General context, key principles and hot topics
1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.
The current highest-profile corporate investigation is probably the ‘Cum-Ex’ investigation into tax fraud based on certain share trading schemes around dividend dates, resulting in capital gains tax being reimbursed to scheme participants several times. Investigations against numerous financial institutions, advisory firms, corporations and individuals have included dawn raids, detentions and other measures. Estimations of the financial damage suffered by the German state under the schemes range between €30 billion and €52 billion in total. In July 2021, the Federal Court of Justice ruled that reclaiming capital gains tax that had never been paid constitutes tax fraud, which is a criminal offence in Germany. In March 2022, the Federal Tax Court ruled that the schemes were illegal under tax laws. The public prosecutor’s office in Cologne alone is currently investigating more than 1,400 defendants. During a key trial, a lawyer perceived as one of the ‘inventors’ of the schemes admitted knowledge of the illegality from a certain point. Various banks (as a preliminary measure) had to reimburse hundreds of millions of euros to the tax authorities and, in some cases, accepted (so far only minor) fines. In a few cases, bank employees have been sentenced to imprisonment for several years. However, the vast majority of cases are still pending and investigations are expected to continue for several years.
In a fraud and balance falsification scheme involving Wirecard (a payment services provider listed on the DAX stock exchange that filed for insolvency in 2020 after feigning assets of almost €2 billion) that caused financial damage totalling several billion euros to shareholders, Munich prosecutors launched criminal indictments in March 2022 against three former employees, including the former chief executive officer. The former chief financial officer has so far avoided being detained.
In connection with the manipulation of diesel engine emissions, although significant regulatory fines have already been imposed on manufacturers (including Volkswagen (€1 billion), Daimler (€870 million), Audi (€800 million), Porsche (€535 million) and Bosch (€90 million)), criminal proceedings against responsible managers and other employees (primarily based on fraud) are continuing.
2 Outline the legal framework for corporate liability in your country.
Although corporations are fully liable to comply with laws and can be held liable under both civil and administrative public laws, under German law there is no criminal liability for corporations per se. Only individuals can commit criminal or regulatory offences. However, a corporation can face regulatory fines if one of its managers (including managing directors or other directors and officers with managerial responsibilities) commits a criminal or regulatory offence by which the corporation’s duties are violated or the corporation is supposed to be enriched. A regulatory fine can amount to up to €10 million, or more where needed to siphon off profits generated by the offence. Recent examples of regulatory fines with disgorgement of profits include those imposed on Airbus (fines of €81 million in Germany and €3 billion in France, the United States and the United Kingdom in connection with corruption allegations), Deutsche Bank (€7 million for an overdue money laundering report) and Commerzbank (€42 million to British authorities for poor money laundering controls). Alternatively, forfeiture (confiscation) orders can be imposed against a corporation covering the (gross) value of the proceeds gained through a crime.
Further, if managers fail to take necessary supervisory measures to prevent criminal or regulatory offences, and employees or other persons acting under their supervision commit an offence in connection with the company’s business, managers can be liable as representatives of the company for damages and for regulatory fines of up to €1 million.
In competition law matters, generally high regulatory fines are imposed on corporations that can amount to up to 10 per cent of group turnover. For example, truck manufacturers (including Daimler, Iveco, Volvo/Renault, DAF and Scania) paid fines totalling €2.93 billion for price-fixing. Technically, antitrust investigations are made against the acting individuals as ‘personally affected’ persons and against the respective corporations as ‘secondarily affected’ persons. However, this is a mere technicality that otherwise does not mitigate the effects of competition law enforcement on corporations.
3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?
With some exceptions, law enforcement authorities are generally organised at the level of the 16 states (Länder) that form the Federal Republic of Germany. Criminal investigations against individuals and regulatory investigations against corporations are generally conducted by the local prosecution office in the district in which the main aspects of an offence took place; for offences in connection with a corporation’s business, this is frequently the district of the corporate headquarters or relevant branch office. Enforcement authorities follow the rules of the German Code of Criminal Procedure, the Administrative Offences Act and the Guideline for Criminal and Fine Proceedings. The latter includes policies to initiate fine proceedings against corporations and assess economic gain for the corporation resulting from misconduct if the suspect of a crime is a member of its management. Additional enforcement authorities include (state and federal) customs authorities and (state level) tax fraud investigation authorities, among others.
For a number of areas, federal enforcement and regulatory authorities have been established, including (but not limited to) the Federal Financial Supervisory Authority (BaFin, which supervises banks and financial institutions regarding anti-money laundering, risk and compliance measures), the Financial Intelligence Unit (which analyses reports on suspicions of money laundering), the German Federal Bank (for reporting obligations for international fund transfers), the Federal Office for Economic Affairs and Export Controls (for export controls and, from 2023 onwards, certain environmental, social and governance requirements under the new German Supply Chain Due Diligence Act), the Federal Office of Justice (for non-publication of annual statements) and more than 300 (regional and local) separate authorities to monitor compliance with anti-money laundering requirements in the non-financial sector.
Competition law is enforced by the German Federal Cartel Office, which is comprised of several decision departments, each of which is responsible for certain sectors. Three decision departments are specifically dedicated to pursuing cartels, and one is charged with consumer protection matters.
As regards data protection, Germany has 16 data protection supervisory authorities at state level with jurisdiction over most companies, clubs, associations and freelance workers in the private sector. The Federal Commissioner for Data Protection and Freedom of Information has special competence for certain telecommunications or postal services and companies falling under the Security Clearance Check Act. Finally, separate data protection supervisory bodies exist in the areas of broadcasting, the press, and churches or other religious communities.
4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?
Law enforcement authorities such as local public prosecutors’ offices are obliged to initiate investigations if there is an initial suspicion of a crime (i.e., sufficient factual indication of a potential criminal offence), meaning it must appear possible under criminalistic experience that a prosecutable criminal offence has been committed. Currently, however, there is no similar obligation to investigate regulatory offences. Rather, the relevant authority has full discretion as to whether and how to initiate investigations.
In competition law matters, the Federal Cartel Office’s investigations are mostly triggered by leniency filings. The Federal Cartel Office also operates an anonymous whistleblowing system, reports through which have already triggered investigations. It has discretion to decide which cases it will investigate.
German data protection authorities regularly conduct data protection audits both for cause (occasion-based) and at random (without a specific occasion). For-cause audits are usually carried out based on complaints or specific indications of possible data protection violations. Random audits are carried out in all regions, irrespective of the sector. These audits are usually conducted as ‘focused examinations’ at individual companies on site, as examinations by way of a written procedure, or as online examinations conducted via the internet.
5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?
Generally, investigative measures (including searches or seizures) can be challenged. Affected individuals or corporations can file a complaint or, if a public prosecutor’s office ordered the measure concerned, apply for a court decision. Both the legal requirements for a measure and its execution are subject to full judicial review.
Subpoenas to appear and to testify cannot be challenged. However, individuals do not have to co-operate, provide information or incriminate themselves, meaning that they can remain silent. Subpoenas to provide certain evidence, such as documents, can also be challenged, although this carries the risk that law enforcement authorities may search and seize the evidence directly.
Subpoenas issued by foreign authorities are usually adhered to by German enterprises to avoid detriments to the group under the foreign proceedings. However, it should be noted that subpoenas are usually worded rather broadly, and the company should seek to narrow them down to the core documents necessary for the authorities to gain an overview. Responding to foreign subpoenas can involve extensive efforts over long periods and should be accompanied by regular discussions and conversations with the requesting authority.
