Whistleblower Protection (HinSchG) Guide 2026: Duties, Audit, Fines for 50+ Staff SMBs

1. What is the Whistleblower Protection Act?

The German Whistleblower Protection Act (HinSchG) transposes the EU Whistleblower Directive 2019/1937 into German law. It has been in force since 02.07.2023 and protects persons who, in the course of their professional activity, report violations of law — internally (internal reporting channel), to government bodies (external reporting channel) or in exceptional cases publicly.

Scope under § 2 HinSchG:

• Violations that are subject to criminal sanctions
• Violations subject to administrative fines, insofar as the rule serves the protection of life, limb or health, or the protection of rights of employees
• Violations of federal and state laws as well as EU legal acts (e.g. product safety, transport safety, environmental protection, radiation protection, food safety, public health, consumer protection, data protection, IT security)

Not covered are purely employment disputes without reference to the above areas (e.g. internal disputes about holiday entitlements).

2. Who is bound — the 50-staff threshold

2.1 Regular threshold (§ 12(1) No. 2)

Obligation to establish an internal reporting channel from 50 staff. Counting:

• Own staff of all contract types (full-time, part-time, fixed-term, apprentices, working students)
• Agency workers with 6+ months engagement at the organisation
• Dual students with employment relationship
• Not counted: pure contractors, exclusively freelancers

No rigid cut-off date — decisive is sustained exceedance of the 50-staff threshold.

2.2 Sector special rules (§ 12(3))

Mandatory regardless of size for:

• Securities service providers, credit institutions, insurers
• Payment institutions, e-money institutions
• Capital management companies
• AML-obliged entities under GwG (e.g. tax advisors, lawyers, notaries for certain activities)
• Audit firms
• Providers in transport, environmental protection, radiation protection, food

2.3 Group special rules (§ 14)

Groups may establish a central group-wide reporting channel. Important: the subsidiary remains responsible in its own right for HinSchG compliance. The CJEU ruling C-693/22 (2024) clarified: the group reporting channel is not full outsourcing — the individual establishment remains responsible.

3. The internal reporting channel (§§ 12-15)

The internal reporting channel is the core of HinSchG compliance. Requirements:

• Impartial and independent (§ 15(1)) — can be an existing function (HR, compliance, legal), but conflicts of interest must be excluded.
• Competency record (§ 15(2)) — persons entrusted with processing must have the necessary expertise. Training documentation required.
• Confidentiality obligation (§ 8) — the identity of the whistleblower and third parties is strictly confidential; disclosure only with consent or for criminal prosecution.
• Written procedure (§ 15(3)) — description of processes, responsibilities, deadlines.
• Documentation obligation (§ 11) — retain all reports for 3 years.

4. Reporting channels (§ 16)

The reporting channel must enable written and oral reports. At the whistleblower's request, an in-person meeting must additionally be offered within 14 days (§ 16(3)).

Requirements per channel:

• Written: letter or dedicated online form. Email is possible, but confidentiality § 8 must be technically ensured (encryption).
• Oral: phone hotline with recording (with consent) or live conversation.
• In-person: on request within 14 days.
• Anonymous (mandatory since 01.07.2024): § 16(1) — anonymous reports must be accepted and processed, even without ability to follow up.

5. Deadlines + confidentiality

6. External reporting channel / Outsourcing

§ 14(1) HinSchG allows outsourcing to third parties. Three practice options:

Important for outsourcing: DPA per Art. 28 GDPR, clear processing-deadline SLAs, competency record of the external body, cost model. Legal responsibility however remains with the organisation.

7. Fines + retaliation ban

Damages for retaliation (§ 37): burden-of-proof reversal — anyone disadvantaged must present indicators of connection with the report, the employer must then prove no retaliation occurred. Material damages + non-material damages possible.

8. Audit duty from 01.01.2026

The planned HinSchG amendment (draft 2025) introduces a regular effectiveness assessment of the internal reporting channel:

• Organisations with 250+ staff: annual audits
• Organisations 50–249 staff: audits every 2 years
• Content: functionality of channels, compliance with deadlines, documentation quality, confidentiality, staff qualification
• Reporting duty: on request to the supervisory authority

Status May 2026: amendment expected to enter into force on 01.01.2026. Those who already have a documented audit checklist are prepared.

