Ombudspersons for whistleblowing and compliance in Germany – internal reporting channel under the HinSchG

The core of a professional compliance system

Due to different legal requirements and at the same time a growing awareness of the practical necessities, companies are increasingly devoting more attention to the topic of compliance. Part of this attention is particularly directed at fighting corruption and other business criminal acts through professional preventative measures. Therefore, the appointment of external ombudspersons as recommended by Transparency International and other independent experts is of the utmost importance.

Ombudsman Dr. Rainer Buchert and ombudswoman Dr. Caroline Jacob are fighting corruption and other business criminal acts in about 70 corporations and medium-sized enterprises from various sectors.

Confidential point of contact for reporting persons (whistleblowers)

An essential aspect of the ombudsman system is that informants can approach the ombudsperson confidentially. A lawyer’s obligation to maintain secrecy, the right to refuse to give evidence and supplementary contractual obligations combine to guarantee that the identity of the informant is protected and his name will not be disclosed. It is only with the informant’s explicit agreement that information can be divulged to the company’s investigative bodies. Protection begins with and includes the first contact with the ombudsperson. The informant incurs no costs.

Submit a report

Initial information for informants

FAQ for informants

Introduction to the German Whistleblower Protection Act (HinSchG)

The German Whistleblower Protection Act (HinSchG) implements the EU Whistleblowing Directive into German law and, for the first time, establishes statutory protection for whistleblowers (albeit with limitations). The purpose of the HinSchG is to protect reporting persons from negative consequences when they report violations within companies or public authorities (Section 1 HinSchG). Ultimately, this is also intended to protect the German economy from attacks and harm.

The Act has been in force since mid-2023 and, for the first time, expressly obliges companies to establish internal reporting channels (Section 12 HinSchG), to receive reports, to operate reporting channels and to initiate follow-up measures in response to reports of suspected misconduct.

Legal basis and purpose of the Whistleblower Protection Act (Section 1 HinSchG)

Under Section 1(1) HinSchG, the aim is to protect persons who obtain knowledge of violations in a professional context or even prior to commencing a professional activity. This is intended to ensure that misconduct is identified early and remedied.

Protected reporting persons include all individuals who, in connection with their professional activity or in preparation for such activity, have obtained information about violations and report this information to the reporting channels designated under the Act.

Material scope of the Whistleblower Protection Act (Section 2 HinSchG)

The Act applies only to criminal offences and administrative offences, as well as to certain other legal violations of federal and state laws and (directly applicable) EU legal acts.

Areas covered under EU law include, among others (Section 2(1) nos. 3–9 HinSchG):

• Money laundering and terrorist financing
• Product safety and consumer protection
• Environmental protection and radiation protection
• Data protection (GDPR)
• Food safety

National provisions (Section 2(1) nos. 1, 2 and 10 HinSchG) include:

• Violations relevant under criminal law (Section 2(1) no. 1 HinSchG)
• Administrative offences subject to fines protecting life, health or employees’ rights (Section 2(1) no. 2 HinSchG), e.g. violations of minimum wage rules (Section 20 MiLoG – Minimum Wage Act), working time rules (ArbZG – Working Time Act) or the law on temporary agency work (Section 16(1) AÜG – Temporary Employment Act).

Purely internal compliance breaches without a connection to these legal areas do not fall within the scope of protection under the HinSchG (Section 2 HinSchG).

Practical tip

Potential reporting persons can rarely assess with certainty whether their report falls within the protective scope of the HinSchG. This need for guidance must be addressed appropriately. Attorney ombudspersons, in particular, can provide such advice.

Establishing internal reporting channels (Sections 12 and 14 HinSchG)

Companies with at least 50 employees are required to establish internal reporting channels (Section 12(2) HinSchG). Companies in the financial sector are subject to this obligation regardless of the number of employees (Section 12(3) HinSchG).

