Frequently asked questions

Our FAQ (frequently asked questions) answers your questions about the EU Whistleblower Directive. It also gives you initial answers to questions about our whistleblower system, the Hintbox.


General questions

What does whistleblowing mean & who are whistleblowers anyway?

So-called whistleblowers publish secret information which is of special interest to the general public. Because whistleblowers usually ensure transparency, they are highly regarded by large parts of the population. But unfortunately, whistleblowers are usually suppressed, dismissed or bullied by their employers after the publication of secret documents.

Who needs a whistleblower system & who is obliged to use it?

From 17 December 2021, every company or legal entity under public law with 250 or more employees must integrate a whistleblower system. Companies or legal entities with 50 or more employees have an additional grace period of 2 years.

In principle, it is recommended to use such a system even before this directive applies. A whistleblower system can also cover much more than legal violations: for example, suggestions for improvement or cases of bullying can be communicated and dealt with via the system.

What is a whistleblower system used for?

A whistleblower system is used to prevent damage or, if a violation has already been committed, to minimize economic damage. In addition, a company can thereby avoid damage to its reputation, which is important in the business world, or damage to its image.

A digital whistleblower system, such as the Hintbox, is used to receive, prioritize and process information from whistleblowers in the form of case management. In addition, deadlines are recognized and met by the system. All in all, the Hintbox fully secures you with regard to the EU-Whistleblower-Directive, so that you are already compliant by purchasing the Hintbox and can dedicate yourself to the important things in your company.

Who is responsible for a whistleblower system?

Ideally, the Compliance Officer, who is considered a trustworthy person, is responsible for processing information. According to the EU, the tasks can also be carried out, for example, by personnel management, the company lawyer, the finance director, a member of the board of directors, the managing director or an outsourced ombudsman.

What are the alternatives to a digital whistleblower system?

In principle, the whistleblower must be able to submit a report both in writing and orally. This means that, in addition to a digital whistleblower system such as the Hintbox, which relieves them of all bureaucratic tasks, a mailbox or telephone answering service may also be sufficient.

If cases are recorded in analog form in this way, they can be entered into the Hintbox immediately and processed in accordance with the EU Whistleblower Directive.

The Hintbox also offers the possibility to transfer such reports directly into your Hintbox via a telephone bot and an e-mail interface without additional effort.

Which legal areas must be covered by a whistleblower system?

The EU Whistleblower Directive provides protection for whistleblowers who report violations in the following areas:

  • public procurement,
  • financial services, financial products and financial markets as well as the prevention of money laundering and terrorist financing,
  • product safety and conformity,
  • traffic safety,
  • environmental protection,
  • radiation protection and nuclear safety,
  • food and feed safety, animal health and welfare,
  • public health,
  • consumer protection,
  • protection of privacy and personal data and security of network and information systems;


  • infringements of the financial interests of the Union within the meaning of Article 325 TFEU and as more precisely defined in relevant Union policies;


  • breaches of internal market rules within the meaning of Article 26(2) TFEU, including breaches of Union rules on competition and State aid, as well as breaches of internal market rules in respect of acts in breach of corporate tax rules or agreements aimed at obtaining a tax advantage contrary to the object or purpose of the applicable corporate tax law.

However, national legislators are free to extend the scope of protection to other areas.

What are the risks if there is no reporting channel? Do I have to expect penalties?

The exact level of penalties must be determined when the law is transposed into national law. However, the EU Whistleblower Directive already stipulates that member states must lay down “effective, proportionate and dissuasive sanctions for natural or legal persons” if institutions concerned

  • obstruct or attempt to obstruct reporting;
  • take repressive measures against named persons;
  • initiate wilful legal proceedings against the named persons;
  • violate the obligation under Article 16 to maintain the confidentiality of whistleblowers’ identities.

Until when do I have time to set up a whistleblower system?

From 17 December 2021, every company or legal entity under public law with 250 or more employees must integrate a whistleblower system. Companies or legal entities with 50 or more employees have an additional grace period of 2 years.

What can be reported via the whistleblower system?

