The German Ombudsman Association – Vereinigung deutscher Vertrauensanwälte e.V. is an association of lawyers and corporate lawyers who specialize in supporting organizations in the investigation of criminal offenses and compliance violations as external ombudspersons. The term organization is to be understood broadly and includes all employers, such as natural persons, legal entities under public and private law, in particular also (sports) clubs and associations, partnerships with legal capacity, other associations with legal capacity, public-law institutions and also NPOs/NGOs.

With the Whistleblower Protection Act (HinSchG), which came into force on July 2, 2023, the legislator has created a set of rules for the establishment of reporting offices and the protection of whistleblowers in implementation of EU requirements. However, many factual and legal issues in connection with ombudsman activities remain unregulated. The German Ombudsman Association – Vereinigung deutscher Vertrauensanwälte e.V. has therefore developed standards to provide members, organizations and interested parties with an overview of these issues as well as concrete recommendations on the organization, establishment and handling of ombudsman offices.

With these standards, the German Ombudsman Association – Vereinigung deutscher Vertrauensanwälte e.V. also aims to draw the legislator’s attention to the pressing, unregulated issues and to present concrete proposals for a practicable, transparent and, above all, legally secure ombudsman activity.

Special legal cases and exceptions are not covered. The standards presented are also no substitute for the necessary legal advice in individual cases. The publication of these standards does not conclude the discussion on the respective topic. However, based on their legal expertise and practical experience, the members of the German Ombudsman Association – Vereinigung deutscher Vertrauensanwälte e.V. believe they are in a position to point this discussion in what they consider to be the right direction – with the aim of ensuring that the respective stakeholders are made aware of potential misconduct as comprehensively as possible, while at the same time providing maximum protection for the whistleblower and ensuring that the respective ombudsperson is on safe legal ground. References have been largely omitted. Where they can be found, they do not claim to fully reflect the academic discussion and/or case law.

Thesis 1: Ombudsperson activity is the receipt and processing of information by a third party appointed by an organization (ombudsperson) relating to possible misconduct within the organization or its environment. A key feature of ombudsperson activity is confidential communication with the person making the report in the interests of the organization. It makes an important contribution to the clarification and future prevention of breaches of the rules.

Crimes come to light through tips from the dark field. It can be assumed that coordinated compliance instruments, which include whistleblowing channels, complement each other and already have a preventative effect to a certain extent. The organization assumes that an offer to talk to an external ombudsperson is sometimes met with more trust than internal discussion partners. This trust stems from the fact that the ombudsperson is regularly not involved in the organization beyond the assignment and is otherwise independent of it.

The ombudsperson is appointed by the organization and is therefore in a position to communicate with the whistleblower in such a way that their rights and the rights of the persons concerned or otherwise named in the report are protected and all information is treated confidentially to the extent permitted. The use of an ombudsperson thus offers a particular guarantee that the trust placed in the organization by the whistleblower will be respected (protection against reprisals).

Organizations also see this relationship of trust as an opportunity for dialogue between the whistleblower and the ombudsperson. This dialogue can make it possible to better understand and clarify the facts of the case. The first step is to clarify the facts in detail by asking questions and carrying out plausibility checks. The generally longer cooperation between the organization and the ombudsperson on the one hand and the communication between the ombudsperson and the whistleblower on the other hand provide the opportunity to better classify the information.

The activities of an ombudsperson, as described above, go beyond the mere messenger function and are not limited to receiving information, as is the case with a technical device. The ombudsperson’s experience in case handling can be a valuable aid to the organization, for example in the initial risk assessment and in dealing with the authorities. An outsider’s view can also open up a new perspective. The responsibility for remedying violations and preventing violations for the same reason through preventive measures always remains with the organization.

Thesis 2: The role of ombudsperson should be performed by a lawyer.

Due to their professional knowledge and experience, lawyers are better able than other professional groups (such as auditors or tax consultants) to meet the complex requirements of the relevant regulations (e.g. evaluating witness statements, examining initial suspicions, the legal relevance of the report). By engaging a lawyer, it can be ensured that the organizations comply with the legal requirements and that the whistleblowers and those affected by the report are ultimately comprehensively protected.

