Whistleblower Protection Act for Law Firms: Professional Rules + Confidentiality
TL;DR
- Law firms with 50+ employees fall under the Whistleblower Protection Act (HinSchG) — partners and non-lawyer staff count toward the threshold
- Section 203 Criminal Code (StGB) confidentiality overrides whistleblower disclosure for client-related information
- External reporting channel recommended — an independent law firm reduces insider risk
- beA (lawyer's electronic mailbox) is not a valid reporting channel — its purpose differs; separate software required
- BRAO Section 43a professional duties remain unaffected — lawyers may only whistleblow within tight limits
1. 50-Employee Threshold
Under Section 12 of the Whistleblower Protection Act (HinSchG), an internal reporting channel is mandatory from 50 employees. Both qualified lawyers and non-lawyer staff count. In practice, mid-sized and large German law firms are almost always within scope.
2. Section 203 Criminal Code vs. Whistleblower Duty
Client confidentiality under Section 203 of the German Criminal Code (StGB) remains protected. A whistleblower at a law firm cannot disclose client secrets through the HinSchG channel — the duty of professional secrecy prevails. Reports may concern internal misconduct (e.g. billing fraud, money laundering compliance gaps) without naming clients.
3. External Reporting Channel Recommended
For law firms in particular, an external reporting channel run by an independent specialist law firm reduces insider risk and increases trust among employees. Section 14 of the German Federal Lawyers' Act (BRAO) on professional independence supports this allocation.
4. beA Integration
The "besonderes elektronisches Anwaltspostfach" (beA, special electronic lawyer mailbox) must NOT be used as a HinSchG reporting channel. It serves a different purpose (court communication) and lacks anonymous return-channel functionality. Use dedicated whistleblower software instead.
5. BRAO Section 43a Professional Duties
Lawyers' professional duties under BRAO Section 43a remain untouched. A lawyer-employee may only "whistleblow" within narrow professional limits — disclosure of client mandates is generally barred even when reporting internal violations.
6. Practical Implementation
- Engage an external reporting channel at a specialist law firm
- Train lawyers and non-lawyer staff on the dual regime (HinSchG + BRAO)
- BRAO-compliant investigation workflow with privilege safeguards
- Consult the regional Bar Association (Rechtsanwaltskammer / RAK) on professional-rules concerns
Summary
Law firms must implement the HinSchG regime once they reach 50 employees, but Section 203 StGB and BRAO professional duties carve out client information from the scope of disclosure. An external reporting channel run by independent specialist counsel is the cleanest setup; beA cannot substitute for compliant software.
Frequently Asked Questions
Whistleblower protection for lawyers?
Is BeA sufficient?
Sources
- Whistleblower Protection Act (HinSchG), Sections 5, 8, 12, 19, 36, 40, gesetze-im-internet.de/hinschg (As of: 2026-05-02)
- Federal Lawyers' Act (BRAO) Sections 43, 43a (professional confidentiality), gesetze-im-internet.de/brao (As of: 2026-05-02)
- Criminal Code Section 203 (breach of private secrets), gesetze-im-internet.de/stgb/__203 (As of: 2026-05-02)
- Directive (EU) 2019/1937 of 23 October 2019 (Whistleblower Directive), eur-lex.europa.eu (As of: 2026-05-02)
- Regulation (EU) 2016/679 (GDPR), eur-lex.europa.eu (As of: 2026-05-02)