Internal investigation
A structured fact-finding process carried out by the organisation itself to examine a report of a possible legal violation, document the findings and decide on appropriate follow-up measures.
An internal investigation is the organisation's own clarification of the facts after a report of a possible legal violation has been received through the internal reporting channel. It is at the heart of the follow-up measures required by the German Whistleblower Protection Act (HinSchG): the reporting office assesses the validity of the report, establishes the underlying facts and decides on this basis how to proceed. The aim is to substantiate or dispel the reported suspicion and to enable the organisation to take corrective action.
The process follows typical steps: a plausibility and validity check of the report, securing relevant documents and data, interviewing witnesses, and, where appropriate, consulting the whistleblower. Throughout the investigation the duty of confidentiality (Section 8 HinSchG) applies: the identity of the whistleblower, of the person concerned and of others named in the report must be protected. At the same time, the presumption of innocence and data protection (GDPR) must be respected; only personal data that is necessary may be processed. The whistleblower must not face any reprisals because of the report.
The internal investigation is closely tied to statutory deadlines: at the latest three months after the acknowledgement of receipt, the reporting office must provide the whistleblower with feedback on planned or implemented follow-up measures (Section 17 (2) HinSchG). Possible outcomes include initiating internal corrective measures, referring the matter to a competent body, closing the case for lack of substance, or handing it over to law enforcement or supervisory authorities. The entire procedure must be documented and retained for three years (Section 11 HinSchG).
Legal Basis
Section 18 HinSchG (follow-up measures), Section 17 HinSchG (feedback, three-month deadline), Section 8 HinSchG (duty of confidentiality), Section 11 HinSchG (documentation), Art. 9 EU Whistleblower Directive (EU) 2019/1937
Practical Example
A report reaches the digital whistleblowing system of a mechanical engineering company alleging that a head of purchasing accepted gifts in kind from a supplier in exchange for preferential awarding of contracts. The internal reporting office acknowledges receipt within seven days, checks the report for plausibility and launches an internal investigation: it secures procurement records and email correspondence, compares award decisions with market prices and interviews those involved. The whistleblower's identity and the suspect's presumption of innocence are preserved. Within the three-month deadline the whistleblower receives feedback; the confirmed violation leads to employment-law measures and an update of the procurement policy.