This is an Insight article, written by a selected partner as part of GIR's co-published content.
General context, key principles and hot topics
1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.
The diesel emissions cases involving several German carmakers continue to be the highest-profile corporate investigations in Germany. The automotive industry is one of Germany’s key industries and, therefore, the emissions investigations against several major German car manufacturers have attracted a lot of public attention. Furthermore, the high volume of damage allegedly suffered by customers, investors and others, and the technical and regulatory complexity of the topic, are notable. The criminal investigations by various German public prosecutor offices are focused on the individual criminal liability of managers, including former chief executive officers, while at the same time leading to fines of hundreds of millions of euros against the companies involved.
2 Outline the legal framework for corporate liability in your country.
Companies are technically not criminally liable under existing German law. A strict corporate criminal liability had been under discussion for the past few years but was set aside because of the federal elections in autumn 2021. It remains to be seen whether a bill on corporate criminal liability will be taken up again under a new government.
Currently, companies whose employees have committed criminal or administrative offences face the risk of an administrative fine or a confiscation order. Administrative fines are capped at €10 million, though this amount can be – and, in practice, frequently is – exceeded by the financial benefit the company has obtained from committing the offence (i.e., profit disgorgement).
This legal mechanism (administrative fines plus profit disgorgement) has led to quite significant fines in the past, as in the Siemens (€395 million), MAN (€150 million), Ferrostaal (€140 million), Volkswagen (€1 billion) and Audi (€800 million) cases.
As an alternative to an administrative fine, a confiscation order can be imposed on a company if an unlawful act has been committed. The maximum amount for a confiscation order is the entire gross value of the proceeds from the respective criminal offence, and the fined party (i.e., the company) is not permitted to deduct any costs it incurs.
3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?
Various law enforcement authorities, at both federal and state levels, regulate corporations, including, among others, the public prosecutors’ offices, antitrust authorities, tax authorities, financial regulators and customs authorities.
The matter of jurisdiction between the authorities depends on the scope of the potential investigation. To this extent, various areas of responsibility are assigned to specialist authorities. It is important to understand that all 16 German states have their own prosecutors, and thus some of them are more active in prosecuting corporations (e.g., Munich, Frankfurt and Stuttgart) than others.
There are no guidelines for the investigation of corporations in the form of laws or legal regulations. However, we are aware of some internal guidelines drafted to assist authorities when investigating corporations.
4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?
The local public prosecutor’s office is generally obliged to take action in relation to all prosecutable criminal offences, provided there are sufficient factual indications (or initial suspicion). However, this duty of legality pertains only to criminal offences. Therefore, the public prosecutor has discretion whether to open administrative proceedings against a corporation.
5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?
Enforcement measures taken by authorities against suspects or witnesses (e.g., search warrant or confiscation) can be subject to, inter alia, judicial review. This applies to the order itself as well as the manner of execution.
Subpoenas as such are not challengeable. However, potential enforcement measures or court decisions following a subpoena may be challenged. In German criminal proceedings, the defendant is not obliged to co-operate with the authorities or to provide information about evidence-relevant facts.
6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?
Generally, the public prosecutor cannot grant immunity or leniency to individuals who assist or co-operate with investigations. However, prosecutors and courts regard co-operation as a major factor in determining the level of sentences. Furthermore, in certain cases, prosecutors have some discretionary powers to dispense with the prosecution with the consent of the accused and the court, and co-operation is certainly a factor in this decision.
The German antitrust authorities can grant immunity from fines or a reduction of fines to cartel participants who co-operate and thereby contribute to uncovering a cartel. This leniency programme is available to individuals as well as companies. Full immunity will be granted to cartel participants if they are the first to disclose the cartel and fully co-operate with the antitrust authority throughout the proceedings.
7 What are the top priorities for your country’s law enforcement authorities?
Corporations in Germany are most severely prosecuted for antitrust violations and corruption. The highest fines are regularly imposed in both these areas. In the recent past, fraud and tax fraud proceedings have also been a priority (for instance, alleged irregularities regarding diesel engine emissions and cum-ex or cum-cum trading patterns of banks and financial institutions). We expect data protection violations and the betrayal of business and company secrets to attract more enforcement activity as a result of stricter legal regulations and increased sanctions.
8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?
Investigating authorities are increasingly focusing on (1) how a company’s compliance programme is designed and implemented and (2) whether the company adapts its compliance measures adequately after becoming aware of potential irregularities.
