HinSchG Group Reporting Channel: What is Permissible (2026)

· Category: Whistleblower Protection· As of: 2026-05-02· Reading time: ~6 min
Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Section 14 Whistleblower Protection Act (HinSchG) permits a shared group reporting channel — but the EU Commission has challenged this as non-compliant with the Directive
  • Three models: centralized (risky), decentralized (expensive), hybrid (recommended)
  • Hybrid model: formal reporting channel at every subsidiary, operationally delegated to group HQ
  • GDPR: Joint Controller agreement under Art. 26 GDPR required between group entities
  • DACH groups: separate consideration for Austria (Section 4(4) HSchG) and Switzerland (no whistleblower act, OR confidentiality)

1. Section 14 HinSchG: Group Reporting Channel

Section 14(1) HinSchG: "Affiliated companies may set up and operate a joint internal reporting channel." This was added to the original 2023 act in response to large-group efficiency demands.

Requirements: affiliated companies under Sections 15 et seq. of the German Stock Corporation Act (AktG); written participation agreement; local intake points per subsidiary (disputed, see EU objection); Section 8 confidentiality preserved across the group.

2. EU Commission Objection

In infringement proceeding INFR(2024)0157 (23.05.2024), the EU Commission found that Section 14 allows outsourcing of the internal reporting channel from subsidiary to group HQ — contrary to EU Directive 2019/1937, which requires a reporting channel per legal entity with 50+ employees. Status as of 04/2026: the Federal Ministry of Justice defends Section 14; CJEU action is possible. Section 14 remains nationally legal but EU compliance is uncertain.

3. Three Models Compared

ModelEU complianceEfficiencyCostSuitable for
CentralizedUNCERTAIN (EU Commission objection)HighLowGroups with high risk tolerance
DecentralizedEU compliantLowHighGroups with <5 subsidiaries
HybridEU compliantMedium-HighMediumRECOMMENDED for groups with ≥5 subsidiaries

4. Hybrid Model — Practical Recommendation

  1. Group reporting channel at HQ — operationally active, with a qualified team
  2. Local intake point per subsidiary — formally established, can be a single person (HR head, compliance officer) or external trusted advisor
  3. Delegation agreement between subsidiary and group HQ — operational handling delegated, formal responsibility stays with the subsidiary
  4. Joint Controller agreement under Art. 26 GDPR for cross-entity data exchange
  5. Free choice for whistleblowers — they may approach the local intake or the group channel

5. Group Reporting in AT/CH

Austria: Section 4(4) of the Austrian Whistleblower Act (HSchG) imposes stricter group rules than Section 14 HinSchG. Each subsidiary's standalone obligation persists; group solutions are an additional option only.

Switzerland: no dedicated whistleblower act. Article 321a (confidentiality) and Article 336 (wrongful dismissal) of the Swiss Code of Obligations (OR) apply. A group channel is possible but does not provide the same employment-law protection as in DE/AT.

6. 6-Step Group Setup Checklist

  1. Map group structure: identify all legal entities with 50+ employees — HinSchG triggers
  2. Choose model: hybrid recommended; weigh centralized vs. decentralized risk
  3. Group policy: procedures, responsibilities, escalation, feedback workflows
  4. Appoint local intake points: per subsidiary, at least 1 person trained per Section 15(2) HinSchG
  5. Joint Controller + DPIA agreements: the GDPR interface
  6. Workforce information: Section 13 HinSchG — both reporting paths (local + group) communicated and documented

Summary

Section 14 HinSchG permits group reporting channels but the EU Commission disputes its compliance with Directive 2019/1937. The hybrid model is the safest practical answer until the dispute is resolved at CJEU level: each subsidiary keeps a formal channel while operations centralize at HQ. Build the architecture so that fully decentralized fallback is one config switch away.

View Whistleblower Kit →

Frequently Asked Questions

Does Section 14 HinSchG (German Whistleblower Protection Act) permit a group-wide reporting office?
Yes, explicitly: Section 14(1) HinSchG allows affiliated companies to operate a shared reporting office. Prerequisite: an agreement among the participating companies; the obligation to maintain internal contact points remains in place. In practice: 70% of DAX corporate groups use a group-wide reporting office.
What does the European Commission criticize?
In infringement proceedings INFR(2024)0157, the European Commission objected that the German corporate group solution is not directive-compliant. Reasoning: Section 14 allows internal reporting offices to be outsourced from subsidiaries to the corporate group headquarters — but EU Directive 2019/1937 requires one reporting office per legal entity. The dispute is still pending.
How can I implement this in a legally compliant manner?
Hybrid model: central group-wide reporting office (for efficiency) plus a local contact point per subsidiary (for EU compliance). Each subsidiary formally has its own reporting office, which is operationally delegated to the group-wide reporting office. Advantage: EU-compliant and efficient. Disadvantage: higher initial setup costs.
Must all subsidiaries of a corporate group have a reporting office?
Per the EU directive: yes, every legal entity with ≥50 employees. Per Section 14 HinSchG: no, a corporate group solution is permissible. In the hybrid model: each subsidiary formally has a reporting office, while operations are centralized. Until the EU dispute is resolved, the hybrid model is the safest option.
What is the GDPR situation for a group-wide reporting office?
Complex. Cross-group data exchange of report contents requires either a joint controller agreement under Art. 26 OR a data processing agreement (DPA) under Art. 28 between the subsidiaries and the headquarters. For third-country subsidiaries (e.g. a Swiss subsidiary of a German corporate group): SCC or DPF are additionally required.
What does a group-wide reporting office cost?
SaaS platform for a corporate group: EUR 8,000-25,000/year (eclectic, EQS, Whistlebox). External ombudsperson for the group: EUR 15,000-60,000/year. Internal team: from EUR 80,000/year (1 FTE). Compliance-Kit HinSchG Kit: one-time fee of EUR 990 — all templates for group policy plus hybrid model.

Sources

Related Reading