The Whistleblower Protection Act and the resulting liability risks

In recent years, the protection of whistleblowers, i.e. individuals who report corporate wrongdoing, has become increasingly important. In Germany, the Whistleblower Protection Act (“Hinweisgeberschutzgesetz” or “HinSchG”), which requires companies to establish mechanisms to protect whistleblowers, came into force on 2 July. The Whistleblower Protection Act aims to protect whistleblowers from potential reprisals and to facilitate the reporting of wrongdoing in companies. To achieve this, companies above a certain size are required to establish internal reporting channels and ensure that whistleblowers can remain anonymous. This raises questions about the liability of companies and, in particular, whistleblowers in this context.

Duty to establish internal reporting channels

As of 2 July 2023, companies with 250 or more employees are required to establish an internal reporting channel. Companies with 50-249 employees, however, will not be subject to this obligation until 17 December 2023 due to a transitional provision in Section 42 (1) HinSchG. Certain industries, such as financial services companies, must establish internal reporting channels regardless of the number of employees.

If the internal reporting channels are not established by the companies concerned within the specified period, fines of up to EUR 20,000 may be imposed from 1 December 2023.

Personal scope

The scope of protection under the Whistleblower Protection Act is broad and covers all natural persons who, in connection with their professional activities, obtain information about violations and report them (whistleblowers). This includes:

  • Employees, including former employees, job applicants, trainees, temporary workers
  • Self-employed individuals providing services, freelancers, contractors, subcontractors, suppliers and their employees
  • Shareholders and directors

In addition, protection extends to people who support the whistleblower and those who do not make the report themselves but are the subject of or otherwise affected by the report.

Material scope

Not every report of a violation of law falls within the scope of the Whistleblower Protection Act. However, the scope of protection under Section 2 HinSchG is extensive.

The material scope includes reports and disclosures of information about offences that are punishable under criminal law. Administrative offences, on the other hand, are reportable only in certain cases, namely when the provision violated serves to protect the life, body, health or rights of employees or their representative bodies. This includes occupational health and safety regulations and laws such as the Minimum Wage Act.

It also covers all violations of federal and state regulations implementing certain European directives, as well as violations of directly applicable EU legislation in various areas, such as environmental protection, money laundering or product safety.

Legal consequences for violations of the Whistleblower Protection Act

Violations of the essential requirements of the Whistleblower Protection Act are considered administrative offences under Section 40 HinSchG. Accordingly, the following constitute administrative offences:

  • Knowingly providing false information
  • Obstructing a report
  • Failing to ensure the establishment and operation of an internal reporting channel
  • Taking reprisals
  • Failing to maintain confidentiality

An attempt to commit the above administrative offence may also be punished.


The range of fines for company managers for preventing reports, taking reprisals or breaching confidentiality is up to EUR 50,000. However, due to the reference to Section 30 (2) sentence 3 of the Administrative Offences Act, the range of fines for companies is multiplied by ten, so that fines of up to EUR 500,000 are possible in these cases.

Compensation for breach of the prohibition on retaliation

In addition to the aforementioned fine, companies face civil claims from the whistleblower for violating the prohibition of reprisals. Under Section 37 (1) HinSchG, the party responsible for the reprisal is obliged to compensate the whistleblower for the resulting damage. However, non-material damages (e.g. pain and suffering) are not compensable.

In order to ensure effective protection for the whistleblower, Section 36 (2) HinSchG provides for a reversal of the burden of proof in favour of the whistleblower. Accordingly, the employer must prove that there is no connection between the reprisal, such as the dismissal of an employee, and a previous report made by the employee.

Liability of executives and employed internal reporting officers

In principle, executive bodies – such as directors and board members – are liable to the company for damages caused by their negligent conduct with unlimited liability and to the full extent of their private assets. The standard of liability is that of an ordinary and conscientious businessperson, i.e. even slight negligence is sufficient to be considered a breach of duty. In addition, directors are jointly and severally liable for the faults of all the members of the bodies to which they belong.

Therefore, if a company is fined or ordered to pay damages under the Whistleblower Protection Act for violating the prohibition of retaliation, the executive body may be held liable by the company.

