Whistleblower Procedure Template: § 15 HinSchG Reporting Process

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • HinSchG s. 15 obliges employers to maintain a written, documented reporting office procedure
  • Mandatory deadlines: 7-day acknowledgment, 3-month feedback, 3-year retention
  • Mandatory channels: written + oral (telephone), in-person on request
  • Confidentiality: protecting the identity of the reporter, affected persons and third parties is mandatory (s. 8)
  • Anonymous reports: must be processed since 2024-07-01
  • Audit from 2026-01-01: external effectiveness review every 2 years (250+ staff)
  • Fines: up to EUR 50,000 for breaches

Context: Germany's Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) implements EU Directive 2019/1937. It applies to all employers and is the German national equivalent of the EU whistleblower regime.

1. What HinSchG s. 15 Requires

HinSchG s. 15 compels employers to set up and operate an internal reporting office. The requirements:

Section 12(1) requires this procedure to be documented in writing. Supervisory authorities — in Germany the Bundesamt für Justiz (BfJ) — request this written procedure during inspections.

2. Mandatory Content (ss. 12-22)

2.1 Scope + Definitions (ss. 1-3)

The procedure must clarify which violations are reportable (material scope under s. 2): criminal offences, certain administrative offences punishable by fine relating to protection of life/limb/health/employee rights, breaches of EU law areas (anti-money laundering, financial markets, environment, food safety etc.). Purely private disputes are not covered.

2.2 Protected Persons (s. 1(1))

Employees, former employees, applicants, self-employed, shareholders, management members, interns, agency workers, persons from the supplier network, their family members in case of reprisals. The procedure must name this scope.

2.3 Reporting Channels (s. 16)

Mandatory: written (post box, postal address, email, online platform), and oral (phone, recording, voicemail). On reporter's request: in-person meeting within reasonable time.

2.4 Procedural Steps (s. 17 + s. 18)

  1. Acknowledgment of receipt: within 7 days (s. 17(1) no. 1)
  2. Plausibility check: is the report covered by the material scope, is there enough information for investigation
  3. Stay in contact: ask reporter for additional information if needed
  4. Follow-up actions (s. 18): internal investigation, refer reporter to another competent body, close case for lack of evidence or because issues have been remedied, inform law enforcement
  5. Feedback: inform reporter about follow-up actions within 3 months of acknowledgment (s. 17(2))

2.5 Confidentiality (s. 8)

Identity of reporter, affected persons and third parties mentioned in the report must be treated confidentially. Disclosure only in narrowly defined cases: in case of wilfully false reports, with consent, vis-à-vis law enforcement where there is a disclosure duty.

2.6 Anonymity (s. 16(1) sentence 4 — 2024 amendment)

Anonymous reports must be accepted and processed. The procedure must allow the reporter to remain anonymous while still communicating with the reporting office (e.g., anonymous inboxes in online platforms).

2.7 Prohibition of Reprisals (ss. 33 ff.)

Measures against reporters because of their report are prohibited. Reverse burden of proof: if a disadvantage occurs after a report, the employer must prove it is not retaliation. The procedure must transparently set out this protection.

2.8 Documentation (s. 11)

Each report must be documented — for oral reports either by recording with reporter's consent or by minutes; otherwise by permanently retrievable record. Retention: 3 years after case closure, longer if necessary.

3. Structure of the Procedure Document

Recommended structure (in this exact order):

3.1 Scope

Which entities / sites / employee groups, which violations. Reference to s. 2 HinSchG.

3.2 Roles + Responsibilities

Internal reporting office officer, deputy, escalation addresses (management, supervisory board). Note: in corporate groups, BfJ FAQ 2024 clarified that a central group reporting office is only sufficient if it is organizationally clearly designated as the internal reporting office of the subsidiary.

3.3 Reporting Channels

Phone number, email address, postal address, online portal, optionally in-person meeting. Availability times. Multilingual support for multinational companies.

3.4 Procedural Steps (detail workflow)

Step by step: intake → acknowledgment (day 1-7) → plausibility → investigation → follow-up actions → feedback to reporter → closure + documentation.

3.5 Confidentiality Protection

Technical separation of reporting office data from HR systems, access restriction (need-to-know), encryption, audit logging.

3.6 Data Protection (Art. 6(1)(c) GDPR + s. 10 HinSchG)

Legal basis for processing, right-of-access restriction towards data subjects (s. 29(1) no. 4 German Federal Data Protection Act), data processing agreement with external service providers.

3.7 Reprisal Protection

Protection statement, contact to independent body in case of impairment, escalation to external reporting office (BfJ) remains available.