Both these factors are taken into account by the enforcement authorities, in particular in their discretion as to whether and to what extent sanctions are imposed on the company.
The Federal Supreme Court confirmed this practice and ruled that investments in compliance and enhancing a compliance management system prior to and after misconduct being detected must be taken into account when setting a fine.
However, there is no official guidance on what an effective compliance programme should contain from the perspective of German authorities. German companies usually adhere to international compliance standards.
9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities in your country to cybersecurity-related failings.
Since 2015, the issue of cybersecurity has been addressed by various laws and regulations in both German and European legislation, including the German IT Security Act, the EU Directive on Network and Information Security and the EU Cybersecurity Act. This legislation addresses the cybersecurity landscape without imposing any specific duties on individuals or companies.
Under the EU General Data Protection Regulation, companies that are processing personal data must implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk. A violation of this duty can trigger administrative fines and claims for damages. As regards data breaches, companies may be obliged to notify supervisory authorities and the individual data subjects.
10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?
Cybercrime (i.e., criminal activities carried out using computers or the internet) is covered by general German criminal law pursuant to a variety of specific provisions regarding data espionage, computer fraud, data forgery, deception in the context of data processing and data tampering.
Cybercrime investigations are seldom only national in scope. They call for coordinated action at international level and require a high level of cross-border co-operation. As an EU Member State, Germany is a signatory to the Convention on Cybercrime, which includes provisions on international co-operation with other EU Member States and further signatories, such as the United States, Japan and Australia.
On the practical side, law enforcement authorities have implemented cross-border communication networks and coordination units, including the Interpol Global Complex for Innovation, the European Cybercrime Centre at Europol and others.
Cross-border issues and foreign authorities
11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.
German criminal law is generally applicable if either the offender acted in Germany or the offence had a consequence in Germany. Furthermore, in 1999, Germany implemented the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions of the Organisation for Economic Co-operation and Development. Since then, the German Criminal Code prohibits illicit payments to foreign public officials, in a similar way to the US Foreign Corrupt Practices Act and the UK Bribery Act. In addition, bribery payments in the private sector that exclusively affect foreign competition are covered by German law.
Furthermore, German criminal law is applicable, among other reasons, if the offence is committed abroad against a German or if a German commits an offence abroad and the act is a criminal offence also in the place where the offence was committed.
12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.
Cross-border investigations generally demand a high level of sensitivity with regard to the different expectations of the authorities involved and the different legal frameworks applicable to investigative steps in different countries.
If an investigation has links to a common law jurisdiction, privilege is often a topic because the principles of legal privilege differ. As the concept of pretrial discovery does not exist under German law, privilege is only relevant in relation to law enforcement authorities. Under German law, communication between a company and its legal advisers is not generally privileged; the concept of legal privilege is limited – in most cases – to communication with the criminal defence counsel. The disclosure of separate information to public authorities does not generally put the legal privilege at risk.
To ensure that privilege is adequately protected, cross-border investigations require clear processes in line with the privilege provisions of all the jurisdictions involved.
Differences in data protection laws are relevant in cross-border investigations outside the European Union, where the General Data Protection Regulation is not applicable. In cross-border investigations, information is gathered in and transferred from and to different jurisdictions, and breaches of applicable data protection laws must be avoided.
When interviewing employees, employment law has to be observed. In Germany, broadly scoped investigative measures may require the involvement of a works council.
13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?
Companies are not protected, in principle, from sanctions in Germany after having resolved charges on the same core set of facts in another country outside the European Union (see, for example, the fines imposed against Volkswagen in the emission matter in the United States and Germany, or the fines imposed by German and other antitrust authorities in cross-border cartel cases based on the local effect in their respective jurisdictions). In addition, confiscation orders and similar measures against companies are not recognised as ‘sanctions’ in the sense of double jeopardy, so that companies are not yet effectively protected in this regard even within the European Union. Often, however, authorities consider a (potential) foreign sanction at their discretion when determining a (national) sanction.
14 Are ‘global’ settlements common in your country? What are the practical considerations?
There is no legal framework for ‘global’ settlements under German law. However, as co-operation between authorities across borders generally increases, ‘global’ settlements with German authorities are generally achievable, at least to some extent. In the past, German authorities sometimes took account of foreign sanctions when determining a (national) fine (e.g., the Siemens case).
15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?
In principle, the decisions of foreign authorities have no (legal) effect on an investigation of the same matter in Germany. In some cases, however, German and foreign authorities collaborate with each other to avoid duplicate investigations.