6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?
In principle, law enforcement agencies are not allowed to grant immunity or leniency to criminal offenders assisting or co-operating with them. However, co-operation is seen as a major mitigating factor when assessing appropriate sanctions, which are frequently reduced in such cases. Further, with the approval of the court, co-operation may result in exemption from further prosecution.
In competition law matters, the Federal Cartel Office has a leniency policy under which leniency of up to 100 per cent of the fines can be granted. Typically, the first applicant will obtain 100 per cent leniency. Further whistleblowers may obtain substantial leniency if and to the extent they provide further evidence.
7 What are the top priorities for your country’s law enforcement authorities?
The most prominent areas for corporate investigations are antitrust, corruption, tax evasion, money laundering and fraud (including fraud committed in connection with covid-19 state-aid programmes or services). In 2021, the German legislator widened the scope of the money laundering offence extensively, such that an increase in proceedings can be expected. Traditionally, the highest fines (up to between 2 per cent and 4 per cent of annual global turnover) are currently imposed for antitrust and data protection violations. However, equally significant fines will apply (or are to be expected) in the near future in other areas, including non-compliance with requirements under the new Supply Chain Due Diligence Act.
In competition law, the top enforcement priority continues to be the fight against ‘hardcore’ cartels (i.e., pricing cartels), allocation of customers or territories and cartels relating to submissions. Another current enforcement focus is to ensure a level playing field in the platform economy (i.e., economic and social activity facilitated, typically, by online sales or technology frameworks). Further, the Federal Cartel Office investigates violations of data protection and consumer protection laws and takes the view that these violations can constitute an abuse of a dominant position.
8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?
There is no general legal requirement under German laws for organisations to have a compliance programme in place, nor any official guidance regarding the elements of a compliance programme. Rather, under German corporate law, management has the general obligation to organise a business in such a way that all laws are adhered to at any time and, in particular, that business-related criminal conduct and regulatory offences are effectively prevented. Thus, German corporate law indirectly requires compliance measures to prevent management liability, as well as corporate liability under the Administrative Offences Act. Further, enforcement authorities consider whether a corporation has a compliance programme, if and to what extent it is effectively implemented, and whether the corporation has learned from compliance failures in the past. In doing so, enforcement authorities would look at the size, sector and business scope, and in practical terms benchmark compliance measures against standard practices in the respective sector. In 2017, the Federal Court of Justice (BGH 1 StR 265/16) ruled that effective compliance measures taken before or after a law violation has been detected have to be considered as a mitigating factor when assessing fines against corporations. More recent proposals to make such an assessment mandatory (e.g., through a specific Corporate Sanctions Act proposed in 2019) have not yet been enacted. In the area of tax, implementation of an efficient tax compliance management system can prevent intentional or frivolous tax fraud being committed by management in connection with errors in assessing and declaring a corporation’s tax.
In certain areas, more specific compliance measures are required, including banking and finance (such as the Minimum Requirements for the Compliance Function and the Additional Requirements Governing Rules of Conduct, Organisation and Transparency (MaCom) and the BaFin Circular 10/2021 on Minimum Requirements for Risk Management (MaRisk), among others), anti-money laundering (Money Laundering Act) and certain defined environmental, social and governance areas (Supply Chain Due Diligence Act). Failure to adhere to these requirements (i.e., having no effective compliance programme) gives rise to regulatory liability. In other areas, German corporations follow generally accepted compliance standards on how to prevent, detect and react to violations, and to improve their compliance programme.
German competition law specifically allows a reduction of fines if compliance measures were in place or are being put in place. The Federal Cartel Office’s Guidelines on the Setting of Fines specify that measures that were in place before the violation occurred can be considered, provided that chief officers, managing directors or senior management were not involved in the violation. Compliance measures that were put in place after the violation may be considered if the Federal Cartel Office is convinced that the corporation is co-operating fully and that a convincing and efficient structure for the avoidance of future violations is put in place.
The European Data Protection Board issued its Guidelines 04/2022 on the calculation of administrative fines under the General Data Protection Regulation in May 2022. According to these Guidelines, having an effective data protection compliance programme in place shall be considered by data protection authorities as a mitigating circumstance when determining the amount of a fine.
9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.
Cybersecurity-related matters are regulated by several different pieces of legislation, the most prominent being the General Data Protection Regulation, which, inter alia, obliges corporations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing certain personal data, which is also required under the German Federal Data Protection Act. Further, the German IT Security Act, Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, and Regulation (EU) 2019/881 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (the EU Cybersecurity Act) impose specific obligations on corporations.
A cyber breach has to be notified to the competent data protection supervisory authority no later than 72 hours after the breach is identified. Depending on the type of breach and the associated risks, data subjects affected by the breach may also have to be notified. German data protection authorities have different views on triggers for notification of data subjects and some tend to see notification as best practice in any event. Corporations operating critical infrastructures may have to notify the Federal Office for Information Security. Failing to take necessary measures pursuant to this legislation can lead to severe regulatory fines.
10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?
Cybercrime as a collective term for all offences using information technology can be relevant to many different criminal offences under German law, including fraud, computer fraud, data espionage, phishing, handling stolen data, data manipulation, computer sabotage, data forgery, and in cases of ransomware attacks, even extortion. The federal states have formed special cybercrime units at certain public prosecutors’ offices that specialise in investigating cybercrime.
As an EU Member State, Germany is a signatory to the Convention on Cybercrime (also known as the Budapest Convention), which includes provisions on international co-operation with other EU Member States and further signatories, such as the United States, Japan and Australia. From a data protection perspective, the regulations on monitoring measures in the area of electronic communications included in the Convention on Cybercrime are particularly important.
Considering the cross-border nature of cybercrime, German law enforcement authorities have implemented cross-border communication networks and coordination units, including the Interpol Global Complex for Innovation, the European Cybercrime Centre at Europol, and others.
Cross-border issues and foreign authorities
11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.
German criminal laws apply to all criminal acts (at least in part) committed or having an effect on German territory. This also applies if a participant (accomplice or instigator) to an offence committed abroad acted within the German territory, even if the act is not a criminal offence according to the law applicable in the location of the crime.
For offences in connection with the bribery of foreign public officials, German criminal law always applies if the perpetrator is a German national, regardless of the place where the act occurred (German Criminal Code, section 5(15)(a)).
German criminal law also applies to any other offences committed abroad if the act is a criminal offence in the place of its commission or if that place is not subject to any jurisdiction, if the offender either was a German national at the time of the offence or became a German national after committing the offence.
12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.
In some instances, German law poses challenges to the expectations of foreign authorities on how corporations should conduct investigations and the expected work-product. Although there is wide acceptance in German legal practice that corporations may conduct internal investigations and, under German corporate laws, have to clarify allegations of misconduct to avoid corporate and managerial liability, there is no specific legal framework for it, and some prosecutors might refuse to accept the merits of an international investigation. Data protection laws frequently provide challenges in terms of timing and work-product as, for certain investigation steps, employees’ consent may need to be obtained or personal data may need to be redacted. In such cases, steps have to be taken to avoid breaches of applicable data protection laws. This might include safety measures such as white-lining or black-lining of personal data.
German employment laws must be observed, which might include the need to involve the works council, if any.
Legal privilege protection of work-product envisaged under foreign laws might not work under German laws, as German law provides for only a rather limited legal privilege between an accused and its defence lawyer, and in-house counsel generally do not qualify for legal privilege. Safeguarding legal privilege under foreign laws thus requires careful planning and processes.