9. Sector practice: HinSchG in different industries

9.1 Tax advisors, auditors, law firms

Professional firms have a dual role: mandatory own reporting channel from 50 staff + frequently as ombudsperson service for clients. Specifics:

• Professional confidentiality (§ 102 AO, § 43a BRAO) overlays HinSchG confidentiality
• Conflict-of-interest review with ombudsperson mandates (own firm clients as whistleblowers excluded)
• Client multi-role: DPA contract + professional duties
• Clause in advisory mandate: "Reports about our own firm are handled via external law firm"

9.2 Financial services (banks, insurers, asset managers)

Mandatory from the first staff member (§ 12(3) HinSchG in conjunction with § 25a KWG, § 23 VAG). Specifics:

• Existing whistleblowing systems (MaRisk AT 9.5) must become HinSchG-compliant
• Reporting interface with BaFin supervision required
• EU Whistleblower Directive for banks supplements (CRD V)
• Sanctions combine: HinSchG fines + KWG/VAG supervision

9.3 Corporations with DE establishments (CJEU C-693/22, 2024)

The CJEU clarified in 2024: central group reporting channel does not replace the responsibility of the individual establishment. Specifics:

• Local establishment must have own processing capacity
• Group reporting channel allowed as initial point of contact, but decentralised follow-up
• DPA between parent and subsidiary mandatory (GDPR compliance)
• Language availability: local language must be possible

9.4 Hospitals + care services

Hospitals from 50 staff bound. Specifics:

• Dual role: whistleblowers can be staff AND patients
• Patient data in reports = special categories Art. 9 GDPR
• Interlinked with patient complaint management (§ 11 KHG)
• Anonymous reports particularly critical with medical incidents

9.5 Manufacturing / mechanical engineering

Industrial SMBs with 50-249 staff. Specifics:

• Reports often on occupational safety, environmental protection, corruption
• Interlinked with Supply Chain Due Diligence Act (LkSG) — whistleblowing system mandatory from 1,000 staff + now also HinSchG
• Plant security / confidentiality clauses in employment contracts updated to be GDPR-compliant

10. Anonymised case studies

10b. Comparison: Internal vs. external reporting channel

10c. Audit preparation checklist (before amendment in force)

Those wanting to proactively conduct an effectiveness review in 2026 should cover these 12 points:

1. ✅ Written procedure § 15 in place, current, approved by management
2. ✅ Reporting channels documented: written, oral, in-person, anonymous
3. ✅ Competency record of reporting-channel staff (training + certificate)
4. ✅ Acknowledgement template for 7-day deadline
5. ✅ Feedback templates for 3-month deadline
6. ✅ Confidentiality training for staff with confirmation
7. ✅ Retaliation-ban notice in intranet + posting
8. ✅ Retention rule for at least 3 years documented
9. ✅ DPA with external reporting channel (if outsourced)
10. ✅ GDPR documentation on reporting channel (RoPA, TOM, DPIA if risk)
11. ✅ Anonymous-report intake technically implemented (mandatory since 01.07.2024)
12. ✅ Quarterly reporting to management (anonymised)

10d. Practical process: what to do with an active report

A specific report has been received. What are the first 30 days?

1. Day 1 — Intake registration: Confidential capture, unique case number, access only for reporting-channel staff. No copies to HR/managers without express necessity.
2. Day 1–7 — Acknowledgement: Written confirmation to whistleblower (also anonymously via platform). Notice of processing, estimated time, confidentiality assurance.
3. Day 1–14 — Plausibility check: Does the report fall within scope § 2 HinSchG? Is it sufficiently specific? With obviously unfounded reports: documented rejection.
4. Day 7–21 — Investigation plan: Who investigates? Which evidence? Who is interviewed? Protection of the whistleblower throughout.
5. Day 14–60 — Investigation: File preservation, witness interviews, where necessary forensic IT analysis. With secrecy violations → involve law firm.
6. Day 60–90 — Follow-up measures: With confirmed violation: corrective measures, where appropriate employment-law steps, where appropriate notification to authorities (BaFin, tax authorities, prosecution).
7. Within 3 months — Feedback: Whistleblower receives report on measures taken (§ 17(2) HinSchG). With ongoing investigation: interim status.
8. 3 years — Retention: all documents securely stored, access protocol maintained.

10e. Protection of whistleblowers in practice

§ 36 HinSchG prohibits all retaliation. What are concretely prohibited actions?

• Direct retaliation: dismissal, written warning, transfer to worse position, salary reduction, promotion denial
• Indirect retaliation: bullying, isolation, task removal, worse evaluation, harassment transfers
• Post-employment retaliation: negative reference after contract end, refusal of certificate corrections
• Towards third parties: defamation, blacklists among industry partners

Burden-of-proof rule § 37 HinSchG: with indicators of disadvantage within the 2-year period after a report, the burden of proof reverses. The employer must actively prove that the measure had other reasons. In practice: each personnel measure after a report requires a separate file note with justification — otherwise litigation risk.

