July 10, 2023

Implementation of the EU Whistleblowing Directive

The Whistleblower Protection Act obliges employers with at least 50 employees to set up internal reporting channels. Based on the act, hired workers and contractors are also regarded as employees.

Furthermore, companies in particular business areas must set up a hotline regardless of their number of employees. This includes credit institutions, financial services companies, auditors, bookkeepers, tax advisors, law firms, firms carrying out activities related to real estate transactions, and companies in the oil and gas sector.

Whistleblowers and their Subjects

A whistleblowing report may be made, among others, by prospective, current, or former employees, volunteers at the company, or by contractors, subcontractors, or suppliers having a contractual relationship with the company. Businesses have no obligation to investigate anonymous tips.

The internal reporting channels must be available for any unlawful or allegedly unlawful activities or omissions. The reporting person must not suffer any adverse measures (such as termination of employment) due to their whistleblowing.

Data Protection Requirements

Operating an internal reporting channel involves processing the personal data of both the reporting person and the person affected by the whistleblowing. The company operating the internal channel must, as a data controller, prepare and communicate a privacy notice on the data processing. This processing must also be included in the company’s register of data processing activities.

The Whistleblower Protection Act strictly limits the recipients to whom the personal data can be transferred and specifies the controller's deletion obligations. Special rules apply to the transfer of personal data to non-EU countries.

Source: BBJ