Person concerned

The German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) uses the term person concerned for the natural or legal person who is named in an internal or external report, or in a public disclosure, as the person accused of a breach or who is otherwise associated with a reported breach. This person is therefore not the whistleblower but the party against whom the report is directed. The concept matters because the Act protects not only whistleblowers but also expressly safeguards the rights of those who are the subject of a report.

Throughout the procedure, the presumption of innocence applies to the person concerned. The reporting office must treat their identity as confidentially as that of the whistleblower and of third parties named in the report; Section 8 HinSchG explicitly extends the confidentiality requirement to all three groups. As a rule, the reporting office may not disclose the identity of the person concerned to anyone outside the competent body. At the same time, Section 33 HinSchG guarantees the right to an effective procedure and to be heard, so that an accusation is not processed one-sidedly.

The person concerned also enjoys data protection under the GDPR. Their data subject rights, in particular the right of access under Art. 15 GDPR, may however be restricted for as long as this is necessary so as not to jeopardise the investigation of the facts and the protection of the whistleblower (Section 29 HinSchG). If allegations turn out to be unfounded or to constitute a deliberate false report, the person concerned can assert claims for damages; intentional or grossly negligent false reports are not covered by the Act under Sections 32 and 38 HinSchG and may give rise to fines or liability.