Professional law requires certain standards from lawyers that are not guaranteed in the work of any other person.

Ombudspersons who receive messages from whistleblowers are in a complex and responsible role that must take into account the interests of the organization on the one hand and the level of protection for the whistleblower themselves on the other (in particular the protection of confidentiality). A lawyer who is professionally involved in the core professional issues of attorney-client confidentiality, objectivity, guaranteeing proper representation of interests and ensuring long-term protection of confidentiality vis-à-vis third parties is much better placed than representatives of other professional groups to handle the conflict situation laid out in the HinSchG. The same applies to the correctness of the plausibility check in accordance with Section 17 (1) No. 4 HinSchG.

Thesis 3: The performance of the tasks of an ombudsperson by a lawyer is a lawyer’s activity.

The starting point for consideration is Section 3 (1) BRAO, according to which the lawyer is the “professional and independent advisor and representative in all legal matters”. The definition of a lawyer’s activities is essentially based on the mandate agreement; legal advice does not have to be the main focus as long as legal issues do not completely recede into the background. In this respect, it is irrelevant whether such activities can also be carried out by non-lawyers. The mere fact that a lawyer is mandated as such is a strong indication that advice on legal matters within the meaning of Section 3 (1) BRAO is being provided (see also BGH, NJW 1998, 3486; 1999, 3040).

In addition, the regulation on in-house lawyers in Section 46 (3) BRAO shows that a broad understanding of the term “legal work” must be assumed, which is constantly evolving. Section 46 (3) BRAO explicitly stipulates that the clarification of facts also constitutes legal work. Section 1 (2) RVG, which contains a catalog of non-lawyer activities, does not mention ombudsperson activities.

In addition, Section 17 (1) No. 4 HinSchG contains a provision to the effect that a central function of the ombudsperson is the plausibility check, which can be carried out more thoroughly and carefully by a lawyer with legal training than by a non-lawyer in accordance with an initial suspicion (Section 152 (2) StPO). The same applies to the structure of the interview on a legal basis (preliminary examination).

In the Jones Day case, the Federal Constitutional Court apparently took it for granted that the related internal/external organization-related investigations are legal work, otherwise it would not have been necessary to deal with §§ 97, 160 StPO.

Thesis 4: The ombudsman activity carried out by a lawyer is an independent activity and not a commercial activity. It is not subject to trade tax.

Pursuant to Section 18 (1) no. 1 EStG, income from self-employment is income from freelance work. Self-employment includes the independent professional activity of lawyers. When a lawyer acts as an ombudsperson, this is a legal activity (see thesis 3).

In any case, this is a professional activity in a “similar profession” within the meaning of Section 18 para. 1 no. 1 sentence 2, 2nd half-sentence EStG: In this respect, legal ombudsperson activity is readily comparable with legal activity as a mediator pursuant to Section 18 BORA.

Whether the ombudsperson provides electronic reporting channels of third parties through which the whistleblower can contact the ombudsperson is irrelevant for the qualification as a freelance activity.

Thesis 5: The client relationship exists exclusively between the legal ombudsperson and the mandating organization. There is no client relationship between the ombudsperson and the whistleblower.

According to the current legal situation, which results from Sections 43a (4) BRAO, 3 BORA and Section 356 StGB, only the simultaneous representation of the interests of several clients or parties is possible. A double mandate is not possible if – as in this case – a conflict of interest is inherent in multiple representation. Only Section 18 BORA permits exceptions (e.g. for mediation activities), but does not currently apply (even in the version dated 01.06.2023). The three areas of activity mentioned there describe different types of conflict resolution proceedings and subject the lawyer to the law governing the legal profession. This does not (continue to) include ombudsman activities.

