Branding & Multitenancy
Optional integration of company logo and corporate identity colors. Depending on your needs, a common hintbox for several companies or joint case processing with several hintboxes.
The topic of “whistleblower system and compliance” is still treated carelessly in a large number of companies. The EU Whistleblower Directive aims to change this, allowing employees, customers, suppliers and other third parties (e.g. former employees, job applicants and journalists) to confidentially provide information about breaches of EU regulations concerning the company – e.g. in cases of suspected money laundering, tax fraud or in areas such as product and road safety, environmental protection, public health or consumer and data protection.
This new system is not only intended to detect and prevent violations, it also promotes internal communication within the company: it sets an example for the courage and commitment of employees and underlines the trust and sense of responsibility of all involved. We provide you with a whistleblowing system that offers both high security standards and confidential data processing that complies with data protection regulations.
Comprehensible and uniform definition of processing steps. Integrated monitoring of deadlines and notifications to whistleblowers and case managers.
Availability of the online portal in 24 languages with automatic translation of communication with whistleblowers.
Operation of the Hintbox as a closed system with true and complete end-to-end encryption and separation from other Hintboxes.
An internal reporting channel offered as an online portal must meet numerous technical and legal requirements. Legal risks from the use of software providers in third countries outside the EU without an adequate level of data protection were to be avoided, as was inadequate encryption of the whistleblower system’s content.
Our choice therefore fell on the Hintbox from lawcode GmbH. In addition to guaranteeing the highest security standards and true end-to-end encryption, Hintbox offers above all numerous supporting functions in case processing and a fair price-performance ratio. The multilingual user interface with automatic translation into up to 24 languages also enables communication with whistleblowers without language barriers.
Our case managers are qualified in data privacy, information security and compliance management and receive regular training – including on the special requirements of the EU Whistleblower Directive.
Do you need an internal reporting channel and support for message processing? We gladly provide you with a non-binding offer for our digital whistleblower system and the function as an independent ombudsman office.
Internal Reporting Channel incl. online portal and 24/7 accessibility.
End-to-End Encryption and anonymous messages with communication.
Timely and qualified case management as independent Ombuds Office.
Is a whistleblower system required by law?
An obligation to establish (anonymous) reporting channels for whistleblowers may already be required by law, depending on the industry.
However, EU Directive 2019/1937 of October 23, 2019, lays down rules that strengthen the protection of whistleblowers and establish the framework for setting up reporting channels and handling whistleblowing by employees and business partners. EU member states should have transposed this directive into national law by December 17, 2021. However, many EU countries have let this deadline pass – Germany has also not yet passed the planned Whistleblower Protection Act.
However, companies should not wait for national legislation, as the requirements of the EU Directive must be implemented in any case (sooner or later). Those employing more than 250 people should immediately ensure the establishment of an internal reporting channel and whistleblower protection. For legal entities with 50 to 249 employees, the EU Directive grants a transition period until December 17, 2023, unless (future) national legislation requires earlier implementation.
What does "internal reporting channel" mean?
Based on the EU Whistleblower Directive, legal entities must establish internal reporting channels that allow employees and business partners (customers, suppliers) to report information about legal violations verbally or in writing. This includes, for example, a telephone hotline or online portals.
Subsequently, these internal messages must be checked and, depending on the result, follow-up measures must be taken. Reporting channels may be operated internally by a person or department designated for this purpose or provided externally by a third party.
Reporting channels must be securely designed, established and operated to maintain the confidentiality of the identity of the whistleblower and third parties mentioned in the report and to prevent unauthorized employees from accessing them.
What does "independent ombuds office" mean?
The handling of reports made through one or more internal channels also requires the designation of an impartial person or department responsible for follow-up. This may explicitly be the same person or department that receives reports and communicates with whistleblowers.
An independent ombuds office is operated by an external third party to be responsible for both the operation of an internal reporting channel and subsequent follow-up. In this context, certain professional groups are particularly suitable in terms of the duty of confidentiality and qualifications, e.g. lawyers, external data protection officers or compliance managers.
What is the role of IBS data protection?
We are a consulting firm for data protection, information security and IT security and have been appointed as external data protection officers by companies worldwide. Based on the qualification of our employees, we offer the activity as an independent ombuds office. This includes both the provision of an internal reporting channel – in electronic (=written) form – and the timely processing of reports and follow-up actions.
