Outsourcing the reporting office

Outsourcing the reporting office is expressly permitted under Section 14(1) of the German Whistleblower Protection Act (HinSchG): the employer may entrust the operation of the internal reporting office to a third party. Suitable external providers include law firms, external ombudspersons, specialised compliance service providers or vendors of digital whistleblowing systems. Outsourcing is often economically sensible for small and medium-sized enterprises, because building internal capacity, training case handlers professionally and ensuring the required independence involve considerable effort.

Despite delegating day-to-day operations, the employer remains responsible for complying with the obligations of the HinSchG (Section 14(1) sentence 2). Outsourcing does not relieve the company of the duty to take appropriate follow-up measures, to uphold the confidentiality requirement, or to meet the seven-day and three-month deadlines. The external third party must satisfy the same requirements regarding independence, confidentiality and professional competence as an internal designated person. The contract should precisely define responsibilities, escalation paths, data protection arrangements and the interface to the internal decision on follow-up measures.

From a data protection perspective, outsourcing typically qualifies as processing on behalf of the controller under Article 28 GDPR, requiring a data processing agreement; depending on the actual division of tasks, joint controllership or the third party acting as an independent controller may also apply. For companies with 50 to 249 employees, Section 14(2) HinSchG additionally permits several companies to operate a shared reporting office, a particular form of resource-efficient pooling. In every case, the decisive factor is that the outsourced office is integrated organisationally in such a way that whistleblowers are protected and reports are handled properly.