Mapping HinSchG, Sapin II, and PIDA Onto One Whistleblowing Platform

A multinational employer operating in Germany, France, and the United Kingdom can run secure whistleblowing software across all three regimes if the admin plane exposes five per-tenant switches: anonymous-acceptance, oral-record format, in-person-meeting SLA, headcount calculation rule, and per-artifact retention period. That five-switch model is the information-gain anchor of this post: each switch is driven by a specific section of HinSchG (Germany, in force 2 July 2023, with the late-2023 anonymous-reporting amendment), by the Sapin II decree of 3 October 2022 in France, or by the structure of PIDA 1998 in the UK. The trap most platforms fall into is treating PIDA as if it mandated a channel; PIDA only protects retaliation, it does not require the employer to operate one.

Key Takeaways

• One platform can serve Germany, France, and the UK if five tenant-level switches are exposed.
• HinSchG: 7-day acknowledgement, 3-month feedback, 3-year retention, anonymous reports accepted.
• Sapin II: same EU timers, plus audio-or-transcript oral records and a 20-working-day in-person-meeting SLA.
• PIDA does not mandate a channel; it only protects workers who make a protected disclosure.
• Default to the strictest combination and relax per jurisdiction only where the law allows.

How does Germany’s HinSchG shape the platform?

HinSchG is the most operationally prescriptive of the three for a multinational, because it codifies the EU directive nearly verbatim and adds explicit anonymous-reporting acceptance. The sections that drive product configuration are concentrated in Sections 8 through 17, plus the sanctions in Section 40.

Section 12 obliges entities with 50 or more workers to operate an internal reporting office, and Section 14 governs how a corporate group may share that office. The headcount is aggregated group-wide for HinSchG purposes, which is the rule that pushes a multinational with a small German subsidiary into scope even when each individual entity has fewer than 50 employees.

Section 16 sets the channel obligations. The internal reporting office must accept oral and written submissions; on the reporter’s request, a personal meeting must also be granted. The amendment that took effect in late 2023 clarifies that anonymous reports must be processed where reasonably possible, which removed the grey area that earlier vendor implementations had to tiptoe around. The German tenant default for switch 1 (anonymous-acceptance) is therefore “on”.

Section 17 sets the timers: a 7-day acknowledgement and a 3-month feedback window, extendable to 6 months in justified cases. Section 8 protects the identity of the reporting person, with limited exceptions for criminal proceedings. Section 11(5) sets a 3-year retention period for the documentation, counted from the completion of the procedure, although other retention obligations under commercial and tax law (the standard 6- and 10-year German retention periods) remain unaffected and frequently lengthen the effective retention for adjacent records.

Image: Schlaier on Wikimedia Commons, public domain

Sanctions under Section 40 cap administrative fines for failing to operate a channel at EUR 50,000, lower than the EUR 100,000 in earlier drafts, but the reputational exposure of a published fine is what most boards actually price in.

What does France’s Sapin II 2022 amendment add on top of the EU directive?

France went beyond the directive in two specific places, and both touch product design directly. The amendment took effect on 1 September 2022 and is fleshed out by the decree of 3 October 2022 (effective 5 October 2022).

The first specific is oral-report handling. If the reporter opts for an oral channel, the platform must record the report as audio (with reporter consent), as audio plus a written transcript, or as a written record. The reporter must be able to verify and amend the transcription before the case is closed, which is the part most foreign vendors miss. A platform that drops voice intake straight into a free-text triage queue without storing the audio or producing a verifiable transcript is non-compliant in France even if the same workflow is fine in Germany and the UK.

The second specific is the in-person-meeting SLA. The reporter may request a video conference or a face-to-face meeting, and the meeting must be held within 20 working days of the request. This is a hard deadline rather than the directive’s “reasonable time” formulation, so a platform that exposes a single global SLA dial cannot serve both France and a less prescriptive jurisdiction without either over-committing everywhere or under-delivering in France.

The 50-employee threshold for Sapin II is computed on French headcount, not group-wide. This is the asymmetry that catches multinationals: a group of 60,000 workers with a 30-person French entity may be in scope under HinSchG (group aggregation) and out of scope under Sapin II (per-entity headcount) at the same time. The decree of 3 October 2022 also clarifies the dialog with the Social and Economic Committee (CSE) before the channel is implemented, which is a procedural prerequisite separate from the technical configuration.

Image: Ex13 on Wikimedia Commons, CC BY-SA 3.0

Sanctions under the French criminal code: obstructing a whistleblower carries up to 1 year of imprisonment and a EUR 15,000 fine, and a retaliatory dismissal is automatically void.

How is the UK’s PIDA 1998 different from the EU directive?

PIDA is a retaliation statute, not a channel mandate. Many platform vendors miscommunicate this and tell UK customers they are “PIDA-compliant” by virtue of having a hotline; a hotline does not make a UK employer compliant with PIDA, because PIDA does not require a hotline in the first place.