The blocking statutes of other countries (such as Switzerland, France, China and Saudi Arabia, to name but a few) might affect cross-border investigations in Germany.
13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?
The principle of ne bis in idem has constitutional rank in Germany, so generally no one can be punished twice for the same offence. However, this applies only to German and European proceedings. German authorities and courts do not have to recognise fines imposed by other foreign criminal, civil or antitrust enforcement authorities. In practical terms, however, these can be considered on a discretionary basis in determining regulatory fines. One example of this is the regulatory fine against Siemens AG for its failure to prevent systematic bribery of foreign officials, for which settlement amounts in the United States were considered.
Further, there is no ‘anti-piling on’ policy under German law. If several enforcement authorities or regulators pursue a corporation on the same set of facts, each would do so under its own competences, rules and sanctions framework.
14 Are ‘global’ settlements common in your country? What are the practical considerations?
‘Global’ settlements are not common and there is no framework in this regard. In exceptional cases, however, German authorities are willing to and do co-operate with authorities abroad, as was the case in the Siemens corruption scandal settled with the US Department of Justice, the US Securities and Exchange Commission and German authorities at the same time. Usually, the impetus to do so would need to come from the corporation, which would also bear most of the coordination efforts.
15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?
Decisions of foreign authorities (including enforcement authorities, regulators or courts) per se do not have any bearing on an investigation into the same matter in Germany or the European Union. However, German and foreign authorities might decide to collaborate on fact-finding or otherwise for efficiency. Further, decisions from abroad can affect investigations in Germany if international legal assistance has been applied for and granted, or foreign judgments are enforceable following acknowledgement through a German court.
For competition law matters, the Federal Cartel Office generally is aware of investigations and fines in other jurisdictions through communications in the international and European networks of competition authorities (the International Competition Network and the European Competition Network). The decisions of foreign authorities have a binding effect either legally or de facto. Although decisions are generally studied with great care, the Federal Cartel Office will come to its own conclusions.
Economic sanctions enforcement
16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.
The European sanctions mechanisms established by the European Union apply, as do the Common Foreign and Security Policy objectives and the United Nations Security Council Resolutions. EU sanctions become directly applicable law in Germany when the respective EU legal acts come into force. Further, the German Foreign Trade and Payments Act and the German foreign trade regulations have to be observed. Sanctions are enforced by German authorities and can be directed against governments of third countries, as well as against non-government institutions, legal entities and natural persons. The prohibition of exporting weapons or other trade restrictions in third countries may also be covered by these sanctions. Commercial banks and insurance companies have direct operational responsibility for financial sanctions. The Federal Office of Economics and Export Control is responsible if bans or licensing requirements relate to the supply of goods or the provision of non-financial services in connection with goods (e.g., dual-use goods), as well as for exemptions regarding frozen economic resources. Furthermore, customs authorities supervise the import and export of goods.
Following the invasion of Ukraine by Russia in 2022, numerous Russian enterprises and private individuals are now subject to sanctions. To implement these, various federal and state authorities have worked together in accordance with their responsibilities and competences to freeze private assets.
17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?
Although the Foreign Trade and Payments Act has probably been less of a focus of attention for German authorities in recent years, recently imposed Russia sanctions are strictly controlled. Since the beginning of the war in Ukraine, German authorities have initiated a total of 147 investigations in relation to sanctions on Russia, mostly violations of import and export bans. Penalties include not only fines but also imprisonment for up to five years.
18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?
Yes, this is mainly done at EU level.
19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.
The EU Blocking Regulation (Council Regulation (EC) No. 2271/96) is directly enforceable in Germany. It prohibits EU businesses from complying with certain sanctions (namely those imposed by the United States against Iran and Cuba) and prevents foreign judgements enforcing these sanctions from being recognised. The measure forbids EU citizens from complying with these third-country extraterritorial sanctions unless exceptionally authorised to do so by the European Commission.
20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?
In January 2022, the European Court of Justice (ECJ) for the first time provided some interpretation with regard to the EU Blocking Regulation. Further, there is a non-binding Guidance Note available from the European Commission. The ECJ addressed four interpretive questions referred by a German higher regional court. In summary, the ECJ held that commercial decisions taken by EU persons in response to US sanctions risks may in fact be subject to scrutiny in litigation. Thus, in practical terms, businesses still have to choose whether to comply with the US sanctions or with the EU Blocking Regulation, or set up their business processes and operations so as to avoid sanction violations.
Before an internal investigation
21 How do allegations of misconduct most often come to light in companies in your country?
Although there are no official statistics, the majority of allegations faced by German corporations (including multi-jurisdictional enterprises with German headquarters) probably stem from (internal) whistleblowers using a whistleblowing hotline or other reporting mechanisms. Another frequent source of relevant information comes from accounting reviews (through the tax authorities, the statutory auditor, financial controller or the internal audit function), followed by other sources such as compliance training sessions or workshops, risk assessments, internal controls, country spot checks, media reports or alerts by business partners.
22 Does your country have a data protection regime?
Yes. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation (GDPR)) is directly applicable in Germany and regulates the vast majority of general data protection issues. Further, the Federal Data Protection Act supplements, specifies or modifies the GDPR under certain circumstances. The German federal states also have their own data protection laws that regulate data protection for their public authorities and institutions. Further, there are other area-specific data protection regulations, such as the Telecommunications-Telemedia Data Protection Act, the German Banking Act and the Money Laundering Act, to name a few.
23 To the extent not dealt with above at question 9, how is the data protection regime enforced?
The data protection regime is typically enforced by one of the 16 federal data protection authorities. They have various means of enforcing the data protection regime, but most often they either prohibit a specific data processing activity (e.g., the transfer of personal data outside the European Union) or impose certain fines for non-compliance in the past.
Non-compliance with data protection regulations by companies can result in a fine of up to €20 million or 4 per cent of annual global turnover, whichever is higher. Although authorities have so far not exceeded this penalty range, the level of company fines has increased significantly since the introduction of the GDPR in May 2018. The highest fine issued by a German data protection authority to date was €35 million for the illegal surveillance of hundreds of employees. Typically, fines range between €5,000 and €20,000 for non-compliance with data subject rights or the illegal processing of personal data for marketing purposes.
24 Are there any data protection issues that cause particular concern in internal investigations in your country?
Depending on the scope of the investigation and the type of personal data affected, conducting a data protection impact assessment prior to the investigation may be necessary. Generally, the collection and use of employees’ personal data during internal investigations must be in line with the GDPR and the Federal Data Protection Act, namely during email and data reviews, and in interviews. Processing employees’ personal data for the purpose of uncovering criminal offences is only justifiable under German data protection laws if:
- factual indications (to be documented) give rise to the suspicion that an employee has committed a criminal offence in the employment relationship;
- the processing is necessary for the purpose of uncovering the offence; and
- the interests of the employee in preventing the processing do not prevail.
Further requirements may apply if and to the extent that the private use of company information technology is allowed. This might include processes to ensure that private information is filtered out and not reviewed. Furthermore, employees affected by an investigation must be informed about the subject and purpose of the investigation and their rights under the applicable data protection laws, unless doing so interferes with the integrity of the investigation. Transferring personal data to entities other than the employing entity during the investigation typically requires the conclusion of data processing agreements. Under German law, there are special regulations regarding companies in the banking and insurance sectors, who may be allowed, or even obliged, to process personal data during an investigation resulting from their legal duties regarding money laundering and fraud prevention.
