Germany · Updated 2026-05-19

HinSchG enforcement after two years: what BfJ inspections actually look at in 2026

By Confidly editorial · Published 2026-05-19

The Hinweisgeberschutzgesetz (HinSchG) entered into force on 2 July 2023; employers with 50 to 249 employees had until 17 December 2023 to set up an internal channel. Two years on, the Bundesamt für Justiz (BfJ) and the Länder data protection authorities have built up a body of practice that is now visible in the fines registered, the inspection minutes shared with affected employers, and the published warnings of the BfJ’s whistleblower-protection unit. Here is what HinSchG enforcement looks like in mid-2026, from the perspective of compliance officers who have been on the receiving end of it.

Direct answer

Two years of HinSchG enforcement show the same five deficiencies cited in nearly every BfJ inspection: (1) no acknowledgement within seven days, (2) substantive feedback missed at the three-month mark, (3) the channel is operated by someone with a conflict of interest, (4) the audit log is editable or absent, and (5) the channel does not actually offer the required oral and physical-meeting options. Fines have settled in the €5,000-€30,000 range for first-time deficiencies, with €50,000 reserved for retaliation. Retaliation cases drive litigation, not BfJ inspections.

How inspections start

BfJ’s whistleblower-protection unit (Referat IV C 1 in Bonn) does not run blanket sweeps. Inspections start in one of three ways. First, a reporter who used the BfJ external channel and was unhappy with the internal one writes a complaint; about 60% of inspections trace back to this pattern. Second, an anonymous tip arrives at the BfJ alleging that an in-scope employer has no channel at all; staff verify on the company website and follow up where credible. Third, a Land DPA refers a case after finding a GDPR concern that overlaps with the HinSchG channel — typical when retention rules are out of step.

The inspection itself usually begins with a written information request (Auskunftsersuchen) under §40 HinSchG, listing 15-30 specific documents: the policy, the procedure, the role description of the case handler, training records, the list of cases received over the last 12 months with their case codes, sample acknowledgement messages, the audit log for a named case, and the DPIA. The reply window is usually 30 days; extensions are granted on request for complex multi-entity groups.

The five deficiencies cited in nearly every report

1. Late acknowledgement under §17(1) HinSchG

The seven-day acknowledgement is the most commonly missed rule. §17(1) is precise: the case handler must confirm receipt to the reporter “spätestens nach sieben Tagen”, and the seven days run from receipt of the report, not from the day a handler first opens the case. Many channels do this automatically by email, but if the reporter chose anonymous reporting the acknowledgement must be delivered through the channel itself (the case timeline), and that step requires a human action that frequently slips. BfJ cites acknowledgements sent later than seven days after receipt in 40-50% of inspections.

2. Missed substantive feedback at the three-month mark

§17(2) requires substantive feedback within three months of the acknowledgement, or, where no acknowledgement was sent, within three months and seven days of receipt; a late acknowledgement therefore does not buy extra time, and HinSchG gives the internal channel no six-month extension (that exists only for the external reporting offices). Cases that drift past three months without any feedback message back to the reporter, even an interim “investigation continues, expected to close within X weeks”, are routinely cited. The cure is to make the three-month deadline visible in the case timeline and to require an explicit feedback action before the date passes; pure-calendar reminders are not enough if the reminder fires but no one acts on it.

3. Conflict of interest in the case handler role

§15(1) HinSchG requires the case handler to act unabhängig and to ensure that any other duties they hold do not lead to Interessenkonflikte. BfJ asks for the case handler’s full role description and routinely cites situations where the handler reports to the very executive whose conduct could be the subject of a report. Mid-sized employers typically have a head of compliance who reports to the CFO; a case against the CFO has nowhere to go without a documented recusal mechanism. Inspectors want to see a named alternate handler and an escalation route to the supervisory board for senior-management cases.

4. Editable or absent audit log

§11(1) requires documentation of received reports “in dauerhaft abrufbarer Weise” (§11(5) adds the retention side: deletion three years after the case closes, unless a longer period is justified). “Durable” is interpreted in practice to mean tamper-evident: an audit log stored in an Excel file that anyone in compliance can edit does not meet the standard. BfJ asks for a sample audit log entry showing the user identity, timestamp, and action taken. Channels that cannot produce one are cited; channels that produce one but cannot demonstrate it is append-only are warned. A hash chain alone only proves that entries have not been edited since the chain was last computed; if the same people who can edit entries can also recompute the chain, the current chain head has to be anchored somewhere they cannot touch (a daily export to WORM storage, an external timestamp) for the check to mean anything. Confidly’s audit log is hash-chained and exportable, and the cryptographic verification of the chain is reproducible by the inspector.

5. Missing oral and physical-meeting options

§16(3) HinSchG requires the channel to accept reports in text form and orally (by phone or another means of voice transmission), and to offer a physical meeting within a reasonable time if the reporter requests one (with the reporter’s consent the meeting may also be held by video). Many employers have a perfectly good web form and no oral channel at all. The oral option does not require a 24/7 call centre; a recorded voicemail line that is reviewed daily is enough. The physical-meeting option requires the case handler to be willing to meet the reporter in person within a reasonable time; the right to request the meeting cannot be qualified (“only if the case is serious”).

The fines actually imposed

Public records and counsel debriefings suggest the following pattern of fines through 2024-2026 (none of these are published with company names; the figures come from administrative orders cited in the Annual Whistleblower Protection Report):

  • No channel at all: typically €15,000-€30,000 for an employer in the 250-999 employee range, scaled to size. Note that the statutory ceiling for this offence (§40(2) Nr. 2 with §40(6)) is €20,000, so amounts above that cannot come from the missing-channel offence alone.
  • Retaliation against an identified reporter: €30,000-€50,000 (the §40(6) maximum for retaliation under §40(2) Nr. 3), with some cases pushed higher through criminal proceedings where dismissal was used as retaliation.
  • Confidentiality breach (disclosure of reporter identity): €20,000 typical, with the named individual also potentially sanctioned.
  • Late acknowledgement and feedback on its own: usually settled with a formal warning (Verwarnung) and an undertaking to fix, not a fine, unless repeated.

The €500,000 ceiling for legal entities (the €50,000 maximum multiplied tenfold via §30(2) sentence 3 OWiG, which §40(6) declares applicable to the obstruction, retaliation and confidentiality offences) has not been reached in any single matter published to date. That ceiling exists for cumulative or aggravated cases; the most likely scenario is a multi-deficiency channel where retaliation, confidentiality breach, and process failures combine.

What an inspection-ready setup looks like

The employers who pass a HinSchG inspection cleanly share a small number of characteristics:

  • The seven-day and three-month deadlines are visible on the case timeline and trigger an action, not just a reminder.
  • The case handler has a named alternate, and the audit log shows the alternate being used when conflicts arise.
  • The audit log is hash-chained, and the chain head or the whole log is exported daily to a WORM bucket so that a rewritten chain cannot pass as the original; the case handler can produce a chain-of-custody record (attachment hash, who stored it, when) for any attachment.
  • The channel website lists the legal name and contact details of the case handler, not just “compliance@”.
  • Oral reporting is offered: typically a voicemail line monitored daily.
  • The DPIA is dated and signed, references both GDPR Article 35 and HinSchG, and explicitly addresses anonymous reporting and EU-resident data processing.
  • Training records show that every case handler attended a refresher in the previous 12 months.

None of this is exotic, and none of it requires expensive software. It requires that the operational discipline matches the obligations written down in the policy. The Bundesamt für Justiz looks for that match; when it finds it, inspections close without fines.
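The audit-log requirement in deficiency 4 and the hash-chain bullet above both come down to one check an inspector must be able to reproduce: recompute the chain over the exported log and see whether every entry, and the final head, still matches. The following is an added example written for this guide; it is not Confidly’s code or the format of any product. The field layout, the actors, the case code and the sample entries are constructed for the example. It records user identity, timestamp, case, action and an attachment hash per entry, exports JSON Lines, and verifies an export against a chain head that is assumed to have been copied to WORM storage. The demo also shows the limit noted above: an insider who rebuilds the entire chain produces a log that verifies cleanly unless the head is anchored outside their reach.

```python
"""Hash-chained, append-only audit log for whistleblower case files.

Added example, not code from the page or any product. Field names, actor
names, the case code and all sample entries are constructed for the demo.
"""
from __future__ import annotations
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                                  # prev_hash of the first entry (convention chosen here)
REQUIRED = ("ts", "actor", "case_id", "action")     # fields an inspector asks to see on every entry

def _canonical(fields: dict) -> bytes:
    # Canonical JSON: key order and whitespace must not change the hash.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def entry_hash(fields: dict) -> str:
    return hashlib.sha256(_canonical(fields)).hexdigest()

class AuditLog:
    def __init__(self):
        self.entries: list[dict] = []

    def append(self, actor: str, case_id: str, action: str, ts: datetime,
               attachment: bytes | None = None) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "case_id": case_id,
            "action": action,
            # Chain of custody for attachments: the content hash is bound into the entry.
            "attachment_sha256": hashlib.sha256(attachment).hexdigest() if attachment is not None else None,
            "prev_hash": prev,
        }
        rec = dict(body, entry_hash=entry_hash(body))   # hash covers every field except itself
        self.entries.append(rec)
        return rec["entry_hash"]

    def head(self) -> str:
        """Chain head: the value to copy daily to WORM storage or an external timestamp."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def export(self) -> str:
        """JSON Lines export handed to the inspector; verify() consumes exactly this."""
        return "\n".join(json.dumps(e, sort_keys=True, ensure_ascii=False) for e in self.entries)

def parse(export: str) -> list[dict]:
    return [json.loads(line) for line in export.splitlines() if line.strip()]

def verify(entries: list[dict], expected_head: str | None = None) -> tuple[bool, int | None]:
    """Recompute the chain. Returns (True, None) or (False, seq of the first bad entry).

    A failure index equal to len(entries) means every entry is self-consistent but the
    head differs from the independently anchored one: the log was rewritten or truncated.
    """
    prev = GENESIS
    for i, rec in enumerate(entries):
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if rec.get("seq") != i or body.get("prev_hash") != prev:
            return False, i                                   # gap, reorder or deletion
        if any(not body.get(f) for f in REQUIRED):
            return False, i                                   # entry lacks identity/time/action
        if not hmac.compare_digest(entry_hash(body), str(rec.get("entry_hash", ""))):
            return False, i                                   # content edited in place
        prev = rec["entry_hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None

def demo() -> dict:
    """Constructed case history plus three tampering scenarios an inspector would catch."""
    t0 = datetime(2026, 3, 2, 9, 14, tzinfo=timezone.utc)
    sample_pdf = b"%PDF-1.4 constructed sample attachment"
    log = AuditLog()
    log.append("m.weber", "C-2026-0031", "report_received", t0)
    log.append("m.weber", "C-2026-0031", "acknowledgement_sent", t0 + timedelta(days=9))  # two days late
    log.append("s.kaya", "C-2026-0031", "attachment_stored", t0 + timedelta(days=10), attachment=sample_pdf)
    log.append("m.weber", "C-2026-0031", "interim_feedback_sent", t0 + timedelta(days=80))
    head = log.head()                  # assumed to have been written to WORM storage on day 80
    export = log.export()

    clean = verify(parse(export), expected_head=head)

    # 1. Edit in place: backdate the acknowledgement so it looks on time.
    edited = parse(export)
    edited[1]["ts"] = (t0 + timedelta(days=6)).isoformat(timespec="seconds")
    in_place = verify(edited, expected_head=head)

    # 2. Delete the attachment entry; the following entry's seq and prev_hash no longer fit.
    deleted = parse(export)
    del deleted[2]
    gap = verify(deleted, expected_head=head)

    # 3. Rebuild the whole chain around the backdated entry: self-consistent, so only the
    #    externally anchored head exposes it.
    rebuilt = AuditLog()
    for rec in edited:
        rebuilt.append(rec["actor"], rec["case_id"], rec["action"], datetime.fromisoformat(rec["ts"]),
                       attachment=sample_pdf if rec["attachment_sha256"] else None)
    rebuilt_no_anchor = verify(rebuilt.entries)
    rebuilt_anchored = verify(rebuilt.entries, expected_head=head)

    return {"clean": clean, "in_place": in_place, "gap": gap,
            "rebuilt_no_anchor": rebuilt_no_anchor, "rebuilt_anchored": rebuilt_anchored}

if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:18} ok={ok!s:5} first_bad_seq={bad}")
```

Running the file prints the five outcomes: the untouched export verifies; the in-place edit fails at entry 1; the deletion fails at position 2; the rebuilt chain passes without an anchor and fails at position 4 (the head) with one. The head value is the only thing that needs to leave the compliance team's control, which is why a daily copy of it to WORM storage is cheap insurance.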

What’s next: the 2026 review

The German Bundestag’s Rechtsausschuss has begun consultations on a HinSchG amendment for 2026-2027. The two most likely changes: a clarification on group privilege (whether one channel can serve multiple legal entities, which is contested between BfJ and the Federal Ministry of Justice), and on harmonisation with the GDPR retention rules. Neither will change the inspection patterns described above; both will add procedural detail.

Confidly tracks HinSchG enforcement decisions and will update this guide as new cases publish.

Confidly is the channel built around these obligations

14-day free trial. EU-hosted. No credit card. Cancel anytime.

Multi-entity? Talk to us →