Economic sanctions enforcement
16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.
Authorities are making increased use of sanction options (i.e., administrative fines, including profit disgorgement, and confiscation orders). In 2018 and 2019, fines of €1 billion, €800 million and €535 million were imposed on Volkswagen, Audi and Porsche, respectively, in connection with potential irregularities regarding diesel emissions. Further, significant fines were imposed in antitrust proceedings and cases of corruption (€395 million on Siemens, €150 million on MAN and €140 million on Ferrostaal).
17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?
Sanctions enforcement activities have steadily increased in recent years, although there are still considerable differences across the 16 German states.
18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?
In some cases, there is co-operation between national and foreign authorities. This possibility has been codified in the form of mutual legal assistance, within the framework of which formal enquiries can be made.
In our experience, there is also an informal exchange between national and foreign authorities. However, there is often no such co-operation because of the effort involved and the sometimes low yield.
19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.
According to German law, a boycott declaration is prohibited (this does not apply to resolutions of the United Nations, the European Union or Germany).
In addition, the EU Blocking Regulation (Council Regulation (EC) No. 271/96) applies in Germany. The Regulation prohibits all companies registered in the European Union from complying with the US legislation listed in the Annex to the Regulation (including US sanctions against Iran) unless exceptionally authorised to do so by the European Commission. Furthermore, the Regulation enables such companies to seek compensation if they suffer damage as a result of those US acts and regulations. In addition, judgments by foreign courts (in particular those of the United States) that are imposed to enforce sanctions are not recognised in the European Union.
20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?
A violation of either national or EU blocking legislation is punishable by fines of up to €500,000. Furthermore, there is the risk that legal transactions in violation of the EU Blocking Regulation may be null and void or that violations of that Regulation may trigger contractual claims for damages by the affected business partner.
So far, the Regulation has not been applied in practice. There is no known case, therefore, in which administrative offence proceedings have been initiated for an infringement.
Before an internal investigation
21 How do allegations of misconduct most often come to light in companies in your country?
Allegations of misconduct come to light in many ways. In practice, investigations into serious wrongdoing are most often initiated by whistleblowers or as a side effect of running internal investigations.
22 Does your country have a data protection regime?
Yes. Data protection law in Germany is regulated by the General Data Protection Regulation (GDPR) and the Federal Data Protection Act. Further, there are various provisions on data protection law in sector-specific legislation (e.g., the German Telecommunications Act).
23 To the extent not dealt with above at question 9, how is the data protection regime enforced?
With the introduction of the GDPR, the situation for companies in the European Union changed substantially. Previously, only a limited number of fines were imposed for data protection breaches. Now, companies can face a maximum fine of €20 million or 4 per cent of their annual global turnover, whichever is higher. Although authorities have so far not exceeded this penalty range, the level of company fines has increased significantly since the introduction of the GDPR in May 2018.
24 Are there any data protection issues that cause particular concern in internal investigations in your country?
The collection and use of employees’ personal data during internal investigations has to be in line with the GDPR and the Federal Data Protection Act; this applies in particular to email and data reviews as well as interviews. For each investigative step involving the processing of personal data, one must assess whether the processing is necessary for the purposes of the legitimate interests pursued by the company and whether the company’s interests are overridden by the interests or rights of the respective data subject. Specific requirements apply with regard to employees when the private use of company information technology is allowed. Furthermore, affected employees must be informed about the subject and purpose of the investigation, and their rights under the applicable data protection laws, unless doing so would interfere with the integrity of the internal investigation. The involvement of entities other than the employing entity typically requires the conclusion of data protection agreements. Works council agreements (concluded to comply with German labour law) can stipulate further requirements.
25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?
The live monitoring of employees’ communications is not explicitly prohibited under German data protection or criminal and labour laws, but the threshold for justifying measures of this kind is high and requires, inter alia, a thorough weighing of the company’s interests – including the possibility of less invasive measures – against the rights and interests of the respective employee.
The review of historic email and other communication data is generally permitted if justified by legitimate interests of the company and if there are no overriding interests of the respective employee. To preserve proportionality, some specific rules for data reviews have to be observed, such as the exclusion of private data, search term filters and independent reviewers obliged to maintain secrecy. The employee’s prior consent would only justify the processing of the data if it is given freely on an informed basis, which can generally be disputed in hierarchical structures.