25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?
The key factor is whether, according to company policy, employees may use email, internet and other means of communication (chats, intranet functions, platforms) only for business purposes or also for private purposes. If the latter, the employer may be considered a ‘telemedia service provider’ under German law and has to comply with the requirement for telecommunications secrecy. If so, the employer is only permitted to access data subject to telecommunications secrecy with the prior consent of the employees concerned.
If communication on company devices is permitted for business purposes only, employers may access employee communications under certain circumstances. However, access shall be limited to specific occasions, and not result in constant employee surveillance. There are specific rules for business communications between financial institutions and their customers. Enforcement action by data protection authorities is frequently based on complaints launched by employees or works council members.
Dawn raids and search warrants
26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.
Searches (including those in the early morning) that lead to seizure of information are frequently made by prosecutors, the police or cartel authorities. They generally require a search warrant, as issued by a judge, or, in exceptional circumstances of imminent danger, by the prosecutor or enforcement authority itself. Search warrants need to refer to relevant facts, be proportionate, adhere to further formalities and have a limited period of validity. Entities subject to searches can apply for judicial review but an application does not have suspensive effect against the seizure. In the event of non-compliance with the requirements of the warrant, seized information has to be returned. Typically, the prospects for success are rather low.
27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?
In practical terms, the most effective protection is to keep material (and access thereto) out of the territorial reach of German authorities; whatever is not available or accessible at the company cannot be seized from it. Apart from that, under a (narrow) prevailing legal opinion on statutory provisions confirmed by case law, legal privilege under German law is generally limited to written communication between the suspect of a crime and its defence lawyer, and records prepared by the defence lawyer in this regard. Measures to preserve (potential) legal privilege to the best extent possible include establishment of a direct attorney–client relationship with the legal entity that is (or might potentially become) subject to public investigations, criminal defence being part of the engagement, and careful record-keeping, including separation, and labelling, of (potentially) privileged material from other documents.
28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?
Under the nemo tenetur se ipsum accusare principle of the German Code of Criminal Procedure, no one is obliged to make a statement that would incriminate that individual. Thus, defendants can remain silent at all stages. Witnesses are generally obliged to provide information and tell the truth. Witnesses can refuse to testify only if they are related (or married) to the defendant, or risk incriminating themselves through their testimony. Further, certain witnesses (such as lawyers, doctors and priests) can refuse to testify on facts gained under professional confidentiality.
Witnesses who do not have a right to refuse testimony may be subject (by a court only) to imprisonment for contempt of court for up to six months. Once they state their willingness to testify, however, they have to be released immediately and the testimony provided will be fully valid.
Whistleblowing and employee rights
29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?
Until 2019, there was no uniform legal framework for the protection of whistleblowers in Germany. A certain degree of protection from reprisals, however, resulted from a number of different statutory provisions. In addition, German labour courts are guided in their interpretation by the case law of the European Court of Human Rights regarding freedom of expression (ECHR, 21 July 2011 – 28274/08, Brigitte Heinisch). Directive (EU) 2019/1937 (the EU Whistleblower Protection Directive) came into force in 2019. Among the requirements to establish reporting channels, it provides for comprehensive protection of (bona fide) whistleblowers against repression and sanctions, including damage compensation. As Germany failed to implement the Directive by the 17 December 2021 deadline (owing to disagreements in the previous coalition government), under EU law the Directive has been directly applicable since that date to the relationship between the German state and its citizens. Accordingly, public employers must offer internal reporting systems and comply with the protection requirements. Although EU Directives have no horizontal direct effect between private parties after the transposition deadline, the labour courts are obliged to interpret national law in accordance with EU law. Therefore, certain protection obligations in favour of whistleblowers are already in effect. In April 2022, the German Federal Ministry of Justice submitted a draft Whistleblower Protection Act, which is expected to be adopted in the near future. The draft provides for an overshooting transposition of the EU Directive. In addition to EU law, certain national regulations are also to be covered, such as violations of criminal law and, to a certain extent, administrative offences, as well as protective regulations in specific areas, such as environmental law or combating money laundering. Furthermore, provision is made for administrative court review of decisions by authorities.
There are no financial incentive schemes for whistleblowers in Germany. The introduction of such schemes is the subject of a controversial debate.
30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?
Employees are generally obliged to co-operate with an internal investigation. To the extent that information relates to an employee’s individual area of activity, the employee has a duty to fully co-operate and testify. Although this duty appears to conflict with the nemo tenetur se ipsum accusare principle under the German Code of Criminal Procedure, according to which there is no obligation on an individual to self-incriminate, the Code does not apply to internal investigations that do not involve public authorities. To the extent that information outside the employee’s individual area of responsibility is concerned, however, the employee’s interests not to self-incriminate must be weighed against the employer’s interest in clarifying the facts. The more serious the investigated offence and the higher the employee’s hierarchical position within the company, the more likely it is that the employee has a duty to actively co-operate and to testify in the case.
A separate question is whether the findings obtained in an employee interview are subject to a prohibition on the use of evidence in subsequent criminal proceedings. The Federal Constitutional Court has declared a seizure of interview records prepared by an external law firm to be constitutionally permissible. However, the details are as yet unclear.
In principle, there is no difference between managerial staff and other employees with regard to the above-mentioned principles. However, managers are subject to a particularly high degree of fiduciary duties under their employment contracts since their task is precisely to prevent damage to the company. Therefore, if an employee in a higher position remains silent after discovering wrongdoing in the company, this can lead more quickly to dismissal and, if necessary, claims for compensation against the employee.
Internal investigations and the monitoring of employees involve the processing of personal data within the meaning of Article 4, No. 1 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation (GDPR)). Section 26 of the German Federal Data Protection Act allows the collection of data for preventive control or for the detection of criminal acts if there is a corresponding suspicion (subject to limitations). Particularly strict standards may apply to the inspection of employee communications for constitutional reasons (secrecy of telecommunications) if employees were also permitted to communicate privately via company channels.
According to Article 13 of the GDPR, an employer is generally subject to extensive obligations to provide information ‘at the time of the collection’ when interviewing suspects. Thus, employers should in principle have informed the suspected employee about the purpose of the interview prior to the interview. As regards the extent to which employers can deviate from this principle if any prior information contradicts an adequate and promising questioning strategy, this is unclear and subject to discussions.
31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?
In general, there is no differentiation between a person suspected of having engaged in misconduct and others; a person, even if suspected of misconduct, has in principle the same employee rights. It is also irrelevant whether a person is under suspicion by the company or a law enforcement agency. Nevertheless, German law in principle requires weighing an employee’s interests against those of the company to determine what measures affecting an employee’s rights might be suitable.
However, if allegations against employees have been confirmed (e.g., during an internal investigation), an effective compliance programme requires the company to take adequate steps. Thus, a company’s management is strongly advised to investigate any potential misconduct and react to identified violations appropriately, in particular in the area of employment law, by imposing disciplinary sanctions (depending on the seriousness of the misconduct), such as warning letters, loss of voluntary or variable remuneration components, transfer to another role or function, or routine dismissal or termination for cause without notice, taking into account local legislation and case law.
Moreover, the company might need to take other remediation steps, such as revising business processes and the compliance programme to ensure more effective controls that will avoid similar violations in the future. Neither a prosecuting authority nor the courts would understand if weaknesses that have been identified in the past have not been demonstrably closed.