The internal reporting channel may either be operated internally or outsourced to third parties (Section 14(1) HinSchG). In larger companies and corporate groups, this may take the form of central reporting channels or external third parties – in particular qualified attorneys, i.e. ombudswomen or ombudsmen. These ombudspersons are treated as an internal whistleblowing system, i.e. an internal reporting channel under the HinSchG. In principle, the Act also permits other persons.

However, any third party must meet the statutory requirements and provide reporting persons with full protection. It is important that the third party acts independently and can ensure anonymity in order to strengthen trust in the system. In addition, the HinSchG requires that the persons working in a reporting channel:

• are independent in the performance of their duties, and
• have the necessary expertise.

Practical tip

Companies must decide whether to build an internal reporting channel with their own qualified personnel or to appoint attorneys for this task. In particular, Certified Specialist Lawyers for Criminal Law with relevant professional experience are suitable. Due to attorneys’ professional duty of confidentiality, they can protect the identity of reporting persons in an optimal manner.

Procedure and deadlines for internal reports (Sections 16 and 17 HinSchG)

Internal reporting channels must meet at least the following minimum requirements:

• Acknowledgement of receipt within 7 days (Section 17(1) no. 1 HinSchG).
• Review of the merits/plausibility and, if necessary, initiation of follow-up measures (Section 17(1) no. 2 HinSchG).
• Feedback to the reporting person within three months of the acknowledgement (Section 17(2) HinSchG).

Reports must be clearly documented (Section 11 HinSchG) and may not contain audio recordings without the reporting person’s consent (Section 11(2) HinSchG).

External state reporting channels (Sections 19–29 HinSchG)

Alternatively, reporting persons may contact external state reporting channels (Section 7(1) HinSchG). There is no obligation to choose the internal route first.

The central external reporting channel is the Federal Office of Justice (Bundesamt für Justiz) (Section 19 HinSchG). In addition, there are other specific reporting channels (e.g. the Federal Financial Supervisory Authority (BaFin) pursuant to Section 21 HinSchG, or the Federal Cartel Office (Bundeskartellamt) pursuant to Section 22 HinSchG). External reporting channels are also subject to strict confidentiality and feedback obligations (Sections 27 and 28 HinSchG).

Public disclosure (Section 32 HinSchG)

The HinSchG regulates separately the situation in which reporting persons go public:

So-called “public disclosure” (for example information provided to the media or via social media channels) is permissible only in exceptional cases (Section 32(1) HinSchG), namely only if:

• no appropriate follow-up measures are taken in response to an external report, or
• there is an immediate danger of irreversible damage to the public interest, or
• retaliation is threatened, or there is reason to suspect that the external body will remain inactive.

Because reporting persons usually cannot assess whether these narrowly defined exceptions apply, this is a high-risk area. Anyone considering going directly to the public should obtain legal advice beforehand. Otherwise, sanctions and substantial damages claims may be a possibility.

Confidentiality and data protection (Sections 8 and 9 HinSchG)

The Act requires that the confidentiality of the identity of reporting persons, accused persons and third parties be maintained (Section 8(1) HinSchG).

Reporting persons often feel a false sense of security regarding the protection of their identity, because there are a number of exceptions to confidentiality (Section 9 HinSchG), for example:

• in cases of intentionally or grossly negligent false reports (Section 9(1) HinSchG);
• where law enforcement authorities require disclosure of the identity (Section 9(2) HinSchG).

The interface with data protection remains particularly critical: GDPR access requests (Art. 15 GDPR) can undermine confidentiality. Put plainly: if a person accused of misconduct asserts an access right under the GDPR, the company may have to disclose the reporting person unless it can rely on an exception.

Protection against retaliation (Sections 33–37 HinSchG)

The core element of the Act is the prohibition of retaliation (Section 36 HinSchG). Any work-related disadvantage (termination, transfer, demotion, negative performance assessment) following a report is initially treated as retaliation. Employers must then prove that the disadvantage is not connected to the report (reversal of the burden of proof under Section 36(2) HinSchG).

Employers should consider in particular:

• documenting all employment-related measures to support evidence in the event of a dispute;
• updating employment contract clauses (confidentiality obligations must not restrict rights under the HinSchG, Section 39 HinSchG).