The ombudsperson is commissioned solely by the organization with the mandate agreement and acts in its interest. There is no client relationship with the whistleblower(s). This is the only way to rule out a legal conflict of interest. A corresponding conflict of interest would in any case be inherent in such dual representation. The conflict lies in the fact that, on the one hand, the organization has to ensure confidentiality protection and, on the other hand, has a central interest in clarifying the facts in order to avert liability risks (e.g. pursuant to Sections 30 and 130 of the German Administrative Offences Act (OWiG)) or to assert claims for damages. The organization has a much lesser interest in ensuring confidentiality than the whistleblower. Gaps in the clarification of the facts can even impair the objectives of the investigation. Sometimes the whistleblower is themselves involved in the facts of the case (with a potential damaging effect to the detriment of the organization), so that there is a risk of being accused themselves. Their behavior and interests may change. As a rule, there are unlikely to be consistently aligned interests.

The HinSchG is aligned accordingly in that it stipulates that internal reporting offices of the organization affected by the scope of the law can also be external lawyers (p. 85 f. of the explanatory memorandum to the law).

The legal situation is both unsatisfactory and incomplete. Professional law needs to be modernized.

Thesis 6: There is a mandate agreement between the ombudsperson and the organization with a protective effect in favor of the whistleblower as a third party.

The mandate agreement should contain an irrevocable waiver by the organization of claims for information and disclosure regarding the identity (or even anonymity) of the whistleblower. The whistleblower should be given the opportunity to keep his or her identity secret from the organization, in particular from the internal reporting office. This form, which is established in practice, does not contradict professional law. In this respect, the scope of protection of the Whistleblower Protection Act is extended.

The ombudsperson also has a right to refuse to testify vis-à-vis the authorities with regard to the information entrusted to the ombudsperson by the whistleblower pursuant to Section 53 (1) sentence 1 no. 3 StPO. Whose declaration of release is required for confidentiality depends on the specific structure of the ombudsperson’s work in the individual case (see thesis 15). This should be regulated in the mandate agreement between the organization and the ombudsperson.

Thesis 7: Ombudspersons fully cover the legal requirements of Section 16 (3) HinSchG; this is not the case with a purely electronic reporting channel.

According to § 16 para. 3 sentence 1 HinSchG, internal reporting channels must allow reports to be made verbally or in text form. According to sentence 2, verbal reports must be possible by telephone or another form of voice transmission. Sentence 3 states that, at the request of the whistleblower, a personal meeting with a person responsible for receiving a report must be made possible within a reasonable period of time. Finally, sentence 4 stipulates that, with the consent of the reporting person, the meeting may also take place by means of video and audio transmission.

It seems technically conceivable to design an electronic reporting channel in such a way that it is also able to receive verbal reports, for example in the form of voice messages. Section 16 para. 3 sentence 2 HinSchG also points to the possibility of a corresponding procedure when it states that oral reports must only be possible either by telephone or by means of another type of voice transmission. The requirements of sentences 1 and 2 of Section 16 (3) HinSchG are therefore probably still met by electronic reporting channels.

However, a purely electronic reporting channel is naturally not able to facilitate a personal meeting, i.e. an actual physical meeting between two people, as is to be organized at the request of the whistleblower in accordance with Section 16 (3) sentence 3 HinSchG. Instead, a human contact person is required, as embodied by an ombudsperson.

Thesis 8: Transferred to the terminology of the HinSchG, the ombudsperson is a special reporting channel, namely one that is designed as an attorney’s activity. The ombudsperson can also be assigned further tasks and powers of the internal reporting office within the scope of what is legally permissible under the mandate agreement.

The HinSchG makes a terminological distinction between “reporting office” and “reporting channel”. According to Section 13 (1) HinSchG, the internal reporting offices operate reporting channels within the meaning of Section 16 HinSchG. In turn, employees should be able to use these reporting channels to contact the internal reporting offices to report violations of the law, Section 16 (1) sentence 1 HinSchG. It must be possible to submit such a report verbally, in text form or in person; anonymous reports should also be possible in accordance with Section 16 (1) sentence 4 HinSchG.