32 Can an employee be dismissed for refusing to participate in an internal investigation?
Yes. Employees have to co-operate during internal investigations in providing information, including interview testimony. Employers must adhere to the legal framework, in particular by observing constitutional and data protection requirements. Insofar as the immediate area of work is affected or observations have been made in this context, there is an obligation under German labour law to make complete and truthful statements. Insofar as observations go beyond the immediate area of work, the obligation depends on whether the employer’s interest in information prevails and whether this does not place an excessive burden on the employee. A refusal by employees to participate accordingly may result in a termination for cause, if necessary, following a previous warning.
Commencing an internal investigation
33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?
Yes. Investigations are (and should be) frequently based on a work plan setting forth, among other things:
- the key allegations or facts to be investigated;
- a generic assessment of the risks posed by the allegations;
- the scope of the investigation (in terms of timing, facts, countries, business units, etc., to be covered);
- methodology and steps to be taken (such as document review, accounting review, email review, interviews, site visits, etc.);
- planned data and document preservation and collection efforts (including data custodians); and
- a description of the mandates (and limitations thereto, if any) to external advisers, including lawyers, auditors, forensic intelligence providers and others.
The work plan should be continuously revised to reflect findings as the investigation progresses and include a record of decisions made within the scope of the investigation, with reasons for those decisions.
34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?
Under German corporate law, to avoid liability, management generally has to organise and supervise the affairs of the corporation in such a manner as to prevent violations of applicable laws, perform regular checks thereon and investigate any substantiated indications of misconduct. Further, management has to stop continuing misconduct and take adequate remediation steps, which might include sanctions against wrongdoers (as appropriate), ad hoc measures such as compliance training or audits (including, if necessary, at other business units with a similar risk profile), and an adjustment of the compliance programme and compliance controls (if needed). In the case of serious misconduct (such as a criminal offence), the entrepreneurial discretion as to whether to clarify misconduct is limited, in effect resulting in an obligation to do so. However, under the business judgement rule, management has significant entrepreneurial discretion as to how to investigate potential misconduct, provided its actions are based on adequate information and in the best interests of the company. Relevant factors include stopping continuing violations and damage, addressing legal and reputational risk, building a strong defence position, and clarifying the facts in sufficient detail to enable a reasonably informed decision on remediation measures. Nevertheless, management has to make reasonable and efficient use of company resources and prevent business disruption.
To enable due supervision by management, functions within the company with delegated responsibility for the tasks as described (such as finance, legal, compliance and audit) have to regularly update management on incidents of misconduct and the status of investigations (e.g., during meetings with responsible board members or the compliance committee (if any)). In the case of serious misconduct or potentially high risk to the company, immediate ad hoc reporting should be made: the company’s governance rules should provide for this. Further, if there is a second supervisory body within the company, in addition to the management board (such as a supervisory board, an advisory board, a shareholders committee, or similar), that body should also regularly be updated on recent developments, if necessary, through ad hoc reporting on significant incidents and management’s response thereto.
35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?
As a matter of precaution, the company should impose a document or litigation hold in its system, preventing information potentially relevant to the context of the notice or subpoena from being deleted under its regular document retention policies. If the company assesses that it is indeed obliged to produce the requested information, or the company elects to do so as it is willing to volunteer to co-operate with the authorities, relevant data must be identified and collected. The extent of the efforts and steps involved depends on the nature and scope of the subpoena and can be extensive.
36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?
There is no obligation to publicly disclose internal investigations or contacts from law enforcement authorities. Publicly listed stock corporations can be obliged to make an ad hoc disclosure if an investigation potentially affects the corporation to an extent that might affect the stock price (e.g., if there are significant financial or reputational consequences). This obligation needs to be continuously monitored throughout the investigation.
37 How are internal investigations viewed by local enforcement bodies in your country?
The position of enforcement bodies on internal investigations may vary from district to district, and even from prosecutor to prosecutor. Generally, German criminal laws are based on the concept that investigations are conducted exclusively by the executive power. Thus, although an investigation carried out by a company in accordance with the law is certainly not prohibited, some prosecutors occasionally discourage internal investigations. In particular, some prosecutors do not want companies to conduct interviews first. Thus, if internal and external investigations are pending or on the horizon, a close coordination of efforts with the authorities is key, to prevent authorities from being made to feel obstructed in their own investigation by steps taken by the company. However, authorities (including prosecutors experienced with corporate investigations) often view internal investigations as a means of co-operation and are sometimes willing to refrain from coercive measures, such as dawn raids, if the company fully co-operates. The foregoing often applies to comprehensive and complex investigations, frequently with cross-border aspects. However, this requires mutual trust between the company, its advisers and the authorities, which needs to be built and maintained by both sides.
At present, German law does not provide for specific (positive or negative) requirements regarding the conduct or format of internal investigations, notwithstanding that legal obligations under general laws (such as employment and data protection laws) have to be adhered to. The draft Corporate Sanctions Act had proposed a potential fine reduction if, among other things, the results of an internal investigation were handed over in full, and the investigations followed certain ‘fair trial’ elements, including warnings to interviewees of a possible use of statements in criminal proceedings, the right to have a lawyer or works council member present during interviews, and the right to refuse to testify (nemo tenetur se ipsum accusare).
38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?
The attorney–client privilege under German law is generally limited to written communication between the suspect of a crime and its defence lawyer, and records prepared by the defence lawyer in this regard. Thus, there is no privilege protection for most material relevant for internal investigations. This includes usual company records (invoices, presentations, letters, emails), but also attorney work-product such as work plans, interview protocols and reports. Attempts by the German investigation practice to expand legal privilege to work-product in the past have failed in most cases, culminating in three decisions by the German Federal Constitutional Court in July 2018 (Jones Day) upholding the seizure of interview protocols and reports at the company and its law firm by confirming the prevailing (and narrow) legal opinion.
Measures to preserve legal privilege to the best extent possible include careful planning of the client relationship (directly to the entity potentially subject to public investigation) and record-keeping (such as separation and labelling). Further, additional steps might be necessary to preserve any foreign (non-German) attorney–client privilege over investigation material.
39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?
There is no specific attorney–client privilege with regard to corporations. The owners of the (limited) privilege are individuals or legal entities subject to (actual or imminent) public investigation, as well as their defence lawyers. As yet, the principles are the same, regardless of whether the client is an individual or an entity.
40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?
Any attorney–client privilege is limited to communication with (and work-product by) external defence counsel. In-house counsel are considered part of the company and cannot qualify for the attorney–client privilege under German law.
41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?
Although foreign lawyers can qualify as defence counsel and, thus, work-product can be covered by the (limited) privilege, international lawyers may not be able to appear in court. Further, international law firms may find it more difficult (if not impossible) to successfully challenge seizures in front of German courts with reference to some of the basic rights under the German Constitution that are limited to individuals and domestic (German or EU-based) entities.
42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?
Although disclosure of (privileged or other) material is usually regarded as co-operation and might be credited in favour of the company by authorities, there is no concept of privilege waiver under German laws.
43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?
The concept does not exist.
44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?
Waiver of privilege in another country does not legally affect the (limited) privilege in Germany. However, in practical terms, documents produced to a third party who does not benefit from German privilege might be subject to seizure from that third party abroad.
45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?
These concepts do not exist.
46 Can privilege be claimed over the assistance given by third parties to lawyers?
Yes, if and to the extent that third parties (forensic auditors, private investigators, etc.) were instructed by and assisted the defence lawyer in fact-finding for defence purposes.
