This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

General context, key principles and hot topics

1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

Following the Russian invasion of Ukraine, trade compliance cases gained considerable importance in Germany. Beginning in February 2022, the European Union imposed 10 packages of sanctions against Russia (including Russian politically exposed persons, strongly limiting transactions regarding, inter alia, commodities, financial products, consumables, luxury goods, machinery and services). Since then, German authorities have initiated more than 100 investigations regarding possible infringements of sanctions, most of which have focused on minor infringements. However, German authorities are looking increasingly at cases in which corporations may have bypassed sanctions via third-party countries. In this context, sanctions against countries such as Iran and the Democratic People’s Republic of Korea have come to the fore as well. Against this backdrop, the number of internal investigations regarding possible infringements of sanctions is currently rising and will most likely continue to do so for the duration of hostilities between Russia and Ukraine.

Furthermore, investigations regarding tax compliance retain considerable significance in Germany. Courts as well as law firms and financial institutions, and even the government, continue to deal with the impact of the ‘cum-ex’ scandal regarding tax fraud and tax evasion schemes. For an extended period, a combination of dividend stripping and double tax reimbursement was considered legal by several legal advisers and financial institutions. However, in 2020 and 2021, German federal courts ruled that the scheme is illegal and constitutes tax fraud. Thus, criminal prosecutors initiated investigations against numerous corporations, especially financial institutions, law firms and individuals. The financial damage incurred by the German treasury may amount to between €30 billion and €50 billion. In a key trial, a lawyer publicly perceived as the spiritus rector of the schemes was sentenced to more than eight years in prison. Several financial institutions reimbursed hundreds of millions of euros to the tax authorities; however, fines are rarely imposed and tend to remain rather low. Up to now, the majority of cases, including DekaBank and PwC, are pending, and investigations will most likely continue for years.

In addition, as the importance of legislation relating to environmental, social and governance (ESG) matters increases, investigations in this regard are gaining traction as the German authorities investigate a number of high-profile greenwashing cases.

2 Outline the legal framework for corporate liability in your country.

Since German criminal law applies only to individuals, there is no criminal liability for corporations under German law. Nevertheless, corporations are obligated to comply with laws and can be held liable under both civil and administrative law. In particular, a corporation can be held liable under the German Administrative Offences Act if one of its managers commits an offence by which the corporation’s duties are violated or the corporation is enriched. As a consequence, the corporation may face fines of up to €10 million and any profits generated by the offence may be disgorged. Alternatively, the gross revenue gained by committing a crime may be confiscated by the authorities.

Furthermore, managers of corporations may be held liable under the German Administrative Offences Act if they violate their supervisory duties; for example, failing to implement the necessary supervisory measures, resulting in criminal or administrative offences by employees in connection with the corporation’s business.

Under German competition and antitrust law, fines can amount to up to 10 per cent of group-wide turnover. In practice, particularly high fines are imposed with regard to price gouging.

3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

The Federal Republic of Germany consists of 16 federal states. In principle, criminal prosecution is the responsibility of the prosecution authorities organised at the level of those 16 federal states.

As a rule, the public prosecutor’s office in the district where the criminal act occurred will have responsibility. As regards criminal offences in connection with the business activities of a company, the district of the company’s registered office or the corresponding branch office will typically have responsibility. The legal basis for criminal prosecution is formed by the provisions of the Code of Criminal Procedure, the Administrative Offences Act and the Guidelines for Criminal Proceedings and Fine Proceedings.

There are several other enforcement and regulatory authorities at the state level, including the Federal Financial Supervisory Authority (BaFin), the Federal Office of Economics and Export Control (BAFA), the Federal Cartel Office (FCO) and the customs authorities. BaFin can issue various measures, from warnings and fines to the withdrawal of the licence to conduct banking business and the closing of business premises. The FCO is responsible for enforcing competition law. Customs and tax investigation authorities exist as enforcement agencies at both the state and federal levels.

4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

The public prosecutor’s offices are obliged to conduct investigations if there are sufficient factual indications of a prosecutable criminal offence that warrant an initial suspicion. However, this obligation only applies to the prosecution of individuals for criminal offences. Companies themselves cannot commit criminal offences owing to their lack of capacity to act and are therefore subject to the law on administrative offences. In administrative offences law, the decision regarding the initiation of proceedings is at the discretion of the respective authority. No initial suspicion is required there either. Investigations can be triggered, for example in antitrust law, by leniency applications or anonymous whistleblowers. With regard to the latter, German law has strengthened the protection of whistleblowers with the introduction of the Whistleblower Protection Act in July 2023. Therefore, it can be assumed that investigations will increasingly be based on information coming from within the company.

5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

In principle, investigative measures by the prosecution authorities, such as subpoenas for the provision of certain evidence, can be challenged; however, it should be taken into account that the competent authorities can independently search and seize in the event of refusal. Furthermore, it is possible that the authorities will be able to access significantly extensive material in the case of a compulsory search and seizure.

Subpoenas to appear and testify are an exception and cannot be challenged, as these could be ignored in the absence of a cooperation obligation under German law. Of course, any refusal to cooperate means that the advantages of cooperation cannot be realised.

6 Does your country make use of cooperative agreements giving immunity or leniency to individuals who assist or cooperate with authorities?

Under German law, cooperation with the authorities will be taken into account and help reduce the sentence; however, cooperation must not interfere with the state’s duty to ascertain the truth. Moreover, there is a general leniency programme for natural persons and rewards for the discovery of certain crimes enumerated by law. If an offender helps to uncover an act related to his or her crime, the sentence may be reduced or completely waived. In antitrust law, there is a statutory (leniency) provision enabling the prosecution authorities to grant immunity from punishment to a cooperating person. Both natural persons and companies can make use of this provision, the benefits of which range from a reduction of the fine up to the granting of immunity from prosecution, the latter usually being granted to the first person to cooperate. Nonetheless, other whistleblowers may also receive a substantial reduction in the fine imposed on them, depending on the extent of the evidence provided.

7 What are the top priorities for your country’s law enforcement authorities?

German law enforcement authorities continue with their efforts to combat classic white-collar crime, such as money laundering, tax evasion, corruption and fraud. In 2022, the competences of BaFin were expanded by the German legislator, especially in the light of the Wirecard scandal. This increased control is likely to prompt banks to report money laundering even more quickly and, therefore, lead to more investigations by public prosecutors. Equally, antitrust and data protection remain key topics for law enforcement agencies and continue to lead to high fines for companies in the event of violations.

