Criminal Law and Whistleblowing

The Whistleblower Protection Act and its relationship to the Austrian Criminal Code and Code of Criminal Procedure

The Whistleblower Protection Act (HinweisgeberInnenschutzgesetz, “HSchG”) contains numerous problematic points under criminal law. Both potential whistleblowers and companies should be aware of a few key aspects in order to avoid legal pitfalls as far as possible. It is particularly important to be aware of the (limited) material scope of the Whistleblower Protection Act on the one hand and the lack of identity protection for whistleblowers under the Whistleblower Protection Act once an initial criminal suspicion exists on the other. This article also highlights the criminal law restrictions on whistleblowing and important obligations of companies.

Is there an obligation to report?

In principle, there is no obligation for private individuals and companies to report criminal acts that have already occurred due to violations of the Austrian Criminal Code (StGB) or other punishable acts. This also applies to whistleblowers. However, private individuals have the right to report criminally relevant facts to the police or public prosecutor’s office (Sec 80 para 1 Austrian Code of Criminal Procedure). This also includes the whistleblower system of the Central Public Prosecutor’s Office for the Prosecution of Economic Crimes and Corruption (WKStA) or that of the Federal Bureau of Anti-Corruption (BAK), which is the central external report system of the Austrian Whistleblower Protection Act.

Corresponding suspicious cases can also be reported internally – as part of the internal whistleblower system. The Whistleblower Protection Act does not expressly provide for an obligation for whistleblowers to report internally. However, a corresponding obligation to report internally may arise from the duty of loyalty under employment law.

Possible future criminal offenses of which an employee becomes aware must first and foremost be prevented internally within the company. Only if such prevention is not (or no longer) possible can there be an obligation to report to the prosecution authorities (Sec 286 Criminal Code).

Which criminal law restrictions must whistleblowers observe?

It is of course forbidden to knowingly make a false whistleblower report. Such violations can be punished with an administrative fine (Sec 24 no 4 Whistleblower Protection Act) of up to EUR 20,000, or up to EUR 40,000 in the event of a repeated offense. Anyone who knowingly exposes another person to the risk of prosecution by the authorities by providing false information can even be sentenced by a criminal court to between six months and five years imprisonment if the elements of the offense of defamation (Sec 297 Criminal Code) are met.

This does not apply to “bona fide” whistleblowers who can assume, on the basis of the factual circumstances and the information available to them at the time of the tip, that the information they have provided is true and falls within the scope of the Whistleblower Protection Act.

Be careful when obtaining information: The end does not justify the means!

Like any other person, whistleblowers must comply with criminal law provisions. Illegal forms of obtaining information are therefore not privileged. The unauthorized acquisition of information in connection with the intrusion into legally protected spheres of secrecy may therefore be punishable by law. Information may therefore not be obtained, for example, in the course of a breach of the secrecy of correspondence (Sec 118 Criminal Code) or unlawful access to a computer system (Sec 118a Criminal Code). The same applies to the violation of telecommunications secrecy (Sec 119 Criminal Code), the improper interception of data (Sec 119a Criminal Code), the misuse of sound recording or listening devices (Sec 120 Criminal Code), the misuse of computer programs or access data (Sec 126c Criminal Code) or other offenses in the area of cybercrime (IT criminal law). The aforementioned offenses are punishable by a criminal court; in some cases, the penalties range up to several years of imprisonment.

Which obligations apply to companies after a disclosure?

Upon receipt of a report of a possible violation of the law, it is the responsibility of the internal unit that is responsible for checking whistleblower tips to investigate the suspicions. However, the overall responsibility for the proper functioning of the internal unit lies with the company management.

A careful internal investigation of indications of possible legal violations is recommended in any case. In addition to liability consequences under civil law and risks under company law for managing directors or board members, failure to investigate a suspected case and prevent such future acts may also result in criminal law risks, which in exceptional cases may also give rise to corporate criminal liability under the Austrian Corporate Criminal Liability Act (VbVG). In the event of such allegations and the initiation of criminal investigation proceedings, the advice of a specialized criminal defense lawyer should be sought quickly.

Do you have any questions on this topic or do you need support? Feel free to contact us directly.

Dr. Elias Schönborn
Attorney at Law & Criminal Defense Lawyer

How much Criminal Code does the Whistleblower Protection Act contain?