47 Does your country permit the interviewing of witnesses as part of an internal investigation?
Current employees can be interviewed as witnesses. In some cases, this might also entail external parties (such as former employees, external advisers or other business partners), if and to the extent that they agree to provide information.
48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?
Generally yes, if it can be argued that interviews are conducted by the company’s defence counsel to prepare for the corporate defence. Possible steps can (and should) be taken to achieve this protection, including careful planning of the client relationship and record-keeping. However, in practical terms, attempts to do so have rarely been successful in the past. Rather, seizures of interview notes and attorney reports are frequently upheld by the courts, sanctioned in principle by the Federal Constitutional Court.
49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?
Although there are no specific legal requirements in this regard, employees (both suspects and witnesses) at the outset of the interview should be informed that (1) they are generally obliged to co-operate fully, testify and tell the truth, (2) counsel is acting on behalf of the company, not on behalf of the employee, (3) the company may choose to share information gained with third parties, including authorities, and (4) lack of co-operation may result in sanctions (including dismissal). An Upjohn-style warning as used in international investigations frequently works for this purpose. Further, the company may choose to include additional information as relevant under the processes or policies that apply to the investigation, such as being based on the presumption of innocence, the handling of protocols, optional assistance by lawyers (and cost-bearing in this regard) or a works council representative, among other things. In any event, employees need to be informed about the collection and use of their personal data in connection with the investigation, unless this has been done prior to the interview.
50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?
Interviews are preferably conducted in person in a neutral conference room on company premises or externally (e.g., a hotel or law firm offices) under circumstances that maintain confidentiality of the interview and its content. In the case of remote interviews (as was necessary during the covid-19 pandemic), additional precautionary measures are advisable to secure the integrity and confidentiality of the interview. Frequently, interviews are prepared on the basis of documents that can then be presented to witnesses during the interview to confront suspects with evidence or to refresh the memories of witnesses and obtain opinions and views thereon.
Employees who have been invited to an interview as part of an internal investigation have no right to involve either a works council member or a lawyer. In the event of external investigations, the legal situation can be assessed differently. If the questioning is carried out by external lawyers, it is largely understood that employees also have a right to call in a lawyer, but at their own cost. Sometimes, however, companies elect to provide interviewees with access to lawyers on a voluntary basis (the costs being covered by either the interviewee or the company), or there are internal policies (including works council agreements) in place that provide for such assistance. Finally, the draft Corporate Sanctions Act provides for such assistance as one requirement for a ‘fair’ investigation, making the company eligible for fine reduction.
Reporting to the authorities
51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?
Generally, companies do not have to report misconduct to the authorities. However, if the misconduct affected the company’s past tax returns, tax declarations need to be corrected to avoid criminal liability. Under limited circumstances, the company would need to report any knowledge of serious crimes planned in the future. Further, a cyber breach or personal data breach has to be notified to the competent data protection supervisory authority no later than 72 hours after its detection, unless the breach is unlikely to result in a risk to the rights and freedoms of concerned data subjects. Finally, financial institutions, and certain companies and advisers who are subject to anti-money laundering requirements, have to file money laundering suspicion reports in defined circumstances.
52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?
Voluntary self-reporting requires a careful analysis of the arguments for and against, and the associated risks. Self-reporting can be in the best interests of the company, for example, to obtain leniency for violations of competition law (see below), to initiate public investigations (including coercive measures), to enable the company to assert damages against wrongdoers, or to gain credit for co-operation when there is a high risk of independent disclosure of facts to the authorities, such as through a whistleblower, third parties or media reports. On the other hand, self-reporting might trigger external public investigations, media attention and reputational risk beyond the company’s control.
Competition law provides for a leniency policy for horizontal cartels (i.e., agreements or concerted practices between competitors). However, there is no such provision for vertical cartels (e.g., resale price maintenance) or cases of abuse of a dominant position. Under the policy, a reduction of the fine of up to 100 per cent is possible, in particular for the first to file a report, making self-reporting of horizontal cartels rather attractive. On the downside, in many cases, a decision of the Federal Cartel Office on a cartel will lead to follow-on claims for damages by customers, which can also be brought against the self-reporting whistleblower. Nevertheless, leniency filings are an attractive option for horizontal cartels.
53 What are the practical steps needed to self-report to law enforcement in your country?
Generally, there is no defined process for self-reporting. Companies should carefully consider associated risks and timing. Frequently, authorised representatives of a company (and its lawyers) ask the authorities for an initial informal meeting for a preliminary discussion about facts (including evidence) and to agree on the next steps to be taken.
In competition law, the Federal Cartel Office’s guidelines on leniency filings provide detailed instructions for self-reporting. Typically, self-reporting involves a first short notice, in which the violation is described (a ‘marker’), followed by a formal leniency filing, which gives a detailed description of the violation and is accompanied by evidence.
Responding to the authorities
54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?
In criminal investigations, there is no general obligation to respond to information requests as suspects do not have to incriminate themselves by handing over information. Still, co-operation with official orders is usually taken as a sign of goodwill. It is generally possible to enter into dialogue with authorities on investigation measures (including the scope of notices or subpoenas) at any time. As the authorities must seek to clarify the incident in question according to the principle of official investigation through other reasonable means, the refusal to respond to information requests might result in coercive measures, such as dawn raids, seizure or detention.
55 Are ongoing authority investigations subject to challenge before the courts?
Although it is not possible to challenge the investigation itself in court, investigative steps taken, such as dawn raids, seizures or detentions, can be challenged.
56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?
Although communication with different authorities on facts should be consistent, different pieces of evidence may still need to be provided owing to differences in the authorities’ respective focus, requests, legal requirements or legal assessments. Providing uniform disclosure packages to several authorities bears the risk of shortcomings or over-disclosing unnecessary facts that lead to follow-on investigations outside the initial scope. Rather, decisions as to which pieces of evidence are provided to whom should be tailored depending on the specific request and legal framework.
57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for and produce material in other countries to satisfy the request? What are the difficulties in that regard?
German companies are generally not obliged to collect and produce material from abroad. Still, the assistance in producing material will usually be seen as a sign of goodwill and co-operation, and refusal to do so might have a negative effect. Further, the authorities might seek to obtain the respective information from abroad directly (e.g., by means of a request for legal assistance), which usually includes additional efforts by the company group and will significantly delay the investigation. Thus, companies might seek to fulfil such a request, provided they have the authority to do so and in compliance with applicable laws, including local data protection laws or foreign blocking statutes (if any).
58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?
Cross-border communication among authorities has been well established in the past, including authorities within the European Union but also internationally. Such co-operation is not necessarily based on formal rules, and there is no comprehensive legal framework apart from some bilateral and multilateral treaties. Although the typical communication route is via centrally competent offices for foreign affairs and official requests for administrative assistance, direct communication is an additional but often faster route.
59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?
Criminal, regulatory and tax proceedings are generally not public, and both enforcement agencies and tax authorities have to keep information confidential. Tax authorities, however, have to forward facts that indicate a criminal or regulatory offence in connection with benefits (i.e., potential bribes) to the prosecutor’s office. Third parties (including victims) might have access rights to files, however, and can use information for their own purposes, such as damage claims.
In competition law matters, any document that the Federal Cartel Office publishes or shares with a third party is generally sent to the concerned party before publication or sharing. The concerned party then has the opportunity to mark all information that it considers confidential. The Federal Cartel Office generally accepts confidentiality claims for information that typically is a business secret. Confidentiality issues arise particularly in the context of the final decisions of the Federal Cartel Office. These decisions are the basis for future follow-on damages claims by customers. Corporations therefore frequently try to claim confidentiality for as many facts of the case as possible. The Federal Cartel Office is aware of that strategy and critically examines confidentiality claims.
