Specialised solution | compliance SUITE
Solve whistleblower protection and HinSchG requirements digitally.

The whistleblower system from otris software – easy to implement and secure to operate

otris whistleblower supports companies and organisations in the uncomplicated implementation of the EU Whistleblower Directive and the German Whistleblower Protection Act. The software solution generates the required whistleblower protection through an anonymous reporting channel. Secure and data protection compliant.

The legal regulations on whistleblower protection affect a significant part of business and administration: companies with 250 or more employees as well as public institutions must provide reporting channels that ensure the confidentiality of whistleblowers’ identities. From 17 December 2023, organisations with more than 50 employees will also fall under the regulation. The implementation of the provisions in compliance with the law is the focus for many companies. However, efficient whistleblower protection is also worthwhile independent of the legal requirements: a secure, anonymous system motivates potential whistleblowers to report valuable information internally. This gives the company / organisation the opportunity to remedy grievances at an early stage and prevent reporting to external parties (authorities/press).

otris software is the provider of a whistleblowing system that enables companies to implement the directive in a secure, uncomplicated manner. Whistleblowing software protects the identity of whistleblowers via a technically secure communication channel: whistleblower and recipient communicate via a web-based reporting platform that encrypts all exchanged data. Whistleblowers can choose whether to report anonymously or to leave their contact details. The software also simplifies the review process and speeds up case handling.

Anonymous communication and efficient case handling

Whistleblower system

Features that distinguish our whistleblowing system

otris is an established provider of compliance software. All otris solutions combine ease of use with high standards of data security and data protection. Adaptations of the system to company-specific requirements are easy to implement.

Security
otris whistleblower meets the highest data security standards: high-security data centres in Germany certified to ISO 27001, modern encryption algorithms and GDPR compliance, as well as recurring IT security audits and penetration tests.

Customisability
The otris whistleblowing system is immediately available to you after installation without any further adjustments, but at the same time it is very flexible. For example, you can design the report form of the otris reporting platform or the processing procedure in case management individually according to your wishes. Integration with already existing systems is possible.

Dashboard and reports
The integrated dashboard and real-time statistics facilitate your compliance reporting. Clear reports can be created for individual tips as well as graphical evaluations for a specific portfolio; e.g. evaluations regarding topic, status and relevance of incoming tips.

What are the benefits of a digital whistleblowing system?

Without information from the staff, it is almost impossible to uncover gross misconduct, as disregard for rules often goes hand in hand with concealment. Potential whistleblowers, however, fear disadvantages by revealing their information and identity. The otris whistleblower offers whistleblowers a reporting channel that guarantees anonymous communication and thus protects identity.

How to help
Violations of rules by individual employees can have serious, business-damaging effects and legal consequences for your company. In the worst case, the reputation, financial stability and job security of the entire workforce are at stake. Early warning from your employees about breaches of the rules helps you to implement measures to limit the damage in good time. Your company can learn from violations and further optimise internal company processes and structures. Motivating employees to disclose information to an internal body is therefore a sensible component of the company-wide compliance strategy.

Generating motivation
Potential whistleblowers fear disadvantages if they give information publicly. They endanger good relations with colleagues, their professional development opportunities and, in extreme cases, even their mental and physical health. If these risks disappear, the motivation to report serious breaches of rules increases. The most reliable way to minimise risks for whistleblowers is to ensure their anonymity. For their own sake (to gain access to confidential information), compliance officers should provide secure reporting channels for whistleblowers to disclose information anonymously. With the otris whistleblowing system, the whistleblower decides for himself whether he wants to remain anonymous or deliberately disclose his identity.

"otris is a digitalisation partner with whom we masterfully meet the challenges of international compliance management."

Markus Hartmann
Compliance Manager and Project Manager within the Legal & Compliance Business Unit at Mast-Jägermeister SE

Optimise your compliance with the otris whistleblowing system

A reporting channel that is compliant with EU Directive 2019/1937 must ensure the anonymity of the whistleblower. On a technical level, the otris reporting platform ensures anonymity through external operation and encrypted communication.

Reporting platform
The more secure a whistleblower considers the system to be, the more willing he is to disclose his information. The whistleblower sends his message anonymously to the recipient via the otris reporting platform. With the help of an automatically generated ID, the whistleblower can communicate with the recipient (compliance officer) via an anonymous mailbox.

As a neutral entity, otris software AG operates the reporting platform in the cloud and guarantees the anonymity of all participants at the technical level. All content exchanged between whistleblowers and recipients is strongly encrypted by the reporting platform. In addition to anonymity, the otris whistleblower system fulfils the legal requirements for data protection and data security.

Case management
In addition to the reporting platform, the otris whistleblower system includes a flexibly configurable case management system with which you document, evaluate and consistently follow up on reports. According to the EU Whistleblower Protection Directive 2019/1937, the whistleblower must receive an acknowledgement of receipt for each report within 7 days at the latest and a response within 3 months at the latest. The system sends alerts to the case handler if an open case has a deadline.
Your compliance team communicates with the whistleblower, starting from the case management system, to check the validity and relevance of the report. The case management system forwards the message to the reporting platform, which the whistleblower accesses anonymously. As the operator of the case management system, you decide whether the system is operated on-premises (in your company) or in the cloud. In contrast to the case management system, there is no choice for the reporting platform: the reporting platform is always operated by otris software AG as a neutral entity in the cloud, so that the anonymity of the whistleblower is technically guaranteed.

