Whistleblower system – facts & implementation

We have summarized the most important aspects of the EU Whistleblower Protection Act and show what you as a company should do now.
Table of contents

To ensure an EU-wide standard for the protection of whistleblowers, the European Union adopted a whistleblower protection regulation in October 2019. In a two-year implementation period, EU member states are required to transpose EU Directive 2019/1937 into their own national laws by December 17, 2021.

What exactly does this policy entail? What does it mean for me as a company? This is what we want to explain in this article and show how we can help you with our solution – Polario.

The basis of the Whistleblower Protection Act

The Whistleblower Protection Act is based on EU Directive 2019/1937. This directive was issued to improve the protection of whistleblowers. Whistleblowers have made waves in the recent past, both politically and economically, by disclosing unlawful acts.

Probably the best-known whistleblower in the political field is Edward Snowden. But also in the economic context, e.g. in the context of the VW diesel gate, there are numerous people who have pointed out grievances and would be considered whistleblowers according to the new legal situation. Whistleblowers are perceived positively by the public because they disclose illegal actions that cause damage to society as a whole. In companies, however, as past cases have shown, whistleblowers are often perceived negatively, as these tips can have negative consequences for employees and the company. At the same time, this negative perception within the company leads to whistleblowers fearing sanctions, up to and including losing their jobs. This is exactly the point at which the EU policy with the directive has set in, so that framework conditions are created to uncover grievances in the future without the whistleblowers having to fear reprisals.

The aim of the EU Directive 2019/1937

The primary purpose of the Directive and the resulting law is to protect whistleblowers who report violations. Whistleblowers are persons who obtain information about violations in a professional context and report them. Infringements are defined as illegal acts. The directive explicitly refers to EU law, which includes, for example, tax fraud, data protection, consumer protection, environmental protection, money laundering and other offenses sanctioned by EU law. With the transposition of the Directive into German law, the reporting of violations of German law will also be covered by the Whistleblower Protection Act.

Who is to be protected by the law?

Employees of the company

Former employees of the company

Supporters of the whistleblowers




Suppliers & service providers

Individuals who report violations outside of work activities or external violations are not protected.

Mandatory introduction of an internal reporting channel

The guideline specifies two possible reporting channels to which whistleblowers can turn. On the one hand, via external reporting channels and, on the other hand, via internal company reporting channels.

External channels are special authorities that have been established for these purposes.

Internal channels are ways that an employee can report the breach internally within the company. And this is where it becomes relevant for your company, because there is an obligation for companies to set up such reporting channels. The EU Directive explicitly states that internal reporting channels are to be given preferential treatment.

Not only companies under obligation

For companies with more than 50 employees or annual sales higher than 10 million euros, for municipalities with more than 10,000 inhabitants and state and federal authorities, this new law means that you must set up internal reporting channels for your employees for such violations. These reporting channels must meet the following requirements.

You must:

    • Ensure confidentiality
    • Prevent disclosure of information to the reporter
    • Comply with the GDPR
    • Enable anonymity for whistleblowers
    • Protect against reprisals

In addition, the company must appoint an ombudsperson who accepts reports and follows up on the information provided. The guideline states that the ombudsperson must have the following skills:

    • Expertise to follow up on leads from the report
    • Independence
    • Confidentiality

By when do you need to have the internal reporting channel up and running?



Legal entities over 250 employees



Legal entities with more than 50 employees or € 10 million turnover



Municipalities over 10,000 inhabitants



Federal & state authorities

The possibilities of the reporting channels

What can such reporting channels look like according to the law? Basically, the directive provides three options for setting up reporting channels.

As a company, you can set up a 24/7 telephone hotline where employees can report violations. When recording the violations, a detailed log of the report must be made. However, it is difficult to maintain the anonymity of the whistleblower.

The establishment of an office or the appointment of a compliance officer is another way to comply with the requirement to establish an internal reporting channel. In this case, too, a protocol must be prepared. This type of reporting channel hardly enables the preservation of anonymity and creates the risk of disclosure of the informant.

Setting up a digital reporting channel via a web application or integration into an employee app is preferable. In this case, employees are provided with an online form that they can use to report violations. The whistleblowers can be given the option of anonymous or public reporting.

