Whistleblower Protection

Documentation obligation

The duty of a reporting channel under the German Whistleblower Protection Act to record incoming reports and every procedural step in a permanent, confidential and traceable manner, and to retain them for a limited period.

The documentation obligation requires internal and external reporting offices to permanently record every incoming report and to keep a traceable account of the entire handling process. It is a central element of the German Whistleblower Protection Act (HinSchG) because it secures accountability for the reporting procedure and, in the event of a dispute, proves that the statutory deadlines and duties were observed. The record must be made in a form suitable for later use and at the same time permanently retrievable, while the confidentiality requirement of Section 8 HinSchG must be strictly maintained.

For oral reports, Section 11 HinSchG provides two routes: with the consent of the reporting person, the conversation may be documented by a permanently retrievable audio recording or by a complete and accurate transcript; without consent, documentation is limited to a written summary of the content. Where a report is made at a physical meeting, minutes must be produced on request. The reporting person must be given the opportunity to review the transcript, to correct it if necessary, and to confirm it by signature or in electronic form.

Under Section 11(5) HinSchG, the documentation must be deleted three years after the procedure has been concluded, while observing the confidentiality requirement; longer retention is only permissible where it is necessary and proportionate to meet other legal obligations. At the same time, the data protection principles of the GDPR apply, in particular storage limitation and data minimisation. Careful documentation that is deleted on time therefore protects the reporting person, affected persons and the organisation alike, and is a prerequisite for legally sound case management.

Legal Basis

Section 11 HinSchG; Section 8 HinSchG (confidentiality requirement); Art. 5(1)(e) GDPR

Practical Example

A compliance officer receives a telephone report about suspected corruption payments through the internal whistleblowing system. As the reporting person does not consent to an audio recording, the officer prepares an accurate summary of the content and offers the person the chance to review and confirm it. She records all further steps – acknowledgement of receipt, plausibility check, follow-up measures and feedback – in the case-related file note. Three years after the procedure is concluded, the system automatically deletes the entire documentation and logs the deletion.

FAQ

The documentation must be deleted three years after the procedure has been concluded. Longer retention is only permissible where it is necessary and proportionate to fulfil other legal obligations.
An audio recording is only permitted with the consent of the reporting person. Without consent, the reporting office may document the conversation solely by means of a written summary of its content.
Both internal and external reporting offices must record every incoming report and the procedural steps taken in a permanent, confidential and traceable manner.
