Retention period
The retention period for a report defines how long the documentation of a whistleblower report may be stored; under Section 11(5) HinSchG it must be deleted three years after the procedure has been concluded.
The retention period for a report governs how long an internal or external reporting office may store the documentation of incoming disclosures. The German Whistleblower Protection Act (HinSchG) requires the reporting office to document every report in a durable and retrievable form while observing the confidentiality requirement (Section 11(1) to (4) HinSchG). This documentation duty ensures that proper handling can be demonstrated, safeguards the defence rights of persons concerned, and allows follow-up measures to be evaluated later. At the same time, the law sets a clear time limit on storage.
Under Section 11(5) HinSchG, the documentation must be deleted three years after the procedure has been concluded. The period therefore starts not when the report is received, but when the reporting office has closed the procedure and completed any follow-up measures. Deletion is the rule the law envisages; longer storage is permissible only by way of exception, where it is necessary and proportionate to fulfil other legal obligations, for instance to comply with statutory retention duties or to assert or defend legal claims.
The retention period is closely linked to the data protection principles of storage limitation and data minimisation (Article 5(1) GDPR). Personal data that is plainly not required for handling the specific report must be deleted without delay (Section 11(1) HinSchG). Controllers should therefore maintain an audit-proof deletion concept that documents, for each case, the start of the period, the retention duration and the deletion date, and that triggers deletion in a verifiable manner. Such a concept serves to satisfy both the HinSchG requirements and the accountability obligation under the GDPR.
Legal Basis
Section 11(5) HinSchG (deletion three years after conclusion of the procedure); Section 11(1) to (4) HinSchG (documentation duty); Article 5(1) GDPR (storage limitation)
Practical Example
In March 2026 a compliance officer concludes the handling of a report concerning suspected corruption after the internal investigation has been completed and the follow-up measures have been implemented. She records the conclusion of the procedure in the case management system, which starts the period: the case documentation is normally to be deleted in March 2029. Her deletion concept automatically creates a reminder, checks before deletion whether longer storage is exceptionally required due to pending litigation, and logs the completed deletion in an audit-proof manner.