Dawn raids and search warrants
26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.
In the course of criminal or cartel proceedings, companies are often subject to search and seizure measures. The relevant orders must, inter alia, include the facts giving rise to the suspicion and be proportionate.
Affected companies can, among other remedies, apply for a judicial review of such a measure or defend themselves against it by means of a judicial complaint. In practice, however, these legal remedies are mostly unsuccessful.
27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?
The conditions under which documents are exempt from seizure during internal investigations in Germany are largely unclear. To protect (potentially) privileged documents, the following measures, among others, may be taken:
- enter into an attorney–client relationship with the company affected by an investigation (and not, for example, its holding company) and document that the purpose of the mandate is (at least) to defend the company;
- do not establish a client’s possession of work products at risk of seizure;
- take organisational measures to separate documents that are expected to be seizable from documents that are expected to be privileged; and
- label correspondence and documents as ‘privileged’ or similar.
28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?
Defendants have the right to remain silent towards the authorities and do not need to participate actively in the investigation (i.e., the right not to incriminate oneself).
Witnesses (at least in public prosecutors’ offices and courts) are obliged, in principle, to provide information. As an exception, they may refuse to testify if (1) they are related to the defendant or (2) their testimony would expose them or a relative to the risk of prosecution.
If the witness is subject to the obligation of professional secrecy (as are lawyers), testifying may be refused in this regard.
Whistleblowing and employee rights
29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?
There is currently no general legal framework for whistleblowing in Germany. The EU Whistleblower Protection Directive (Directive (EU) 2019/1937) came into force in December 2019. EU Member States have two years from then to implement laws aimed at strengthening whistleblower protection in line with the Directive. From that point, at least larger companies will have a duty to implement whistleblowing systems. Whistleblowers who act in good faith will be protected from any retaliation if they report misconduct to the company or the competent authority. So far, the German legislature has not passed the implementing legislation.
Until the implementing legislation has been passed, German law provides protection for whistleblowers under general labour law principles and some specific provisions, such as with respect to the reporting of safety-at-work issues and prohibited uncovered short sales.
Currently, there is no general duty on German companies to implement whistleblowing structures under German law except for financial institutions (German Banking Act, Section 25a).
Financial incentive schemes for whistleblowers are not common in Germany and are not expected to be implemented in the near future. However, if the whistleblower is one of the perpetrators, disclosure to the authorities may well reduce a potential sentence significantly (see German Criminal Code, Section 46b). In cartel cases, the fine to be imposed on a cartel participant is even waived if he or she is the first to contact the German cartel authorities to uncover the cartel.
30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?
Employees are generally obliged to co-operate with internal investigations and no distinction is made between employees who are suspected of having committed a wrongdoing and those who have potential knowledge about a wrongdoing or just the circumstances surrounding it. Employees are obliged to co-operate even if their co-operation could result in them being convicted for specific crimes.
If an employee co-operates with an internal investigation, the company may have to cover the costs of the employee’s legal counsel, subject to analysis in each case.
German data protection laws impose specific information duties on employers that process employees’ information in the course of an internal investigation. Affected employees must be informed about the subject and purpose of the investigation and their rights under the applicable data protection laws unless doing so would interfere with the integrity of the internal investigation.
The duty to co-operate applies in the same way whether the individual is an employee, an officer or a director. However, directors are obliged not only to co-operate with internal investigations but also actively to initiate and conduct them.
31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?
Although there is no general differentiation between employees under suspicion and others, German labour and data protection laws require the weighing of an employee’s interests against those of the company before measures are taken that affect the employee’s rights. The degree of suspicion against an employee may tip the scales in this context.
Under German corporate law, a company’s management board must investigate potential misconduct and put a stop to any misconduct discovered, revise the compliance programme and the internal controls affected and take steps, including concerning personnel, as a result of the misconduct. Therefore, the management board may be required to transfer certain employees or even give certain employees their notice, based on a thorough analysis in each case.
32 Can an employee be dismissed for refusing to participate in an internal investigation?
In general, employees are obliged to co-operate with internal investigations, even if this could incriminate them. Depending on the specific case and the impact of the refusal, an employee may be dismissed for refusing to co-operate.
Commencing an internal investigation
33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?
Yes, an investigation plan is key to an efficient and successful investigation. An investigation plan would normally include the scope of the investigation, the respective responsibility of the company and the law firm, the steps to be taken, the data and documents to be collected and the custodians.
