Breach of confidentiality
A breach of confidentiality refers to the narrowly defined exceptions under the German Whistleblower Protection Act (HinSchG) in which the identity of a whistleblower or a person concerned may or must be disclosed despite the confidentiality requirement.
The German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) obliges internal and external reporting channels, as a matter of principle, to keep confidential the identity of the whistleblower, the persons affected by a report and any other persons named in it (confidentiality requirement, Section 8 HinSchG). The term breach of confidentiality describes the conclusively regulated exceptions in which this identity may nonetheless be passed on to third parties. Because confidentiality is the central protective promise of the Act, the exceptions must be interpreted restrictively.
Under Section 9 HinSchG, the identity of a whistleblower may only be disclosed without their consent in narrow situations: in particular in criminal proceedings at the request of the prosecuting authorities, pursuant to a court order, vis-a-vis competent authorities under securities trading or financial supervision law, and where the whistleblower has intentionally or through gross negligence reported false information. In these cases the person must be informed of the planned disclosure in advance, unless doing so would jeopardise ongoing investigations or court proceedings.
Special rules also apply to the person affected by a report: their identity may not be revealed to the whistleblower, but it may be shared with the bodies responsible for clarifying the facts within the scope of follow-up measures, for example to conduct internal investigations or to refer the matter to the competent authorities. Every breach of confidentiality must be documented, limited to what is strictly necessary and carried out in compliance with data protection law. An unauthorised disclosure of identity may constitute a reprisal giving rise to claims for damages and is subject to a fine under Section 40 HinSchG.
Legal Basis
Sections 8, 9 HinSchG; Section 40 HinSchG; Art. 16 EU Whistleblower Directive (Directive (EU) 2019/1937)
Practical Example
A compliance officer receives a report of possible bribery payments through the internal reporting system. As the case develops, the public prosecutor opens an investigation and, in the criminal proceedings, requests disclosure of the whistleblower's identity. The officer verifies that a statutory exception under Section 9 HinSchG applies, informs the whistleblower in advance of the impending disclosure, documents the transfer and strictly limits it to the information requested by the authority.