Against the current backdrop of the Ukrainian war, violations of European sanctions have increasingly become the focus of investigations, particularly by BAFA and local law enforcement agencies.

As a more recent development, ESG matters are increasingly being targeted by the law enforcement authorities, including greenwashing (i.e., the false marketing of products as sustainable and environmentally friendly), environmental infractions and violations of the Supply Chain Due Diligence Act, which came into force at the beginning of 2023.

8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?

A compliance programme is not explicitly required by law; however, German company law obliges directors to ensure that employees at all levels of hierarchy act in accordance with the rules. It is the duty of the board of directors to ensure compliance with the legal provisions by means of organisational structures.

In certain industries, however, minimum requirements with regard to compliance are mandatory. In banking and finance, for example, these are the Minimum Requirements for the Compliance Function and Other Duties of Conduct, Organisation and Transparency (MaComp) and the BaFin Circular 10/2021, which sets out the Minimum Requirements for Risk Management (MaRisk). Certain requirements are also standardised in the area of anti-money laundering (the Money Laundering Act) and of due diligence in The Act on Corporate Due Diligence in Supply Chains. In 2022, the European Union adopted the Digital Services Act, which imposes numerous compliance obligations on intermediary services and aims to establish a safe, predictable and trustworthy online environment.

The existence of a compliance programme is equally relevant if a company is investigated for any illegal conduct. If the company has implemented a compliance programme that is appropriate to the scope of its business activities and its industry, this will be taken into account to reduce the fine.

Cyber-related issues

9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.

Cybersecurity regulation is based on various legal sources, mainly Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union and the IT Security Act. As in general, there are also different possible triggers for investigations by law enforcement authorities (e.g., anonymous tip-offs or media reports). What is unique in data protection law, however, is that an identified data protection breach must be reported to the competent data protection authority within 72 hours. This means that the company must trigger the investigation. In individual cases, notification of the data subjects may also be required. For operators of critical infrastructures, it may also be necessary to inform the Federal Office for Information Security. As in other areas, violations of data protection law may result in the imposition of fines.

10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

Cybercrime can occur in many ways and cover a wide range of criminal offences. The Federal Criminal Police Office describes malware, spam and phishing, ransomware and distributed denial-of-service attacks as central phenomena of cybercrime. The police and the public prosecutor’s offices of the federal states are responsible for combating cybercrime, whereby some public prosecutor’s offices have set up special cybercrime units. In addition, the Federal Criminal Police Office performs coordinating tasks at the national level, provides information and tools and, according to its own information, is the hub for international cooperation.

At the international level, Germany, as an EU Member State, has signed the Convention on Cybercrime (the Budapest Convention), which creates the framework for international cooperation with other EU Member States as well as the United States, Japan and Australia. At the European level, there is also close cooperation with Europol, and at the international level with Interpol.

Cross-border issues and foreign authorities

11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

German criminal law is applicable to all actions carried out within the territorial boundaries of Germany. However, under specific circumstances, criminal law extends its jurisdiction to cases where the offence has been committed abroad. This occurs primarily when a foreign offence is committed against or by a German individual, and (1) the act is also punishable according to the laws of the location where the crime occurred or (2) the crime scene is not subject to criminal jurisdiction.

Moreover, there are cases of foreign offences with a specific domestic connection or offences against internationally protected legal interests. The exceptions listed in the Criminal Code establish the applicability of German criminal law independently of the law of the crime scene.

12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

Under German law, management is obliged to investigate any suspicions regarding potential non-compliance within the corporation and to initiate appropriate countermeasures if the suspicions are confirmed; however, there is no separate set of rules for conducting internal investigations. Measures taken by the management nevertheless have to be sufficient and appropriate with regard to the specific case at hand; in other words, management has to take all necessary actions to clarify the suspicions that appear reasonable with regard to the gravity of the potential non-compliance and the possible damages. If authorities such as the public prosecutor or regulatory authorities are involved, it will often make sense to coordinate investigative measures with them. Although there is no obligation for authorities to cooperate with corporations subject to official investigations, it is quite common and sometimes expected by the authorities involved.

In any case, the requirements set forth by German labour law must be observed if the investigation concerns employees; for example, if a works council is established, it must be involved in the investigative measures. Furthermore, the rather short notice period (two weeks) must be observed if an employee has to be dismissed. In addition, data protection law may require informing employees of investigative measures if their personal data is processed (e.g., during an e-search). In some cases, employees’ consent and the redaction of personal data may be necessary.

In contrast to common law principles, German law does not provide for an extensive legal privilege. German criminal procedure law contains stipulations merely protecting communication between a defendant (i.e., an individual) and its defence counsel. Thus, work-products prepared by legal advisers to corporations are typically not protected by a legal privilege. Furthermore, in-house counsels are not covered by any legal privilege. In consequence, ensuring a potential legal privilege under foreign law is key when planning and conducting cross-border investigations.

Blocking statutes in other jurisdictions (e.g., Australia, Canada, France, Switzerland and China) may be a stumbling block in cross-border investigations. When transferring data to recipients outside the European Union, corporations and their (legal) advisers must observe the requirements of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation); for example, transfers of personal data at the request of foreign authorities are typically permitted only through established routes, such as under mutual legal assistance treaties.

13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

The constitutionally enshrined prohibition of double jeopardy applies in Germany and establishes that no one can be punished or sanctioned twice for the same criminal offence. It should be noted, however, that this prohibition applies only to sanctions imposed by German or other European authorities and courts. This means that German authorities and courts are not obliged to consider fines imposed by other foreign entities and these do not prevent a subsequent German sanction. Nonetheless, they can be taken into account when determining the fine.

In principle, a procedure corresponding to the US ‘anti-piling-on’ policy does not exist in Germany. If multiple law enforcement authorities are involved in the same matter, they all act in parallel according to their respective jurisdiction. In some cases, however, there are legal provisions that combine responsibilities; for example, the public prosecutor’s office is also responsible for prosecuting an administrative offence in the context of criminal proceedings, unless the law provides otherwise.

