Since 2 July 2023 (since 17 December 2023 for employers with 50 to 249 employees), companies with 50 or more employees must operate an internal reporting channel. We explain the technical requirements of the HinSchG, the data protection framework and compare common software solutions.
Table of Contents
- Whistleblowing via App: What the German Whistleblower Protection Act Requires Technically
- Background: From the EU Directive to German Law
- Who Must Set Up an Internal Reporting Channel?
- The 50-Employee Threshold (Section 12 HinSchG)
- Timeline
- Technical Requirements for the Reporting Channel (Section 16 HinSchG)
- Mandatory Channels: Oral, Written and In Person
- Confidentiality Requirement (Section 8 HinSchG)
- Anonymity: Not Mandatory but Recommended
- Data Protection Framework
- GDPR Compliance as a Fundamental Requirement
- Legal Basis for Data Processing
- Key Data Protection Obligations
- Comparing Software Solutions
- Market Overview
- BKMS System (EQS Group)
- Hintbox
- LegalTegrity
- The External Reporting Office at the BfJ
- Implementation Guide: Five Steps to a Reporting System
- Step 1: Stocktaking and Planning
- Step 2: Organising the Reporting Office
- Step 3: Technical Implementation
- Step 4: Documentation and Processes
- Step 5: Communication and Training
- Penalties for Non-Compliance (Section 40 HinSchG)
- Conclusion
Whistleblowing via App: What the German Whistleblower Protection Act Requires Technically
A compliance violation in accounting, a tip about corruption in procurement or the suspicion of a data protection breach -- anyone who uncovers such misconduct needs protection. That is precisely the protection the Whistleblower Protection Act (Hinweisgeberschutzgesetz -- HinSchG) is intended to provide, having entered into force on 2 July 2023. Yet beyond the legal framework, the Act also imposes tangible technical requirements on companies: Who must set up a reporting channel? Which channels are permissible? And how do you choose the right software solution? This article provides a practice-oriented overview.
Background: From the EU Directive to German Law
The HinSchG transposes the EU Whistleblower Directive 2019/1937 into German law. Germany was by no means an early adopter: the Directive should have been transposed by 17 December 2021. It was only after a mediation procedure between the Bundestag and Bundesrat and infringement proceedings by the European Commission that the Act finally entered into force in mid-2023. In March 2025, the CJEU ordered Germany to pay a penalty of EUR 34 million for the late transposition. The full text of the Act is available on gesetze-im-internet.de.
Who Must Set Up an Internal Reporting Channel?
The 50-Employee Threshold (Section 12 HinSchG)
Under Section 12 HinSchG, employers with generally at least 50 employees are required to establish and operate an internal reporting office. Special rules apply:
- Temporary agency workers count if they are deployed on a regular basis
- Group solutions are possible: a group company may operate the internal reporting office for all subsidiaries (Section 14(1) HinSchG)
- Municipalities with fewer than 10,000 inhabitants may set up a shared reporting office
Timeline
The obligation has applied to companies with 250 or more employees since 2 July 2023. Companies with 50 to 249 employees had until 17 December 2023 to comply.
Technical Requirements for the Reporting Channel (Section 16 HinSchG)
Mandatory Channels: Oral, Written and In Person
Section 16 HinSchG requires the internal reporting office to be able to receive reports in oral form or in text form. Specifically, this means:
- Text form (written): A digital reporting system, a letterbox or a dedicated email address. However, a simple email address is considered insufficient according to the prevailing view, as confidentiality cannot be adequately guaranteed.
- Oral: By telephone or by other means of voice transmission (e.g. voice message via a digital system).
- In person: At the request of the whistleblower, a face-to-face meeting must be arranged within a reasonable period.
Confidentiality Requirement (Section 8 HinSchG)
The Act requires that the identity of the reporting person and the persons who are the subject of a report be treated confidentially. In technical terms, this means:
- Access restrictions: Only the persons responsible for receiving and processing reports, and those who support them in that task, may access incoming reports (Section 16(2) HinSchG). IT administrators of the hosting platform are not among them, so the system has to enforce this at the application and key-management level, not merely by policy.
- Encryption: Data in transit must be encrypted (TLS), and reports should also be encrypted at rest. End-to-end encryption only delivers the promised confidentiality if the decryption keys are held by the reporting office and not by the operator of the platform.
- Audit logging: Every access to a report (including refused attempts) must be recorded in an audit-proof manner, i.e. in a log that cannot be altered or trimmed unnoticed even by someone with database access.
- Organisational separation: The reporting office should be organisationally separated from the rest of the company, and in particular from the persons who may be the subject of a report.
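The access restriction, the audit-proof log and the retention deadline from Section 11(5) below can be combined in a small case-store model. The following is an added example written for this article; it is not code from the Act, from any vendor named here or from compleneo. The role name `reporting_office`, the HMAC key, the case IDs and the report text are constructed for illustration. The log is made tamper-evident by chaining: each entry carries an HMAC over its own content and the previous entry's MAC, so editing, reordering or dropping an entry is detected on verification.

```python
"""Access gate, hash-chained audit log and retention sweep for a whistleblower
case store. Added example, not code from the article or from any vendor; all
names, keys and sample data are constructed."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

REPORTING_OFFICE = "reporting_office"  # only this role may open reports (Section 16(2))
RETENTION_YEARS = 3                    # Section 11(5): deletion three years after closure


class AccessDenied(PermissionError):
    """Raised when someone outside the reporting office tries to read a report."""


def _add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb rolls to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class AuditLog:
    """Append-only log. Each entry's MAC covers its content plus the previous
    entry's MAC, so edits or gaps break the chain. The key belongs to the
    reporting office, not to the platform administrators (hypothetical design)."""
    key: bytes
    entries: list = field(default_factory=list)

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, case_id: str) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "case_id": case_id, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every MAC is valid and the chain has no edits or gaps."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            if not hmac.compare_digest(e["mac"], self._mac(e)):
                return False
            prev = e["mac"]
        return True


@dataclass
class CaseStore:
    """Reports are handed out only to the reporting office; every read, refusal
    and deletion is written to the audit log."""
    log: AuditLog
    cases: dict = field(default_factory=dict)  # case_id -> {"report": str, "closed_on": date|None}

    def file_report(self, case_id: str, report: str) -> None:
        self.cases[case_id] = {"report": report, "closed_on": None}
        self.log.append("channel", "received", case_id)

    def read_report(self, actor: str, role: str, case_id: str) -> str:
        if role != REPORTING_OFFICE:
            self.log.append(actor, "denied", case_id)  # refused attempts are logged too
            raise AccessDenied(f"{actor} ({role}) may not read case {case_id}")
        self.log.append(actor, "read", case_id)
        return self.cases[case_id]["report"]

    def close_case(self, actor: str, case_id: str, closed_on: date) -> None:
        self.cases[case_id]["closed_on"] = closed_on
        self.log.append(actor, "closed", case_id)

    def purge_due(self, today: date) -> list:
        """Delete documentation whose retention period has run out (Section 11(5))."""
        due = [cid for cid, c in self.cases.items()
               if c["closed_on"] and _add_years(c["closed_on"], RETENTION_YEARS) <= today]
        for cid in due:
            del self.cases[cid]
            self.log.append("retention_job", "deleted", cid)
        return due


def demo() -> dict:
    """Run the scenario on constructed data and return the observable results."""
    store = CaseStore(AuditLog(key=b"constructed-demo-key"))
    store.file_report("C-1", "Suspected kickbacks in procurement (constructed sample)")
    text = store.read_report("ombud.a", REPORTING_OFFICE, "C-1")
    try:
        store.read_report("it.admin", "platform_admin", "C-1")
        denied = False
    except AccessDenied:
        denied = True
    store.close_case("ombud.a", "C-1", date(2024, 5, 31))
    purged_early = store.purge_due(date(2027, 5, 30))  # one day before the deadline
    purged_due = store.purge_due(date(2027, 5, 31))
    intact = store.log.verify()
    # A database-level edit turns the refused attempt into an ordinary read.
    store.log.entries[2]["action"] = "read"
    return {"report": text, "admin_denied": denied, "purged_early": purged_early,
            "purged_due": purged_due, "log_intact_before": intact,
            "tamper_detected": not store.log.verify(), "entries": len(store.log.entries)}


if __name__ == "__main__":
    print(demo())
```

The point of the chain is not secrecy but evidence: an administrator who can `UPDATE` the log table can still change a row, but cannot recompute the MACs without the reporting office's key, so the next verification run shows exactly where the chain broke. In a real deployment the key would sit in an HSM or a secrets store controlled by the reporting office, and the verification result itself would be recorded.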
Anonymity: Not Mandatory but Recommended
The HinSchG does not mandate anonymous reporting. However, Section 16(1) sentence 5 stipulates that internal reporting offices should also process anonymously received reports. In practice, anonymous channels significantly increase willingness to report -- many whistleblowers will only come forward if they do not have to reveal their identity.
Data Protection Framework
GDPR Compliance as a Fundamental Requirement
Operating a whistleblower system inevitably involves processing personal data -- both of the reporting person and the accused. The General Data Protection Regulation (GDPR) therefore provides the overarching framework.
Legal Basis for Data Processing
The following legal bases are particularly relevant:
- Article 6(1)(c) GDPR (legal obligation): For companies with 50 or more employees that are legally required to establish a system
- Article 6(1)(f) GDPR (legitimate interest): For companies below the threshold that operate a system voluntarily
Key Data Protection Obligations
According to the FAQ of the Data Protection Commissioner of Baden-Wuerttemberg, companies must observe the following requirements in particular:
- Data Protection Impact Assessment (DPIA): Generally required due to the high risk for the data subjects
- Information obligations: Employees and external reporters must be informed about data processing pursuant to Articles 13 and 14 GDPR
- Retention periods: The documentation of a report is deleted three years after the conclusion of the proceedings; it may be kept longer only where this is necessary and proportionate to meet requirements under the HinSchG or other legislation, e.g. pending litigation (Section 11(5) HinSchG)
- Processing agreement: Where an external service provider is engaged, a data processing agreement under Article 28 GDPR must be concluded
- Data minimisation: Only data necessary for processing the report may be collected (Article 5(1)(c) GDPR)
Comparing Software Solutions
Market Overview
The market for whistleblower software has grown significantly in recent years. The following three solutions have become particularly established in the German-speaking region:
BKMS System (EQS Group)
The BKMS System is a solution designed for corporations and public institutions, offering:
- Highly secure anonymity through a special mailbox system without IP tracking
- Certification to ISO 27001 and SOC 2
- Multilingual support in over 80 languages
- Best suited for: Large enterprises and public administrations
Hintbox
Hintbox positions itself as a user-friendly solution focused on the German SME sector:
- End-to-end encryption and two-factor authentication
- ISO 27001-certified hosting in Germany
- Audit-proof logging of all activities
- Best suited for: Medium-sized companies with 50 to 1,000 employees
LegalTegrity
LegalTegrity sees itself as a compliance partner for SMEs and offers outsourcing options alongside the software:
- OmbuTegrity: Full outsourcing of the reporting office function to external ombudspersons
- Intelligent workflow automation for case management
- Over 2,500 organisations already use the solution
- Best suited for: Companies that wish to operate the reporting office externally
A comprehensive comparison of various whistleblower software solutions is available on OMR Reviews.
The External Reporting Office at the BfJ
In addition to the internal reporting channel, whistleblowers may also contact the federal external reporting office at the Federal Office of Justice (BfJ); for their respective areas, BaFin and the Bundeskartellamt operate further external reporting offices. Under Section 7(1) HinSchG, reporting persons have a free choice between internal and external reporting channels; the Act merely states that they should prefer the internal channel where the violation can be effectively addressed internally and they do not fear retaliation. Companies should therefore have an interest in making their internal channel as attractive and trustworthy as possible.
Implementation Guide: Five Steps to a Reporting System
Step 1: Stocktaking and Planning
- Determine the number of employees and verify the obligation
- Define the material scope (HinSchG violations only or also internal policies?)
- Decide whether the reporting office will be operated internally or externally
Step 2: Organising the Reporting Office
- Appoint the reporting office officer(s) (internal or external)
- Ensure expertise and independence (Section 15 HinSchG)
- Obtain written confidentiality commitments
Step 3: Technical Implementation
- Select and implement the software solution
- Set up reporting channels (digital, telephone, in person)
- Conduct a Data Protection Impact Assessment
- Conclude a data processing agreement with the software provider
Step 4: Documentation and Processes
- Draft procedural rules for the reporting office
- Define processing deadlines: acknowledgement of receipt within seven days of receipt, feedback to the reporting person within three months of that acknowledgement (or, if no acknowledgement was sent, three months and seven days after receipt) (Section 17 HinSchG)
- Establish escalation procedures for serious violations
Step 5: Communication and Training
- Inform all employees about the reporting office and available channels
- Train reporting office officers in interview techniques and case management
- Publish the reporting office on the company website and intranet
Penalties for Non-Compliance (Section 40 HinSchG)
Companies that fail to comply risk significant fines (Section 40(2) and (6) HinSchG):
- Up to EUR 20,000 for failing to establish and operate an internal reporting office
- Up to EUR 50,000 for retaliation against reporting persons, and for obstructing or attempting to obstruct a report
- Up to EUR 50,000 for intentionally breaching the confidentiality requirement (up to EUR 10,000 where the breach is negligent)
In practice, retaliation against whistleblowers represents a particularly high liability risk, as affected persons may also claim damages (Section 37 HinSchG).
Conclusion
The Whistleblower Protection Act presents companies with a dual challenge: they must not only comply with the legal framework but also implement a technically robust and data-protection-compliant solution. The good news is that the market now offers mature software solutions for every company size. The key is not to view implementation as a burdensome obligation but as an opportunity to foster an open compliance culture. A well-implemented whistleblower system protects not just the whistleblowers -- it protects the entire company.
At compleneo, we support you in the legally compliant implementation of your whistleblower system -- from selecting the right software through data protection documentation to training your reporting office officers. Get in touch with us.