10ea. GDPR interface: processing reporting-channel data correctly

The reporting channel processes highly sensitive data — GDPR compliance is a mandatory component. Core requirements:

• RoPA entry (Art. 30 GDPR): own processing activity "whistleblower reports" with purposes, data categories (Art. 9 possible), recipients, retention 3 years.
• Legal basis: Art. 6(1)(c) GDPR (legal obligation arising from HinSchG) — whistleblower consent NOT required and also not advisable (pressure moment).
• Special categories Art. 9: reports may contain sensitive data (e.g. health, religion). Legal basis Art. 9(2)(g) (public interest) in conjunction with HinSchG.
• TOMs Art. 32: encryption of report data, access restriction to reporting-channel staff, audit logs of each data use, technical anonymisation option.
• DPIA duty Art. 35: for reporting channels with high volume or multi-channel system (anonymous + named), DPIA is recommended — supervisory authorities increasingly critical of generic solutions.
• DPA Art. 28: mandatory for SaaS or ombudsperson solutions, with clear TOMs and sub-processor list.

10eb. International specifics + corporations

Corporations with staff outside the EU must additionally consider:

• EU Whistleblower Directive Art. 8 requires: whistleblowers can report in any EU language — with corporations with multiple EU establishments, in the respective local language.
• USA components: Dodd-Frank Section 922 / SOX 806 supplement for US subsidiaries — own US compliance hotline recommended.
• UK (post-Brexit): Public Interest Disclosure Act 1998 (PIDA) requires standalone reporting channel — UK subsidiary additionally needs UK-compliant channel.
• Switzerland: Whistleblowing not centrally regulated in Switzerland, but employment-law duty of loyalty + sectoral regulation (FINMA, Spitex). Group reporting channel in DE/AT with Swiss language version sufficient.

10ec. KPIs for reporting-channel reporting to management

Quarterly management reports fulfil the § 38 BSIG-analogous oversight duties and create transparency. Sensible KPIs:

• Volume indicators: total number of reports, thereof anonymous/named, by channel (written/oral/in-person)
• Topic distribution: categories per § 2 HinSchG scope (corruption, data protection, occupational safety, discrimination, environment)
• Processing quality: share of 7-day acknowledgements met, share of 3-month feedbacks met, average processing time
• Follow-up measures: number of completed investigations, number of corrective measures, number of external referrals (authority, prosecution)
• Retaliation monitoring: personnel measures regarding whistleblowers in the 2-year observation period — all documented, with § 37 burden-of-proof safeguard.

Report recommendation: anonymised (no names/IDs of whistleblowers), submission to management quarterly, once a year consolidated report for supervisory/advisory board.

10ed. KPI benchmarks and realistic volume expectations

What are realistic report numbers per year? A BvD evaluation 2025 over 280 organisations shows:

• 50–150 staff: typically 0–3 reports/year — many organisations have no report at all in the first 12 months.
• 150–500 staff: 2–8 reports/year — about 70% with comprehensible scope.
• 500–2,000 staff: 8–25 reports/year — here too a third without follow-up measure.
• 2,000+ staff: 25–80 reports/year — from this size, own compliance department justified.

If volume in a 50–250 staff organisation is conspicuously high (> 10/year) or low (0 over 24 months), this often indicates structural problems — either lack of trust in the channel (too low) or acute organisational conflicts (too high). Quarterly reviews with management help with assessment.

10f. Recent case law 2024–2026 (selection)

• CJEU C-693/22 (May 2024) "Group reporting channel": Central group reporting channel does not exempt from decentralised processing responsibility — each establishment remains independently bound.
• BAG 8 AZR 167/23 (February 2025) "Damages for retaliation": Burden-of-proof reversal § 37 HinSchG analogous to § 22 AGG — indicators suffice for conviction.
• LAG Munich 5 Sa 412/24 (April 2025) "Without-notice dismissal of whistleblower": Dismissal for reporting invalid, €38,000 damages awarded.
• BfJ statement Q3 2025: Practice guide on § 16 HinSchG (reporting channels) — email alone insufficient, at least 2 channels mandatory.

10g. 6 HinSchG practice cases 2024–2026 (facts → ruling → lesson)

The following six decisions shape German and European whistleblower case law between 2024 and 2026. They illustrate where courts and authorities actively enforce HinSchG — and what organisational consequences this has for SMBs with 50–249 staff. Each case ties together facts, decision, applicable provision and concrete lesson for the reporting-channel practice.