Reporting persons are entitled to compensation for disadvantages suffered (Section 37 HinSchG), whereas liability for damages may arise in cases of grossly negligent or intentional false reports (Section 38 HinSchG).

Retention and deletion of reports (Section 11(5) HinSchG)

Documentation must be retained for at least three years and must then, as a rule, be deleted. Longer retention is permissible in order to fulfil protective duties and to address the reversal of the burden of proof.

Sanctions for breaches (Section 40 HinSchG)

Breaches of the HinSchG (e.g. failure to establish a reporting channel, obstruction of reporting, breach of confidentiality) may be sanctioned with significant administrative fines (Section 40 HinSchG).

Practical tip

The HinSchG contains a number of pitfalls and can create risks both for those responsible within organisations and for reporting persons.

When implementing the statutory requirements, small and medium-sized organisations should seek advice.

Reporting persons are well advised to contact attorney ombudspersons who protect their identity through attorneys’ professional duty of confidentiality.

Advising compliance officers in connection with internal reporting channels

Operate your whistleblowing system safely – with training and day-to-day support from professionals

Advising internal reporting channels

Buchert Jacob Peter Attorneys-at-Law strengthens your internal reporting channel: we train your responsible persons, establish clear processes compliant with the HinSchG and GDPR, and provide fast, reliable answers for day-to-day operations. We enable your team to receive confidential reports securely, assess them, and document them properly.

Why us? 20+ years of ombudsperson experience from real cases / 24+ years of criminal defence practice

For more than two decades, we have acted as ombudspersons / trusted lawyers alongside organisations – always solution-oriented. We have received reports in the four-digit range.

We have extensive experience handling sensitive reports: conducting secure and appropriate conversations with reporting persons, consistently protecting identities, and managing critical constellations with confidence.

As Certified Specialist Lawyers for Criminal Law and as a former Chief of Police, we also bring deep expertise to matters with potential criminal-law relevance.

This makes the difference in the daily work of your internal reporting channel.

For more than 20 years, we have supported well-known corporate groups and medium-sized companies – from training internal reporting channels and answering complex individual questions to optimising compliance structures and reviewing existing compliance management systems (CMS). We translate this experience into concrete, clear guidance for your day-to-day operations so that your reporting channel works safely, quickly and practically. You will be supported exclusively by the firm’s partners.

What we do for your internal reporting channel

Training that truly works

• Roles and independence of the reporting channel; clear responsibilities
• Confidentiality and identity protection (HinSchG) – secure and workable in practice
• Deadlines and process reliability: acknowledgement of receipt (≤ 7 days), feedback (≤ 3 months)
• Documentation and deletion – evidentially robust and GDPR-compliant
• Conducting conversations and drafting texts: guides, wording, do’s and don’ts
• Case practice: role plays (phone/portal/e-mail), decision trees, checklists

Ongoing support and fast answers

• Office hours / Q&A: short-notice support for individual cases
• Review service: have responses and letters checked before sending
• Quality input: sampling, KPI suggestions, lessons learned for your process

Templates and tools that make everyday work easier

Guidance for tool-independent implementation (by phone, digitally, in person)

Typical questions we clarify

• Does the report fall within the material and/or personal scope of application? (and what to do if it does not)
• How can confidentiality be maintained when multiple internal functions are involved?
• Anonymous reports: permissible, advisable, how to implement?
• GDPR tension: what information may/must we provide, and when?
• Sensitive cases: senior manager involved, multiple reports, self-involvement
• Communication: how do we phrase it properly – transparent, legally sound, de-escalating?
• Feedback: how do we formulate the feedback to the reporting person after the review is completed? What must we disclose, and what may we disclose?

Your benefit in three words: safe, fast, practical

Practical: less theory, more craft. What do we do now – step by step.

Safe: compliant with the HinSchG and GDPR – with robust templates.

Fast: short response times, clear assessments, immediately applicable.

