# Whistleblower System from 50 Employees: SME Requirements
## TL;DR
- Mandatory from 50 employees (HinSchG s. 12(1) no. 2) — since 2023-12-17
- Count: full-time + part-time + apprentices + agency workers (deployed longer than 6 months)
- 4 setup options: external ombudsperson, SaaS platform, in-house, group hybrid
- Typical costs: EUR 3-15k / year depending on model
- Anonymous reports mandatory since 2024-07-01 (HinSchG amendment)
- Mandatory channels: written + oral (email alone is insufficient)
- Fine: up to EUR 50,000 for breaches
Context: Germany's Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) implements EU Directive 2019/1937. This article addresses German SMEs, but the EU directive sets the same 50-employee threshold across member states (Art. 8).
## 1. The 50-Employee Threshold (s. 12(1) no. 2)
HinSchG s. 12(1) no. 2 obliges all employers with usually at least 50 employees to establish an internal reporting office. The threshold has applied since 2023-12-17 (second stage of HinSchG implementation).
"Usually" means not the exact headcount on a cut-off date but the typical staffing level; seasonal fluctuations are smoothed over a 12-month average. Example: 47 permanent staff with a seasonal peak of 60 does not trigger the obligation; it arises only once the threshold is exceeded permanently.
Special cases:
- Banks, insurers, securities firms: mandatory regardless of headcount (sector-specific rules remain valid, s. 12(3))
- Groups: each subsidiary at or above the 50-staff threshold is itself obliged to set one up; a group-level central reporting office suffices only under narrow conditions (see section 4)
- Public bodies: sector-specific rules, BfJ serves as external reporting office
## 2. Who Counts as an "Employee"?
HinSchG s. 3(8) defines broadly:
- Own employees: full-time counts as 1, part-time also 1 regardless of hours (different from the KSchG dismissal threshold, which weights 0.75 / 0.5)
- Apprentices, dual-study students, working students: yes
- Interns: yes, where mandatory + paid
- Agency workers: where deployed > 6 months at the user undertaking
- Self-employed performing professional activity for the employer: only relevant for reprisal protection, NOT for the headcount threshold
- Managing directors without shares: yes
- Pure contract-for-work parties and freelancers: no
- Employment relationships in notice period: yes, until actual exit
Tip: for borderline cases (47-55 staff) always document the past 12 months — supervisory authorities will ask.
## 3. External vs. Internal Reporting Office
HinSchG provides two parallel reporting routes:
### 3.1 Internal Reporting Office (ss. 12-18)
Inside the company, statutorily required for 50+ staff. Employees should report internally first (s. 7(1) sentence 2) if internal action will be effective and no reprisals are threatened — but they retain free choice.
### 3.2 External Reporting Office (ss. 19-31)
Authorities:
- BfJ (Federal Office of Justice): for all breaches without sector-specific competence
- BaFin: for financial-services breaches
- BKartA (Federal Cartel Office): antitrust
- State authorities: civil service law, state-level topics
Reporters can approach the external office at any time — if the company offers a well-functioning internal route, external reports are rare (BfJ 2024 experience: ca. 90% internal share).
## 4. Four Setup Options for SMEs
### 4.1 Option 1: External Ombudsperson (Lawyer)
Pros:
- Employees trust a lawyer more than an internal compliance officer (statutory duty of confidentiality, s. 43a Federal Lawyers' Act)
- Clear separation from management
- Lower conflict-of-interest risk
- Lawyer also assesses legal plausibility of report
Cons:
- Extra cost EUR 5-15k/year base + per-case fee
- Availability often limited to business hours
- In-person meeting harder logistically
Suitable for: mid-sized companies 50-300 staff, traditional industries.
### 4.2 Option 2: SaaS Platform (Online Reporting System)
Providers (selection 2026): EQS Integrity Line, Whistlelink, LegalTegrity, hintbox, otris compliance.
Pros:
- Multilingual support (often 20+ languages) — important for international workforce
- Anonymous mailbox for 2-way communication even after anonymous report
- Built-in deadline reminders (7-day acknowledgment, 3-month feedback)
- ISO 27001, EU hosting (GDPR-compliant)
- Audit logs for effectiveness review
Cons:
- Phone channel must be organized separately (s. 16 obligation!)
- Platform does not replace the written procedure (still mandatory)
- License only, no personnel — internal processing still required
Typical costs: EUR 3-12k/year depending on staff count, language pack, premium features.
### 4.3 Option 3: In-house Compliance Officer
Designated own person (compliance officer, person of trust, possibly dual role with DPO).