60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?
A violation of applicable laws (e.g., data protection laws or blocking statutes) should generally be avoided. The company should carefully assess the scope and limitations of local laws, and whether and how information contained in the documents can be produced in line with them (e.g., redacting data or seeking official approval, if possible). Alternatively, the authority should be asked to refrain from the request or seek mutual legal assistance to have the documents seized locally through available processes, including local authorities.
61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?
Germany does not have blocking statutes that would generally or specifically prohibit the communication of certain information as evidence in judicial or administrative proceedings abroad. However, general confidentiality and secrecy obligations (including, among other things, patents and utility models on defence and armament technology, nuclear technology, or secret message transmission) as well as data protection obligations might affect a company’s ability to fully respond to a notice or subpoena received from a foreign authority. Further, relevant non-disclosure or other confidentiality agreements with business partners should be checked for whether they include exceptions should the company be obliged to provide information to authorities.
62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?
A voluntary production should only be made following an assessment of whether it might have a negative effect on privilege protection (if any) under relevant foreign laws, and in accordance with applicable data protection laws. Confidentiality is generally attached to productions to law enforcement, irrespective of whether the production was voluntary or compelled.
Prosecution and penalties
63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?
Criminal sanctions against individuals include fines, imprisonment and additional measures such as occupational bans (e.g., a prohibition on serving as a managing director or taking political mandates), or the withdrawal of driving or other licences, if related to the committed offence. Further, individuals can face regulatory fines if they are involved in regulatory misconduct.
Employees with managerial responsibilities (including managing directors, executive board members, as well as other directors and officers) face regulatory fines of up to €1 million if they failed to organise and supervise the company so as to prevent criminal or regulatory offences.
Although companies currently do not face criminal sanctions, they can face regulatory fines of up to €10 million (or more if required to disgorge profits generated through illegal conduct) if (1) managers have committed a criminal or administrative offence that enriches the corporation or through which the corporation’s duties are violated, or (2) although another person committed the offence, management negligently omitted to have supervisory measures in place that would have prevented the offence. In addition to such fines, forfeiture (confiscation) orders can be imposed against the company covering the (gross) value of the proceeds gained through a crime (e.g., payments received under a contract obtained through corruption). Costs incurred by the company in connection therewith will be disregarded.
Finally, fines in connection with certain illegal conduct (including bribery, formation of criminal organisations, financing of terrorism, money laundering, fraud and subsidy fraud to the detriment of public budgets, tax evasion, withholding and unauthorised misappropriation of wages, violations of certain labour law provisions, cartel agreements, or, from 2023 onwards, non-compliance with the Supply Chain Due Diligence Act) imposed against companies will be registered in the central Competition Register for up to five years. Authorities issuing public tenders have to check this register prior to a tender decision. Thus, registration usually leads to a practical debarment from public tenders for the duration of the register entry, unless the tender authority accepts ‘self-cleaning’ measures taken by the company in the meantime, which might include disciplinary sanctions against employees, payment of damages to victims and improving the compliance management system.
64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?
A settlement abroad does not prevent the company or its employees from being held liable under German laws. Thus, the risk of debarment in Germany has to be considered when assessing options to settle abroad. Debarment can also be based on an employee’s misconduct abroad.
65 What do the authorities in your country take into account when fixing penalties?
Although there is no general sentencing guidance or mechanism, factors considered by authorities, including prosecutors (for orders of penalty or case dismissals against monetary fines) and courts (for convictions), at their discretion, frequently include one or more of the following:
- seriousness, dimension, scale and weight of the offence;
- motives and objectives of the perpetrators;
- position of the perpetrators within the organisation (involvement of managers frequently increases penalties);
- prior offences;
- impact of the offence (e.g., on victims and the public);
- endeavours to clarify the offence and mitigate its effects (e.g., through payment of damages);
- other consequences for the organisation arising from the offence (whether profits gained or a significant economic loss suffered, as well as the cost and efforts taken to investigate); or
- fines (including settlement amounts) paid under separate proceedings or abroad.
Frequently, there is a certain bonus for co-operation with the authorities during public investigations. Under case law, including the Federal High Court of Justice, compliance measures taken (if and to the extent effectively implemented) also have to be considered. The draft Corporate Sanctions Act had proposed to consider compliance measures taken before and after the violation as mandatory mitigating factors, as well as full co-operation with the authorities, including internal investigations, as long as they were conducted in line with certain ‘fair trial’ principles, and results (including reports) were handed over to the authorities.
In competition law matters, the Federal Cartel Office has issued detailed Guidelines on the Setting of Fines in Cartel Proceedings. The quantum of a fine depends on a holistic appraisal of a whole variety of factors, including the total turnover of the corporation, the turnover achieved from the violation, the nature and the duration of the violation, the size of the affected markets, the degree of organisation of those involved in the violation, the active or passive role of the corporation in the infringement, the corporation’s position in the market, the degree of intent or negligence and previous infringements, as well as compliance measures.
Resolution and settlements short of trial
66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?
German law does not acknowledge either ‘deals’ in criminal proceedings or deferred prosecution agreements. However, in practical terms, criminal proceedings against companies can be solved without public court procedure or conviction through ‘settlement-like’ orders of case dismissals with obligations (including monetary fines) or confiscation orders, each issued by the prosecution office and without involvement of the courts. Such orders frequently include a description of the facts and factors relevant to assess the quantum of the fine. Although they are not made public, in significant cases authorities might issue brief press releases describing the circumstances. Remediation measures (including improvements to the compliance programme) are usually expected and required to achieve an acceptable level of fine. Thus, achieving such an order frequently involves a continuing process of information sharing and negotiations with the prosecutors.
67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?
No. Proceedings against individuals are generally independent from proceedings against the company and their status.
68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?
Relevant considerations, such as those concerning the timing of the ‘settlement’ (orders of case dismissal with obligations or confiscation orders), include both positive and negative consequences, such as:
- business operations (including management attention) no longer being obstructed by (pending or threatened) public investigations;
- reputational and monetary effects;
- the compliance programme and its further development;
- public debarments (in Germany or abroad); and
- more generally, weighing the likelihood of convictions following a continued public investigation against benefits posed by the ‘settlement’.
In competition law matters, one advantage of a settlement can be that, following a settlement, the Federal Cartel Office may only issue a ‘short form’ or summary decision that will include little detail, making it more difficult for customers to submit follow-on damages claims. This advantage is of little value, however, should not all the parties involved settle, since in that case the Federal Cartel Office will issue at least one full decision with all details of the case.
69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?
There is no concept of corporate compliance monitors under German law at present. The draft Corporate Sanctions Act had proposed that authorities might require companies to take specific compliance measures and provide evidence thereof (including effective implementation) through qualified persons, such as lawyers, auditors or business consultants.
70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?
Yes. In some cases, however, judges at civil courts suspend civil proceedings until criminal investigations and court proceedings on the same matter have been completed. Private plaintiffs can apply for access to the authorities’ files based on a legitimate interest. Access can be granted unless there are overriding interests of the criminal investigation or other persons (including the defendant).
Publicity and reputational issues
71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.
Criminal (and other regulatory) investigations are not public. Further, court orders and court decisions are not made public but remain privy to the parties involved. Publications (such as in legal literature) are made on an anonymised basis only. However, high-profile investigations might (and frequently do) get into the public domain through media reports following dawn raids or leaks within companies or the authorities. In some cases, prosecutors issue press releases.
