otris whistleblower supports companies and organisations in the uncomplicated implementation of the EU Whistleblower Directive and the German Whistleblower Protection Act. The software solution provides the required whistleblower protection through an anonymous reporting channel that is secure and compliant with data protection law.
The legal regulations on whistleblower protection affect a significant part of business and administration: companies with 250 or more employees as well as public institutions must provide reporting channels that ensure the confidentiality of whistleblowers’ identities. From 17 December 2023, organisations with more than 50 employees will also fall under the regulation. The implementation of the provisions in compliance with the law is the focus for many companies. However, efficient whistleblower protection is also worthwhile independent of the legal requirements: a secure, anonymous system motivates potential whistleblowers to report valuable information internally. This gives the company / organisation the opportunity to remedy grievances at an early stage and prevent reporting to external parties (authorities/press).
otris software is the provider of a whistleblowing system that enables companies to implement the directive in a secure, uncomplicated manner. Whistleblowing software protects the identity of whistleblowers via a technically secure communication channel: whistleblower and report recipient communicate via a web-based reporting platform that encrypts all exchanged data. Whistleblowers can choose whether to report anonymously or to leave their contact details. The software also simplifies the review process and speeds up case handling.
otris is an established provider of compliance software. All otris solutions combine ease of use with high standards of data security and data protection. Adaptations of the system to company-specific requirements are easy to implement.
otris whistleblower meets the highest data security standards: high-security data centres in Germany certified to ISO 27001, modern encryption algorithms and GDPR compliance, as well as recurring IT security audits and penetration tests.
The otris whistleblowing system is immediately available to you after installation without any further adjustments, but at the same time it is very flexible. For example, you can design the report form of the otris reporting platform or the processing procedure in case management individually according to your wishes. Integration with existing systems is possible.
Dashboard and reports
The integrated dashboard and real-time statistics facilitate your compliance reporting. Clear reports can be created for individual tips as well as graphical evaluations for a specific portfolio; e.g. evaluations regarding topic, status and relevance of incoming tips.
Without information from the staff, it is almost impossible to uncover gross misconduct, as disregard for rules often goes hand in hand with concealment. Potential whistleblowers, however, fear disadvantages by revealing their information and identity. The otris whistleblower offers whistleblowers a reporting channel that guarantees anonymous communication and thus protects identity.
How to help
Violations of rules by individual employees can have serious, business-damaging effects and legal consequences for your company. In the worst case, the reputation, financial stability and job security of the entire workforce are at stake. Early warning from your employees about breaches of the rules helps you to implement measures to limit the damage in good time. Your company can learn from violations and further optimise internal company processes and structures. Motivating employees to disclose information to an internal body is therefore a sensible component of the company-wide compliance strategy.
Potential whistleblowers fear disadvantages if they disclose information publicly. They endanger good relations with colleagues, their professional development opportunities and, in extreme cases, even their mental and physical health. If these risks disappear, the motivation to report serious breaches of rules increases. The most reliable way to minimise risks for whistleblowers is to ensure their anonymity. In their own interest (to gain access to confidential information), compliance officers should provide secure reporting channels for whistleblowers to disclose information anonymously. With the otris whistleblowing system, the whistleblower decides for himself whether he wants to remain anonymous or deliberately disclose his identity.
A reporting channel that is compliant with EU Directive 2019/1937 must ensure the anonymity of the whistleblower. On a technical level, the otris reporting platform ensures anonymity through external operation and encrypted communication.
The more secure a whistleblower considers the system to be, the more willing he is to disclose his information. The message is sent to the report recipient in highly encrypted form via the otris reporting platform. The system ensures anonymity – regardless of whether the tip is sent from the internal company network or from an external person. With the help of an automatically generated ID, the whistleblower can communicate with the report recipient (e.g. compliance officer) via an anonymous mailbox.
As a neutral entity, otris software AG operates the reporting platform in the cloud and guarantees identity protection at the technical level. All content exchanged between whistleblowers and report recipients is highly encrypted by the reporting platform. In addition to identity protection, the otris whistleblower system complies with the legal requirements for data protection and data security.
