Deploying a whistleblower channel in Germany, Austria, or the Netherlands is not a unilateral employer decision. Works-council codetermination (Mitbestimmung, Mitwirkung, medezeggenschap) attaches to the technical configuration, the procedure, and any associated personal-data processing. Many deployments stall not because of GDPR but because of an unsigned works-council agreement. This guide sets out what needs negotiating, what doesn’t, and how to keep the project moving.
Direct answer
In Germany, §87(1)(1) and §87(1)(6) BetrVG give the Betriebsrat codetermination on the order of operations within the workplace and on the introduction of technical devices that monitor employee behaviour. A whistleblower channel triggers both. The Betriebsrat must concur on the Betriebsvereinbarung covering the channel before deployment. Austria’s ArbVG §96(1)(3) is similar. The Dutch WOR Article 27 requires advice of the ondernemingsraad on personnel-information policy and codetermination on the procedure. France, Spain, and Italy do not have codetermination in this sense but do require information-consultation of CSE/representantes/RSU.
Germany: §87 BetrVG and the Betriebsvereinbarung
§87(1)(6) of the Betriebsverfassungsgesetz gives the Betriebsrat codetermination on the introduction and use of “technische Einrichtungen, die dazu bestimmt sind, das Verhalten oder die Leistung der Arbeitnehmer zu überwachen”. The Bundesarbeitsgericht has consistently read “bestimmt” broadly: an objective capability to monitor is enough, even if the employer’s subjective intent is something else. A case-management system that logs which case handler viewed which case at what time has the capability to be used for performance review of the case handlers and therefore triggers §87(1)(6).
§87(1)(1) — order of operations in the workplace — adds a second hook. The channel and its procedure define a sequence of staff conduct (case handler responds within 7 days, escalates by step 3, closes by step 5). That sequence is the kind of internal ordering §87(1)(1) addresses.
The standard route is a Betriebsvereinbarung Hinweisgeberschutz. A typical document runs 8-15 pages and covers: scope (which entities of the group), channels (web, voicemail, oral, physical meeting), the case-handler role and recusal mechanism, data minimisation, audit log and its access controls, retention, training, and the change-management procedure for future modifications. Concurrence of the Betriebsrat is not a formality: real negotiation typically takes 6-12 weeks, longer for groups with multiple Betriebsräte that must align via a Gesamtbetriebsrat or Konzernbetriebsrat.
What needs negotiating in practice:
- The list of data fields captured and their retention. Push to minimise.
- The audit-log access model: who can read the audit log, who cannot.
- Whether AI features are enabled and what they can do.
- The post-investigation use of case data for trend analysis and training.
- The change-management mechanism for adding sub-processors.
What does not need negotiating: the fact of having a channel at all (HinSchG mandates it; refusal to concur to the existence of the channel would be misuse of codetermination), the legal acknowledgement and feedback deadlines (statutory minima), and the right of access of authorities (BfJ).
If the Betriebsrat refuses concurrence, the dispute goes to the Einigungsstelle, which can resolve it in weeks but represents months of legal cost. Most groups avoid Einigungsstelle by negotiating directly.
Austria: §96 ArbVG and the Betriebsvereinbarung
The Austrian Arbeitsverfassungsgesetz §96(1)(3) requires consent of the Betriebsrat to the introduction of personnel-data systems that touch on dignity (Menschenwürde). A whistleblower channel that captures, processes, and retains identity-adjacent data triggers this. The procedure mirrors the German one: a Betriebsvereinbarung, mandatory consent, and an Einigungsamt fallback. The HSchG (the Austrian transposition of Directive 2019/1937) explicitly references the §96 obligation and does not pre-empt it.
The Austrian negotiation tends to focus on the protection of named third parties (subjects of reports) because Austrian law has historically emphasised the dignity dimension more than the German equivalent. The Betriebsrat will often ask for: a written commitment that subjects are heard before closure, a documented appeal mechanism for closure decisions, and a hard cap on retention of fully unsubstantiated reports.