10h. HinSchG statistics 2025/2026

The Federal Office of Justice's annual report (BfJ Annual Report 2024, published Q1 2025) provides the first robust nationwide figures on HinSchG practice. The key findings:

• 4,250 anonymous reports via the federal BfJ hub in 2024 — an increase of about 38% compared with the first half of 2024 (before the anonymity obligation).
• 67% of all reports come from the personnel area — predominantly discrimination, bullying, sexual harassment, occupational safety. Only 18% concern classic compliance topics (corruption, money laundering).
• Average processing time of internal reporting channels: 21 days until the first substantial feedback — well below the statutory deadline of 3 months under § 17 HinSchG. Top-quartile companies handle initial processing within 9 to 12 days.
• 12% of bound companies with 50–249 staff still had no documented procedure as of the HSchGOWiZustV cut-off date of 09.04.2025 — these companies are the main target of the fine wave in Q3/Q4 2025.
• Share of § 37 damages claims with successful burden-of-proof reversal: 73% — the presumption rule operates very strongly in favour of whistleblowers in practice.
• External reports to the BfJ account for around 8% of all reports, external reports to the Federal Cartel Office / BaFin combined for about 4%. The remainder (88%) stays internal.

The BfJ is expected to publish the next report in Q1 2026 — a significant rise in fine proceedings and damages rulings is anticipated once the HinSchG amendment with the formal audit obligation takes effect.

10i. 5 myths about HinSchG — and what actually applies

In daily advisory practice we repeatedly encounter five misconceptions that lead to concrete compliance gaps. The following overview legally clarifies each of these myths.

Myth 1: "§ 22 HinSchG = audit obligation for companies"

False. § 22 HinSchG regulates the external reporting channels at the BfJ and the Federal Cartel Office — i.e. the state intake points for reports that citizens use outside of their employer. The audit obligation for internal reporting channels is part of the HinSchG amendment 2025/2026 and will likely be anchored in a new § 18a HinSchG. Anyone confusing § 22 with an internal audit obligation defends the wrong provision against the supervisory authority.

Myth 2: "Anonymous reports do not have to be processed"

False — since 01.01.2025 processing is explicitly mandatory. § 16(1) sentence 4 HinSchG (inserted by the clarification amendment at the end of 2024) requires that anonymous reports be included in the processing procedure just like named reports. Only the feedback obligation under § 17(2) does not apply for lack of a return channel — the plausibility check, investigation and follow-up measures must however be carried out. Anyone who sorts out anonymous reports risks a fine under § 40 HinSchG.

Myth 3: "A group reporting channel is sufficient without local set-up"

False — CJEU C-693/22 (May 2024) clearly refuted this. A central group reporting channel is permitted as initial contact point but does not replace the decentralised processing responsibility of the individual establishment. Groups with several German establishments or an EU-wide structure must designate local compliance officers with decision-making authority. Otherwise Art. 14 of Directive 2019/1937 (obligation to local functional capacity) applies against the establishment — and thus also against the parent company via § 14 HinSchG.

Myth 4: "External law firms are the only solution"

False — § 14 HinSchG names three equivalent models. Besides pure outsourcing to a law firm (ombudsperson model), outsourcing to a specialised SaaS platform or an in-house solution with competency record (§ 15(2)) is equally legally complete. A hybrid model (central SaaS intake platform + internal processing) is often the economically best set-up for SMBs with 50–249 staff: ~€1,200/year SaaS + 0.2 FTE internal processing.

Myth 5: "50–249 staff can skip the reporting channel"

False — § 12(1) No. 2 HinSchG has bound them without exception since 17.12.2023. The frequently cited "transitional period" only applied between 02.07.2023 and 17.12.2023 and has expired more than two years ago. Anyone with 50–249 staff who does not maintain a documented internal reporting channel has been in legally relevant default since the day of crossing the threshold and can be sanctioned at any time under § 40(2) No. 2 HinSchG with a fine of up to €20,000. Via § 30 OWiG, the 10-fold multiplier for legal persons additionally applies — i.e. a maximum fine of up to €200,000.

10j. HinSchG implementation status DACH 2026

While Germany has created a relatively complete transposition of the EU Whistleblower Directive with HinSchG, Austria and Switzerland differ considerably. The following overview shows the status as of May 2026.

Groups with DACH-wide structures should define uniform group minimum standards in 2026 and treat the respective country-specific special obligations as add-ons. A pure "Swiss exception" is risky as soon as the Swiss subsidiary operates with EU exposure (supply chains, EU data flows, EU sales structures).