HinSchG: Setting Up an Internal Reporting Office 2026

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information, please consult a licensed attorney.

TL;DR

  • Mandatory from 50 employees under Section 12 (2) HinSchG (headcount-based)
  • 3 mandatory channels: written, oral, in person on request + anonymous (mandatory since 01 January 2025)
  • Deadlines: 7 days to acknowledge receipt, 3 months for follow-up feedback
  • External reporting offices: BfJ (Section 19), BaFin (Section 21), Federal Cartel Office (Section 22 — competition law/DMA, NO audit obligation for companies)
  • Fines up to EUR 500,000 (legal entities via Section 30 OWiG)

1. Mandatory from 50 Employees

Section 12 (2) HinSchG (German Whistleblower Protection Act) requires all employers with at least 50 employees to set up an internal reporting office. The count is by heads — not full-time equivalents.

Employee group | Counting
Full-time, part-time, fixed-term | Full count
Apprentices/trainees | Full count
Marginally employed (mini-jobs) | Full count
Temporary agency workers ≥ 6 months | Full count
Self-employed subcontractors | Not counted (as a rule)
Interns | Full count

2. 8 Steps to an Audit-Ready Reporting Office

Short answer: An audit-ready internal reporting office is built in eight steps: a management resolution, appointment of the reporting officer with an independence declaration, documented procedural rules (7 days / 3 months), three reporting channels plus anonymous case handling, expert training for the reporting officer under Section 15 (2) HinSchG, DPIA and ROPA entry, employee information notice under Section 13 HinSchG, and an annual effectiveness self-assessment as best practice.

  1. Management resolution: formal establishment of the reporting office. In practice: managing director's minutes or board resolution.
  2. Appoint reporting officer: appointment certificate plus independence declaration. The role can also be combined with other functions (compliance officer, in-house counsel).
  3. Document procedural rules: 7-day receipt, 3-month feedback, escalation to the external reporting office (BfJ).
  4. Set up 3 reporting channels: written (email/web form), oral (telephone hotline), in person on request, plus anonymous case handling.
  5. Expert training for the reporting officer: 5-8 teaching units under Section 15 (2) HinSchG. With certificate.
  6. DPIA and ROPA entry: include the processing activity 'reporting office' in the ROPA and carry out a DPIA under Art. 35 GDPR.
  7. Employee information notice: posted notice or intranet entry under Section 13 HinSchG with a clear explanation of the reporting routes.
  8. Effectiveness self-assessment: documented annually (best practice, NOT a statutory obligation) — deadline compliance, confidentiality, anonymous case handling, training status.

3. 3 Reporting Channels + Anonymous Case Handling

Short answer: Three reporting channels are mandatory: written (email, web form or postal address), oral (telephone hotline or voicemail mailbox) and in person on request (appointment within 14 days). Since 01 January 2025, anonymous case handling has additionally been mandatory — typically via a web form without login plus an anonymous return channel.

Channel | Mandatory feature | Practical solution
Written | Text input option | Email, web form, postal address
Oral | Voice input | Telephone hotline, voicemail mailbox
In person (on request) | Appointment option | Offer an appointment within 14 days
Anonymous | Mandatory since 01 January 2025 — receipt + handling | Web form without login + anonymous return channel

4. Procedure: 7 Days / 3 Months

Short answer: The HinSchG procedure has two hard deadlines: receipt of a report must be acknowledged within 7 days (with a confidentiality notice), and substantive feedback on follow-up measures or case closure must be provided within 3 months. Where required, escalation goes to management or to the external reporting office (BfJ).

Deadline | Obligation | Content
Immediately | Document receipt | Reporting form, confidentiality level, allocation to reporting officer
7 days | Acknowledgement of receipt | Confirmation letter with confidentiality notice
Within 3 months | Feedback to the whistleblower | Follow-up measures or case closure
Where required | Escalation | Management, external reporting office BfJ

5. Section 8 Confidentiality

Identity protection for the whistleblower AND the accused AND third parties. Breach is subject to fines of up to EUR 50,000 (legal entity EUR 500,000).

6. Section 36 Protection Against Reprisals

Prohibited reprisals: termination, transfer, formal warning, salary reduction, workplace bullying (mobbing). Reversal of the burden of proof under Section 36 (2): where a disadvantage occurs, a reprisal is presumed, and the employer must provide counter-evidence.

The Lower Saxony Higher Labor Court (LAG Niedersachsen, 11 November 2024, 7 SLa 306/24) confirmed the two-step review framework. For every HR measure following a report: document evidence of independence from the report.

7. GDPR Obligations of the Reporting Office

Short answer: A HinSchG reporting office must meet six GDPR obligations: ROPA entry, DPIA under Art. 35 GDPR (mandatory in Germany; in Austria not required under Section 8 (13) HSchG), data protection notices for the whistleblower and the accused, a DPA where IT is outsourced, a reporting-office-specific TOM concept, and 3-year retention after case closure (Section 11 (5) HinSchG; 5 years in Austria).

  1. ROPA entry for the processing activity 'reporting office'
  2. DPIA under Art. 35 GDPR (in Germany; in Austria not required under Section 8 (13) HSchG)
  3. Data protection notices for the whistleblower and the accused
  4. DPA with the IT service provider where outsourced
  5. TOM concept specifically for the reporting office
  6. Retention 3 years after case closure (Section 11 (5) HinSchG); Austria 5 years

8. 30-Point Audit Checklist (Excerpt)

  1. Management resolution in place
  2. Reporting officer appointment certificate
  3. Reporting officer independence declaration
  4. Procedural rules up to date
  5. 3 reporting channels active
  6. Anonymous return channel functional
  7. Acknowledgement-of-receipt template
  8. Feedback template
  9. Reporting officer expertise evidence <3 years old
  10. ROPA entry
  11. DPIA carried out
  12. Data protection notices for whistleblower + accused
  13. Reporting office TOM concept
  14. Confidentiality concept
  15. Reprisals log template
  16. HR-measures workflow following a report
  17. Employee information notice current
  18. Report statistics
  19. Escalation workflow to management
  20. External reporting office (BfJ) interface documented
  21. 3-year retention rule
  22. Deletion concept
  23. Internal or external audit annually
  24. Conflict-avoidance concept
  25. Case-handling playbook
  26. Follow-up measures catalogue
  27. Fact-finding guideline
  28. Works council agreement (where a works council exists)
  29. Group mapping (where part of a corporate group)
  30. Annual report to management

Sources

  1. German Whistleblower Protection Act (HinSchG), BGBl. 2023 I No. 140
  2. HinSchG amendment, BGBl. 2024 I No. 438
  3. HinSchGOWiZustV, BGBl. 2025 No. 111
  4. Directive (EU) 2019/1937
  5. LAG Niedersachsen (Lower Saxony Higher Labor Court), Judgment 11 November 2024 — 7 SLa 306/24
  6. BfJ Activity Report 2025
