Whistleblower Procedure Template: § 15 HinSchG Reporting Process
TL;DR
- HinSchG s. 15 obliges employers to a written, documented reporting office procedure
- Mandatory deadlines: 7-day acknowledgment, 3-month feedback, 3-year retention
- Mandatory channels: written + oral (telephone), in-person on request
- Confidentiality: identity of reporter + affected persons + third parties mandatory (s. 8)
- Anonymous reports: must be processed since 2024-07-01
- Effectiveness self-review (recommended, not mandatory): e.g. every 2 years from 250+ staff
- Fines: up to EUR 50,000 for breaches
Context: Germany's Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) implements EU Directive 2019/1937. It applies to all employers and is the German national equivalent of the EU whistleblower regime.
1. What HinSchG s. 15 Requires
HinSchG s. 15 compels employers to set up and operate an internal reporting office. The requirements:
- s. 15(1): designate persons or an operational unit acting independently and with required expertise
- s. 15(2): ensure required expertise (training, continuing education)
- s. 15(3): avoid conflicts of interest; dual roles allowed but must not compromise independence
Section 12(1) requires this procedure to be documented in writing. Supervisory authorities — in Germany the Bundesamt für Justiz (BfJ) — request this written procedure during inspections.
2. Mandatory Content (ss. 12-22)
2.1 Scope + Definitions (ss. 1-3)
The procedure must clarify which violations are reportable (material scope under s. 2): criminal offences, certain administrative offences punishable by fine relating to protection of life/limb/health/employee rights, breaches of EU law areas (anti-money laundering, financial markets, environment, food safety etc.). Purely private disputes are not covered.
2.2 Protected Persons (s. 1(1))
Employees, former employees, applicants, self-employed, shareholders, management members, interns, agency workers, persons from the supplier network, their family members in case of reprisals. The procedure must name this scope.
2.3 Reporting Channels (s. 16)
Mandatory: written (post box, postal address, email, online platform), and oral (phone, recording, voicemail). On reporter's request: in-person meeting within reasonable time.
2.4 Procedural Steps (s. 17 + s. 18)
- Acknowledgment of receipt: within 7 days (s. 17(1) no. 1)
- Plausibility check: is the report covered by the material scope, is there enough information for investigation
- Stay in contact: ask reporter for additional information if needed
- Follow-up actions (s. 18): internal investigation, refer reporter to another competent body, close case for lack of evidence or because issues have been remedied, inform law enforcement
- Feedback: inform reporter about follow-up actions within 3 months of acknowledgment (s. 17(2))
2.5 Confidentiality (s. 8)
Identity of reporter, affected persons and third parties mentioned in the report must be treated confidentially. Disclosure only in narrowly defined cases: in case of wilfully false reports, with consent, vis-à-vis law enforcement where there is a disclosure duty.
2.6 Anonymity (s. 16(1) sentence 4 — 2024 amendment)
Anonymous reports must be accepted and processed. The procedure must allow the reporter to remain anonymous while still communicating with the reporting office (e.g., anonymous inboxes in online platforms).
2.7 Prohibition of Reprisals (ss. 33 ff.)
Measures against reporters because of their report are prohibited. Reverse burden of proof: if a disadvantage occurs after a report, the employer must prove it is not retaliation. The procedure must transparently set out this protection.
2.8 Documentation (s. 11)
Each report must be documented — for oral reports either by recording with reporter's consent or by minutes; otherwise by permanently retrievable record. Retention: 3 years after case closure, longer if necessary.
3. Structure of the Procedure Document
Recommended structure (in this exact order):
3.1 Scope
Which entities / sites / employee groups, which violations. Reference to s. 2 HinSchG.
3.2 Roles + Responsibilities
Internal reporting office officer, deputy, escalation addresses (management, supervisory board). Note: in corporate groups, BfJ FAQ 2024 clarified that a central group reporting office is only sufficient if it is organizationally clearly designated as the internal reporting office of the subsidiary.
3.3 Reporting Channels
Phone number, email address, postal address, online portal, optionally in-person meeting. Availability times. Multilingual support for multinational companies.
3.4 Procedural Steps (detail workflow)
Step by step: intake → acknowledgment (day 1-7) → plausibility → investigation → follow-up actions → feedback to reporter → closure + documentation.
3.5 Confidentiality Protection
Technical separation of reporting office data from HR systems, access restriction (need-to-know), encryption, audit logging.
3.6 Data Protection (Art. 6(1)(c) GDPR + s. 10 HinSchG)
Legal basis for processing, right-of-access restriction towards data subjects (s. 29(1) no. 4 German Federal Data Protection Act), data processing agreement with external service providers.