• Safe: compliant with the HinSchG and GDPR – with robust templates.
• Fast: short response times, clear assessments, immediately applicable.
• Practical: less theory, more craft. What do we do now – step by step.

Who is this service for?

• Organisations that want to set up or professionalise a new internal reporting channel
• Organisations that need professional support or guidance when handling specific reports
• HR/Compliance/Legal teams that need certainty in cases and wording
• Organisations that want to increase acceptance of and trust in the whistleblowing system

Next step

In a personal conversation, we will clarify where your team stands and how we can support you in a targeted manner: training, ongoing support, or both – flexibly combinable.

Contact

E-mail: kanzlei@dr-buchert.de
Telephone: 069 710 33 330

Important: our goal is to strengthen your internal reporting channel – sustainably, trustworthily and in a legally robust manner.

FAQ – Training and support for whistleblowing systems

What is the objective of your service for whistleblowing systems?

We strengthen the internal reporting channel through training, clear processes compliant with the HinSchG and GDPR, and fast, reliable day-to-day support so that reports can be received securely, assessed and documented properly.

What experience do you bring to operating a reporting channel?

We have worked alongside organisations as ombudspersons / trusted lawyers for more than two decades and have received reports in the four-digit range. In addition, we bring 24+ years of criminal-law expertise from practice, including Certified Specialist Lawyer competence and experience as a former Chief of Police.

Who will support our organisation in practice?

You will be supported exclusively by the firm’s partners.

Which topics do the trainings cover?

The trainings cover the role and independence of the reporting channel, clear responsibilities, confidentiality and identity protection (HinSchG), deadlines and process reliability (acknowledgement of receipt ≤ 7 days; feedback ≤ 3 months), GDPR-compliant documentation and deletion, as well as conversation management and drafting work with guides, wording, and do’s and don’ts.

Is your approach practice-oriented or more theoretical?

The focus is explicitly on case practice, including role plays (phone/portal/e-mail), decision trees and checklists.

Do you also provide ongoing support in individual cases?

Yes. We provide short-notice support via office hours / Q&A and fast assessments for specific case constellations.

Can you review letters and responses before we send them?

Yes. Through our review service, responses and letters can be checked prior to dispatch.

Do you offer quality control for our process?

Yes. We provide quality input, including sampling, KPI suggestions and lessons learned for your workflow.

Which templates and materials do we receive for everyday use?

We provide a policy and intranet FAQ, text modules (receipt, feedback, closure), process posters and checklists, as well as guidance for tool-independent implementation (by phone, digitally, in person).

Which typical practical questions do you clarify with us?

We clarify, among other things, the material/personal scope of application (and what to do if a matter is outside scope), confidentiality when multiple internal functions are involved, anonymous reports (permissible/useful/implementation), the GDPR tension, sensitive cases (senior manager involved, multiple reports, self-involvement), as well as legally robust and de-escalating communication including feedback after the review is completed.

Who is this service particularly suitable for?

It is suitable for organisations setting up or professionalising an internal reporting channel, organisations needing professional guidance in individual cases, HR/Compliance/Legal teams requiring certainty in cases and wording, as well as organisations aiming to increase acceptance and trust in the whistleblowing system.

How do we best get started?

In a personal conversation, we clarify where your team stands and whether training, ongoing support or a combination is the most sensible option.

Buchert Jacob Peter Attorneys-at-Law – Partnerschaftsgesellschaft mbB

E-mail: kanzlei@dr-buchert.de
Telephone: 069 710 33 330

Would you like to submit a report?

Please use our encrypted contact form.

Whistleblower protection in Frankfurt

Buchert Jacob Peter – attorney ombudspersons since 2000. Confidential, HinSchG-compliant, anonymous reporting possible, 25+ years of experience.