The question of whether a company’s fines can be recovered from the executive bodies is controversial. Some have denied such recourse, citing the intended deterrent effect of corporate fines. However, the discussion on this issue has gained momentum with the decision of the Regional Court of Dortmund of 21 June 2023 – Case No. 8 O 5/22 – in which recourse is expressly affirmed. A detailed summary of the legal situation can be found in the blog post by Finlex colleagues Beata Drenker and Marcel Straub.

Recourse to the internal reporting officer, on the other hand, is more difficult, at least if the company has decided to assign the tasks of the internal reporting channel to an internal employee rather than to an external service provider. If the internal reporting officer is an employee of the company, his or her liability to the employer is limited under the principles of internal damage compensation. The limitation of liability depends on the degree of negligence of the employee. In cases of slight negligence, the employee’s liability is excluded. In cases of moderate negligence, the employee and the employer share liability proportionately. If the employee has acted with gross negligence or intent, there is no limitation of liability.


There is no statutory limit on the amount of liability. However, various courts tend to limit the employee’s share of liability, e.g. to half to a full month’s salary in cases of slight negligence, and to three months’ salary in cases of gross negligence.

Insurability of liability risks arising from the Whistleblower Protection Act

Directors’ and officers’ liability insurance (D&O insurance) covers the liability risks of directors and officers. D&O insurance is a special form of liability insurance designed to protect directors and officers against personal liability arising from their business decisions and actions. The insured event occurs when an insured person is first held liable in writing for damages due to a breach of duty committed in the course of their activities for insured companies during the policy period or within the retroactive period.

For example, if a company holds an executive liable for a breach of duty in connection with a violation of the Whistleblower Protection Act, an insured event exists. With respect to the coverage provided by the insurance policy, a distinction must be made between defence costs – the costs of defending the claim – and indemnification up to the amount of the fine.

The prevailing view is that defence costs are insurable. Strong coverage concepts explicitly include the recourse of corporate fines in the insurance coverage.

The extent to which the indemnification of the corporate body in the amount of the fine is also insured depends on whether there is a legal prohibition on insuring fines. Due to the lack of legislation and Supreme Court jurisprudence, there is uncertainty in this regard. However, according to the prevailing legal opinion, a fine imposed in Germany is currently not insurable because insurance coverage would defeat the statutory preventive purpose.

Indemnification for individual fines imposed directly on the directors and officers is generally not possible.

The scope of D&O insurance has been expanded in recent years. It is common practice to include in the policy employees designated by compliance or required by law or industry standards as special agents. Due to the obligation to establish an internal reporting channel in Section 12 of the Whistleblower Protection Act (HinSchG), the employed internal reporting officer is included in the group of insured persons under this provision. Insurance cover for the employed internal reporting officer is therefore provided in accordance with the above, taking into account the employee’s liability privilege. It should be noted that damages that cannot be claimed against the employed internal reporting officer under the internal damage compensation may be reimbursed under a possible self-insured retention clause.


In summary, the Whistleblower Protection Act (HinSchG), which came into force in Germany on 2 July, represents a significant step towards strengthening whistleblower protection. The law requires companies above a certain size to establish internal reporting channels to protect whistleblowers from reprisals and facilitate the reporting of misconduct.

The obligation to establish internal reporting channels creates liability risks for companies and, in particular, for whistleblowers. Companies that fail to comply with this obligation within the prescribed timeframe may be subject to fines. The law applies to a wide range of individuals who become aware of violations in the course of their work and provides for the protection of individuals who assist whistleblowers.


There are various legal consequences for violations of the Whistleblower Protection Act, including fines and claims for damages. Corporate officers, such as managing directors and board members, face unlimited liability with their entire private assets. The ability to recover corporate fines from directors and officers is controversial but has been upheld by some courts.

D&O insurance plays a crucial role in protecting directors and officers from personal liability arising from their business decisions and actions. The insurance can cover defence costs in relation to claims for damages, but the insurability of fines is unclear due to the preventive purpose of the legislation.

Overall, the Whistleblower Protection Act is a necessary development in whistleblower protection, but it also raises complex legal issues and liability risks that companies and their directors must carefully consider.