.svg)
.svg)
Co-Founder & CPO
June 9, 2023
10 min
.svg)
Exposing wrongdoing is a social phenomenon that runs throughout human history. Deep Throat, who forced U.S. President Nixon to resign by triggering the Watergate affair in 1974, is one of the most prominent examples of whistleblowing. Wikileaks founder Edward Snowden has also demonstrated that tips can lead to striking social changes. In modern society, it is of utmost importance that alert individuals can point out wrongdoings at companies, in authorities and institutions in order to bring about necessary changes.
For this reason, the Whistleblower Protection Act (HinSchG) formulated by the EU is about to be introduced in Germany. Here you can read about the options for installing a functioning whistleblower system, the legal principles to be observed, and how a whistleblower system can satisfy companies' need for security.
In the meantime, the EU has brought corporate whistleblowing to legislative maturity: "The German Bundestag is thus transposing the European Union's Whistleblower Protection Directive ((EU)2019/1937, (EU) 2020/1503) into German law, said the draft law, which is now available but still has to be ratified by a decision of the Bundesrat.
This EU Whistleblower Directive requires companies, private organizations and public authorities with more than 49 employees to establish secure whistleblowing channels and take precautions to protect whistleblowers from reprisals." (Quote: DSB advice portal) These channels can be analog (telephone hotline) or digital (email address) in design.
A whistleblower system is a communication concept that offers employees or outsiders of a company the opportunity to report wrongdoing, violations of applicable law or other incidents that could cause damage to the company, while being protected by law against reprisals.
Since December 16, 2020, the Whistleblower Protection Act (HinSchG) has been in force in Germany, which was enacted "to protect natural persons who have obtained information about violations in connection with their professional activities or in the run-up to professional activities and report or disclose such information to the reporting bodies provided for under this Act (whistleblowers)."
While the core intention of whistleblowing is to inform the public, for example by involving the press or other media, the company's internal whistleblowing system is a closed circle. The information remains within the company and is translated into action accordingly by the responsible departments. Only if the seriousness of a violation or a grievance entails a legal duty to publish does an internal whistleblower also reach the public (example: data breaches that must be reported to the responsible supervisory authority).
Pursuant to Section 12 of the Whistleblower Protection Act (HinSchG), employers with at least 49 employees must set up and operate an internal reporting office. Violations of this obligation to set up a reporting office can be punished with fines of up to 20,000 euros. The employers named in Section 12 (3) HinSchG (companies in the financial sector, such as securities service companies, stock exchange operators, credit institutions, capital management companies, etc.) must set up such a reporting office regardless of the number of employees.
According to § 14 HinSchG, one or more employees of the employer or a third party can be entrusted with the tasks of the reporting office. Several private employers with, as a rule, 50 to 249 employees can also operate a joint reporting office. This is suitable, for example, for companies in a group of companies or companies belonging to a group. (Source: DPO Guide Portal)
The open whistleblower system is literally "open" and can be used by any "whistleblower", regardless of whether they belong to the company. Employees, but also suppliers or service providers are thus protected. Whistleblowers can be anyone, without exception, who works for or comes into contact with a company, authority or organization. The prerequisite is that the whistleblower has a justified suspicion that a dangerous maladministration is taking place that is damaging the institution or poses a risk to the general public.
The law stipulates that in the future, whistleblowers will not have to put up with any reprisals or disadvantages because they have reported something sensitive. Whistleblowers are therefore protected by law from having to fear disadvantages such as dismissal, a warning, denial of promotion, a change in the assignment of duties, damage to their reputation, disciplinary measures, discrimination or mobbing because they have uncovered an irregularity in the company. Appropriate compensation must be paid to the whistleblower for any financial losses incurred as a result of his or her disclosure.
On the one hand, digitalization has played a significant role in presenting companies with new legal challenges. Attacks from outside, such as cyberattacks or hacker attacks, are often initiated through channels that are inadequately protected. In many cases, it is also gullible employees who unknowingly open gates to the company, thus giving cybercriminals access to the company's internal information.
On the other hand, it is the criminal phenomena of international terrorism, money laundering and white-collar crime that shamelessly use digital channels to harm companies.