Whistleblower protection (reporting persons) – ombudspersons in Frankfurt am Main

Buchert Jacob Peter Attorneys-at-Law | confidential, legally robust, experienced since 2000

Why whistleblower protection matters – protecting reporting persons from retaliation

An effective whistleblowing system works only if reporting persons can submit a report without fear of personal, professional or financial disadvantages. The German Whistleblower Protection Act (HinSchG) provides central protection mechanisms for this purpose:

Confidentiality of identity, a prohibition of retaliation, compensation claims in the event of disadvantages, and clear deadlines for acknowledgement of receipt and feedback. In practice, this means: a lower threshold to report, higher willingness to report, better clarification of facts – and therefore active protection of people and organisations.

The history of whistleblowing – from taboo to compliance standard

Whistleblowing has undergone a long and eventful development: from morally stigmatised “disloyalty” to a recognised instrument of modern compliance and the rule of law.

Early roots (19th century)

• In 1809, Sweden introduced the ombudsman as a parliamentary oversight body – not whistleblowing in today’s sense, but an important precursor of independent supervision.
• In the USA, the False Claims Act (“Lincoln Law”) was enacted in 1863 with qui tam provisions protecting and financially incentivising reporting persons in cases of fraud against the state – an early whistleblower protection system.

Turning points of the 1970s

• Pentagon Papers (1971): Daniel Ellsberg published classified government documents – sparking a global debate about “public disclosure” versus state secrecy.
• Watergate (1972/74): information from an insider (“Deep Throat”) led to the resignation of a US President – whistleblowing became synonymous with accountability.

Professionalisation in companies (1990s–2000s)

• UK Public Interest Disclosure Act (1998): Europe’s first comprehensive whistleblower protection law.
• Enron (2001), WorldCom (2002): major scandals demonstrated the importance of internal reporting systems and independent review functions.
• Germany (from 2000): Deutsche Bahn AG, as the first major company, appointed two ombudspersons and established an early compliance system – a pioneering step in the internal fight against corruption and white-collar crime. Dr. Rainer Buchert (now Buchert Jacob Peter) was one of the first two ombudspersons in Germany.
• Siemens (2007) and further cases accelerated the expansion of internal corporate whistleblowing systems.

Legal frameworks and cultural change (2010s–today)

• Dodd-Frank Act (USA, 2010): strengthened financial-market whistleblower programmes (including the SEC).
• High-profile disclosures such as Snowden (2013), LuxLeaks (2014), Panama Papers (2016) made whistleblowing globally visible; protection needs and procedures moved into focus.
• EU Directive 2019/1937: harmonised minimum standards for whistleblower protection in Europe.
• Germany: HinSchG (2023) requires companies above a certain size to establish an internal reporting channel.
• Supply chain due diligence (from 2023 onwards): complaints procedures for human-rights and environmental risks became embedded; reporting channels are now a fixed component of responsible corporate governance.

Today, whistleblowing is best practice – technically, legally and culturally. Attorney ombudspersons have proven particularly effective as confidential, independent points of contact for reporting persons. At Buchert Jacob Peter Attorneys-at-Law, this role is combined with decades of pioneering and practical experience: acting as ombudspersons since 2000 and today serving more than 70 organisations across industries. Reporting persons can choose whether they wish to approach an ombudswoman or an ombudsman. We also provide personal, confidential guidance in one-to-one conversations.

Ombudspersons: the safest point of contact for whistleblowers

Ombudspersons are external, independent points of contact. We receive reports concerning suspected criminal offences, serious irregularities, misconduct, administrative offences and other relevant compliance breaches in strict confidence, review them for plausibility, substantiate the facts and report to the responsible compliance function within the organisation only with the reporting person’s consent. If the reporting person wishes, the report can be forwarded without naming the reporting person. We advise reporting persons confidentially in personal conversations.

Our attorney status provides maximum protection for reporting persons

• Legal professional privilege (duty of confidentiality and right to refuse to give evidence) – protection from the first contact. We may not report without the reporting person’s explicit consent.
• No disclosure obligations comparable to those that in-house reporting channels may be subject to in certain constellations.
• Identity-protecting reports: details that could allow conclusions about the reporting person are passed on only with the reporting person’s consent.
• No costs for reporting persons.