According to Section 13 (1) HinSchG, the internal reporting office has the task of conducting the proceedings and taking follow-up measures. Section 17 HinSchG regulates what conducting proceedings means. Most of the tasks mentioned there are part of every mandate agreement for legal ombudsperson services, see in particular Section 17 (1) nos. 1 to 5 HinSchG, but also the obligation to provide feedback in accordance with Section 17 (2) HinSchG. The latter plays a role in particular if the whistleblower wishes to remain anonymous to the organization and only the ombudsperson has the necessary contact details. However, the duty to take appropriate follow-up measures set out in Section 17 para. 1 no. 6 HinSchG does not, or does not necessarily, fall within the remit of an ombudsperson, at least as far as larger organizations are concerned. Internal investigations (Section 18 no. 1 HinSchG) or the transfer of proceedings to a competent authority (Section 18 no. 4b HinSchG), for example, are often not the responsibility of the ombudsperson in large organizations, but rather of the compliance department or the internal audit department and ultimately of the company management. In these cases, the ombudsperson should therefore not be regarded as an internal reporting office, but rather as a special reporting channel equipped with legal competence and authority: The ombudsperson always checks the incoming reports for conclusiveness, rectifies any lack of conclusiveness together with the whistleblower, carries out a preliminary legal review and informs the whistleblower about the course of the procedure. As a link with a professional duty of confidentiality, the lawyer ombudsperson remains involved in the communication between the whistleblower and the organization, particularly in cases of anonymously submitted reports. The legal ombudsperson is therefore more than, for example, a digital whistleblowing channel into which the reporting persons can only type or record the facts of the case.

The legal ombudsperson may be assigned additional tasks of an internal reporting office by the mandating organization.

Thesis 9: The HinSchG only protects the identity of the whistleblower. It must be clarified with the organization whether additional protection mechanisms can be agreed for whistleblowers that lower the threshold for reporting even further.

The HinSchG protects the identity of whistleblowers in accordance with the provisions in §§ 8, 9. According to the HinSchG, the whistleblower therefore only has the right to decide whether their identity is disclosed, but not whether the report made to the ombudsperson should be forwarded to the organization (anonymously if necessary).

In order to reduce the threshold of willingness to submit a report to the ombudsman’s office, it can be agreed with the organization that the whistleblower can decide whether a report is forwarded to the organization.

However, the limits of this decision-making authority can be found in the cases of the duty to report under Section 138 StGB. This duty to report relates exclusively to the catalog offenses expressly listed in Section 138 (1) and (2) StGB. An analogous application of the provision is not possible (see only Lackner/Kühl, § 138, para. 2 with further references). Since in organizations, as a rule, only the commission of offenses (cf. Section 12 sentence 2 StGB) is in question, a duty to report under Section 138 StGB is likely to be the absolute exception in practice. This applies all the more as a duty to report only exists if the execution or (if knowledge is only obtained after the offense has begun) the success of the offense can still be averted (see BGH NStZ 1996, 595). This is not the case if it is only a matter of reporting crimes that have already been committed or even completed (Section 78a StGB).

It should be examined and agreed with the organization whether cases should also be excluded from the whistleblower’s decision-making authority in which the organization is obliged to report or correct a fact due to legal regulations or other circumstances (e.g. § 153 AO).

Thesis 10: The whistleblower should be given the opportunity to keep their identity secret from the organization, in particular from the internal reporting office.

The starting point of the thesis is the receipt of a report by an ombudsperson who knows or becomes aware of the identity of the person making the report.

In connection with the obligation to disclose the identity of whistleblowers, the Federal Court of Justice ruled in its judgment of 22.02.2022 (VI ZR 14/21) that, in individual cases, a balance must be struck between the right to information (Art. 15 para. 1 GDPR) of a person affected by a whistleblower and the interest of the whistleblower in keeping their identity confidential. If this balancing of interests is in favor of a data subject in an individual case, the organization is legally obliged to disclose the identity of the whistleblower to the data subject. The same applies to the appointed ombudsperson. Exceptions in which an employee of the organization’s internal reporting office or the ombudsperson can invoke a right to refuse to testify pursuant to Sections 52, 53 of the Code of Criminal Procedure or a right to refuse to testify pursuant to Section 136 of the Code of Criminal Procedure, which prevents the disclosure of the identity after all, are either excluded or are in any case likely to be extremely exotic and rare individual cases.