The investigation plan is an important starting point and requires continuing revision subject to the findings made and the obstacles encountered.
34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?
The concrete steps to be taken in this situation depend on the nature of the issue discovered. Generally, German corporate law imposes certain duties on a company’s management board if there are indications of misconduct. First, the management board has to investigate the potential misconduct and put a stop to it. Second, the management board has to revise the compliance programme and the internal controls affected and take action, potentially including in respect of personnel, as a result of the misconduct.
To a certain extent, the management board can delegate these obligations to internal departments (e.g., compliance). However, to fulfil the board’s supervisory duty, regular reporting to the management board of incidents handled by the internal departments is required. If an issue comes to light that points to severe misconduct or a matter that is potentially of high risk for the company, the management board should be notified immediately.
Although there is no general duty to report misconduct to the competent authority, reporting may be required in some specific cases. In particular, misconduct with a tax implication for the company has to be reported to the tax authorities in the vast majority of cases.
35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?
First, it is generally advisable to enforce a litigation hold and to collect the respective data. This step should be extended to documents and data in the relevant context and should not be restricted to the documents and data requested by the law enforcement authority.
As a second step, the company will have to assess whether it is obliged to produce the requested data and documents. Independently of the result of this assessment, the company will have to answer the question of whether it is willing to co-operate and will have to find a strategic position regarding the authority. In many cases, it is advisable to co-operate with the enforcement authority to prevent coercive measures and reputational damage.
36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?
In general, there is no duty to publicly disclose the existence of an internal investigation or contact from a law enforcement authority. Whether a disclosure is made or not largely depends on the interests of the company in the specific case.
Exceptionally, stock-listed companies may be subject to a disclosure requirement if the investigation has an effect on the company that would be likely to significantly affect the company’s stock price (ad hoc announcements).
37 How are internal investigations viewed by local enforcement bodies in your country?
Especially in larger and complex proceedings, authorities welcome internal investigations as part of a company’s pledge to co-operate with a criminal investigation. In our experience, in most cases, authorities take into account the costs of an internal investigation when it comes to sanctions and fines if the internal investigation is done properly and the company has co-operated fully with the authority.
As far as possible, the measures to be taken as part of an internal investigation conducted in parallel with an official investigation should be coordinated with the authorities. Otherwise, there is a risk that an authority might feel obstructed by an internal investigation and that a possible bonus could turn into a handicap.
38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?
German case law is inconsistent on this issue. In principle, protection against seizure depends on whether (1) the company is already under an official investigation or at least objectively likely to be officially investigated and (2) the relevant documents are drafted for defence purposes.
To protect potentially privileged materials, a company may adopt protective measures, such as to:
- enter into an attorney–client relationship and document that the purpose of the mandate is (at least) to defend the company;
- refrain from establishing possession of work products at risk of seizure;
- take organisational measures to separate documents that are expected to be seizable from documents that are expected to be privileged; and
- label correspondence and documents as ‘privileged’ or similar.
39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?
German case law is inconsistent on this issue. In principle, protection against seizure depends on whether (1) the company is already under an official investigation or at least objectively likely to be officially investigated and (2) the relevant documents are drafted for defence purposes. In general, these principles apply to both companies and individuals.
40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?
The protection from seizure applies in principle only to defence communication with external counsel.
41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?
Protection from seizure can also cover the work-product of foreign lawyers drafted in their capacity as defence counsel. International attorneys, however, may be subject to restrictions as to their ability to appear in court.
42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?
The disclosure of privileged documents is generally regarded as a co-operative step by national authorities. However, there is no general concept of waiving privilege under German law.
43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?
There is no concept of limited waiver of privilege in Germany.
44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?
Waiving privilege in another country has no direct legal effect on privilege claims in Germany. However, it is possible that the waived documents may be seized from the third person abroad if he or she does not enjoy protection against seizure under German law.
45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?
The concept of common interest privilege does not exist in Germany.
46 Can privilege be claimed over the assistance given by third parties to lawyers?
The question as to the extent to which assistance should also be included in protection against seizure has not yet been conclusively clarified by case law. As a rule, the further documents leave the sphere of an external counsel, the weaker their protection.
47 Does your country permit the interviewing of witnesses as part of an internal investigation?
Interviews are an important and common part of internal investigations in Germany.
48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?
National case law is inconsistent on this issue. In principle, protection against seizure depends on whether (1) the company is already subject to an official investigation or at least objectively likely to be officially investigated, and (2) the relevant documents are drafted for defence purposes.