The advantages of the digital reporting channel

    • Pre-structuring of notifications through standardized form
    • Automatic time stamp for compliance with deadlines
    • Possibility of anonymous or public reporting
    • Transparent overview and documentation of reported information

Further obligations of the companies

In addition to setting up a whistleblower system, i.e. a reporting channel for whistleblowers, companies have further obligations. An “impartial person” is to be designated for responsibility within the company for following up on the whistleblower’s reports. According to the EU, this could be compliance officers, human resources managers, in-house counsel, CFO, management or even entire departments. Even the same person/department that receives tips or reports can be designated.

Within seven daysof receipt of a report, the company must confirm to the whistleblower that the report has been received. Information from the company regarding the measures taken, the status of the internal investigation and its outcome must be provided within three months.

Furthermore, the company has an obligation to provide information. Companies must provide their employees with easily understandable and accessible information about internal reporting processes and external/alternative reporting channels to the competent authorities.

All reports received must be stored securelyso that they can be used as evidence if necessary.

Polario of plazz AG as a whistleblower system

plazz AG is a leading provider of content and communication platforms. An individual Polario solution can be activated and implemented for companies and municipalities within a few weeks, since the requirements from the Whistleblower Protection Act are already implemented as functions in the employee app Polario Campus.

Our SaaS solution Polario Campus has a survey and query tool. It is easy to configure in the CMS that answers from these forms are submitted anonymously The corresponding notes are also displayed anonymously in the CMS. There is a possibility of email forwarding to ombudsperson/department.

Whistleblower system

  • Web-based frontend for whistleblowers
  • Web-based content management system for ombudsperson
  • Standardized forms
  • Automatic e-mail to e-mail box defined by you
149 /Month

Whistleblower system

  • Web-based frontend for whistleblowers
  • Web-based content management system for ombudsperson
  • Standardized forms
  • Possibility of individualization of forms
  • Setting up of own forms for independent processing
  • Viewing of the reports in the CMS
229 /Month

Pre-filtering by plazz AG

The whistleblower system Advanced enables you to extend the service of plazz AG. In order to relieve your ombudsperson/department, we offer expert and trained employees who filter and analyze reports from your whistleblower system and forward only valid reports to you. Furthermore, you ensure that the legal deadlines are met.

As a German company, integrity and confidentiality are very important goods to us. Especially with regard to the confidentiality of whistleblowers, plazz AG sets the highest standards for data protection and IT security. As a long-standing provider of SaaS solutions, we can rely on a mature security architecture.

    • ISO 27001 certified company
    • ISO 27001 certified data center
    • Regular pentration tests
    • TISAX certification
    • Detailed technical and organizational measures
    • Development and support completely in house at the development center in Erfurt, Germany
    • Hard encryption (TLS 1.2+)
    • Anonymous data collection
    • Precise access control

Check whether your company needs a whistleblower system!

Tips from plazz AG

      • If you have a works council in the company, involve it in the planning and processes of a whistleblower system at an early stage. A works agreement can be useful here.
      • Model open culture and see such a system as an opportunity to uncover unknown wrongdoings in the company. Compliance culture helps optimize the overall corporate culture.
      • Get your management on board and inform them about the introduction of the whistleblower system and processes at an early stage.
      • Inform your employees transparently about the possibilities of the whistleblower system and create a climate of openness, that tips are followed up and that concerns are reduced that whistleblowers have to fear disadvantages. Make it clear that both the law and the whistleblower system counteract these concerns.
      • Involve all necessary departments in your company in the process, such as data protection, compliance, internal communications, legal, IT, etc.
Thumbnail - whistleblower system
General Use Case

Whistleblower system

Meet legal requirements effectively and in an appealing design with the plazz AG whistleblower system of our intuitive app.

Read ->

Discover more posts!

Thumbnail - Onboarding App

Onboarding App

Build and strengthen the attachment of new employees to your company with an onboarding app.

Read ->

Follow us on social media to stay informed.
Do you have any questions or suggestions? Feel free to contact us!

More Info

About plazz AG
About Mobile Event App

Contact Details

T: +49 (0) 89 26 20 43 469
E: sales@polario.app