Conclusion: Complete protection of the whistleblower’s identity is therefore not guaranteed by law, as the characteristic that distinguishes the ombudsperson (reliable protection of the anonymity of the whistleblower and at the same time open communication between the whistleblower and the ombudsperson) would no longer apply. In this case, anonymous reports that allow communication with the whistleblower can practically only be ensured via internet-based systems. This does not meet the need for reporting offices that allow anonymous reports. As shown, for example, by the survey conducted by the University of Applied Sciences Graubünden in four European countries, 48% of initial reports are made anonymously (if permitted by the organization), see Whistleblowing Report 2021, p. 11; https://www.integrityline.com/de-ch/knowhow/white-paper/whistleblowing-report/.

These considerations ultimately lead to the conclusion (at least in the absence of an electronic whistleblowing channel) that the whistleblower would have a good argument at hand to immediately address their report to an external reporting office (e.g. the Federal Cartel Office), bypassing the internal reporting office pursuant to Section 22 (1) HinSchG (“fear of reprisals in connection with a lack of protection of legitimate expectations”). The mandatory provision pursuant to Section 7 (1) HinSchG, according to which whistleblowers should give preference to the internal reporting office as the first point of contact if they do not fear reprisals, would therefore be easy to undermine due to the lack of protection of legitimate expectations. This cannot be the intention of the legislator.

Practical instruction: If an ombudsperson is to be able to handle reports from whistleblowers anonymously at their request, the ombudsperson must contractually agree with the organization that they do not have to disclose the identity of the whistleblower to the organization in this case.

Thesis 11: The mandate agreement should be structured in such a way that the ombudsperson receives and processes anonymous reports.

In this way, more people decide to submit a report.

It is true that the design of the reporting channel for receiving anonymous information is not legally binding (Section 16 para. 1 sentence 4 HinSchG). However, it is in the interest of the organization to obtain relevant information as comprehensively as possible and thus meet its legal obligations to clarify misconduct and further develop its compliance system (see in particular Sections 93 AktG, 43 GmbHG).

In individual cases, an obligation to process anonymous reports with substantiated content may arise from general regulations anyway.

Thesis 12: The responsibility for the group-wide receipt and processing of reports must be clarified with the organization, especially in connection with foreign matters.

Since the HinSchG came into force, the prevailing opinion in Germany has been that it is sufficient for a group, i.e. for the parent company and all subsidiaries and sister companies, to set up a group-wide reporting office equipped with the corresponding reporting channels in accordance with Section 14 (1) sentence 1 HinSchG in order to fulfill the obligation under Section 12 HinSchG. This means that not every legal entity within a group, which generally has more than 50 employees (Section 12 para. 2 HinSchG), has to set up its own internal reporting office with various reporting channels. Instead, a “third party” can be commissioned by all companies with the tasks of an internal reporting office and set up corresponding reporting channels, Section 14 para. 1 sentence 1 HinSchG. In this respect, an ombudsperson can also act as a special reporting channel for a group with all its individual companies.

However, different legal regulations apply around the world, which means that a certain situation may be judged differently in one country than in another. The extent to which and the mandate with which an ombudsperson should therefore be responsible for receiving and processing foreign matters must be discussed in advance with the mandating organization and set out in a contract. The contractual arrangements must provide that the mandating organization ensures that the ombudsperson may actually work in the respective country and receive and process reports (particularly with regard to the respective national regulations on data protection and employment law).

Thesis 13: The ombudsperson can be both a special reporting channel (or internal reporting office) and a complaints office within the meaning of the LkSG.