The otris whistleblower system not only fulfils the standards of the HinSchG, but can also be used as a complaint management system in accordance with LkSG requirements.
In addition to the reporting platform, the otris whistleblower system includes a flexibly configurable case management system with which you can document, evaluate and consistently follow up on the reports. According to the EU Whistleblower Protection Directive 2019/1937, the whistleblower should receive an acknowledgement of receipt for each report after 7 days at the latest and a response after 3 months at the latest. The system sends alerts to the case handler if an open case has a deadline.
Your compliance team communicates with the whistleblower, starting from the case management system, to check the validity and relevance of the whistleblowing. The case management system forwards the message to the reporting platform, which the whistleblower accesses anonymously. As the operator of the case management system, you decide whether the system is operated on-premises (in your company) or in the cloud. In contrast to the case management system, there is no choice for the reporting platform: the reporting platform is always operated by otris software AG as a neutral entity in the cloud to technically ensure anonymity and identity protection of the whistleblower.
A compact summary: the most important questions and answers on the topic of the whistleblower system, IT security and data protection
The Whistleblower Protection Act (HinSchG) is the German implementation of the EU Directive 2019/1937 (EU Whistleblower Directive). The EU Directive and thus also the German HinSchG are intended to improve the detection and punishment of wrongdoing. The protection of whistleblowers is an instrument to achieve this goal, in that
In order to implement whistleblower protection, the HinSchG contains provisions for companies and organisations to set up reporting channels. The reporting channels or whistleblowing systems must be designed in such a way that the identity of the whistleblower is protected. Affected by the regulation are:
The Whistleblower Protection Act requires companies to provide reporting channels that are securely designed to protect the confidentiality of the whistleblower’s identity. The otris whistleblower system ensures the required identity protection by enabling anonymous reporting. Anonymity is realised by these technical means:
otris whistleblower protects the identity and thus also the personal data of whistleblowers through a procedure that enables anonymous reporting (see previous point). The reporting platform does not log any personal data of anonymous whistleblowers. Information sent by the whistleblower is protected by the system through transport and end-to-end encryption. In addition, an FAQ provides the whistleblower with information on how to protect his or her personal data.
However, compliance with the GDPR is not limited to anonymous whistleblowers. Personal data of non-anonymous whistleblowers as well as of third parties (e.g. an accused person) are also subject to the provisions of the GDPR. On a technical level, this data is also protected by transport and end-to-end encryption (reporting platform and case management). Rule-based deletion routines support the data protection-compliant deletion of received reports. Optional two-factor authentication offers additional protection against unauthorised access to personal data via the backend.
The SaaS offering of the otris whistleblowing system is provided exclusively on servers in data centres which are
Due to the end-to-end encryption, it is not possible for operators of the data centres to read submitted reports.
A TÜV expert opinion confirms the effectiveness of the data protection concept for the otris whistleblower system.
The otris whistleblowing system and the infrastructure used meet the following data security standards:
The otris whistleblower system is available within a few hours after configuration. The data protection statement, whistleblower FAQ, message categories and e-mail texts are ready for immediate use as templates and can be easily adapted by the user if required. The otris whistleblowing system has a processing procedure for whistleblowing that can be team- and role-based. This means that the system is immediately ready for use from the moment a tip is submitted to the time it is processed. Adaptations are easy to implement due to the system architecture, but require additional time for implementation.
No. As long as the confidentiality of the whistleblower’s identity is preserved, each company / organisation can determine for itself what kind of reporting channels it sets up. Alternatives to the software system are e.g. ombudsperson, e-mail box, telephone hotline. It should be noted that the required identity protection may be difficult to implement via these channels: the ombudsperson works on behalf of the company; with ordinary e-mail communication, the IP address can be traced; and with a telephone hotline, the whistleblower cannot be sure who he is talking to on the phone and whether his voice is being distorted. Software systems offer the possibility to ensure the identity protection of the whistleblower by technical means and thus motivate him to provide information. In addition, software systems enable queries via the anonymous mailbox. Further benefits: software-supported whistleblowing systems are easily accessible (via a website) and permanently accessible, and they simplify timely processing, documentation and the deletion of received reports in compliance with data protection requirements.