In respect of interview protocols and attorney reports, it should be argued that these work-products also serve as preparation for corporate defence and are therefore privileged.
49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?
An employee is generally obliged to co-operate with internal investigations and to tell the truth even at the risk of self-incrimination. This may not apply to interviews of third parties, such as former employees.
As many employees are not aware of their duty to tell the truth, it is customary to inform them about it in an introduction. Other customary elements of the introduction, if applicable, are as follows:
- notification that the legal counsel conducting the interview are the company’s lawyers and are not acting for the interviewee;
- the possibility of an employee engaging his or her own attorney and clarification about the costs. If relevant and to prevent disruption, this information may be provided in the invitation to the interview;
- the company may choose to share part of or all information provided in the interview with national or foreign courts or law enforcement authorities;
- refusing to co-operate may lead to disciplinary action;
- the modus of the protocol, whether the employee will be granted access to it and whether he or she will have to confirm its content; and
- the employee’s data protection rights, ideally accompanied by this information in writing.
Essentially, this information is very similar to the Upjohn warning concept developed in the United States.
50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?
An interview usually begins with a briefing about, inter alia, the subject of the interview and the interviewee’s rights. The interview environment should be appropriate (e.g., a neutral meeting room on the company’s premises or the law firm’s offices) and – depending on the duration of the interview – sufficient breaks, drinks and food should be offered.
Depending on the stage of the internal investigation, documents may well be shown to witnesses during interviews.
German case law is not yet settled on the question of whether an employee has the right to be accompanied at an interview by his or her own counsel and who has to bear the costs. However, companies usually allow interviewees to have a legal representative of their own in attendance, at least when the company is represented as well. In the recent past, there have been discussions as to whether an employee’s right against self-incrimination in internal investigations should be introduced into German law.
Reporting to the authorities
51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?
In principle, there is no obligation in Germany to report misconduct to law enforcement authorities. Exceptionally, however, individual statutory regulations may require a report. This applies, inter alia, in connection with incorrect tax returns and the field of money laundering.
52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?
This depends on a comprehensive analysis in each particular case. Generally, if there is a high risk that the competent authorities may get hold of the information or the company’s future business may be compromised as a consequence of the undisclosed misconduct (e.g., if a declaration of honour cannot be signed), disclosure may be advisable.
53 What are the practical steps you need to take to self-report to law enforcement in your country?
First, you should make sure you have the right timing, in particular with respect to the ongoing investigations. Then, the company representative should contact the competent authority and set up a meeting for initial discussions based on a summarised set of facts, including evidence. During this meeting, there should be mutual agreement about any further proceedings.
Responding to the authorities
54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?
This will depend on the status of the investigation and the negotiations. It is generally possible to discuss requests made by the authorities. It is important to understand that, although there is no legal duty to reply to requests for information in criminal investigations, refusal to do so is likely to lead to a raid by the law enforcement authority.
55 Are ongoing authority investigations subject to challenge before the courts?
The investigation itself cannot be challenged in court.
56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?
Preventing inconsistent communication with different authorities is certainly important. However, it should be considered that, particularly in complex investigations, different authorities develop different focus areas, for example as a result of a different legal assessment.
57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for, and produce material, in other countries to satisfy the request? What are the difficulties in that regard?
In principle, companies are not obliged legally to produce any material from abroad. However, refusal to do so could lead to legal assistance requests from German authorities to their foreign counterparts and would be seen as unco-operative, thus jeopardising any co-operation bonus. Therefore, it might be advisable to produce documents that are outside Germany, provided the company has the power to do so under company law. In these situations, the company is also obliged to respect local laws, in particular data protection laws.
58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?
Law enforcement authorities have implemented cross-border communication networks and coordination units to co-operate effectively, and we have seen a rise in the scale of international co-operation. The legal framework is fragmented and includes EU regulations as well as bilateral and multilateral treaties.
59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?
Generally, investigating officers are bound by confidentiality with respect to information received in the course of an investigation. However, third parties may have a right to access the investigation file or parts of it, for instance, to prepare civil claims against the perpetrator.
Public officials in the tax authorities are additionally obliged to observe tax secrecy (under the German Fiscal Code, Section 30).
60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?
Subject to a thorough assessment of the local law prohibiting the production, we would generally advise complying with applicable law and trying to convince the German authority either to forgo the requested documents or to seek administrative co-operation to formally seize the documents locally.