Pursuant to Section 8 para. 1 sentence 1, 2 LkSG, companies must set up an appropriate, internal complaints procedure that makes it possible to draw attention to human rights and environmental risks and to the violation of human rights and environmental obligations that have arisen as a result of the company’s business activities in its own business area or in the area of a direct supplier of the company. Companies are not only obliged to receive, acknowledge and take into account relevant information, but also to interact with the whistleblower in accordance with Section 8 (1) sentences 3 and 4 LkSG. In particular, contact must be made with the whistleblower and the relevant facts must be discussed with them.

An internal whistleblower system must therefore be established, the establishment of which is also required under the Whistleblower Protection Act, see Section 12 (1) sentence 1 HinSchG. The purpose of such complaints mechanisms is at least to serve as an early warning system for the company. After all, incoming complaints can contain valuable information on existing risk situations which, in the best case scenario, can prompt the company to take preventive and/or remedial measures and thus prevent the expansion of risks or the occurrence of damage.

The requirements of the LkSG for the design of the complaints procedure, in particular for the establishment of offices for reporting complaints, are not stricter than those of the HinSchG and do not contain any special features that would prevent the ombudsperson from being mandated as a (simultaneous) complaints office within the meaning of the LkSG. It should only be noted that according to Section 8 (2), (4) sentence 1 LkSG, the complaints procedure and the rules of procedure must be made public and not only – as with the reporting channel under the HinSchG – to the company’s own employees. A company can therefore appoint an ombudsperson not only as a special reporting channel (or as an internal reporting office) under the HinSchG, but also to receive information under the LkSG. Against the background of the comparable purposes, valuable synergy effects can be achieved. In addition, this solution saves a potential whistleblower the hurdle of having to find out for themselves which office is responsible for “their” issue.

Thesis 14: The ombudsperson also has a right to refuse to give evidence to the authorities with regard to the information entrusted to the lawyer ombudsperson by the whistleblower in accordance with Section 53 (1) sentence 1 no. 3 StPO.

Notwithstanding the provisions of the HinSchG, it is standard practice for a mandate agreement to be concluded between the organization and the legal ombudsperson, which regulates the relationship between the organization and the ombudsperson on the one hand and the whistleblower and the ombudsperson on the other. In this respect, a contract with protective effect for third parties is usually assumed (see thesis 7). Protective clauses to safeguard the identity of the whistleblower vis-à-vis the organization, an irrevocable waiver by the organization of claims for information or surrender vis-à-vis the ombudsperson under the attorney-client agreement with regard to the identity of the whistleblower (“small solution”) and, if applicable, going beyond the protection standard of the HinSchG, also of the entrusted facts (“large solution”), as well as a contractual confidentiality obligation of the ombudsperson vis-à-vis third parties, represent the current standard. Explicit provisions in the mandate agreement between the organization and the ombudsperson are expressly recommended.

If the work of an ombudsperson is carried out by a lawyer, this constitutes legal work (see thesis 3). Reports and the related information (including the identity of the whistleblower) are therefore entrusted to or made known to a lawyer ombudsperson in their capacity as a lawyer. Consequently, the lawyer ombudsperson has a right to refuse to give evidence with regard to this information, Section 53 (1) sentence 1 no. 3 StPO.

The ombudsperson must examine on a case-by-case basis and – depending on the specific form of confidentiality – in compliance with Section 53 (1) sentence 1 no. 3 of the Code of Criminal Procedure who (the whistleblower and/or the organization) is responsible for releasing the whistleblower from the duty of confidentiality regarding the person and/or the facts entrusted.

One individual opinion denies this right to refuse to give evidence (Meyer-Goßner/Schmitt, StPO, 66th edition, 2023, Section 53, marginal no. 15 with further references), albeit without a viable justification. Persons providing information must be made aware of the unresolved legal situation.

Thesis 15: According to current regional court case law, the lawyer ombudsperson’s documents are not protected from seizure. This situation is unsatisfactory as it thwarts whistleblower protection and thus makes it more difficult for potential whistleblowers to accept whistleblower systems. In this respect, the law needs to be amended.

