Handler confidentiality duty
The handler confidentiality duty requires everyone involved in processing a report to keep the identity of whistleblowers, accused persons and third parties, as well as all report contents, strictly confidential.
The handler confidentiality duty is a core element of the confidentiality requirement enshrined in the German Whistleblower Protection Act (HinSchG). It binds every person authorised to receive, assess or further process reports, or brought in for a specific case – in particular the individuals charged with operating the internal reporting office, their deputies and supporting specialists. Protection extends not only to the identity of the reporting person, but also to the identity of the persons named in a report as the subject of allegations, to other third parties mentioned, and to all content that could allow conclusions to be drawn about these individuals.
Under Section 8 HinSchG, this information may become known only to the persons responsible for receiving reports or taking follow-up measures, and to those supporting them within the scope of their responsibilities. The duty applies regardless of whether a report later proves to be justified, and generally continues to apply after the procedure has been concluded. Handlers must put technical and organisational safeguards in place so that unauthorised persons – including supervisors, management or IT staff – cannot access the confidential data; this includes, for example, access restrictions within the case management system and separate storage of documents.
The confidentiality duty is not absolute: Section 9 HinSchG sets out narrowly defined exceptions, such as disclosure – after prior notification of the reporting person – at the request of law enforcement authorities in criminal proceedings or in certain administrative procedures. Breaches of confidentiality may be subject to fines and can undermine the law's protective effect for the reporting person. A consistently observed handler confidentiality duty is therefore the precondition for employees to trust the reporting system and for reprisals to be effectively prevented.
Legal Basis
Sections 8 and 9 HinSchG (confidentiality requirement); Art. 16 EU Whistleblower Directive (EU) 2019/1937
Practical Example
A compliance officer appointed to run the internal reporting office receives a report about suspected bribery payments by a department head. The managing director asks her to disclose the whistleblower's name in order to "clarify things internally". The handler refers to her confidentiality duty under Section 8 HinSchG and discloses neither the whistleblower's identity nor any identifying details. She documents the request for information, carries out the follow-up measures independently, and uses role-based access rights in the case management system to ensure that only she and her deputy can view the case data.