14 Are ‘global’ settlements common in your country? What are the practical considerations?

German law does not provide for a framework regarding ‘global’ settlements. Thus, there is no common best practice in this regard. However, depending mostly on the complexity of the case, German authorities may cooperate with foreign authorities; for example, the settlement of the Siemens corruption scandal involved US and German authorities simultaneously.

15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

German authorities generally are not bound by the decisions of foreign authorities but execute their investigations and decisions independently. Thus, decisions made by foreign authorities have no influence on the investigation of the same matter in Germany. However, decisions by foreign authorities may de facto be relevant for proceedings carried out by German authorities, especially in respect of cross-border cooperation between authorities or international legal assistance granted by foreign authorities. Furthermore, judgments by foreign courts may become enforceable if they are acknowledged by a German court.

With regard to matters concerning competition and anti-trust law, the Federal Cartel Office (FCO) keeps track of investigations in other jurisdictions and fines imposed by foreign authorities by participation in the International Competition Network and the European Competition Network. Nevertheless, the FCO will decide autonomously. Additionally, the European Commission may investigate and impose fines in cross-border cases.

Economic sanctions enforcement

16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

Sanctions are based on measures imposed by the United Nations, the European Union and national authorities. However, most restrictions are primarily determined by EU law through regulations, which have direct effect in Germany without the need for further national implementation. United Nations sanctions, on the other hand, require implementation at the state level.

In exceptional cases, EU Member States can impose (temporary) measures in the area of capital and payment transactions themselves. In Germany, this is done based on the Foreign Trade and Payments Act.

Various federal and state authorities collaborate in the operational implementation of sanctions. The Service Centre for Financial Sanctions of the German Federal Bank is responsible for implementing financial sanctions, with commercial banks and insurance companies also engaging directly in operational activities. The Federal Office for Economic Affairs and Export Control is responsible when prohibitions or licensing requirements concern the supply of goods or the provision of non-financial services. The Customs Office also provides support in this regard. Finally, the newly established Central Office for Sanctions Enforcement, which began its work on 1 January 2023, has investigative and monitoring tasks, particularly for ensuring compliance with freezing and asset transfer bans resulting from EU listings. This authority will coordinate the work of the relevant enforcement agencies in Germany.

Currently, sanctions imposed by the European Union against Russia (including economic sanctions, targeted restrictive measures (individual sanctions) and visa measures) are of particular relevance. Economic sanctions aim to effectively prevent Russia’s ability to continue its aggression. They cover various areas, including trade with Russia, imports and exports to and from Russia, business relations of EU Member States regarding oil from Russia, the transportation sector, the banking system and the Russian media. Individual sanctions target individuals responsible for supporting, financing or carrying out actions undermining the territorial integrity of Ukraine, or benefiting from such actions. This involves freezing the accounts of the relevant individuals and organisations at EU banks and prohibiting the direct or indirect provision of funds or assets to them.

17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

Violations of applicable sanctions can result in both fines and imprisonment. Particularly in recent times, owing to the conflict in Ukraine, the pursuit and punishment of sanctions violations have increased.

18 Do the authorities responsible for sanctions compliance and enforcement in your country cooperate with their counterparts in other countries for the purposes of enforcement?

Yes. Regarding the sanctions against Russia, coordination at the G7 level is carried out through the Task Force Russian Elites, Proxies and Oligarchs and the Enforcement Coordination Mechanism. At the EU level, the Freeze and Seize Task Force serves as the central forum for discussing and coordinating further actions. In early 2023, an EU Sanctions Coordinator, David O’Sullivan, was appointed to internationally coordinate the enforcement of EU sanctions, primarily against Russia. Germany also collaborates internationally in other areas of sanctions.

19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

Council Regulation (EC) No. 2271/96 (known as the EU Blocking Statute) aims to protect EU economic operators from the effects of extraterritorially effective sanctions. The core content of the Regulation is the prohibition of complying with the sanctions provisions listed in the annex. An exception to this exists if the European Commission has granted an exemption. Conversely, the Regulation grants EU citizens and companies the right to seek compensation for damage incurred as a result of the application of the sanctions provisions.

20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

Pursuant to Article 9 of the EU Blocking Statute, EU Member States are responsible for enforcing sanctions in the event of a violation of the Regulation. In Germany, a violation is not subject to criminal penalties; the individual involved only commits an administrative offence, leading to a fine of up to €500,000. The responsible authority is the main customs office.

Additionally, the European Commission has published a document for the enforcement of the EU Blocking Statute, which serves as non-binding guidelines for the application of the individual provisions of the Regulation.

Before an internal investigation

21 How do allegations of misconduct most often come to light in companies in your country?

In most cases, suspicions regarding potential misconduct arise within a corporation predominantly in the course of reviews carried out by internal audits or revisions, or by whistleblowers through internal reporting mechanisms. In addition, allegations are frequently raised by involved parties outside the corporation (e.g., financial or regulatory authorities, or by investigative media coverage). Sometimes, allegations can be traced back to reports made by third parties, such as complaints filed with the public prosecutor or other authorities.

Information gathering

22 Does your country have a data protection regime?

Yes. Personal data of citizens is protected by the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR) and the German Federal Data Protection Act. Additionally, more specific regulations exist for certain sectors, such as the field of credit institutions. The central principle in all data protection law is the prohibition principle; this means that the processing of personal data is generally prohibited and is only permitted by way of exception if the conditions of one of the permission standards of the GDPR apply. In some cases, companies are obliged to process certain data, but for them, the permissibility criteria of consent and overriding legitimate interest are of particular importance.

23 To the extent not dealt with above at question 9, how is the data protection regime enforced?

Compliance with the GDPR and other national regulations is supervised and monitored by the supervisory authorities, including the Federal Commissioner for Data Protection and Freedom of Information, as well as the state supervisory authorities. Additionally, each of the 16 federal states has its own data protection officer.

If a supervisory authority becomes aware of a breach of a data protection provision, it can issue a warning to the responsible party or issue instructions, orders or processing bans. In addition, or instead, the supervisory authority can impose a fine of up to €20 million or 4 per cent of global annual turnover, whichever is the greater. Furthermore, a criminal offence may be committed if non-publicly accessible data is processed without authorisation and the act is committed on a commercial basis, for remuneration, or with the intent of enrichment or causing harm.