According to current case law, there is no protection against seizure under Sections 97 (1) No. 3, 160a StPO for the legal ombudsperson (see Bochum Regional Court, decision of 16.3.2016 – 6 Qs 1/16, BeckRS 2016, 15626; Stuttgart Regional Court, decision of 26.3.2018 – 6 Qs 1/18 = BeckRS 2018, 8717; BVerfG of 27.06.2018 – 2 BvR 1405/17, NJW 2018, 2385 “Jones Day”; Meyer-Goßner/Schmitt, StPO, 66th edition, 2023, Section 97, para. 10a with further references). Persons providing information must be made aware of this (see thesis 17).

There is an urgent need to adapt the legal provisions accordingly: reports by whistleblowers are often only submitted because the whistleblower trusts the confidentiality of the ombudsperson and the protected space in which the report is submitted and subsequently processed. The whistleblower is often particularly concerned about protecting their identity. If they have to fear that their identity will be revealed through confiscation, this concern may prevent them from making a report, even though a report is precisely what the organization wants.

Furthermore, the whistleblower cannot actually be granted full protection if there is a fear that the identity of the whistleblower will be revealed as a result of search measures. The person affected by the report would then also find out who actually made the report when the files are inspected at the latest. This can lead to corresponding risks for the whistleblower.

Thesis 16: The ombudsperson must provide appropriate and transparent information about his or her own position, working methods, the course of proceedings and the position and scope of protection of the whistleblower.

In order to prevent misunderstandings on the part of the whistleblower when contacting an ombudsperson, the whistleblower should be made aware of the existing client relationship with the organization.

Open questions about the requirements and scope of their protection and the working methods of the ombudsman’s office (e.g. the course of the procedure; the question of whether the report is “automatically” forwarded to the organization for investigation; the scope of the feedback; any follow-up measures; data protection regulations) should be answered at the beginning of the initial meeting.

Thesis 17: The ombudsperson must check the plausibility of information (conclusiveness check).

“Plausibility check” means a preliminary examination of the information with regard to its credibility, the credibility of the person providing the information and the assessment of possible further evidence. In the case of a criminal reference, Section 152 (2) of the Code of Criminal Procedure applies mutatis mutandis. This is not a final assessment, but a preliminary assessment.

If a report is not entirely plausible, it may be necessary for the ombudsperson to consult with the person making the report.

Without this preliminary legal and factual assessment, the organization risks initiating potentially costly and time-consuming investigations based on inaccurate, misleading or false information. In addition, false or misleading information may interfere with the legal positions of third parties.

The ombudsperson’s review of the plausibility of reports plays a central role in the proper handling of these reports. It helps to maintain the integrity of the organization, use resources efficiently and strengthen trust in the whistleblowing process.

Thesis 18: Information may contain trade secrets and illegally obtained information. In this case, the ombudsperson must examine particularly carefully whether and, if so, to what extent they can use this information to further clarify the facts.

The task of the ombudsperson is to receive and process reports. In principle, it is irrelevant whether these reports contain business secrets, illegally obtained information or are made in breach of other confidentiality and secrecy obligations.

Pursuant to Section 5 (1) HinSchG, exceptions to this apply to notifications containing certain intelligence information or information relating to national security, as well as to notifications of procurement violations involving defense or security aspects covered by Article 346 TFEU. Likewise, according to Section 5 (2) HinSchG, the notification does not fall within the scope of application if it contravenes secrecy or confidentiality obligations for the material or organizational protection of classified information, judicial secrecy or various professional confidentiality obligations (including the duty of confidentiality of doctors and lawyers).

Apart from the duty of the ombudsman’s office to process reports that fall under the protection of the HinSchG, the whistleblower is faced with the question of the legal consequences of a report:

With regard to trade secrets, disclosure to the ombudsman’s office is permitted apart from Section 5 No. 2 GeschGehG, provided that the person making the disclosure had sufficient reason to believe that disclosure of the trade secret is necessary to uncover a violation (Section 6 para. 1 No. 1 HinSchG) and the other (general) requirements for the protection of the person making the disclosure are met (Section 6 para. 1 No. 2 in conjunction with Section 33 para. 1 Nos. 2 and 3 HinSchG).