Criminal (and most civil) trials, with few exceptions, are open to the public, so anyone can attend and listen. This does not apply to discussions between the accused (individuals as well as companies) and the enforcement authorities (e.g., prosecutors) during investigations, which are confidential.
72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?
In the case of publicly listed companies or high reputational risk for a company, public relations consultants are frequently hired to coordinate communications content and timing among management, investors, the internal and external investigation teams, and, if different, defence counsel at least in the key jurisdictions involved. Also, the communications strategy has to consider engagement with internal statutory auditors and the possible implications of allegations and the current status of findings about the company’s financial situation.
73 How is publicity managed when there are ongoing related proceedings?
If and to the extent that fact-finding operations are under way and allegations have neither been cleared nor substantiated, no detailed public statements should be made about the allegations. Rather, if needed, general statements that certain allegations of misconduct are currently being clarified can be made, including high-level descriptions of the next steps.
Duty to the market
74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?
Disclosure to the market can be mandatory for publicly listed stock corporations if and to the extent the settlement potentially affects the corporation to a degree that might affect the stock price, for example, owing to the financial or reputational consequences (both positive and negative) resulting therefrom. This obligation needs to be monitored throughout the investigation.
Environmental, social and corporate governance (ESG)
75 Does your country regulate ESG matters?
Yes. Significant ESG-related aspects (social rights, employee rights, environmental health and safety, data protection, risk management, bribery and corruption, environmental laws to protect natural resources from pollution and harmful emissions, etc.) have been embedded in national laws for decades. Further, an increasing number of additional ESG-related topics continue to be subject to domestic and EU-wide regulations, including the following key aspects.
Under the German Commercial Code (but based on Directive 2014/95/EU on disclosure of non-financial and diversity information by certain large undertakings and groups), German listed companies, financial institutions and insurance companies exceeding defined thresholds of assets, annual turnover or number of employees have to provide non-financial reporting on environmental, social and labour aspects as well as human rights standards and anti-corruption measures as part of their annual reporting. Under proposed amendments, such as a new Corporate Sustainability Reporting Directive, the scope and the level of non-financial reporting are expected to increase significantly in the near future, which may then include certain non-listed entities as well.
Further, based on the United Nations Sustainable Development Goals and a National Action Plan in 2016, Germany introduced a national Supply Chain Due Diligence Act in 2021, requiring enterprises with German headquarters or branch offices and 3,000 (from 2024, 1,000) or more employees in Germany to take comprehensive defined compliance measures to assess and mitigate a broad range of human rights and environmental risks in their own (global) business operations and their supply chain. These measures include the establishment of risk management, including assignment of internal responsibility (e.g., to a human rights officer) and at least annual risk assessments, a declaration of principle (Grundsatzerklärung) setting forth the human rights strategy, preventive measures covering direct (tier 1) suppliers, such as procurement strategies, contractual commitments, audits and risk-based controls, remediation measures in the event of identified violations (also covering suppliers further down the supply chain in the case of substantive knowledge), a whistleblowing mechanism open to relevant stakeholders in the supply chain, documentation and annual public reporting. Non-compliance with the Act might trigger regulatory fines of up to €800,000 or 2 per cent of annual global group turnover, and effectively exclude companies from public tenders for up to three years.
Additionally, Regulation (EU) 2017/821 laying down supply chain due diligence obligations for Union importers of tin, tantalum and tungsten, their ores, and gold originating from conflict-affected and high-risk areas (the EU Conflict Minerals Regulation) imposes extensive due diligence and verification obligations along the supply chain on EU importers of conflict minerals, as stated above. Finally, Regulation (EU) 2019/2088 on sustainability-related disclosures for participants in the financial sector requires the addressees to disclose comprehensive sustainability-related information.
The German Corporate Governance Code contains recommendations and suggestions for listed companies on good corporate governance and includes several relevant aspects. Although the rules are not mandatory per se, corporations annually have to issue statements on compliance (‘comply or explain’). Further, several recent acts aim to increase the proportion of women in leadership positions and to set binding targets for businesses and the public sector.
76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?
Yes, as there are relevant European developments under way. Most prominently, in February 2022, the European Commission released a draft proposal for a European Corporate Sustainability Directive. If adopted, national laws implementing the Directive would need to go even beyond the scope of the German Supply Chain Due Diligence Act in several aspects, namely a broader scope of application, including non-EU-based entities with certain revenues in the European Union, a broader definition of the relevant value chain to be covered by compliance measures, the obligation to instal a corporate climate protection strategy, and liability for damages to third parties in the event of non-compliance, to name but a few.
77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?
Several ESG-related litigation cases have been initiated, mainly with regard to environmental concerns. Notably, the Federal Constitutional Court ruled in 2021 that Germany’s first climate protection law falls short in its protective path, as it provides too few specific requirements for cutting carbon dioxide emissions after 2031, violating fundamental human rights, namely of the younger generation. Second, several enterprises have been sued by private individuals (frequently assisted by non-governmental organisations), including a Peruvian farmer suing one of Germany’s largest energy providers, RWE, for damages, arguing that his estate and economic existence are directly threatened by Andean glaciers melting owing to climate change caused by greenhouse gases that, to a certain extent, are attributable to RWE. In another case, an organic farmer from Lower Saxony sued the car manufacturer Volkswagen, arguing that his crops were threatened by changes to the climate caused, among other things, by exhaust gases emitted by Volkswagen’s products. Further, the environmental aid organisation Deutsche Umwelthilfe sued several German car manufacturers on similar grounds, adducing the arguments from the Federal Constitutional Court ruling described above. Although most proceedings are still pending and prospects are unclear, the expectation is that there will be further litigation in the future in which social and governance issues feature more prominently.
78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?
In April 2022, the German Federal Ministry of Justice submitted a draft Whistleblower Protection Act to implement Directive (EU) 2019/1937 (the EU Whistleblower Protection Directive), which came into effect in December 2019. The legislative process is under way and enactment is expected in the near future. At its core, the draft law provides for the mandatory establishment of internal reporting channels for companies with 50 or more employees. Whistleblowers shall be granted a right of disclosure to the public if the reporting authority does not take adequate steps to clarify the violations. In the draft, whistleblower protection is not limited to violations of specific EU law (as defined in the Directive) but covers violations of national criminal and certain regulatory laws. In terms of legal protection for whistleblowers, the draft contains significant developments, including legal action being possible against authorities’ decisions on the conclusion of procedures in the administrative courts. Expectations are that a wider establishment of whistleblowing processes as required might lead to a significant increase in reports and both internal and external investigations in the coming years.
Further, the current government in its coalition agreement announced that it would continue reviewing the need for legal reform to address corporate misconduct more effectively. This implies that either the draft for a Corporate Sanctions Act (as proposed in 2019) might be taken up again, or other laws (such as the Administrative Offences Act) will be amended to either introduce corporate criminal liability or at least significantly increase potential sanctions for violations. Amendments might include a legal framework for investigations and, potentially, effective compliance management having to be considered as a mitigating factor when assessing fines.
Finally, the current federal government proposed the introduction of further central federal authorities to align enforcement across the states, including a federal finance criminal department and a federal central department to supervise anti-money laundering efforts in the non-financial sector.
Eike W Grunert, Michael Reich, David Stoppelmann and Stephan Appt are partners at Pinsent Masons Rechtsanwälte Steuerberater Solicitors Partnerschaft mbB.