24 Are there any data protection issues that cause particular concern in internal investigations in your country?

In general, conducting an internal investigation requires a prior assessment of the legal admissibility of the envisaged steps (e.g., email reviews, interviews) under German data protection law (i.e., the GDPR and the Federal Data Protection Act). The collection and processing of employees’ personal data during an internal investigation is typically allowed under German data protection law if it is required to investigate suspicions of criminal offences committed by particular employees. Data protection law does not prohibit investigative measures concerning employees’ personal data if (1) there are factual indications supporting the suspicion that an employee has committed a criminal offence within the employment relationship, (2) the processing of personal data is necessary to investigate the offence, and (3) the employee’s interests prevail in the specific case.

In addition, employees whose personal data is processed during the investigation need to be informed about the subject and purpose of the investigation and their rights under data protection law; however, this does not apply if the information would interfere with the objective of the investigation (which often will be the case).

If personal data is transferred to entities other than the employing company during the investigation, a data processing agreement typically needs to be concluded prior to the investigation.

According to certain opinions in legal literature and jurisdiction, additional requirements may apply if the company allows private use of its information technology (e.g., email accounts, telephones, mobile devices). As a precautionary measure, it may be advisable to filter out private information before beginning the review.

25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

Monitoring employees is neither inherently allowed nor prohibited under German law; however, any interception of employees’ communications must be in line with the legal requirements under data protection law and telecommunications law. If there is a concrete suspicion regarding potential misconduct by certain employees, their business communications are likely to be reviewed, as the employer’s interest in investigating possible violations of duties will often outweigh the employees’ interest to protect their business communications from review. This generally also applies if the private use of the company’s communication tools (e.g., computers, mobile devices, email accounts) is permitted; however, any communications of private nature must be excluded from the review.

In any case, the employer must document the indications justifying the monitoring in advance. Monitoring telephone conversations of any kind without the consent of the participants is completely prohibited.

Specific regulations must be adhered to for business communications between financial institutions and their customers. Depending on the business area, internal communications are also subject to these regulations.

Dawn raids and search warrants

26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

Searches and raids can be carried out on companies as well as individual persons. They can occur out at any time, including in the early hours of the morning, provided that the prerequisites are fulfilled. Searches carried out by public prosecutors and any agencies cooperating with them require the prior issuance of a search warrant by a court. In the event of imminent danger, a search warrant may exceptionally be omitted.

As with any coercive measure, both the search and the seizure of documents must be suitable, necessary and proportionate, in particular to achieve their purpose (i.e., to find evidence). They can be challenged in court; however, the legal remedy has no suspensive effect. If the search was unlawful, the seized objects must be returned afterwards.

27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

Only a very limited attorney–client privilege applies in Germany. An attorney–client privilege that protects all communications between client and attorney, in particular in respect of in-house counsel, does not exist within the German legal system. The attorney–client privilege that does exist is only for written correspondence between the defence attorney and the client that is in the defence attorney’s custody and for documents prepared by the defence attorney in this matter. It is advisable, therefore, to establish a direct defence relationship at an early stage and to mark this potentially privileged material.

Even in the context of searches and raids, the individual should simply advise the law enforcement authorities that certain documents are privileged. Independently setting aside documents relevant to the evidence carries the risk of criminal liability for obstruction of justice. If one behaves cooperatively throughout the duration of the proceedings, it is also likely that privileged material will not be seized by the law enforcement authorities.

28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

Protection against self-incrimination applies in Germany, according to which the accused or the person affected by the investigation does not have to make any statements. This applies in any case to natural persons, and according to controversial opinion also to legal persons (i.e., also to companies). Witnesses, on the other hand, must always testify, unless they have a right to refuse to testify or they may refuse to testify if they would incriminate themselves or a relative. If a witness refuses to testify without a permissible reason, a fine or even imprisonment may be imposed on the witness.

Whistleblowing and employee rights

29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

The Whistleblower Protection Act, which implements Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (with some additions), came into effect on 2 July 2023. The Directive and the implementing law constitute requirements for the establishment of reporting channels and, notably, provide comprehensive protection for bona fide whistleblowers against retaliatory measures. Additionally, companies with 50 or more employees are obliged to establish whistleblowing systems.

Whistleblowers are not currently incentivised through financial rewards to provide information and disclose internal violations. Although such a regulation would be permissible under European law, German lawmakers have so far decided against it owing to the risk of abuse through false information.

30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

A distinction must be made between the employee’s duty to provide information, for example in the context of internal investigations, and the subsequent use of the results of any such interviews.

Despite a potential conflict with the employee’s protection against self-incrimination, which is directly applicable at least in criminal proceedings, it is predominantly assumed that the employee is obliged to cooperate fully and to share knowledge with the employer. Therefore, it is advisable to inform the employee that any statement may be used by the law enforcement authorities. Also, the employer has the duty to inform the suspected employee in advance about the purpose of the questioning.

Further, it can be assumed that the findings obtained in an interview are admissible in the subsequent criminal proceedings, as the Federal Constitutional Court declared in its Volkswagen AG/Jones Day decision in 2018 that the seizure of interview transcripts prepared by an external law firm was constitutional.

There is a legal distinction between directors and officers, as the former are usually not employees of the company. Nevertheless, serious misconduct can lead to disqualification for all persons in the company. Directors and officers have a higher duty of loyalty to the company as compared with an ordinary employee.

31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

In principle, workers’ rights do not depend on whether a worker is suspected of misconduct. It also makes no difference whether the suspicion is within the company or whether the prosecuting authorities are already investigating. Since German labour law always seeks to achieve a balance between employer and employee interests, various measures may be required, depending on the timing and the stage of the investigation. If a criminal investigation has been initiated against the employee, the conclusion of the investigation should generally be awaited before dismissal. The company must react appropriately as soon as any suspicion has been confirmed. Various measures can be considered, from a warning to a transfer or even termination without notice. In individual cases, the employee may also have made himself or herself liable to pay damages to the company. In such a case, the company management is obliged to assert these claims in court if necessary. Case law on the question of what measures are permissible against the employee has now been largely clarified.

