Germany's whistleblower law, the Hinweisgeberschutzgesetz

The Hinweisgeberschutzgesetz (HinSchG) is Germany's whistleblower law. It protects people who report breaches at work from payback. It turns EU Directive 2019/1937 into German law, and on several points it goes further than the directive asks. The law has been in force since 2 July 2023. It tells companies and public bodies to run a safe reporting channel. Below we explain who it covers, what you must prepare, and the fines it carries.

Who must comply with the Hinweisgeberschutzgesetz?

The duty starts at 50 employees. As a rule, every employer with 50 or more staff must set up and run an internal reporting office. Headcount decides, not legal form. The rule binds companies, clubs, foundations, and public bodies alike.

Some employers are covered whatever their size. They include banks, insurers, investment firms, and other players in finance. For them the duty applies from the first employee.

Smaller companies got more time. Employers with 50 to 249 staff had until 17 December 2023 to set up their office. Larger companies were already bound on 2 July 2023, the day the law took effect. Several private employers of that size may also run a joint reporting office and share the work.

How do you set up the internal reporting office?

The internal channel is the first stop. The law wants staff to try it first, as long as the company can fix the breach in-house and no payback is likely. It must be open to your own staff and to agency workers. You can also open it to others who deal with the company through their work.

The reporting office must meet several rules:

• allow reports in writing and by voice, by phone or voice message;
• offer an in-person meeting on request;
• keep the identity of the whistleblower and the people named secret;
• put a qualified person in charge who works on their own and free of conflicts;
• log every report and delete the record three years after the case is closed;
• handle personal data in line with the GDPR.

Anonymous reports are a special case. The office should handle reports that come in without a name. But the law does not force you to build the channel for anonymous use. If you allow it, you earn the trust of your staff and hear about problems sooner.

The process is not the same as the tool. The channel sets the steps. The system behind it must be reliable, store data safely, and limit who can see it. As a whistleblowing system, Wemoral does all of this. You roll it out without building a tool from scratch. If you start from zero, we help with a template for a whistleblowing policy and a guide to setting up the system.

Which breaches can be reported?

The scope is wide on purpose. Germany went beyond the EU baseline. Through the reporting office you can report, among other things:

• all criminal offences, that is, acts that count as a crime;
• offences that carry a fine, where the rule guards life, health, or the rights of staff;
• breaches in many fields: money laundering, product safety, the environment, data protection (GDPR), food safety, public tenders, tax, and competition and antitrust law.

The list keeps growing. Lawmakers have widened the scope since the law took effect. Since late 2025 it also covers breaches of the rules for digital markets and for crypto-assets, among others.

Some areas stay out of scope. The law leaves out anything that touches national security or classified files. It also keeps lawyer and doctor confidentiality, and the secrecy of judges' rulings, fully protected.

Who can be a whistleblower?

Not just the permanent employee. A whistleblower is any person who learns of a breach through their work and reports it. We explain this at length in our post on who a whistleblower is. Under the law that can be:

• the employee, including trainees;
• the civil servant, judges, and members of the armed forces;
• the employee-like person, such as a home worker;
• the person with a disability who works in a sheltered workshop;
• the agency worker, and people on the way into a job, such as applicants.

Protection also covers people who help the whistleblower. It reaches close colleagues and relatives who could face payback because of it.

How is the whistleblower protected?

The heart of the law is protection against payback. Cover starts the moment a report or disclosure is made. There is one condition. At the time of the report, the whistleblower must have had good reason to believe the information was true and covered by the law. Anyone who reports false information on purpose or through gross negligence, by contrast, gets no protection and is liable for the resulting damage.

Ban on retaliation

Payback is banned. A reprisal is any unfair harm at work that follows a report: dismissal, a written warning, a blocked promotion, a transfer, a pay cut, bullying, or a poor review. The ban also covers the threat or the attempt to do any of this.

Reversed burden of proof

The whistleblower does not have to prove the payback. If they suffer harm after a report, the law assumes it was payback. The employer must then prove the step rested on other, fair grounds. Break the ban, and the employer owes the whistleblower damages.

"If a whistleblower suffers a disadvantage in connection with their professional activity and claims to have suffered it as a result of a report or disclosure under this Act, it is presumed that this disadvantage is a reprisal for that report or disclosure."
Section 36(2) of the Hinweisgeberschutzgesetz

Rights you cannot sign away

You cannot contract out of the whistleblower's rights. Any agreement that limits them is void, whether it sits in an employment contract, a confidentiality clause, or a settlement agreement. A clause that forbids reporting will not hold up in court.

Reporting routes

The law gives three ways to report the same breach:

The whistleblower is free to choose internal or external. The law suggests an internal report first, but does not require it. The Federal Office of Justice runs the central external office for the whole country. It too confirms a report within seven days and gives feedback within three months, or within six months for complex cases. Going public is protected only when the office failed to act in time, or there is an urgent danger to the public.

What fines does the law set?

Breaking the law is costly. The amount tracks how serious the breach is. Lawmakers first planned fines of up to €100,000, but the mediation committee cut the ceiling to €50,000.

For a company the ceiling climbs. Section 30 of the Act on Regulatory Offences (OWiG) lets the top fine against a company rise tenfold. €50,000 then becomes up to €500,000, for example when managers block a report or break confidentiality.

Three years past the deadline, the question is no longer whether the law applies. It is whether your reporting channel would survive a check. The Federal Office of Justice hands out the fines, and a missing or token office shows the moment a worker complains on the outside. See where Germany sits next to the rest of Europe in our list of whistleblowing laws by country, and build a reporting office that is more than a box on a checklist.