Compliance

Whistleblower Protection Act (HinSchG) and Background Checks: The Overlooked Connection

April 20, 2026

The German Whistleblower Protection Act has been in force since July 2023 and implements the EU Whistleblowing Directive. For compliance officers, it is one topic — for HR, another. The connection to background checks often remains under the radar. This guide shows three touchpoints that every compliance system must consider.

An overview of the HinSchG

The law requires companies with at least 50 employees to set up internal reporting channels through which whistleblowers can report compliance violations. The following can be reported:

  • Criminal offenses

  • Administrative offenses, insofar as they protect health, life, or the rights of others

  • Violations of EU law in specific areas (finance, data protection, consumer protection, antitrust law, money laundering, etc.)

Whistleblowers are comprehensively protected against retaliation. Termination, reassignment, reduction of bonuses — all such measures are considered presumed retaliation if they occur within two years of the report. The whistleblower only has to prove that the report was made; the employer must prove that the measure had nothing to do with the report.

Three touchpoints with background checks

1. The integrity of the ombudsperson themselves

The internal reporting channel is managed by an ombudsperson — either internally (compliance officer, legal counsel) or externally (specialized law firm, external whistleblower platform). This person has access to highly sensitive information: suspected cases against management, internal fraud cases, sanctions violations.

If the ombudsperson is personally compromised (through unresolved conflicts of loyalty, financial distress, or proximity to sanctioned parties), the entire whistleblower system becomes worthless. Many companies overlook this: the ombudsperson also needs a structured fit-and-proper check, especially:

  • Sanctions list screening (no PEP-adjacent profile without disclosure)

  • Insolvency history (no one with immediate financial vulnerability)

  • Adverse media screening (public integrity incidents)

  • Conflicts of interest (no connection to reported parties)

2. Reactive screening when reports come in

When a report comes in — for example, a whistleblower reports suspected bribery of a senior executive — the company must respond. Part of that response is a reactive background check on the accused person:

  • Current PEP/sanctions status (maybe something has changed since hiring)

  • New adverse media (are there public indications of the reported behavior?)

  • Connections to external parties (UBO analysis in cases of suspected corruption)

Important: A reactive screening must be documented under data protection law. The legal basis is usually legitimate interest under Art. 6(1)(f) GDPR — documented through a proportionality assessment that cites the report as the trigger.

3. Candidate screening for sensitive roles with a whistleblower history

If an applicant has previously acted as a whistleblower at a company, that is not a legitimate reason for rejection under the HinSchG. At the same time, sensitive roles must still be reviewed in a structured way.

The screening must not treat public whistleblower references as a negative signal. On the contrary: a documented whistleblower history can signal integrity. The challenge is to structure screening in a way that excludes discriminatory rejection and remains compliant with the General Equal Treatment Act (AGG).

What applies in Switzerland and Austria?

Switzerland

Switzerland has no equivalent to the HinSchG. Whistleblowers are protected by case law under the Federal Act on the Protection of Personality and Art. 328 of the Swiss Code of Obligations, but less comprehensively than in the rest of the DACH region. For Swiss subsidiaries of EU-based groups, the German HinSchG applies indirectly as well, through group integration.

Austria

Austria implemented the Whistleblower Protection Act (HSchG) in February 2023. It is substantively comparable to the German law, with one particularity: external reporting channels (public prosecutor's office, anti-corruption prosecutor's office) are given greater prominence.

Integration recommendation

For an integrated compliance system, the following is recommended:

  1. Pre-hire check of the ombudsperson with fit-and-proper depth (analogous to Section 25c of the German Banking Act (KWG))

  2. Reactive screening protocol with defined triggers and a data protection framework

  3. Candidate screening policy that respects HinSchG requirements (no discrimination based on whistleblower history)

  4. Annual integrity audit of the ombudsperson — same procedure as fit-and-proper

How Indicium supports this

  • Documented fit-and-proper workflow for ombudspersons

  • Reactive screenings with an audit trail for the proportionality assessment

  • Integrated AGG-safe screening (no automatic negative assessment of whistleblower history)

  • Cross-jurisdictional coverage for HinSchG DE, HSchG AT, and Swiss Code of Obligations Art. 328

Conclusion

Whistleblower protection and background checks share a common foundation: integrity. Companies that treat the two in isolation miss structural risks — a compromised ombudsperson, a neglected reactive screening, discriminatory handling of candidates. The touchpoints are clear — most compliance systems do not address them systematically.

Book a demo and see the integrated HinSchG screening workflow for yourself.

Nabil El Berr




Save 70% of your screening time

Every unchecked hire is a risk. Start now with automated background checks.

GDPR-compliant · Made in Europe · Results in minutes

Dashboard of the Indicium platform with various analysis areas.
Display of an applicant's risk level in the Indicium report.

Sign up for the newsletter

Legal Information

Made in Europe

Compliant with Data Protection

Ready to use immediately

Hünenberg (Switzerland) · Hamburg (Germany)

© 2026 Indicium Technologies AG.

All rights reserved.