In addition, fostering the company’s compliance programme may also be necessary. If deficiencies in the compliance management system become apparent, management is required to address these deficiencies so that such violations are avoided in the future or at least made significantly more difficult. As a consequence, management must initiate not only remediation of the concrete violations but also improvement of the company’s compliance management programme to prevent future violations. Any failure to do so may constitute a violation of the management’s supervisory duties and result in liability of the management towards the company as well as possible fines against the company or the management (or both) in the case of recurring compliance issues.

32 Can an employee be dismissed for refusing to participate in an internal investigation?

As employees are obliged to cooperate in internal investigations and to provide relevant information, the violation of this obligation can be sanctioned by the company as with any other breach of duty. Termination without notice may be permissible in individual cases, following a warning. However, it must be ensured that the company complies with its obligations ahead of such an interview; in particular, it must not put the employee under undue pressure.

Commencing an internal investigation

33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

Typically, the methodology, elements and settings of the course of an investigation are set out in advance on an investigation map. This will generally describe:

  • the scope of the investigation (e.g., specific allegations or suspicions, relevant entities and jurisdictions, subjects of the investigation, and relevant areas of law);
  • the methodology, including forensic measures )e.g., email and document review, interviews, site visits);
  • coordination with other parties (e.g., counsels, advisers or forensic services providers); and
  • timing and costs.

The investigation map is subject to constant review and amendments to reflect findings and changes to the factual circumstances. Updates to the investigation map are normally subject to regular update calls.

34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

German corporate law requires managers to both observe legal requirements and duties themselves and to ensure that the company and its employees, within their employment relationship with the company, act in accordance with the applicable laws and its business. Thus, management is required to monitor compliance within the company. Should any reasonable suspicion arise pointing to a potential violation of legal requirements, management is obliged to investigate. Typically, the management only has limited entrepreneurial discretion when deciding whether to investigate a suspicion, as in many cases – especially potentially serious misconduct and criminal offences – it is obliged to clarify the facts. On the other hand, under the business judgement rule, management has considerable entrepreneurial discretion regarding the actual forensic measures of an investigation. Since management is obliged to act in the best interests of the company, it has to take into account the expected effectiveness of the investigative measures (i.e., the likelihood of results produced by them), the gravity of the potential non-compliance and the implications of both the potential non-compliance and the investigative measures to the company and its business, including possible damages and reputational issues, resources of the company, anticipated costs of the investigation and future infringements.

Depending on the size of the company and its business, and therefore the extent of the risk and the effects of potential non-compliance, management has to implement preventive measures to ensure compliance within the company and to enable itself to take effective remediation measures if necessary. To this end, management may delegate certain aspects of its supervisory duties to appropriate functions within the company, such as compliance, legal and audit departments. However, the duty to properly staff these functions, to provide them with the means to fulfil their duties and to supervise them remains with the management. Most importantly, management has to establish adequate reporting lines within the company to ensure that it is regularly updated with relevant information regarding the status quo as well as possible suspicions regarding potential non-compliance on an ad hoc basis. In addition, management has to provide comprehensive information in this regard to the supervisory body (if established) and potentially other relevant corporate bodies.

35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

Under German criminal law, destroying or tampering with evidence can be a criminal offence and can lead to serious consequences for both individuals and companies. Therefore, all possible steps to prevent the loss of or tampering with evidence should be taken. It is highly advisable to order a document hold, including email inboxes and other relevant data. At the same time, data protection laws in particular must be respected.

Furthermore, the company should assess whether it wants to comply with the order or subpoena as cooperation can be advisable in many situations. The company should equally consider initiating its own investigation, since knowing the underlying facts will help to assess a strategy for the further proceedings; in any case, the executive board is obliged to investigate any indications of violations of the law within the company.

36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

Companies do not have to always publicly disclose internal investigations or investigations by prosecuting bodies under German law. Only listed stock corporations may be obliged to make an ad hoc announcement if the (internal) investigations are of a scope that could affect the share price, for example from a loss of reputation. The obligation may also arise at a later stage of the investigation. This is intended to ensure transparency for all investors and the prevention of insider trading.

37 How are internal investigations viewed by local enforcement bodies in your country?

In most cases, internal investigations are tolerated or sometimes even welcomed by law enforcement authorities, especially in complex and time-consuming matters. They can be seen as a form of cooperation and help to avoid coercive measures by law enforcement agencies. However, in most cases it is important to establish an open line of communication with the authorities, otherwise it could be seen as interference with the official investigation.

Furthermore, internal investigations are necessary to determine a strategy of defence for further proceedings and are unavoidable for most companies in any event.

Attorney–client privilege

38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

There is no comprehensive attorney–client privilege in Germany. Only written communications between the defence lawyer and the client, and the defence lawyer’s documents created in this context, are protected from seizure. The fact that documents are relevant for internal investigations and are used for this purpose does not trigger protection against confiscation. Therefore, documents of any kind, such as invoices, communications between employees, notes and employee interview protocols can be seized by the German law enforcement authorities. In its Volkswagen AG/Jones Day decision in 2018, the Federal Constitutional Court commented for the first time on the seizability of documents from internal investigations and affirmed it. Specifically, it concerned the seizure of interview transcripts and reports during a search at a US office of the law firm Jones Day.

It is possible that the same law firm is mandated with both the defence mandate and the investigation mandate. In this case, the documents from the respective mandate should be strictly separated and the privileged documents should be marked. A cooperative attitude with the law enforcement authorities and an indication to them that certain documents are privileged material is most likely to avoid an inadmissible seizure.

39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

The attorney–client privilege, which only applies to a limited extent in Germany, does not differentiate between the defence of a natural person or a company. Privilege is granted if the documents are part of the correspondence between the defence lawyer and the accused against whom state prosecution proceedings are pending or are notes made by the defence lawyer in this context.

40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?

Under German law (in line with case law of the Court of Justice of the European Union), in-house lawyers cannot benefit from the attorney–client privilege as, owing to the employment relationship, they lack the necessary independence from the companies. This privilege applies only to externally commissioned defence lawyers.

41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?

Foreign law firms whose principal place of business is outside the European Union cannot generally invoke fundamental rights and, therefore, not the attorney–client privilege. This also applies if German lawyers of an international law firm work in their German office, as the search and seizure measures would affect the professional sphere of the law firm, but not the lawyers.

