With the entry into force of the German Whistleblower Protection Act (HinSchG) in July 2023, the landscape for handling whistleblower reports in companies and public institutions has fundamentally changed. In response to the EU Whistleblower Directive, the law now requires companies to provide internal reporting channels that not only comply with legal requirements but also strengthen the trust of their employees.
Starting in December 2023, this will also apply to SMEs—we have also created an infographic on this topic.
Whereas previously only larger companies were required to comply, the Whistleblower Protection Act now requires all organizations with 50 or more employees to implement a whistleblowing system. These channels are designed to enable whistleblowers to report misconduct both in writing and verbally—whether through digital platforms, telephone hotlines, or, upon request, even through in-person meetings. One principle is central to this: the protection of whistleblowers. Their identity must remain strictly confidential throughout the entire process, and technical and organizational measures are designed to ensure that no one gains unauthorized access to sensitive data.
But the law goes beyond simply providing channels: Companies are now required to acknowledge receipt of a report within seven days and provide a response within three months that documents not only the handling of the report but also the measures taken. The goal is not only efficiency but also transparency—an indispensable foundation for securing the trust of whistleblowers.
Employee trust in internal reporting systems is the linchpin for their use. No one will be willing to report wrongdoing if they fear retaliation. That is why the Whistleblower Protection Act requires not only legal consequences for retaliatory measures but also a culture of trust and openness within companies.
Whistleblowers should be able to rely on remaining anonymous—if they so desire. At the same time, it must be ensured that their reports are not ignored or treated with bias. Independent handling of reports, whether by internal compliance departments or external ombudspersons, further strengthens this trust. In this way, the internal reporting channel becomes the first point of contact rather than the last resort before taking the step of going public.
However, the requirements for whistleblowing systems go beyond legal mandates. Technical solutions must equally ensure security, user-friendliness, and traceability. An efficient system is more than just a platform for data collection—it becomes an integral part of the corporate structure.
Incoming reports should be easy to capture and manage clearly. Intuitive user interfaces lower the barrier to entry for both whistleblowers and case handlers. Audit trail integrity is equally important: every change to a report must be fully documented to prevent manipulation or misuse. Modern encryption technologies also ensure that sensitive information is protected from unauthorized access.
An internal reporting system should capture reports clearly and anonymously, enable simple management, and fully document compliance with deadlines and actions taken. Technical measures must ensure audit trail integrity, while user-friendly forms and an intuitive interface make it easier for both whistleblowers and case handlers to use the system.
These very factors were the focus during the development of our whistleblowing module. The module is based on four core principles: security, transparency, audit compliance, and user-friendliness.
Although the whistleblower’s anonymity is not explicitly required by the whistleblower policy, it is the most important factor in encouraging employees to come forward. We have therefore implemented numerous technical measures to ensure anonymity. For example, all metadata is proactively removed from reports so that no personal data of the whistleblower is processed.
In addition to the system’s inherent prevention of personal identification, our secure transmission protocol prevents the unintended publication of reports and unauthorized access by third parties. The module also features a flexible rights and roles concept, which prevents unauthorized access from within the organization. Thanks to effective provider shielding, even we cannot view or edit the reports or the whistleblower’s data.
Submitting a report regarding internal corporate misconduct through an internal whistleblowing channel requires courage and determination. Trust in the whistleblowing platform is therefore essential. For this reason, our module allows the whistleblower to access their report at any time, review the content, and add to it without altering the original report. Additions to the original report are listed as separate entries.
Furthermore, the whistleblower can view the status of their report at any time and—if necessary—communicate anonymously with the case handler. Our two-way communication system ensures the whistleblower’s permanent anonymity.
Transparent reports can be generated regarding received reports and their processing, which can be objectively verified by anyone through the audit-proof stamp of our notarization solution. The data is encrypted and notarized in an unreadable format.
For whistleblowing systems to be actually used, usability must be right for both companies and whistleblowers. In this context, our module stands out in particular for its intuitive and consistent menu navigation, well-designed features such as the anonymous two-way communication system, the customizability of menus and forms, and the built-in translation function.
Are you curious and would like to learn more about our
whistleblowing module?