Internal report, external report, public disclosure

• Internal report (to the ombudsperson / internal reporting channel): confidential and identity-protecting. The ombudsperson conducts personal consultations upon request and provides guidance. Reporting persons are free to choose whether they prefer the ombudswoman or the ombudsman.
• External report (competent authority): reporting to a public authority is available as an alternative.
• Public disclosure (e.g. to the media): disclosure to the public is legally permissible only in narrowly defined exceptional cases; otherwise, protection against disadvantages may be lost.

Who is protected?

Protected persons include those who have obtained information about violations in a professional context (or in preparation for such a context) and who report properly – i.e. to internal or external reporting channels under the HinSchG, or, in exceptional cases, via public disclosure. The protected group includes, among others, employees, applicants, interns, corporate officers, freelancers, suppliers and other persons connected professionally to the organisation.

Anonymous reports

We handle anonymous and identified reports equally – with structured clarification of facts and protection of everyone involved.

Deadlines, documentation and data protection – legally robust in detail

• Acknowledgement of receipt: within 7 days
• Feedback: no later than 3 months
• Documentation
• Data protection: confidentiality under the HinSchG, with simultaneous compliance with the GDPR

Double trust: ombudswoman and ombudsman – your free choice

Trust is strengthened by freedom of choice: reporting persons can approach ombudswoman Dr. Caroline Jacob (Certified Specialist Lawyer for Criminal Law) or ombudsman Dr. Rainer Buchert. Especially in sensitive situations (e.g. sexual misconduct, discrimination, bullying), this can lower the threshold to report and allows reporting persons to speak with the ombudsperson of their choice.

Organisations use this diversity either as a single mandate or as a tandem solution (both ombudspersons, with clear case allocation and mutual cover).

How a report works

• Confidential initial report (by telephone, in person, in writing, or via a confidential SSL-secured contact form; anonymous upon request).
• Acknowledgement of receipt within the HinSchG deadline.
• Plausibility review of the report.
• Identity-protecting report to the organisation – only with the reporting person’s consent.
• Follow-up and feedback to reporting persons within the statutory time frame.

Why Buchert Jacob Peter Attorneys-at-Law?

• Pioneer since 2000 (Deutsche Bahn AG; Dr. Rainer Buchert as one of the first ombudspersons in Germany).
• 25+ years of ombuds practice, 70+ ongoing mandates, cross-industry.
• Attorney-level protection standard instead of a pure “hotline” or “form” solution.
• Reliable availability – also outside normal office hours.
• Clear governance and training: processes, templates, awareness, KPI reporting.

FAQ – Whistleblower protection

Who qualifies as a whistleblower / reporting person?

Any person who, in a professional context (or prior to it), obtains information about violations and properly reports it to internal or external reporting channels – for example employees, applicants, interns, corporate officers or suppliers.

How is my identity protected?

Through attorneys’ professional duty of confidentiality, the right to refuse to give evidence, and identity-protecting reports. Information is passed on only after your explicit approval. Identifying details may be transmitted only with your consent.

Can I report anonymously?

Yes, we enable anonymous reports.

Which deadlines apply to feedback?

Acknowledgement of receipt within 7 days and feedback no later than 3 months – on the status and measures taken, insofar as legally permissible.

Which forms of retaliation are prohibited?

Any work-related disadvantages connected to a report, such as termination, transfer, salary reduction, bullying or negative evaluations.

May I go directly to authorities or the media?

External reporting to authorities is available as an option. Public disclosure is legally permissible only in narrowly defined exceptional cases. We provide individual, confidential advice on this.

Do I need evidence?

No. A well-founded initial suspicion is sufficient. We help you structure and present information in a legally robust manner.

Will I incur any costs?

No. The mandated organisation bears the costs. Contact is free of charge for reporting persons.

What distinguishes ombudspersons from in-house contacts within internal reporting channels?

Ombudspersons are external attorneys, objective and independent – with a higher protection standard (legal professional privilege: duty of confidentiality and right to refuse to give evidence) and a lower threshold to report.