42 To what extent is waiver of the attorney–client privilege regarded as a cooperative step in your country? Are there any contexts where privilege waiver is mandatory or required?

The disclosure of documents relevant to an investigation is always considered cooperative behaviour, regardless of their status as privileged. There is no (legal) obligation to waive the attorney–client privilege in Germany.

43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

No such concept exists under German law.

44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

The waiver of rights abroad has no effect on rights in Germany.

45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?

No such concepts exist under German law.

46 Can privilege be claimed over the assistance given by third parties to lawyers?

An extension of privilege may be invoked insofar as the third party has been instructed by the defence counsel and the latter assists the third party for defence purposes.

Witness interviews

47 Does your country permit the interviewing of witnesses as part of an internal investigation?

In principle, it is the company’s decision whom to question. However, only the employees of a company are obliged to testify in principle.

48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?

In principle, documents prepared by the defence counsel for the purpose of defending the client are subject to the attorney–client privilege. In theory, no distinction should be made as to whether the documents are witness interviews or other defence documents; however, interview reports should be marked as privileged if they stem from the defence mandate, specifically, if the same law firm is responsible for both the internal investigation and the defence.

49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

There are no specific legal requirements on how employee interviews should be conducted. It is always recommended that employees are informed of the fundamental obligation to provide comprehensive information and that they must cooperate. In some circumstances, especially in more complex matters, employees should be granted the right to consult legal counsel. They should also be informed that their statements may be used in any legal proceedings against them.

Regarding the impending labour or civil law measures, an amnesty agreement may be advisable under certain circumstances. In this context, the employer can promise the employees that, in the event of complete and truthful disclosure, the employer will refrain from imposing sanctions under labour and civil law, such as dismissal or the assertion of claims for damages. Since management is obliged to act diligently, the waiver of these rights and claims must be reasonable.

50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

Before conducting an interview, the interviewees are typically informed about their rights and duties with regard to their participation. This requires adequate preparation, especially with regard to labour and data protection law. In particular, interviewees have to be informed with regard to the processing of personal data in the course of the interview. Failure to adequately inform the interviewees may negatively affect the possibilities to make use of the information obtained in the interview with regard to further legal measures (e.g., sanctions under labour law and further investigations carried out by the authorities). Early involvement of the works council may be required under works agreement but may generally be advisable to maintain a cooperative way of communication.

Interviews are normally conducted along the lines of a questionnaire prepared by the company and its legal advisers, which is often based on the results of a prior document-based investigation. The interview may be conducted either during a physical meeting between the participants, typically on the company’s premises or in the legal advisers’ office, or remotely by way of a video call. However, there are situations in which the non-verbal behaviour of an interviewee may be relevant and, in consequence, a meeting in person is preferable. In any case, the confidentiality of the interview has to be ensured (e.g., when sending email invitations containing dial-ins). During the interview, documents may be presented to the interviewee to illustrate questions, to confront the interviewee with findings or to refresh memories.

Employees are obliged to participate in interviews conducted within the course of an investigation. It is widely understood that employees are allowed to have their own legal adviser or witness counsellor if the interview is conducted by external legal advisers. Although employees have to bear the costs of their own legal advisers, companies may voluntarily elect to partially or fully bear their expenses depending on the circumstances. Sometimes, companies have internal policies in place (especially works agreements), according to which the company has to provide legal assistance to its employees with regard to internal investigations.

Although employees do not have the right to be accompanied by a member of the works council during an interview, companies will often grant such a request, since close and trusting cooperation with the works council is in the interests of the company. This applies in particular if disciplinary actions are potentially required as remediating measures.

Reporting to the authorities

51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

There is no general obligation to report ones own or third-party breaches or violations within the company to law enforcement authorities. However, the following exceptions exist: when correction of a tax return is required; when there is a suspicion of the future commission of a serious crime (from within the company); in certain cases of a cyber or data breach; and in some circumstances when there is a suspicion of money laundering. For members of the company management, a report to the law enforcement authorities may be obligatory from a criminal law perspective if the commission of a criminal offence from within the company is imminent and criminal liability of the individual is to be avoided.

52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

A voluntary self-report can offer a variety of advantages for a company. In some areas of law, the legislator provides for immunity from prosecution in the case of an effective and conclusive self-report. This is the case, for instance, in tax law, competition law, foreign trade law and anti-money laundering law. Even if there is no provision for leniency, German sanctioning law allows for a voluntary self-report to be taken into consideration to reduce fines and sentences.

Aside from leniency, a company can have an interest in a criminal prosecution by external investigative bodies with significantly more far-reaching investigative powers and the right to inspect files to help with insurance claims.

Moreover, a self-report can be advisable in situations where it is likely that an infringement will be reported by other parties, for instance employees or competitors. In some situations, a self-report can also help to protect the reputation of the company and to take control of the media situation.

However, each situation must be assessed individually, especially since there is no control over the reaction of the law enforcement authorities once a self-report has been disclosed.

53 What are the practical steps needed to self-report to law enforcement in your country?

In practice, the company needs to investigate the facts surrounding the infringement and have an accurate understanding of the situation. In most cases, the law offers leniency only if the self-report is accurate and conclusive. Companies should carefully consider which persons could be considered as perpetrators of or accomplices to the offence. If possible, the self-report should include all persons who are at least partially responsible for the offence, since leniency will only extend to those who have been specifically named.

Before filing a self-report, a company’s external counsel could also consider approaching the authorities beforehand to assess the situation and signal cooperation.

Responding to the authorities

54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

The right to a fair trial applies to companies as well as individuals. Therefore, they can comment on the allegations both before and after the charges are brought.

If a company opts to contact the authorities, it must first decide on the basic strategic question of cooperation versus confrontation. The approach is heterogeneous and often differs. The company can then give its own assessment of the facts and the legal situation and indicate to what extent it is willing to cooperate. In addition, successful cooperation and communication can prevent further searches by the authorities and scandals in the media.

55 Are ongoing authority investigations subject to challenge before the courts?

Under German law, ongoing investigations cannot be challenged – only individual investigative measures.

56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

Before responding to the various notices and subpoenas, the company needs to consider various aspects. Even though each request should be handled individually, it is likely that law enforcement agencies will communicate and cooperate with each other, especially within the European Union. Therefore, if answers and data are disclosed, responses should be consistent.