61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?
Both the European Union and Germany have introduced certain blocking statutes. A violation of either national or EU blocking legislation is punishable by law and may result in severe fines. We would generally advise engaging with the investigating authorities to evaluate alternatives.
62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?
Before voluntarily producing documents, privilege issues in cross-border situations have to be considered. In addition, in the case of voluntary production, increased attention should be paid to aspects of data protection. With respect to confidentiality, there are no relevant distinctions between voluntary production and compelled production under German law.
Prosecution and penalties
63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?
Individuals can be sanctioned by fines or imprisonment. They may also be banned from carrying on their profession.
For companies, fines and profit confiscation are particularly relevant. In addition, exclusion from (public) tenders can have a significant negative effect.
64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?
A debarment under German public procurement law can also be based on misconduct by the company or its employees abroad. To mitigate this risk, a settlement abroad should be accompanied by self-evaluation and remediation measures by the company in Germany. These actions may include disciplinary measures against the individuals involved, compensation for damage sustained, co-operation with investigating authorities and strengthening of the compliance management system.
65 What do the authorities in your country take into account when fixing penalties?
Authorities take into account, inter alia, the degree and extent of the misconduct committed, the subjective accusability of the misconduct, economic circumstances and the extent to which the parties concerned have co-operated with the investigating authorities. In addition, the Federal Supreme Court has ruled that the design of a compliance management system and the extent to which it was adapted at the time of the misconduct, and the improvements implemented after the misconduct, must also be taken into account.
Resolution and settlements short of trial
66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?
Not at the moment. Currently, settlements with authorities are reached via a ‘negotiated’ fine or confiscation order in which the misconduct and the facts are described. Under German law, neither the order nor the statement of facts is made public. Nevertheless, in high-profile cases, the authorities usually issue a short press release summarising the facts of the case (approximately one to two pages). The settlement needs no approval by the court but lies in the discretion of the public prosecutor. German authorities often expect the company under investigation to improve its internal structures before a settlement is made to achieve a decent deal.
67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?
68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?
Companies should consider in particular the economic and reputational effects of the settlement itself, the (regularly positive) consequences of terminated investigations for the operational capacities of the company, the consequences for public procurements (e.g., potential debarments in Germany or abroad), further co-operation with investigations against individuals and the structural consequences to be drawn to prevent similar misconduct in the future.
69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?
Corporate compliance monitors are not currently foreseen by the law and are therefore not used in Germany.
70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?
Parallel private actions are allowed. In some cases, however, civil courts tend to suspend proceedings until criminal proceedings on the same subject have been completed.
Private plaintiffs may have the right to access criminal files if, inter alia, they present a legitimate interest in this and if this is not opposed by the overriding interests of the defendant or other persons who are worthy of protection.
Publicity and reputational issues
71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.
In principle, investigations are not public. However, they regularly become publicly known if the case is interesting enough. Apart from a few exceptions, criminal trials are public.
72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?
This depends on the specifics of the case and the in-house capabilities of the company. In larger-scale cases in which public opinion is of greater relevance, the engagement of public relations consultants is quite common. The communication strategy needs to be fully aligned with the company’s internal findings and legal defence strategy. In our experience, the communication strategy should strike a balance between ‘litigation language’ and frank and honest communication.
73 How is publicity managed when there are ongoing related proceedings?
Usually, no substantial public statements on the allegations should be made while the facts are still under investigation. If possible, next steps can be communicated.
Duty to the market
74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?
This must be assessed in each particular case, taking into account all rights and legitimate interests of the company, its shareholders and the authorities involved.
Environmental, Social and Corporate Governance (ESG)
75 Does your country regulate ESG matters?
ESG-related matters have gained prominence in German legislation in the past few years. It would go beyond the scope of this publication to list them all. Therefore, we focus on the main regulations on ESG.
In accordance with Directive 2014/95/EU (the Corporate Sustainability Reporting Directive), Germany has established several non-financial reporting duties for listed companies with total assets of more than €6 million or an annual turnover of more than €12 million, and financial institutions and insurance companies with more than 500 employees in their annual report. The annual report shall outline the main risks that exist with regard to labour, social and environmental issues. Further, it shall state which concepts the company employs to combat these issues as well as the measures undertaken with regard to respecting human rights and to prevent corruption. If the company does not adopt a concept regarding these matters, it needs to explain why this is the case (‘comply or explain’). Companies that do not incorporate such a non-financial report in their annual report are at risk of incurring a fine.