Pros:
- Full control over data and process
- Direct company knowledge helps with plausibility check
- If a compliance function already exists: marginal extra cost
Cons:
- High conflict-of-interest risk (employees may doubt confidentiality)
- Sick leave / vacation: strict deputy rules needed (else deadline breach)
- Annual expertise training (s. 15(2))
- Dual function with HR is risky — strict conflict in personnel cases
Suitable for: companies that already have a compliance officer, or those with strong internal trust culture.
### 4.4 Option 4: Group Hybrid
One central reporting office at the parent company for several subsidiaries — only possible under narrow conditions:
- BfJ FAQ (May 2024): central group reporting office only where organizationally clearly designated as the reporting office of the respective subsidiary
- EU Commission Q&A 2.5 (June 2021): subsidiary above 250 staff must have its own reporting office, but can outsource to an external body (including the group parent)
- For 50-249-staff subsidiaries, outsourcing to the group parent is possible without formal restriction
- Data-processing agreement between subsidiary and parent is mandatory
Suitable for: groups with a clear subsidiary structure. Watch out with international groups: a central office outside the EU means third-country data transfers (GDPR Chapter V).
## 5. Cost Comparison (as of 2026)
| Option | Setup cost (one-off) | Ongoing cost (year) | Suitable from staff |
|---|---|---|---|
| External ombudsperson | EUR 500-2,000 | EUR 5,000-15,000 + per-case fee | 50-500 |
| SaaS platform | EUR 500-1,500 | EUR 3,000-12,000 | 50+, any size |
| In-house compliance officer | EUR 2,000-5,000 (training + templates) | 10-25% of one employee's working time | 100-1,000 |
| Group hybrid | EUR 5,000-15,000 (group setup) | scales per subsidiary | group structures |
SME recommendation 50-200 staff: combination of SaaS platform + phone hotline + documented procedure. Typical cost EUR 5-8k/year. In particularly sensitive sectors (banking, critical infrastructure) add an external ombudsperson.
## 6. Mandatory Channels under HinSchG s. 16
At minimum, a written and an oral channel must always be available; an in-person meeting must be offered on request:
- Written: letter, email, online platform — at least one of these routes
- Oral: phone, voicemail, other voice-transmission system — mandatory in addition
- In-person meeting: on reporter's request, within reasonable time
Frequent mistake: only setting up an email inbox. That is only written — the oral channel is missing. Breach of s. 16(3).
Frequent mistake 2: the phone number is the normal switchboard. Confidentiality (s. 8) not preserved. Solution: separate voicemail number or external hotline.
## 7. Anonymous Reports since 2024-07-01
The HinSchG amendment of 2024-07-01 clarified: anonymous reports must be accepted and processed (s. 16(1) sentence 4). Implications:
- System must enable anonymous 2-way communication (platform with anonymous mailbox, anonymized callbacks)
- Acknowledgment still runs (7-day deadline) — via the anonymous channel
- Feedback after 3 months also via anonymous channel
- Plausibility check harder without identity, but still mandatory
SaaS platforms solve this elegantly. A pure email inbox cannot deliver anonymous 2-way communication — so even for IT-savvy SMEs it is rarely sufficient.
## 8. Sanctions for Breach (HinSchG s. 40)
| Breach | Provision | Max fine |
|---|---|---|
| Reprisal against reporter | s. 40(2) no. 1 | EUR 50,000 |
| Confidentiality breached | s. 40(2) no. 4 | EUR 50,000 |
| Reporting channel not set up | s. 40(2) no. 2 | EUR 20,000 (since 2023-12-01) |
| Anonymous report not processed | s. 40(2) no. 2a | EUR 20,000 (since 2024-07-01) |
| Obstruction of reporting | s. 40(2) no. 3 | EUR 50,000 |
| Negligent breach | s. 40(4) | half the respective maximum |
In addition: civil damages claims from the reporter in case of reprisal (s. 37). Reverse burden of proof — employer must show no reprisal occurred.
## Summary
For SMEs in the 50-200 range, the practical sweet spot is a combination of a SaaS platform (covers the written, anonymous and documentation requirements) plus a dedicated phone number for the oral channel, governed by a properly written procedure. Total cost typically EUR 5-8k per year. Don't build everything in-house unless you have a robust compliance function — the conflict-of-interest risk is real and visible to employees, which kills trust in the system.
## Sources
- HinSchG — German Whistleblower Protection Act (consolidated) (As of: 2026-05-17)
- BfJ — Federal Office of Justice, external reporting office + FAQ (As of: 2026-05-17)
- Directive (EU) 2019/1937 — Whistleblower Directive (As of: 2026-05-17)