Furthermore, data protection issues need to be carefully assessed, especially when it comes to the data and messages of employees.

57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for and produce material in other countries to satisfy the request? What are the difficulties in that regard?

There is no specific law that requires foreign material to be surrendered; however, the authorities can always try to obtain the material via legal assistance directly. As with any other request by the authorities, the company can consider cooperating with the authorities to demonstrate good will. In any event, data protection laws must be respected.

58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for cooperation with foreign authorities?

International cooperation between law enforcement authorities is usually carried out through mutual legal and administrative assistance, which is granted to one state by another at its request; however, cooperation in criminal matters within the European Union, which is based on the principle of mutual recognition, differs from classic mutual legal assistance. It requires a higher degree of cooperation with the aim of replacing slow legal assistance proceedings. Most importantly, judicial decisions of other EU Member States must be recognised, even if the application of one’s own national legal system would lead to a different result.

59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

Generally, personal information obtained during an investigation is confidential and protected by data protection laws; however, law enforcement agencies can share information with each other, especially when suspicion of misconduct arises.

Moreover, third parties can request access to files, but must prove a prevalent interest – factual, economic or non-material.

60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

In this case, it is advisable to contact the authorities and point out the legal difficulties in producing the material. Moreover, the subpoena could be challenged in court. In this case, law enforcement agencies could still seek international assistance. However, even if it does get hold of the documents, the company would not be forced to violate foreign law.

61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

The transmission of certain information as evidence in foreign judicial or administrative proceedings by private parties is not prohibited by law per se; however, subpoenas and other orders issued by a third country can only be enforced if they are based on an inter­national agreement with Germany or the European Union. If such an international agreement is lacking, the requirements for data transfer under general data protection law must be met. Other general, overarching confidentiality obligations must also be observed.

In addition, agreements on secrecy or other confidentiality obligations under private law may have been concluded with business partners that prohibit the transfer of certain information.

62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

Under German law, there is no differentiation between the use of compelled and voluntarily produced material; however, if there are any links to a foreign investigation or litigation, privilege under foreign law should be carefully assessed. Under the Anglo-American legal system, but also with regard to European competition law, it must be noted that disclosure of internal documents can be interpreted as a waiver of legal privilege (i.e., the attorney–client privilege).

Prosecution and penalties

63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

In this context, a distinction must be made under German law between the natural persons acting and the company. Natural persons can be criminally prosecuted, so that a fine or imprisonment can be imposed on them, but also various secondary consequences (such as loss of official capacity or professional bans). If criminal sanctions are not imposed, fines of up to €10 million may be imposed on persons acting within the management of the company if the conditions are met, if they have failed to organise and supervise the company in such a way that the commission of criminal offences and administrative offences is at least made considerably more difficult.

As it stands today, only a fine can be imposed on the company, which can be as much as €10 million per offence, or more if the profit from the violation is greater. Another prerequisite for this is that the company management has violated its supervisory duty regarding the prevention of criminal offences and administrative offences in and from the company.

Finally, certain violations are entered in a competition register, which is taken into account for public tenders.

64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

It is possible that law enforcement agencies will use the information of a settlement to further a suspension, debarment or other restrictions since any infringement abroad can be taken into account. Therefore, the company should take further steps to prove its reliability and prevent illicit behaviour in the future. This could mean implementing or revising its compliance management system, exchanging employees and cooperating with the authorities.

65 What do the authorities in your country take into account when fixing penalties?

The determination of the sanction is at the discretion of the competent authorities and courts. In general, however, the following circumstances must be taken into account: the seriousness and extent of the offence; the motives and objectives of the offender; the attitude arising from the offence; the will expended in the offence; the degree of breach of duty; the conduct prior to the offence; the personal and economic circumstances of the offender; and conduct after the offence, including the effort to repair the damage. If the sanction is imposed on a company, most of these criteria can be applied accordingly.

Resolution and settlements short of trial

66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

Neither non-prosecution agreements nor deferred prosecution agreements are legal instruments available under German law to the authorities, especially the public prosecutors. Although there are no legal provisions acknowledging deals, there are, in practice, lots of cases in which criminal proceedings are settled without public court proceedings. Normally, this requires full cooperation by the companies and individuals involved; for example, the involved companies will conduct internal investigations in close coordination with the authorities and provide them with the results. If the facts of the case are clarified to the satisfaction of the authorities involved, the authorities and the defendants will agree on closure of the official investigation and certain conditions that have to be met by the defendants. Typically, the defendants will agree to pay a fine (as negotiated between the parties) and to implement certain remediation measures. Closure of the investigation may be subject to approval by the competent court, depending on the status of the official investigation. To achieve a settlement, communication between the company and the involved authorities and full cooperation are key.

67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

Under German law, criminal proceedings against individuals are carried out completely independently of proceedings against the company and their status. Thus, there are no provisions regarding reporting restrictions or anonymity in this regard.

68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

The company needs to take several different aspects into account when considering a settlement with a law enforcement authority, such as:

  • avoiding a conviction and its consequences, such as an entry on the German commercial register;
  • calculating monetary and reputational effects;
  • avoiding negative effects on daily operations through ongoing investigations; and
  • effects of public debarments of the company.

The management decides at its discretion whether to enter into a settlement with a law enforcement authority. This decision is generally covered by the business judgement rule under German law and, therefore, is subject to limited judicial review if the management decides based on adequate information, is not biased by extraneous interests and acts for the benefit of the company. When taking the decision, the management must weigh any relevant aspects arguing for and against the settlement. Furthermore, the supervisory body must be involved if any approval requirements have to be observed. The decisions of corporate bodies and the considerations on which they are based should be documented.

Before agreeing to a settlement, the company should also ensure internal decision-making processes are complied with.

69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

German law does not provide for the use of external corporate compliance monitors.

70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

Parallel civil actions are admissible; however, the civil courts may stay the proceedings until the criminal proceedings in the same matter are concluded.

Private individuals may request access to files, provided they can claim a legitimate interest and the person concerned has no interest worthy of protection.

Publicity and reputational issues

71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

Generally, investigations are not public; however, in high-profile cases, law enforcement agencies do issue public statements and disclose at least some information about the case.