3.7 Reprisal Protection
Protection statement, contact to independent body in case of impairment, escalation to external reporting office (BfJ) remains available.
3.8 Documentation + Archive
Minutes template, storage location, access rights, deletion deadlines (3 years + extension).
3.9 Quality Assurance
Annual effectiveness self-evaluation as voluntary best practice — there is no statutory audit obligation.
3.10 Annexes
Acknowledgment template, investigation protocol, feedback template, documentation template, reprisal protection statement.
4. Interfaces to Other Departments
4.1 HR
When a report concerns an employee: labour-law follow-up actions (warning, dismissal) go through HR — but the reporting office only passes on information necessary for the measure, not the reporter's identity without consent.
4.2 Compliance / Legal
Criminal complaint, informing law enforcement, external legal advice in complex cases. Reporting office escalates, compliance/legal decides on external communication.
4.3 Management / Board
Escalation route in cases where management itself is involved (mandatory alternative escalation: supervisory board, group compliance officer). Annual report on reporting office statistics (anonymized).
4.4 Data Protection Officer
DPIA for reporting-office processing (Art. 35 GDPR), consultation for particularly sensitive cases, clarification of interfaces with GDPR rights of access.
4.5 Works Council
Co-determination under s. 87(1) no. 1 Works Constitution Act when introducing the reporting office. Participation in the procedure but no access to individual reports (confidentiality s. 8).
5. Reporting Channels in Practice
| Channel | Mandatory? | Anonymity possible | Typical cost |
|---|---|---|---|
| Online platform (SaaS) | No (recommended) | Yes, anonymous mailbox | EUR 3-12k / year |
| Email inbox | Optional | Limited (server logs) | EUR 200 setup |
| Phone hotline | Yes (oral required) | Yes, no caller ID | EUR 500-3,000 / year |
| Postal address | Yes (written required) | Yes | marginal |
| External ombudsperson | Optional | Yes | EUR 5-15k / year |
| In-person meeting | Yes (on request) | Limited | internal resource |
6. Effectiveness review of the reporting office — best practice, not a legal obligation
Clarification: A statutory "HinSchG audit obligation from 1 January 2026" does not exist — Section 22 HinSchG governs the external reporting office at the Federal Cartel Office, not an effectiveness check for companies. A regular effectiveness self-review is nonetheless recommended best practice (voluntary, modelled on ISO 37301):
- Recommendation: 250+ staff annually, 50–249 every 2 years — voluntary, no statutory deadline
- Subject: effectiveness of the internal reporting office (availability, deadline adherence, confidentiality protection, reprisal protection, documentation)
- Reviewer: internal (management reporting) or voluntarily external — no statutory requirement
- Report: self-review report to management (internal steering instrument)
- Note: the s. 40 fines apply to real breaches (e.g. s. 12 reporting office not set up, s. 8 confidentiality, s. 36 reprisals) — NOT to a missing self-review
For smaller employers (50-249 staff) a voluntary self-review is equally useful — it creates evidence in case of supervisory inquiries.
7. Common Mistakes in Practice
- "We don't have any" — no documented procedure. BfJ requests document. Fine up to EUR 20,000 (s. 40(2) no. 2).
- Only email as reporting channel. Breach s. 16(3) (oral channel missing).
- Anonymous reports not processed. Prohibited since 2024-07-01.
- Compliance officer is simultaneously HR head. Conflict-of-interest risk for HR-related reports.
- Deadlines not met. 7-day acknowledgment forgotten, 3-month feedback skipped. Direct breach.
- Intake logs on shared mail server. Confidentiality s. 8 not maintained.
- No training of reporting office officers. Breach s. 15(2) (expertise).
Summary
The written procedure under s. 15 is the document any supervisory authority will request first. It is not optional and it is not satisfied by a SaaS platform alone — the platform delivers channels, but the procedure itself defines roles, deadlines, escalation, confidentiality and documentation. Build it once thoroughly, then keep it under annual review.
Frequently Asked Questions
What does HinSchG s. 15 require?
Which deadlines must the procedure include?
Which reporting channels must I offer?
Who can be the reporting office officer?
Is there an audit obligation?
What happens in case of reprisals?
Sources
- HinSchG — German Whistleblower Protection Act (consolidated) (As of: 2026-05-17)
- Directive (EU) 2019/1937 — Whistleblower Directive (As of: 2026-05-17)
- BfJ — German Federal Office of Justice, external reporting office (As of: 2026-05-17)