Confidentiality requirement
The confidentiality requirement obliges internal and external reporting channels to keep secret the identity of the whistleblower, the persons concerned by a report and any other persons named in the report.
The confidentiality requirement is a central protective instrument of the German Whistleblower Protection Act (HinSchG) and is governed by Sections 8 and 9 HinSchG. It obliges the internal and external reporting channels responsible for handling reports to treat the identity of the reporting person confidentially. Protection extends not only to the whistleblower themselves, but also to the person concerned by a report and to all other persons named in the report. This protection applies regardless of whether the report was made to an internal or an external reporting channel.
In concrete terms, information about the identity of the protected persons may in principle only be disclosed to the persons responsible for receiving or handling reports and to those supporting them. Information from which the identity can be inferred indirectly is also covered by this protection. Confidentiality must be safeguarded organisationally and technically, for example through an access-restricted case management system, a limited circle of authorised persons and an obligation of those handling the case to maintain secrecy. The confidentiality requirement continues to apply even after the procedure has been concluded.
There are only narrowly defined statutory exceptions to the confidentiality requirement (Section 9 HinSchG). Identity may be disclosed, for instance, in criminal proceedings at the request of the prosecution authorities, in administrative proceedings following a court order, or in order to fulfil legal obligations. Where false information was reported deliberately or with gross negligence, confidentiality may be lifted vis-à-vis the reporting person. Before the identity is passed on, the affected reporting person must in principle be informed in advance, provided this does not jeopardise ongoing investigations. Breaches of the confidentiality requirement can be sanctioned as an administrative offence with a fine.
Legal Basis
Section 8, Section 9 HinSchG; Art. 16 EU Whistleblower Directive (EU) 2019/1937
Practical Example
An employee of a mid-sized company uses the internal reporting channel to report a suspicion of billing fraud by her department head. As the designated person of the internal reporting channel, the compliance officer ensures that only she and one further colleague, who is expressly bound to secrecy, are granted access to the case in the case management system. During the internal investigation and the hearing of the department head, the whistleblower's name and function are not disclosed; the description of the facts is anonymised so that no indirect conclusions about her identity are possible. Only when the public prosecutor's office later requests the identity in criminal proceedings does the reporting channel disclose it, informing the whistleblower beforehand.