However, individual adaptations are also possible on request – from providing the online reporting portal without case processing to setting up additional reporting channels (presence, e-mail, telephone). Please contact us if you have any questions.
Who decides on the follow-up?
As an independent ombuds office, we guarantee both the receipt of hints (internal reporting channel) and individual case processing. Different workflows are implemented depending on the legal area of the violation. In each case, we evaluate the information and recommend follow-up measures to the company concerned. However, the decision on the implementation of certain measures (e.g. reporting to authorities, criminal charges, etc.) is always made by the management.
Are there other reporting channels in addition to the online portal?
In principle, we provide an internal reporting channel with the digital whistleblower system. Of course, the company concerned can also provide its own channels for submitting hints in parallel (e.g. intranet, mailbox). Upon request, we offer additional communication options that can be integrated into the Hintbox case processing (e.g., receiving tips by phone or in person).
How do we provide information about our whistleblower system?
When commissioning our digital whistleblower system, you should inform employees and business partners about this internal reporting channel and the responsibility of the independent ombudsman office for follow-up measures. Short articles on the website as well as on the intranet and in newsletters that provide a link to the online portal are ideal.
Who operates the reporting portal?
As an independent ombudsman service, IBS data protection services and consulting GmbH operates the online reporting portal both as a telemedia provider within the meaning of Section 5 of the German Telemedia Act and as a controller within the meaning of the GDPR. We are commissioned to establish the internal reporting channel and to process reports and follow-up measures as an external third party, and thus not within the scope of contracted processing according to Art. 28 GDPR.
lawcode GmbH is in turn used by us as a processor within the scope of providing the Hintbox. Hintbox is hosted by Hetzner Online GmbH, which acts as a processor for lawcode GmbH.
Neither lawcode GmbH nor Hetzner Online GmbH is in possession of the keys, so access to the contents of the Hintbox is excluded.
Can the reporting portal be customized?
Yes.
There is a possibility of individual branding. An additional logo (besides the IBS data protection logo) as well as an individual banner graphic and a desired color (highlight, button, link text, frame) can be selected for each Hintbox.
The legal texts are provided by us, as we are the operator of the online portal. The texts on the home page and the wording about the company can, however, be coordinated individually.
Is embedding in our website possible?
Yes.
Each Hintbox is accessible via an individual DNS address, which consists of a freely selectable subdomain and one of several available top-level domains. Thus, the online portal is publicly accessible at any time via the Internet as a stand-alone website. However, it is also possible to embed the Hintbox afterwards as an iframe in your website on the Internet / Intranet.
How is a whistleblower’s data protected?
Each Hintbox is operated as a completely closed container, ensuring separate data storage and separation from other Hintboxes. Communication between the whistleblower’s / case manager’s browser and the server is secured using TLS (https). Data on the server is fully encrypted, and the keys are only available to the parties involved in the communication (whistleblower and Hintbox user). Access to the content is not possible even in the event of seizure without IBS data protection granting access. In addition, every access to whistleblower information and every processing step is logged in the Hintbox.
Who can access a whistleblower’s data?
Every report submitted via the online portal is available exclusively in the Hintbox. End-to-end encryption ensures that initially only responsible case managers of IBS data protection have access to the communication. Neither the company concerned nor lawcode GmbH nor Hetzner Online GmbH can read the whistleblower’s data. Depending on the permissibility and necessity for processing the report and taking follow-up action, data of the whistleblower or other persons involved may be disclosed to third parties.
Can whistleblowers also report anonymously?
Yes.
Although the EU Directive does not provide for legal entities to enable anonymous reporting for whistleblowers, Hintbox offers this feature. By not collecting IP addresses or other connection data, and removing metadata from file uploads, true anonymization of the whistleblower can be ensured. Subsequent communication takes place via an electronic mailbox to which only the whistleblower has access. Depending on the individual case, however, it may be necessary for the whistleblower to give up anonymity so that appropriate follow-up measures can be taken.
How long does it take to set up the whistleblower system?
For the technical setup of a Hintbox, including the necessary legal texts, the individual branding and a test run, we currently need 10 working days. If several Hintboxes are required for a group of companies, the technical setup will be extended by 5 working days from the second Hintbox onwards. In addition, there are the times for the contractual agreements and the information about the internal reporting channel on your side (website/intranet or similar).