In addition, some law enforcement authorities disclose investigations if there is a valid public interest. For instance, the Federal Financial Supervisory Authority (BaFin) often publishes measures to protect the financial market and to inform the public and market participants of what conduct it considers to be a violation.

Furthermore, once a case goes to court, all proceedings are usually public and only extraordinary circumstances lead to a protection of privacy.

72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

In the event of a public investigation, it is not uncommon for law firms to help prepare statements and press releases. The company should also liaise with individual customers, suppliers, financiers or other business partners to keep good faith. In some cases, public relation managers are hired; however, in these instances, it is imperative to carefully avoid overlapping strategies when it comes to the defence of the company.

73 How is publicity managed when there are ongoing related proceedings?

Publicity management can go two different ways: First it can mean issuing a statement on the company’s behalf. During an ongoing investigation, this statement can usually only be very broad, unless the relevant facts are already clear or the allegations are not true.

Furthermore, managing publicity can also mean challenging unlawful press coverage in court. German law enables continuing coverage to be stopped via an interim injunction. This can be equally important as public prosecutors often use information published in the media about alleged wrongdoings to initiate investigation proceedings.

Duty to the market

74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

There is no general obligation to disclose such settlements. An obligation to disclose may only exist for listed stock corporations if the settlement could significantly influence the share price. In this case, the company is obliged to make an ad hoc announcement to ensure transparency for all investors and the prevention of insider trading.

Environmental, social and corporate governance (ESG)

75 Does your country regulate ESG matters?

ESG issues are subject to legal regulation in Germany and are becoming increasingly important on both a national and an international scale. They include, in particular, human and labour rights, diversity and inclusion, the environment, health, data protection and corruption. Regulations are implemented by national and EU legislators.

German commercial law has so far required large German companies as well as banks and insurance companies to report non-financially. This was a result of the implementation of the Non-Financial Reporting Directive ((EU) 2014/95) issued in 2014. It was revised at the end of 2022 (Corporate Sustainability Reporting (CSR) Directive ((EU) 2022/2464,)) and the scope of its application expanded. In particular, unlisted and relatively smaller companies can now be covered by the regulations. The new CSR Directive is intended to give sustainability reporting as important a status as financial reporting. On 31 July 2023, the delegated act on the European Sustainability Reporting Standards (which Member States are required to transpose into their national law) was issued.

Furthermore, the EU Sustainable Finance Disclosure Regulation (SFDR) ((EU) 2019/2088) sets transparency requirements for financial market actors to ensure that investors are informed about the ESG aspects of financial products. The aim is to make it easier for investors to choose from the many sustainable investment strategies now available in the European Union. The regulation requires asset managers and investment advisers to make specific disclosures at the company level about how they deal with sustainability risks and adverse impacts. In addition, asset managers must also comply with transparency in remuneration policies.

The Act on Corporate Due Diligence in Supply Chains, which came into force on 1 January 2023, requires large companies in Germany to consider and report on ESG aspects along their supply chain. This applies in particular to environmental and social standards.

Furthermore, under Regulation (EU) 2017/821 of the European Parliament and of the Council of 17 May 2017 establishing supply chain due diligence obligations for Union importers of tin, tantalum and tungsten, their ores, and gold originating from conflict-affected and high-risk areas, EU importers of conflict minerals have comprehensive due diligence and verification obligations along the supply chain, which aims to reduce the financing of violence and human rights abuses in conflict-affected or high-risk areas.

In addition, there is the European Green Deal, a concept of the European Commission, the aim of which is to make Europe the first continent to become climate neutral by 2050. This is to be achieved with the help of a wide range of measures aimed at reducing net greenhouse gas emissions in various sectors to zero.

The German Corporate Governance Code also contains recommendations on good corporate governance, including ESG aspects such as sustainability, environmental protection and social responsibility. Finally, many German banks have signed up to the UN Principles for Responsible Banking to address ESG risks in their business activities.

Overall, Germany is implementing regulations and measures to demand and promote sustainability and responsible behaviour in business and financial markets.

76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?

Directive (EU) 2022/2464 (the Corporate Sustainability Reporting Directive) was published on 16 December 2022 and must be implemented in German law within the subsequent 18 months. In addition, ESG issues are always under development, so that improvements and changes can be expected to continue.

77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?

Several legal disputes on ESG-related issues have been pending in recent years. Private individuals in particular want to achieve more climate protection through civil lawsuits. So far, however, ‘civil climate protection’ has not been achieved. Also notable are the German ‘climate lawsuits’ against well-known car manufacturers, trying to prevent sales of vehicles with combustion engines beyond the year 2030, which were unsuccessful at least in the first instance.

In this context, it should be noted that the European Parliament decided this year that, after 2035, only passenger cars that do not run on diesel or petrol may be newly registered in EU Member States. An exception applies to ‘e-fuels’.

Furthermore, a Peruvian farmer sued the German energy supplier RWE for damages at the end of November 2015. He accuses the company of being partly responsible for climate change because of the carbon dioxide emissions it produces, which in turn leads to the melting of glaciers in the Andes and threatens his house. After a claim was rejected in the first instance, the case is now pending before the Higher Regional Court of Hamm.

Finally, in 2021, the Federal Constitutional Court declared the Climate Protection Act partially unconstitutional, justifying this by stating that the German legislature had provided too few specific requirements for the reduction of carbon dioxide emissions after 2031. In June 2023, the Federal Cabinet passed and launched an updated Climate Protection Act.

Anticipated developments

78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

The Whistleblower Protection Act transposing Directive (EU) 2019/1937 into German law came into force in July 2023, including regulations that go beyond the Directive. As a result, it is to be expected that whistleblowing procedures will increase in number, but also that more violations will be uncovered and significantly more investigations will be carried out both internally and by the state.

To improve the prosecution of corporate misconduct and to ensure a uniform sanctioning practice, the former German federal government drafted a law on association sanctions, which was abandoned during the legislative process. Even though the current government also has the issue of corporate criminal law on its agenda, no legislation has been suggested or introduced.


[1] Julia Sophia Habbe is a partner, Konrad Gieseler is an associated partner and Jana Hanke is a senior associate at Noerr Partnerschaftsgesellschaft mbB.

Unlock unlimited access to all Global Investigations Review content