Netherlands: WOR Article 27 and 28
The Wet op de ondernemingsraden (WOR) splits the procedural rights of the ondernemingsraad between advice and consent. WOR Article 27(1)(k) requires consent on regulations concerning personnel-information systems; WOR Article 27(1)(l) on regulations on the processing and protection of personal data of employees. A whistleblower channel fits both. Additionally, the Wbk explicitly requires that the internal reporting procedure be drawn up “in consultation with the ondernemingsraad” (Article 17 Wbk). The procedure must obtain the OR’s consent before adoption.
Practical: the OR’s consent is required for the internal reporting procedure; the OR is informed of the choice of platform but does not have a veto on the supplier. The procedure must address anonymous reporting (allowed under Wbk), the role of the Huis voor Klokkenluiders, retention, and the access rights of the case handler and any HR or board representative.
If consent is refused, the WOR provides for arbitration through the kantonrechter or through the Bedrijfscommissie. In practice OR consent is given within 4-8 weeks where the employer has prepared the procedure properly.
France: CSE information-consultation
France does not have codetermination in the German sense. Articles L2312-8 and L2312-26 of the Code du travail require information-consultation of the comité social et économique (CSE) on the introduction of new technologies that have an impact on conditions of work. The CSE’s opinion is consultative, not binding; the employer must consider it but can proceed if the opinion is negative. Practical: prepare a CSE consultation pack including the legal basis, the DPIA, and the procedure, and present it in a CSE meeting. The CSE has one month to render an opinion. The opinion is recorded in the procès-verbal of the meeting and the channel can deploy.
The CSE may also raise questions through the right of alert (droit d’alerte). The employer must respond formally.
Italy: RSU and the Garante
The Italian rappresentanze sindacali unitarie (RSU) have a consultative role under the relevant CCNL (national collective bargaining agreement); the obligation is on the employer to inform and discuss material changes to working conditions. A whistleblowing channel does not, by default, trigger a binding RSU consent under most CCNLs but the employer is expected to discuss it. Separately, the Garante per la protezione dei dati personali has issued specific guidance on whistleblower channels (Provvedimento 27 luglio 2023) which sets out expected data-protection measures; failure to follow the Provvedimento is itself a sanctionable item under GDPR.
Spain: representantes de los trabajadores
The Spanish Estatuto de los Trabajadores Article 64 requires information and consultation of representantes de los trabajadores on new working procedures and on personnel-data systems. The Ley 2/2023 transposing Directive 2019/1937 also requires negotiation of the internal procedure with the representantes. The negotiation is closer to the German Mitbestimmung in spirit than to the French consultation: in practice, employers reach a documented agreement before deployment.
Sequencing the project
A practical sequence for a multinational deployment that minimises freeze risk:
- Draft the procedure and DPIA in headquarters.
- Localise the procedure for each in-scope jurisdiction in parallel.
- Initiate works-council/CSE/RSU/representantes engagement in the same week across all countries with the same draft.
- Run the local negotiations in parallel, each on its own timeline, with a project manager tracking cross-country consistency.
- Reserve the final two weeks for cross-country alignment of agreed text variants.
The single biggest mistake in cross-border deployments is starting with one country (typically Germany), running it to conclusion, and then learning that the other countries want variations that cascade back. Parallelising from week one avoids this.
What to ask the platform vendor
Compliance officers running a works-council negotiation typically ask the platform vendor four things: (a) can the audit log be exported as evidence to the Betriebsrat without disclosing report content, (b) can role-based access be configured per legal entity within a group, (c) can the AI features be turned off per channel, and (d) can retention be configured per case type per jurisdiction. Confidly answers yes to all four and ships pre-written Betriebsvereinbarung clauses on request.
The works council is not the obstacle. The obstacle is starting the conversation late, with an incomplete picture of the technical configuration, and asking for concurrence on a moving target. Bring a complete proposal, document the negotiation transparently, and the codetermination becomes a non-event in the project plan.