Theoretically, any report can be submitted via the Hintbox. However, the incoming reports are first checked for plausibility. It may happen that reports are not processed further because they are not intended for processing via the whistleblower system.

The EU directive provides protection for whistleblowers who submit reports of a violation of EU law. Violations of national law are currently not covered, but can be included by national legislators.

What happens if deliberate false reports are made?

For the deliberate reporting of false facts, the EU Whistleblower Directive also requires national legislators to lay down “effective, proportionate and dissuasive sanctions” for whistleblowers.

What do I need to know now about the EU Whistleblower Directive (2019/1937)? (Status: July 2020)

The EU Whistleblower Directive is currently being implemented into national law by national legislators throughout the EU and extended in the interest of the respective countries.

Sweden has already implemented the directive. The German legislator still has to fulfill this task and has until December 17, 2021 to do so. From this date, every company or legal entity under public law with 250 or more employees must have integrated a whistleblower system. If this is not done, severe penalties will be imposed.

Companies with 50 or more employees are also subject to this directive, but have a grace period of 2 years to integrate such a system in the company.

Questions about Hintbox

How does the HINTBOX ensure the anonymity of the whistleblowers?

Each report can be submitted anonymously and tracked afterwards. In addition, even anonymous persons can exchange messages with the processor of the report (e.g. the Compliance Manager) via the Hintbox and upload files afterwards.

Of course, in accordance with the directive, reports can also be submitted non-anonymously. In that case the whistleblower fills out a classic contact form in which he enters only the information about himself that he wants to disclose.

Can the responsible Compliance Manager contact an anonymous person?

The Compliance Manager can use the Hintbox to exchange messages with the whistleblower, whether the whistleblower is anonymous or not. An anonymous whistleblower cannot be notified of a new message, because contact information such as an email address is missing. The anonymous whistleblower has to log in again with his access data in order to retrieve and reply to the messages.

Is the data stored in Germany & is the data secure?

All data is held in Germany. Hetzner is our ISO 27001 certified hosting provider, made in Germany. The Hintbox servers are securely located in the Datacenter Park Nuremberg.

What security standards does the HINTBOX meet?

The Hintbox meets all security standards, be it the encryption of the database or the scanning of uploaded files for viruses. There is no question that the information contained in the Hintbox must be 100% secure.

All communication with the Hintbox is SSL encrypted, so that nobody can intercept the data. The GDPR stipulates, among other things, that personal data must be encrypted. In addition, all reports contained in the Hintbox are protected with the latest encryption technologies, so that only authorized persons have access to the information.

In which languages is the HINTBOX available?

Currently the Hintbox is available in 24 languages. Any other language can be added without problems. We are working on adding more languages to the standard package.

How long does it take to provide a HINTBOX for my company?

The provision of your Hintbox takes a few seconds. Normally, your individual Hintbox is accessible & ready for use in 60 seconds on average after confirmation of purchase and payment. You can buy the Hintbox from winter 2020.

Is the system ready for immediate use or do you need to configure it first?

The system is immediately ready for use and runs on a separate server instance. After the purchase your Hintbox can be accessed via your personal sub-domain e.g.

Legal texts such as imprint and privacy policy can be individually adapted by you, whereby we already provide suitable legal texts. Additionally, the company color and logo can be maintained so that the system perfectly reflects your brand.

Once you have set up the system to meet your requirements, the only thing missing is integration on your company website, so that potential whistleblowers can quickly find their Hintbox.

We are happy to assist you with the integration and customizing at any time.

How is it guaranteed that only authorized persons have access to the system?

Authorized persons can only be created through an invitation from another authorized person. Each customer receives an initial user from us, from whom he can invite further authorized persons. From then on, these persons can only authenticate themselves with their user name and password. The passwords are subject to a high security standard and can be reset at any time by the administrator of the respective system.

Does the purchase of a HINTBOX comply with the directive?

Yes, our focus is on being able to map all requirements of the EU Whistleblower Directive in detail. Our interdisciplinary team from the fields of business informatics, computer science, programming and law has managed to develop just such a system. With the Hintbox your company is 100% compliant with the directive.

Were we unable to answer your question?