Therefore, a whistleblower system that is initially designed to be anonymous to the whistleblower is an important part of any company's security system, regardless of its size, and improves the compliance management system.When evaluating the advantages and disadvantages of whistleblower systems, it is important to note that an ideal whistleblower system ensures that information from employees is kept 100 percent confidential.
Whistleblower systems should be set up completely systematically within the company. First of all, the appointment of responsible persons, for example an ombudsman or an ombudsman panel, is necessary. An external service provider can also be appointed by SECJUR.
It must be ensured that these appointees can be reached through secure channels to which no one else in the company has access. Furthermore, it must be ensured that any submissions are sifted immediately, at the latest within 24 hours. In addition, the whistleblower system must also include an external line that is connected to a governmental reporting office (after the law comes into force; a report from competent public bodies will become part of the law).
All submissions and associated personal data must be handled in accordance with the principles of the GDPR.
A whistleblower system that meets today's requirements is naturally digital, ideally as an e-mail communication channel with its own, clearly delimited e-mail address. As with all digital processes, the whistleblower system also faces special challenges in terms of data protection. The system must be able to protect the personal data of any whistleblower in accordance with the GDPR.
Precisely because of the explosive nature for the whistleblower of turning against his own company by sending a tip, he must be guaranteed the highest level of confidentiality. Only persons designated for the task may obtain knowledge of the whistleblower's personal data.
Furthermore, the incident must be deleted after an appropriate period of time. Protection of identity, protection against dismissal and discrimination must endure. Employees entrusted with investigating tips are required by law to follow up even anonymous tips conscientiously and confidentially. The obligation to report to supervisory authorities must be observed.
Ideally, the introduction of a whistleblower system is accompanied by open communication. This should include making all employees aware of the possibility of using the whistleblower channel. However, as part of training, you should also be informed about the consequences of submitting a report in order to avoid misuse.
Seven typical examples of reports:
SECJUR has developed a whistleblower system that helps to fulfill the requirements of the law. In the Digital Compliance Office, you will find an integrated module for the whistleblower system, which means that the implementation of compliance for companies can be digitalized immediately and easily.
The system acts as an early warning system that protects your business, reputation, employees and stakeholders. Using this system can reduce the damage caused by white-collar crime by 50 percent.In addition, implementing the whistleblower system increases your company's attractiveness as an employer by promoting transparency and integrity.
The system is available 24 hours a day, 7 days a week, 365 days a year. A major advantage of the integrated system is that tips can be transmitted in real time while maintaining the highest security standards. In addition, the system is 100 percent DSGVO-compliant. The incoming reports are handled by professional case managers, and the tip system enables anonymous contact, including reachability by phone.SECJUR takes over the case management in connection with the reported tips.
Whistleblower systems are important pillars of quality management in the long termWhen the Whistleblower Protection Act comes into force in June of this year, companies initially required by law should not be unprepared. Initially, this will affect companies with 50 or more employees and companies in the financial sector. However, it is expected that in the near future smaller companies will also be required by law to introduce a whistleblower system.
It is recommended that the legal requirement should not be viewed solely as a new "scourge" from Brussels, but that the issue of the whistleblower system is considered as part of the company's internal quality management. And a part of a healthy company culture.
Attentive employees who identify with the company will make valuable contributions to protecting the company externally by reporting wrongdoing or dangerous developments. Furthermore, tips that are actively perceived and transformed into change processes can contribute to significant improvements in the company's processes as well as its corporate culture.
The HinSchG naturally entails some effort and costs, but after its introduction it can be regarded as an important part of quality management after only a short time. It is advisable to define the responsibilities, the technical presentation and the necessary processes at an early stage on the basis of a concrete project in order to install a whistleblowing system that meets the legal requirements.
A lawyer with many years of experience as a data protection and IT law attorney, Simon knows the answer to just about every question in the field of digital compliance. He has worked in the past for Fieldfisher and Taylor Wessing, among others. As co-founder and Chief Product Officer of SECJUR, Simon applies his experience primarily to product development.
SECJUR stands for a world where companies are always compliant, but never have to think about compliance. With the Digital Compliance Office, companies automate time-consuming work steps and achieve compliance standards such as GDPR, ISO 27001 or TISAX® up to 50% faster.
Automate and streamline your compliance processes with our Digital Compliance Office
Everything you need to know about the product and billing.