Are all references to criminally relevant violations of the law covered by the material scope of the Whistleblower Protection Act? No. In addition to criminal offenses that are covered by the general terms of the scope of application specified by the Whistleblower Directive (such as environmental crimes and crimes against the financial interests of the Union), the Austrian legislator has (only) included Sec 302 to Sec 309 Criminal Code in the scope of application. In addition to the offense of abuse of official authority (Sec 302 Criminal Code) and negligent violation of personal liberty or of occupant’s rights (Sec 303 Criminal Code), these are in particular corruption offenses – namely in the public sector (Sec 304 to Sec 308 Criminal Code) and in the private sector (Sec 309 Criminal Code).

Conversely, this means that many criminal offenses that are relevant in business life are not covered by the scope of the Whistleblower Protection Act. This applies, for example, to reports of breach of trust, embezzlement, fraud, theft, balance sheet falsification, cybercrime or acts against sexual integrity and self-determination. Although the Whistleblower Protection Act does not provide any protection for whistleblowers who provide such information, governing bodies are nevertheless obliged to have such suspicions investigated for reasons of liability law – irrespective of the applicability of the Whistleblower Protection Act.

Delivering legal clarity

Due to the complicated regulations of the Whistleblower Protection Act, it is not immediately clear to many people working in the internal office responsible for checking whistleblower tips whether the reported information falls within the scope of the Whistleblower Protection Act or not and which specific steps should now be taken. Particularly in the case of sensitive information such as potentially criminally relevant processes, it may therefore be advisable to obtain an initial legal review with recommendations for follow-up measures from a specialist. This allows potential liability risks to be avoided, reporting obligations to the authorities to be recognized and risk assessments to be taken into account early and with strategic foresight.

In order to protect whistleblowers who do not fall under the material scope of the Whistleblower Protection Act, companies have the option of voluntarily extending and expanding the scope of the internal whistleblower system. The catalog of reportable violations can be supplemented internally in order to still grant the whistleblower protection. On the one hand, this requires the implementation of some legally necessary points (in particular data protection and labor law), but it has the great advantage that the risk of the company’s own employees contacting the law enforcement authorities directly with criminally relevant information can be reduced.

Does the protection of the identity of whistleblowers under the Whistleblower Protection Act also apply in criminal proceedings under the Austrian Code of Criminal Procedure?

Protecting the identity of the whistleblower is one of the most important provisions of the Whistleblower Protection Act. The identity of the whistleblower and the person affected by the whistleblowing may only be disclosed within the scope of application of the Whistleblower Protection Act, if an administrative authority, a court or the public prosecutor’s office considers this to be essential in the context of corresponding state proceedings and proportionate in view of the seriousness of the allegations made. Contrary to what the above wording might suggest, however, a counter-exception applies to criminal proceedings: Pursuant to Sec 3 (6) sentence 4 Whistleblower Protection Act, the Whistleblower Protection Act does not apply to the application of the provisions of the Austrian Code of Criminal Procedure once there is an initial suspicion under criminal law. Therefore, if a whistleblower is to act as a witness in criminal proceedings, the special safeguards of the Whistleblower Protection Act do not (or no longer) apply to them in my opinion. Anything else would be an unlawful breach of the Code of Criminal Procedure and would also violate or curtail the right of the accused to ask questions of prosecution witnesses, which is provided in Art 6 sentence 3 lit d ECHR and therefore guaranteed by constitutional law.

Attractive internal reporting channel is in the interests of the company

Uncertainty among employees about the internal whistleblowing system can pose a potential threat to companies. As there is no explicit obligation for primary internal whistleblowing, it is in the interest of the company to make the internal reporting channel so attractive that whistleblowers prefer an internal report to an external report (towards the police). This avoids the risk of loss of control, reputational damage and often lengthy proceedings with an uncertain outcome. Because one thing is certain: initiating criminal proceedings against the company is the worst-case scenario, even if the proceedings (often after years of investigation) end in a non-conviction.


In my opinion, the special requirements of the Whistleblower Protection Act no longer apply to the criminal prosecution authorities once initial suspicion under the Austrian Code of Criminal Procedure has been affirmed. If criminal proceedings are initiated, a criminal defense lawyer should be consulted quickly. However, not every report relevant under criminal law ends up before the public prosecutor’s office: Companies should see the lack of an obligation to report criminally relevant incidents as an opportunity to make the internal reporting channel as attractive as possible in order to be able to discreetly investigate the incidents internally once a corresponding report has been received. From a practitioner’s point of view, it is advisable to extend the scope of application of the internal whistleblower system to important criminal offenses under the Austrian Criminal Code with the help of legal expertise and, if necessary, to initiate a confidential internal investigation. If you have any questions on these topics or need support from an experienced expert, I am happy to assist you.