The same applies in accordance with Section 6 (2) HinSchG for the communication of information that is subject to the contractual or statutory confidentiality and non-disclosure obligations referred to in the standard.

There are special requirements for the ombudsman’s office itself when dealing with communications containing business secrets and other secrets (Section 6 (3) and (4) HinSchG):

This information may only be used and passed on to the extent necessary for the employees of the ombudsman’s office to take follow-up measures. In all other respects, the persons working for the ombudsman’s office are themselves subject to the same confidentiality and non-disclosure obligations to which the whistleblower was initially subject.

Thesis 19: The whistleblower is entitled to meaningful feedback. This takes place in accordance with the legal regulations and in compliance with the legal interests of all parties involved.

According to Section 17 para. 2 sentence 1 HinSchG, the internal reporting office (this can be the ombudsperson or the internal reporting office can instruct the ombudsperson to act as a special reporting channel, see thesis 9) must provide feedback to the whistleblower within a certain period of time. According to Section 17 para. 2 sentence 2 HinSchG, this includes “notification of planned and already taken follow-up measures as well as the reasons for these.” Feedback to the whistleblower may only be provided to the extent that it does not affect internal inquiries or investigations and does not impair the rights of the persons who are the subject of the report or named in it.

The provisions therefore already reveal the tension between the obligation to provide comprehensive feedback to the whistleblower on the one hand and the protection of investigations and the rights of third parties on the other. The tension is resolved by the law in the sense of a rule-exception relationship in favor of the protection of investigations and the rights of the person affected by the report.

Thesis 20: The retention periods under professional law apply to legal ombudspersons.

The professional regulations (Section 50 (1) sentence 2 BRAO), as special statutory regulations, take precedence over the general data protection regulations and the provisions of the HinSchG on retention. The obligation to retain files, which includes the notifications pursuant to Section 17 HinSchG, therefore exists for six years, beginning at the end of the calendar year following the conclusion of the respective process.

Thesis 21: Legal ombudspersons and outsourced internal reporting offices are responsible for data processing.

If a lawyer acts as an ombudsperson, their work as an ombudsperson is legal work. Lawyers collect and process their own data in the client relationship and are not processors in accordance with Art. 28 GDPR.

If the lawyer acts as an internal reporting office, he is also not a processor, as Section 15 (1) sentence 1 HinSchG stipulates the independence of the reporting office. However, if the follow-up measures are carried out in close cooperation with a compliance staff unit of the organization and data is exchanged in the process, joint responsibility should be examined in accordance with Art. 26 GDPR.

Thesis 22: The ombudsperson must ensure an adequate level of data protection for incoming reports.

Technical and organizational measures within the meaning of Art. 32 GDPR must be taken to ensure that unauthorized third parties do not gain access to the reports and related communication and documentation (see Section 16 (2) HinSchG).

Suitable means include, for example, data encryption, confidentiality obligations for authorized users and authorization concepts.

The process of receiving and processing reports of breaches must be recorded and described by the organization and the legal ombudsperson in the register of processing activities (VVT).

The legal ombudsperson should check whether a separate data protection impact assessment (DPIA) is required in their specific case.

Thesis 23: The information and disclosure rights of the reported person and other named persons are limited.

Due to the derogation in Art. 14 para. 5 b) GDPR, the reported person does not have to be informed of the processing when their data is collected if this makes it impossible or seriously impairs the implementation of the whistleblowing procedure.

A request for information via Art. 15 GDPR can be opposed by Section 29 para. 1 sentence 2 BDSG if the disclosure would reveal information that must be kept secret in accordance with Section 8 HinSchG. If the HinSchG is not relevant for the controller, a balancing of interests must take place in accordance with Section 29 (1) sentence 2 BDSG.

The same applies to other persons named by the informant (parties involved, witnesses).

The obligation to fulfill the information and disclosure rights of the reported and other persons applies to all data controllers (see thesis 22).