Skip to main content
Whistleblower Protection

Identity protection

Identity protection is the reporting channel's duty to keep the identity of the whistleblower and of any other persons named in a report confidential and to shield them from unauthorised disclosure.

Identity protection is a core element of the German Whistleblower Protection Act (HinSchG) and the underlying EU Whistleblower Directive (EU) 2019/1937. It obliges internal and external reporting channels to keep the identity of the reporting person confidential. Protection extends not only to whistleblowers themselves, but also to persons who are the subject of a report and to any other third parties named in it. The confidentiality requirement under Section 8 HinSchG means that only those responsible for receiving and processing reports may learn the identity.

Protection applies regardless of the channel through which the information arrives and also covers any information from which the identity of the named persons could be indirectly inferred. Passing details to bodies outside the responsible handling team is generally prohibited. Section 9 HinSchG governs narrowly defined exceptions to the confidentiality requirement, for instance towards law enforcement authorities in the context of criminal proceedings or towards administrative authorities in official procedures; in such cases the reporting person must be informed in advance, provided this does not jeopardise the investigation.

In technical and organisational terms, identity protection requires reporting channels to be designed so that unauthorised persons cannot gain access and so that documents and correspondence are stored with restricted access. Breaches of the confidentiality requirement can be sanctioned as a regulatory offence carrying a fine. Identity protection is therefore the practical precondition for employees to report wrongdoing without fear of reprisals, and it is closely linked to the prohibition of reprisals and the option of anonymous reporting.

Legal Basis

Sections 8, 9 HinSchG; Art. 16 Directive (EU) 2019/1937

Practical Example

At a mid-sized company, a report about possible corruption in procurement arrives through the digital whistleblowing system. As the case handler, the compliance officer sets up a separate, access-restricted case file that no one else can view. During the internal investigation she anonymises every reference to the whistleblower's identity before discussing the facts with the legal department. Only when the public prosecutor later demands disclosure in criminal proceedings does she release the identity, informing the whistleblower beforehand about this legally permitted step.

FAQ

The protection covers the identity of the reporting person as well as the identity of all other persons named in the report, including the person concerned. It also extends to information from which the identity could be indirectly inferred. Only those responsible for handling the case may learn it.
Section 9 HinSchG permits disclosure only in narrowly defined cases, such as towards law enforcement authorities in criminal proceedings or towards authorities in administrative procedures. The reporting person must be informed in advance, provided this does not jeopardise the investigation. Disclosure to the accused for their own defence is not permitted.
An intentional or negligent breach of identity protection can be sanctioned as a regulatory offence carrying a fine. The person concerned may also have civil claims for damages. Companies should therefore design their reporting channels and case handling to be access-secure in technical and organisational terms.

How preeco supports you

Learn how our software supports you with this topic.

Learn more

Related Terms

Confidentiality requirement Breach of confidentiality Prohibition of Retaliation Anonymous Reporting Person concerned
Back to Glossary