FAQ | Whistleblower system

A compact summary: the most important questions and answers on the topic of the whistleblower system, IT security and data protection

What is the purpose of the HinSchG and what does it prescribe?

The Whistleblower Protection Act (HinSchG) is the German implementation of the EU Directive 2019/1937 (EU Whistleblower Directive). The EU Directive and thus also the German HinSchG are intended to improve the detection and punishment of wrongdoing. The protection of whistleblowers is an instrument to achieve this goal, in that

  • Whistleblowers who report wrongdoing are protected from reprisals,
  • the protection against reprisals reduces inhibitions to make reports,
  • the reports help to uncover, punish or prevent violations.

In order to implement whistleblower protection, the HinSchG contains provisions for companies and organisations to set up reporting channels. The reporting channels or whistleblowing systems must be designed in such a way that the identity of the whistleblower is protected. Affected by the regulation are:

  • Companies with 250 or more employees
  • Companies with 50 to 249 employees (transitional period until 17.12.2023)
  • Municipalities – depending on the respective state law (e.g. from 10,000 inhabitants)
  • Institutions of the public sector

How does otris whistleblower comply with the HinSchG?

The Whistleblower Protection Act requires companies to provide reporting channels that are securely designed to protect the confidentiality of the whistleblower’s identity. The otris whistleblower system ensures the required identity protection by enabling anonymous reporting. Anonymity is realised by these technical means:

  • The reporting platform through which whistleblowers submit reports is not operated by the recipient of the report (company, organisation, authority), but by otris software in the secure otris cloud. The reporting platform forwards the submitted report to the recipient.
  • The system does not store any data that could allow conclusions to be drawn about the whistleblower (IP address, location data, device specifications, etc.).
  • End-to-end encryption of all messages and attachments between whistleblower and recipient.
  • Transport encryption of all messages and attachments (BSI-compliant, TLS 1.3).
  • Encryption of all data stored in the databases of the reporting platform and case management.
  • Regular IT security audits (pentests) monitor system security.

How does the otris whistleblowing system work in compliance with the GDPR?

otris whistleblower protects the identity and thus also the personal data of whistleblowers through a procedure that enables anonymous reporting (see previous point). The reporting platform does not log any personal data of anonymous whistleblowers. Information sent by the whistleblower is protected by the system through transport and end-to-end encryption. In addition, an FAQ provides the whistleblower with information on how to protect his or her personal data.

However, compliance with the GDPR is not limited to anonymous whistleblowers. Personal data of non-anonymous whistleblowers as well as of third parties (e.g. an accused person) are also subject to the provisions of the GDPR. On a technical level, this data is also protected by transport and end-to-end encryption (reporting platform and case management). Rule-based deletion routines support the data protection-compliant deletion of received reports. A possible two-factor authentication offers additional protection against unauthorised access to personal data via the backend.

The SaaS offering of the otris whistleblowing system is provided exclusively on servers in data centres which

  • are subject to German law and located in Germany,
  • are certified according to ISO 27001,
  • are certified according to ISO 9001.

Due to the end-to-end encryption, it is not possible for operators of the data centres to read submitted reports.
A TÜV expert opinion confirms the effectiveness of the data protection concept for the otris whistleblower system.

What security standards does the otris whistleblowing system meet?

The otris whistleblowing system and the infrastructure used meet the following data security standards:

  • Hybrid encryption of all whistleblower-related data on the reporting platform according to BSI specifications.
  • End-to-end encryption. Signing of data when sent by the whistleblower in the browser and when sent by the recipient in the backend.
  • BSI-compliant transport encryption of all messages and attachments with TLS 1.3.
  • Possibility of two-factor authentication
  • Data centres certified according to ISO 27001 and ISO 9001
  • Security audits and regular system pentests according to OWASP Application Security Verification Standard

How time-consuming is the implementation of the system?

The otris whistleblower system is available within a few hours after configuration. The data protection statement, whistleblower FAQ, message categories and e-mail texts are ready for immediate use as templates and can be easily adapted by the user if required. The otris whistleblowing system has a processing procedure for whistleblowing that can be team- and role-based. This means that the system is immediately ready for use from the moment a tip is submitted to the time it is processed. Adaptations are easy to implement due to the system architecture, but require additional time for implementation.

Does the Whistleblower Protection Act require a software-based system?

No. As long as the confidentiality of the whistleblower’s identity is preserved, each company / organisation can determine for itself what kind of reporting channels it sets up. Alternatives to the software system are e.g. ombudsperson, e-mail box, telephone hotline. It should be noted that the required identity protection may be difficult to implement via these channels: the ombudsperson works on behalf of the company; with ordinary e-mail communication the IP address can be traced; and with a telephone hotline the whistleblower cannot be sure who he is talking to on the phone and whether his voice is being disguised. Software systems offer the possibility to ensure the identity protection of the whistleblower by technical means and thus motivate him to provide information. In addition, software systems enable follow-up queries via the anonymous mailbox. Further benefits: software-supported whistleblowing systems are easily accessible (via a website) and permanently available, and they simplify timely processing, documentation and the deletion of received reports in compliance with data protection requirements.

Your contact

Ulrich Palmer
+49 231 95806950
compliance@otris.de
