Austria's whistleblower law, the HinweisgeberInnenschutzgesetz

The HinweisgeberInnenschutzgesetz (HSchG) is Austria's whistleblower law. It shields people who report breaches at work from payback. It brings EU Directive 2019/1937 into Austrian law. The law has been in force since 25 February 2023. It tells companies and public bodies to set up a safe reporting channel. Below we explain who it covers, what you must prepare, and what the fines are.

Key facts

  • It applies to firms and public bodies with 50 or more workers, and to the financial sector whatever its size.
  • You must set up an internal reporting channel and give feedback within 3 months.
  • External reports go to the Federal Bureau of Anti-Corruption (BAK).
  • Acts of retaliation are void, and the burden of proof shifts to the employer.
  • Fines reach up to 20,000 €, and up to 40,000 € on a repeat; the law does not require handling anonymous reports.

Who must comply with the HSchG?

The duty starts at 50 workers. Every firm and every public body with 50 or more workers must let staff report inside the organisation. The headcount decides, not the legal form. It covers limited companies, associations, foundations, and public bodies alike.

The financial sector is covered whatever its size. In finance, the law applies below the 50-person mark. That takes in financial services, financial products, and the fight against money laundering. If the workforce changes with the seasons, you count the average over the past year.

Smaller employers got more time. Firms and public bodies with fewer than 250 workers only had to set up their internal channel from 17 December 2023. Larger employers had to act soon after the law took effect, with a six-month window. Several employers may also share one office, or hire a third party to take the reports, to split the work.

How do you set up the internal reporting channel?

The internal channel is the first port of call. The law wants staff to use it before the external body, as long as the breach can be fixed inside the firm and there is no risk of payback. It must be open to your own workers and to leased staff.

The internal office has to meet several rules:

  • take reports in writing or by voice, by phone or voice message;
  • offer an in-person meeting within 14 days on request;
  • keep the identity of the whistleblower and any named third parties confidential;
  • act fairly and without bias, and handle the case free from instructions;
  • confirm any additions within 7 days and report on the follow-up within 3 months;
  • build the system to meet Article 25 of the GDPR.

Anonymous reports are a special case. Unlike some neighbours, the HSchG does not force the office to handle reports that come in anonymously. Anonymity is kept only where other, more favourable rules demand it. An employer who allows anonymous reports anyway earns the trust of the staff and hears of problems sooner.

The procedure is not the same as the tool. The channel sets out the steps. But the system must be reliable, store data safely, and lock down who can see it. Wemoral, as a whistleblowing system, meets those needs. You roll it out without building a tool from scratch. If you start from zero, we help you with a whistleblowing policy template and a guide to set up the system.

What breaches can be reported?

The scope is wide. Through the internal or the external office you can report breaches in these areas:

  • public procurement, plus financial services and the fight against money laundering and terrorist financing;
  • product safety, transport safety, and food and feed safety, animal and plant health;
  • the environment, radiation and nuclear safety, and public health;
  • consumer protection, the privacy of personal data, and the security of network and information systems;
  • corruption offences under sections 302 to 309 of the Criminal Code, plus breaches that harm the EU's money or the single market.

The law leaves some things out. It does not touch the secrecy duties of health workers, or the privilege of lawyers and notaries. It also skips classified security tenders, criminal cases once a formal suspicion exists, and the seal of confession.

Who can be a whistleblower?

Not just the worker on the payroll. A whistleblower is anyone who learns of a breach through their work and reports it. We explain it in full in our piece on who is a whistleblower. Under the law, it can be:

  • the employee or salaried worker of the organisation;
  • the leased worker, and job candidates applying for a post;
  • the intern, the volunteer, and other trainees;
  • the self-employed person, and people who work for contractors and suppliers;
  • the former worker, even after the job has ended.

Protection also reaches people in the whistleblower's circle, such as colleagues and relatives, who could face payback because of it.

How is the whistleblower protected?

The heart of the law is protection from retaliation. It starts with a justified report. There is one condition. At the time of the report, the whistleblower must have had good reason to believe the facts were true and that the law covered them.

Acts of retaliation are void

The list of reprisals is open-ended. It covers suspension and dismissal, a fixed-term contract left unrenewed, demotion, and a blocked promotion. It also covers a change to your workplace, pay, or hours, denied training, a bad review, discipline, and the loss of a licence. On top of that come coercion, mobbing, harm to your name, and blacklisting. Whoever is behind such a step must put things right, repay the financial loss, and pay damages for the personal harm.

The burden of proof shifts

The whistleblower does not have to prove the payback. They only need to make it credible that the step followed from their report. It is then up to the employer to make a different, decisive motive credible. If they cannot, the step counts as retaliation.

"Measures taken in retaliation for a justified report are legally void."
Section 20(1) of the HinweisgeberInnenschutzgesetz

Reporting routes

The law sets out three routes to report the same breach:

Route | To whom | When
Internal channel | To the reporting office of your own organisation | Preferred route when the breach can be solved inside
External channel | To the Federal Bureau of Anti-Corruption (BAK) | Free to choose, even without an internal report first
Public disclosure | To the public, for example the media | Only under the narrow conditions of Section 14 of the law

The whistleblower may choose between internal and external. The law suggests an internal report first, but does not demand it. Austria named its existing anti-corruption authority, the BAK, as the one external office. Going public is only safe when the offices fail to act in time, or when there is an immediate danger to the public.

What penalties does the law set?

A breach is an administrative offence. The district authority sets the fine, unless another rule sets a higher one. Unlike several neighbours, the range stays fairly low, and it falls on the person who acted.

Conduct | Maximum fine | On a repeat
Blocking a whistleblower or hounding them with pointless lawsuits | Up to 20,000 € | Up to 40,000 €
Taking an act of retaliation under Section 20 | Up to 20,000 € | Up to 40,000 €
Breaching confidentiality under Sections 7 or 17 | Up to 20,000 € | Up to 40,000 €
Knowingly filing a false report | Up to 20,000 € | Up to 40,000 €

The range is lower than next door. Where Spain threatens firms with up to a million euros, Austria keeps a modest fine on the person at fault. That does not soften the duty. A missing or sham reporting office shows up the moment a worker turns to the BAK.

Austria took its own path. Rather than build a new authority, it gave oversight to its existing anti-corruption bureau. It left anonymity optional. It even made a point with the gender-inclusive name HinweisgeberInnenschutzgesetz in the title. A review for 2026 is already written into the law. See how Austria fits into the rest of Europe in our list of whistleblowing laws by country, and set up a reporting office before the first report arrives.

Updated at
Damian Sawicki

Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.
