e.g. confidentiality breach affecting several persons): fines add up. Damages under § 37 HinSchG apply independently.
How long must HinSchG records be retained?
Per § 11 para. 5 HinSchG: 3 years after case closure. Austria (HSchG): 5 years. For ongoing criminal proceedings or lawsuits: until conclusion. GDPR interface: deletion obligation after the retention period (Art. 17 GDPR).
Is there a HinSchG audit obligation from 1 January 2026?
No. § 22 HinSchG governs the external reporting channel at the Federal Cartel Office (competition law/DMA), not an audit duty for companies. An annual effectiveness self-review of the reporting channel is best practice for management reporting (ISO 37301 model) — NOT a statutory obligation and no 1 January 2026 deadline.
Are AGG (anti-discrimination) violations also reportable under HinSchG?
Yes, where the violation concerns §§ 1, 7 AGG — these fall under § 2 para. 1 no. 2 HinSchG. Interface with the AGG complaints office per § 13 AGG: procedures can be combined or run in parallel. Important: § 8 HinSchG confidentiality also applies in the AGG complaints office.
Is a central email address sufficient as a reporting channel?
Not sufficient. § 16 HinSchG requires three channel types: written (email is acceptable), oral (telephone or voicemail), in-person on request. Plus, since 1 January 2025: anonymous handling capability (which email alone cannot provide without additional measures). Practical recommendation: web form with anonymous option plus telephone hotline.
Knowingly false report — how do I defend myself?
§ 33 para. 1 no. 2 HinSchG: in the case of a knowingly false report, protection against retaliation does not apply. Fine up to EUR 20,000 (§ 40 HinSchG). Damages claim per § 38 HinSchG for any harm incurred. Burden of proof for "knowingly" lies with the employer — clean documentation of the fact-finding process is mandatory.
Municipalities under 10,000 inhabitants — also obliged?
No. Per § 12 para. 1 HinSchG, municipalities with fewer than 10,000 inhabitants are exempt from the obligation. They may set up a reporting channel voluntarily. Larger municipalities (10,000 inhabitants or more) are obliged — regardless of the size of the administrative staff.
HSchG Austria vs. HinSchG Germany — what are the differences?
Both transpose EU Directive 2019/1937. Differences: AT has a narrower material scope (no domestic criminal-law reference), AT requires DPIA by statute (§ 8 para. 13 HSchG), AT retention period is 5 years (DE 3 years). German fines are higher (EUR 50,000 / EUR 500,000 for legal entities) than Austrian (EUR 20,000 / EUR 40,000).
Must the reporting officer be a fully qualified lawyer?
No. § 15 para. 2 HinSchG requires "the necessary expertise" — no legal qualification mandated. Training (e.g. TÜV, GDD, Compliance-Kit) is sufficient qualification. For external ombudspersons, lawyer status is standard but not required.
Must employees be trained on HinSchG?
No explicit training obligation in the HinSchG, but de facto required: § 13 HinSchG requires that the reporting channel is publicly known, managers must understand retaliation protection under § 36 HinSchG, and an annual effectiveness self-review (best practice, not a statutory obligation) builds on documented training records. At least annually, documented.
Does the works council have co-determination rights when setting up the reporting channel?
Yes — on the design of the procedure and the technical systems used, per § 87 para. 1 nos. 1 and 6 BetrVG (Works Constitution Act). The duty to establish a reporting channel is statutory and not co-determined as such. In practice: a works agreement covering the reporting-channel provider, confidentiality rules, data flow, and evaluation.
Which records must I have ready for a regulatory audit?
Seven core documents: appointment letter for the reporting officer plus proof of expertise, written procedure with deadlines, confidentiality concept including DPIA, posting/announcement of the reporting channels, training records for employees, anonymised case register with deadline compliance, and the annual effectiveness self-review (best practice for management reporting).