Further, Regulation (EU) 2019/2088 on sustainability‐related disclosures in the financial services sector affects financial market participants (e.g., investment firms and banks offering portfolio management) as well as financial advisers (e.g., a credit institution or an investment firm that provides investment advice). It requires the publication of sustainability-related information at both the company and the product levels.
Transparency at the company level includes, inter alia, disclosure on the company website of, among other things, strategies for the inclusion of sustainability risks and information about the material adverse effects on sustainability factors and explanations of the remuneration policy, including a description of how it is consistent with the inclusion of sustainability risks.
If financial products are advertised or offered with environmental or social characteristics or as sustainable investments, the following must be complied with:
- extensive pre-contractual information, including information about investment strategies, intended investment goals, the expected effects of sustainability risks on the return, indices used as reference values, etc.;
- comprehensive product description on the website of the financial market participant; and
- detailed explanations in the regular reports by the financial market participant, including the extent to which the features or the investment goals have been met.
Sustainability factors are gaining more and more prominence in public procurement law since the legislator decided that these factors can also be taken into account when awarding public contracts.
Equal participation in corporate leadership
In August 2021, the legislator amended the Stock Corporation Act with the Act on the Equal Participation of Women in Leadership Positions. Under this Act, the board of directors of any listed company that is subject to the Co-determination Act must include at least one woman or one man if the board consists of more than three persons, among other things.
Corporate responsibility in supply chains
The legislator has implemented the Act on Corporate Responsibility in Supply Chains, which has been influenced by the UK Slavery Act to a certain extent. As of 1 January 2023, it requires corporations that are headquartered in Germany and employ more than 3,000 people group-wide in Germany and abroad, or have a branch in Germany and employ more than 3,000 people in Germany (these numbers will be reduced to 1,000 employees as of 2024), to adhere to human rights and environmental standards in their supply chains. The term ‘supply chain’ encompasses all stages of production, domestically or abroad, irrespective of whether the process takes place within the company or with a supplier, which is necessary to manufacture the company’s products or provide its services.
The duties under the Act include, inter alia:
- the establishment of a risk management system that entails frequent risk analyses;
- the definition of the responsible internal unit;
- the issuance of a declaration of compliance;
- the establishment of prevention measures within the company and in respect of suppliers;
- remedial actions in the event of a violation of human rights or environmental standards; and
- the establishment of a grievance procedure.
Compliance with the duties under the Act needs to be documented regularly. Additionally, companies shall prepare an annual report of their compliance with the duties under the Act during the previous business year and make the report available to the public on the company’s website for seven years.
In the event of a breach of one of the duties under the Act on Corporate Responsibility in Supply Chains, the government can exclude companies from public tenders. Further, companies may risk a fine of up to €800,000 or up to 2 per cent of the annual global group turnover if it exceeds the threshold of €400 million. The competent management can be sanctioned individually with a fine of up to €800,000.
German Corporate Governance Code and ESG
Since 2019, the German Corporate Governance Code, to which listed companies have to adhere on a comply or explain basis, states in its foreword that with its actions, the company and its governing bodies must be aware of the enterprise’s role in the community and its responsibility towards society. Social and environmental factors influence the enterprise’s success. In the enterprise’s best interests, the management board and supervisory board should ensure that the potential effects of these factors on corporate strategy and operating decisions are identified and addressed.
76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?
Owing to the federal elections in September 2021, it is hard to estimate which legislative projects will be introduced by the new government in the coming year. However, one potential law could be the Whistleblower Protection Act, which implements the EU Whistleblower Protection Directive.
The election programmes of the three major parties in Germany contain vague proposals for legislative projects relating to ESG matters. In general, they agree that environmental issues should be on the agenda. It remains to be seen whether this will lead to stricter regulations for companies.
77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?
In recent years, ESG-related litigation has gained some prominence in Germany. Although most of the cases are still brought up against the government, we know of several lawsuits that have been filed against companies. We expect that ESG-related litigation will continue to gain importance in the near future, especially as a result of new legislation (such as the Act on Corporate Responsibility in Supply Chains).
78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?
Owing to the federal elections in September 2021, a legislative change in the coming year seems unlikely. Overall, it remains to be seen whether a bill on corporate criminal liability will be taken up again under a new government.
1 Eike Bicker, Christian Steinle and Marcus Reischl are partners and Christoph Skoupil is an associated partner at Gleiss Lutz.