PIDA protects workers who make a “protected disclosure” from detriment, and structures protection through a tiered framework. The easiest path is internal disclosure to the employer; that path is the one most platform vendors equate with “the channel”. The second tier is disclosure to a “prescribed person”, a regulator like the FCA, the Health and Safety Executive, or the Environment Agency, depending on subject matter. The third tier is wider disclosure (media, MPs) and is protected only under stricter conditions, including reasonableness of the disclosure and the absence of personal-gain motivation.

Employment Tribunal compensation for PIDA dismissal claims is uncapped, in contrast to ordinary unfair dismissal where the compensatory award is capped. This is the practical reason a UK employer runs a channel anyway, even though PIDA does not require one: a documented internal channel produces the evidentiary trail that supports a “good faith handling” defence in a tribunal claim, and the tribunal will look at how the disclosure was actually handled.

Image: Daniele Vaghini on Wikimedia Commons, CC BY-SA 3.0

As of April 2026, two pieces of UK legislative motion sit on top of PIDA. The Employment Rights Act 2025 strengthened whistleblower protections from 6 April 2026, with immediate enhancements that tighten the detriment definition and broaden the protected categories. Separately, the Office of the Whistleblower Bill, introduced on 18 December 2024, is still progressing through Parliament; if enacted in something close to its current form, it would create a standalone duty to report and an independent office to enforce standards, which would change the channel question for UK employers materially. None of this is law as of May 2026; treat it as a freshness signal that the UK row in the configuration table may move within the next 12 to 24 months.

What are the five tenant-level switches that make one platform multi-jurisdictional?

Each switch is one row in an admin-plane configuration table, and each row binds to a specific article of law in each jurisdiction.

Two notes on the table. First, switch 5 is genuinely per-artifact rather than per-case: the retention timer for the submission body, the attachments, the messaging thread, and the audit trail can legitimately differ, and trying to collapse them into one number forces the platform to over-retain or under-retain something. Default to the longest applicable minimum per artifact and consult counsel for the exact period; the typical operating range across these three regimes is 2 to 5 years from procedure completion, with some adjacent record categories pulled longer by tax and commercial-law retention obligations.

Second, the recommended-default column is not an EU-wide cross-jurisdictional minimum; it is the strictest combination across these specific three regimes. A platform deploying into Italy, Spain, the Netherlands, or Switzerland needs the same five-switch analysis re-run against the relevant transposition before the defaults can be trusted there.

How does the platform handle a multinational case that touches all three?

Suppose a France-based reporter alleges accounting fraud in a German subsidiary that also affects a UK-listed parent. The configuration above resolves it without contradiction.

Intake routes by reporter location. The French tenant config governs intake, so the reporter is offered the audio plus transcript option for the oral report and is told the in-person meeting will be held within 20 working days if requested. Switch 1 is on, so the reporter may submit anonymously; switch 2 is audio plus transcript; switch 3 is the 20-working-day SLA; switch 4 selects French entity headcount for the threshold check; switch 5 binds the per-artifact retention to the longest applicable minimum.

Triage runs on the case category. Accounting fraud tags the case for HinSchG handling on the German recipient side (because the alleged conduct sits in the German subsidiary) and, if the UK-listed parent is also US-listed, for SOX 806 audit-committee escalation. The triage layer is the place where one case spawns multiple parallel jurisdiction-tagged workflows; the platform must keep the audit trail synchronised across them rather than forking the case record.

Confidentiality runs to the strictest applicable rule across the three regimes plus any US overlay. HinSchG Section 8 governs identity protection on the German side, the Sapin II decree governs it on the French side, and PIDA case-law governs it for the UK process. The platform’s identity-protection state machine is configured once at the strictest level rather than negotiated case-by-case.

Retaliation is tracked under each jurisdiction’s anti-retaliation forum. The German labour court, the French tribunal correctionnel, and the UK Employment Tribunal each have their own evidentiary expectations, so the audit trail must be rich enough to support each. This is what justifies the apparent over-collection in the recommended-default column: the cost of running the French recording rule globally is much lower than the cost of explaining to a UK Employment Tribunal that the reporter’s oral account was never preserved verbatim.

When NOT to Use This

• You only operate in one of the three jurisdictions; per-country deep dives are more direct than this configuration model.
• You operate primarily in the US and only have a small EU footprint; a EU directive vs SOX 806 vs Dodd-Frank comparison is a better starting point.
• You need a vendor evaluation; this post is a configuration model, not a buyer’s guide.
• You are looking for legal advice on a specific case; consult counsel licensed in the relevant jurisdiction.
• You operate in jurisdictions outside DE, FR, UK (Italy, Spain, the Netherlands, Switzerland); use the five-switch model as a template, but verify each country’s transposition before deploying.

FAQ

• Hinschg
• Sapin-Ii
• Pida
• Multi-Jurisdiction