Food for thought in advance: If the initiative of one individual alone could be enough to endanger the existence of a company (with possibly even several hundred employees) through its misconduct, then that company has a much bigger problem than just setting up a whistleblower system.
But let's start with a little background info. What is the German Whistleblower Protection Act and why does it affect someone with a relatively small business? The Whistleblower Protection Act is the German implementation of the EU Whistleblower Directive, which aims to establish standardized protection for whistleblowers across the EU for the first time. The Act regulates the protection of natural persons (as you and I) who have obtained information about violations in the course of their professional activities and pass this information on to internal or external reporting bodies. The Whistleblower Protection Act prohibits any reprisals and retaliation against these so-called whistleblowers (you should already be familiar with the term since Snowden at the latest), so far whistleblowers are only insufficiently protected from negative consequences.
The EU member states should have transposed the directive into national law by December 17, 2021. This has already failed in Germany. In this case, however, whistleblowers could now invoke the EU directive and, if necessary, claim damages from the Federal Republic of Germany, as the Süddeutsche Zeitung, for example, suggests.
What does "whistleblower protection" mean and why do we need it?
Whistleblower protection means that people (whistleblowers) who uncover illegal wrongdoing by reporting it and thus support society are protected from reprisals by a law. For example, the cashier at the supermarket who notices that the store manager is relabeling spoiled food; the accountant who discovers that the CEO is financing his private trips through the company account - both are probably asking themselves the same question: Should they report the wrongdoing and thus endanger their future? Whistleblowers not only lose their jobs, they often don't find new ones. Whistleblowers do not yet enjoy comprehensive protection, even though they often take great professional and personal risks to inform society about grievances. The stigmatization of the "whistleblower" is still too widespread, although it takes a lot of courage to expose grievances.
Despite or precisely because of current scandals such as the mask affair (the incidents in 2020 and 2021 of alleged advantage-taking by several members of the Bundestag and state parliaments of the CDU and CSU, in other words: CORRUPTION), it was the CDU/CSU-led ministries that have so far put on the brakes and rejected the existing draft law on whistleblower protection. But slowly the implementation of the EU Directive is picking up speed with the new government in Germany, at least the new coalition of SPD, Greens and FDP has clearly positioned itself in favor of whistleblower protection. In their coalition agreement, the three "traffic light" parties agreed to implement the EU Whistleblower Directive in a "legally secure and practicable" manner. And even if the German law does not yet exist, the judges will take the EU directive or the existence of preventive compliance measures in the company into account in case of doubt in a lawsuit.
But what do companies now need to know about the Whistleblower Protection Act in order to be prepared?
Here are the key points:
Companies and organizations with 50 or more employees must implement secure whistleblower systems, e.g., an electronic whistleblower system, through contact with employees from the internal compliance department or an external ombudsperson (often a digital system is also combined with a, external consultant, i.e., not an employee of the company due to lack of capacity).
The procedure for submitting a report must be possible orally, in writing and, if desired, also in person.
The internal reporting office must confirm receipt of the report to the whistleblower within 7 days.
Within three months, the reporting office must inform the whistleblower what action has been taken as a result, such as initiating internal investigations or forwarding the report to the competent authority.
The law also seeks to establish two equivalent reporting channels for whistleblowers. In addition to the internal reporting channel, there will be an external body, which is expected to be located at the Federal Data Protection Commissioner. In the case of violations of accounting rules, shareholder rights and the like, the Federal Financial Supervisory Authority (BaFin) is to become the external reporting body. Whistleblowers will have a right of choice, i.e. they will be free to decide whether to submit internal reports or tips via the external reporting office. Internal reporting offices thus no longer have priority over external reports as before. The EU directive explicitly recommends creating incentives so that whistleblowers prefer to use internal whistleblowing systems. The advantage for your company is, of course, that this enables you to learn of violations at an early stage (before the public prosecutor's office does, for example!) and to initiate appropriate countermeasures and investigations. In this respect, companies should take care to set up professional compliance structures in good time to prevent whistleblower reporting through external reporting channels. MLM Ethics & Compliance is of course available to provide advice in this regard.
Practice shows that a whistleblower system is particularly successful when it is embedded in a trusting and transparent corporate culture. We have already talked about the topic of corporate culture and ethics & compliance management in the previous blog post and the necessity for this is absolutely confirmed by the topic of the Whistleblower Protection Act. Again, as a reminder, here are the benefits of investing (time, thought and maybe some money) in a compliance management system and, as an essential part of it, an internal reporting system. Your organization
complies with legal requirements,
protects itself and its employees from fines or imprisonment,
improves your attractiveness to business customers, partners, investors, banks and employees,
increases its own professionalism,
promotes a modern speak-up culture
protects your reputation
identifies risks earlier
and can thus take early and proactive action against violations.
All right, so what does this mean for practical implementation?
Which whistleblowing channels are suitable for the type and size of your company, does it cost a lot, does it have to be anonymous, and who should process the cases that may be reported?
There should be no obligation to process anonymous tips. However, there is much to be said for an anonymous reporting option, given by the establishment of a digital whistleblower system. There are also already cost-effective solutions for medium-sized companies or small businesses. Many organizations have long recognized the advantages of anonymous reporting channels and use them to increase the number of valuable reports. After all, only those who receive valuable tips can take proactive and early action against grievances as a company, minimize risks and thus ensure the long-term success of the company. With digital whistleblowing systems, case processing can also be handled and documented in compliance with data protection requirements, which is why it is advisable to choose this option as a whistleblowing channel in any case.
Small companies in particular do not have the (financial and time) capacity to hire someone full-time for the topic of compliance and thus also whistleblower management and to manage the channels. Involving external consultants is therefore a common approach at this point (such as MLM Ethics and Compliance).
Last but not least, the law does not yet exist, so is it really necessary to take action here?
The answer is clear: Yes. Regardless of the German law, firstly, the EU directive can also apply directly, secondly, the law will come in any case, thirdly, the advantages of internal reporting channels described above are too great to want to do without them, and fourthly, whistleblowing management is an essential component of a trusting, fair, transparent corporate culture. Only with ethically correct behavior in everyday business will your company be successful in the long term. MLM Ethics and Compliance is available to advise not only on the establishment of effective whistleblowing management, but also on all other issues relating to active and intentional business ethics & compliance management.
I hope this post has provided you with some food for thought, please get in touch if there are any questions!