3.8 Documentation + Archive

Minutes template, storage location, access rights, deletion deadlines (3 years + extension).

3.9 Quality Assurance

Annual self-evaluation of effectiveness, external audit obligation for large entities from 2026.

3.10 Annexes

Acknowledgment template, investigation protocol, feedback template, documentation template, reprisal protection statement.

4. Interfaces to Other Departments

4.1 HR

When a report concerns an employee: labour-law follow-up actions (warning, dismissal) go through HR — but the reporting office only passes on information necessary for the measure, not the reporter's identity without consent.

4.2 Compliance / Legal

Criminal complaint, informing law enforcement, external legal advice in complex cases. Reporting office escalates, compliance/legal decides on external communication.

4.3 Management / Board

Escalation route in cases where management itself is involved (mandatory alternative escalation: supervisory board, group compliance officer). Annual report on reporting office statistics (anonymized).

4.4 Data Protection Officer

DPIA for reporting-office processing (Art. 35 GDPR), consultation for particularly sensitive cases, clarification of interfaces with GDPR rights of access.

4.5 Works Council

Co-determination under s. 87(1) no. 1 Works Constitution Act when introducing the reporting office. Participation in the procedure but no access to individual reports (confidentiality s. 8).

5. Reporting Channels in Practice

| Channel | Mandatory? | Anonymity possible | Typical cost |
|---|---|---|---|
| Online platform (SaaS) | No (recommended) | Yes, anonymous mailbox | EUR 3-12k / year |
| Email inbox | Optional | Limited (server logs) | EUR 200 setup |
| Phone hotline | Yes (oral required) | Yes, no caller ID | EUR 500-3,000 / year |
| Postal address | Yes (written required) | Yes | marginal |
| External ombudsperson | Optional | Yes | EUR 5-15k / year |
| In-person meeting | Yes (on request) | Limited | internal resource |

6. Audit Obligation from 2026-01-01

The 2025 HinSchG amendment introduced an external effectiveness review:

For smaller employers (50-249 staff) the review is not mandatory, but voluntary internal audits are recommended: they create evidence in case of supervisory inquiries.

7. Common Mistakes in Practice

  1. "We don't have any" — no documented procedure. BfJ requests document. Fine up to EUR 20,000 (s. 40(2) no. 2).
  2. Only email as reporting channel. Breach of s. 16(3) (oral channel missing).
  3. Anonymous reports not processed. Prohibited since 2024-07-01.
  4. Compliance officer is simultaneously HR head. Conflict-of-interest risk for HR-related reports.
  5. Deadlines not met. 7-day acknowledgment forgotten, 3-month feedback skipped. Direct breach.
  6. Intake logs on shared mail server. Confidentiality s. 8 not maintained.
  7. No training of reporting office officers. Breach of s. 15(2) (expertise).

Summary

The written procedure under s. 15 is the document any supervisory authority will request first. It is not optional and it is not satisfied by a SaaS platform alone — the platform delivers channels, but the procedure itself defines roles, deadlines, escalation, confidentiality and documentation. Build it once thoroughly, then keep it under annual review.

Frequently Asked Questions

What does HinSchG s. 15 require?
HinSchG s. 15 requires employers to establish an internal reporting office with a written, documented procedure. The procedure must reflect obligations under ss. 12-22: reporting channels, 7-day acknowledgment deadline, 3-month feedback deadline, confidentiality, anonymity, prohibition of reprisals, documentation.

Which deadlines must the procedure include?
Acknowledgment of receipt: 7 days (s. 17(1) no. 1). Feedback to reporter: 3 months from acknowledgment (s. 17(2)). Document retention: 3 years from case closure (s. 11). Anonymous reports: must be processed since 2024-07-01.

Which reporting channels must I offer?
At minimum written AND oral (s. 16(3)). Oral: telephone or other voice transmission system. On request from the reporter: in-person meeting within reasonable time. Online platform recommended but not mandatory.

Who can be the reporting office officer?
Own employees, third parties (ombudsperson, external lawyer, SaaS provider) or several persons. Prerequisite: required expertise (s. 15(2)), no conflicts of interest, independence in role, confidentiality.

Is there an audit obligation?
The 2025 HinSchG amendment provides for external effectiveness review every 2 years from 2026-01-01 (for employers with more than 250 staff). Breach: fines up to EUR 50,000.

What happens in case of reprisals?
HinSchG s. 36 protects whistleblowers against disadvantages. Reverse burden of proof: the employer must show the measure was not retaliatory. Breach: damages + fine up to EUR 50,000.
