Internal whistleblowing policy
An internal whistleblowing policy is a company's in-house procedural framework that defines how reports are received and handled and how whistleblowers are protected from retaliation, turning the requirements of the German Whistleblower Protection Act into binding operational practice.
An internal whistleblowing policy is the in-house rulebook through which a company translates the statutory requirements of the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) into concrete, traceable procedures. It sets out in binding terms which reporting channels are available, who is responsible for handling reports, which deadlines apply, and how the confidentiality of a whistleblower's identity is preserved throughout the process. While the law provides the framework, the policy creates the organisational and procedural basis that allows the internal reporting office and management to act in a legally sound and consistent way.
In substance, such a policy typically governs the material and personal scope, the right to choose between internal and external reporting channels, the duty to acknowledge receipt within seven days, and the obligation to provide feedback on follow-up measures within three months. It also fixes the handling steps – from a plausibility check through internal investigation to closing the case – as well as documentation and retention duties and the comprehensive prohibition of retaliation. It frequently contains provisions on the independence of the persons tasked with case handling and on avoiding conflicts of interest on their part.
The whistleblowing policy thus serves a dual function: it evidences compliant implementation towards authorities and co-determination bodies, and at the same time builds trust among employees. A clearly worded, transparently communicated policy lowers the threshold for reporting wrongdoing internally and reduces the risk that reports go straight to external bodies or the public. Because the works council may have a co-determination right in shaping the reporting procedure, the policy should be coordinated early and reviewed regularly to keep it current.
Legal Basis
Sections 12–18 HinSchG (esp. § 13 tasks, § 16 reporting channels, § 17 procedure for internal reports); EU Whistleblower Directive (EU) 2019/1937
Practical Example
An industrial company with 480 employees sets up an internal reporting office and appoints its compliance officer to lead it. To ensure everyone knows how to proceed, she drafts an internal whistleblowing policy: it specifies the digital reporting channel including an anonymous option, defines the seven-day deadline for acknowledging receipt, describes the steps of the plausibility check and internal investigation, and names a deputy for cases in which she herself is affected by a conflict of interest. Before it takes effect, she coordinates the policy with the works council and publishes it on the intranet, so that every employee knows the reporting routes and their protection against retaliation.