Frequently Asked Questions
Find your answer
Here we try to answer frequently asked questions with the help of leading experts.
Do you have any unanswered questions? Don’t hesitate to contact us.
Of course!
The new supply chain due diligence obligations (in particular the LKSPG) should prevent violations of human rights and violations of environmental protection along the supply chain. These duties are important for “global players” as well as SMEs. Therefore, affected companies should concentrate on the date of implementation of the necessary requirements.
Legal Counsel / Local Compliance Officer
TGW Logistics Group GmbH
The failure to set up a CMS is usually not punishable. However, if a rule is violated because the appropriate control was not provided, the management can be personally liable for negligence offenses according to the Criminal Code and the company can even be liable according to the VbVG.
Lawyer and Partner
Haslinger / Nagele Rechtsanwälte GmbH
Many data protection processes can be handled transparently and efficiently with software solutions. Automations simplify the fulfillment of compliance requirements.
Rather rely on legal technology and don’t be a compliance outlaw!
It doesn’t pay to get a dissuasion.
CEO & Chief Legal Officer
DataReporter GmbH
Are you ready for your digital compliance management system?
Find your Digital Compliance Office in just a minute!
Terms
And their Meanings
We have briefly explained the most important terms for those who are not yet familiar with them. We will be happy to explain further terms in personal contact – just ask.
Compliance is often understood as “to comply with” and can be translated as “the fulfillment of”.
Compliance is defined as all measures within the company that are required and implemented to fulfill laws, (internal) guidelines and other – also value-based – requirements.
Compliance combines preventive measures (e.g., training), the recognition of misconduct and risks (e.g., operation of a whistleblower system), and the resulting reactions (e.g., measures to end misconduct, sanctions, etc.).
According to the Whistleblowing Directive, a whistleblower is “a natural person who reports or discloses information about violations obtained in connection with his or her work activities.”
The Directive includes, but is not limited to, interns, job applicants, employees, supervisory board members, suppliers, etc.
A Compliance Management System (CMS) is the definition and implementation of values and measures by an organisation in accordance with its organisational objectives. Its aim is to ensure objective, consistent behaviour by its employees and stakeholders.
Notification is generally not mandatory for private companies.
However, the report must be clarified regardless of the scope of application of the Whistleblower Protection Act, otherwise there is a risk of liability. An internal investigation must be initiated with the help of (external) specialists, if necessary.
Lawyer
es.law COMPLIANCE & DEFENSE
Yes, as far as operational issues are concerned. If the allegations are directed against employees, the incriminating evidence has to be disclosed. Sometimes the obligation to provide information under employment law is in tension with the criminal refusal to give evidence, especially if the records are to be used in criminal proceedings.
In individual cases, it may make sense to point out to employees that they do not have to incriminate themselves.
Lawyer
The task of compliance is to ensure good behavior and compliance with regulations. Compliance officers have to do a lot of convincing.
It is necessary to enter into relationships with people to ensure this. In this way, empathy is an important key. It creates trust and helps to build bridges.
Lawyer and expert for data protection, regulation and compliance
Compliance surveys and whistleblowing reports show that discrimination is the number one non-compliance issue.
It happens every day in many different ways. Companies have to take structured measures against discrimination for ethical and legal considerations.
CEO
rosa elefant OG
External support of internal reporting channels enables efficient planning of resources and professional processing of reports. This promotes corporate culture.
Reporters trust in independence. This ensures external support – friendly, legally secure, efficient and smart!
CEO VMCON OG
Everyone knows: Regular brushing is important for healthy teeth. Awareness? My kids and I made a picture with a big toothbrush for this. You can see: Regular tooth brushing works. Why? Clear instructions, consistent implementation and regular monitoring – that’s how compliance works.
Lawyer and Partner
Edthaler Leitner-Bommer Schmieder & Partner
Rechtsanwälte GmbH / LeitnerLaw
Whether it’s an orchestra, a school class or a soccer team – inspiration, courage, orientation and security only come from good role models. In companies it is no different and therefore the often quoted Tone from the Top is essential. Good compliance that is lived needs excellent role models!
Managing Director & Founder
rosa elefant OG
Compliance means that managing directors must, among other things, ensure that an internal control system is in place to prevent breaches of standards in accordance with Section 22 of the German Limited Liability Companies Act (GmbHG). According to the law, they are liable for its implementation both internally and, under certain circumstances, towards third parties.
Lawyer & Partner
Summereder Pichler Wächter
Rechtsanwälte GmbH
Organizations are exposed to numerous legal risks, e.g. corruption, antitrust law, data protection, etc. An effective CMS helps to identify and reduce specific risks.
This increases employee satisfaction and secures the company’s long-term existence.
Lawyer & Managing Partner
Baker McKenzie in Vienna
A well-functioning CMS fulfills three core functions.
First and foremost, it serves to prevent breaches of rules (prevention) and, if they do occur, to identify them (detection) and react to them (response).
Careful clarification of the facts and the taking of suitable and appropriate measures are essential.
Legal Counsel
EVVA Sicherheitstechnologie GmbH
No.
At best, compliance officers have an interdisciplinary profile. They come from marketing, legal, human resources development, audit, organizational development, strategy, etc.
The success of compliance does not lie in the profession of its members, but in their ability to use their strengths for prevention, recognition and reaction.
Head of Legal Affairs and registered manager of TANNPAPIER GmbH
Yes!
Since January 1, 2006, legal entities can also be held liable under criminal law (VbVG). However, compliance structures enable them to minimize their risks under both civil and criminal law.
Lawyer
On the contrary, the GDPR provides mechanisms that allow us to work more efficiently, purposefully and successfully.
The same applies as in our private lives: Tidying up is time-consuming. But without unnecessary baggage and with a new and clear order, life is much better.
Corporate lawyer & certified data protection officer
TGW Logistics Group GmbH
It is said that co-determination may not be necessary if the statutory obligations are implemented.
However, if the scope of application is expanded, the system is subject to co-determination. This legal uncertainty still needs to be resolved through statutory implementation – in case of doubt, it is therefore advisable to involve the workers’ council.
Lawyer & Author
Edthaler Leitner-Bommer Schmieder & Partner Rechtsanwälte GmbH / leitnerlaw
The involvement of suppliers in the whistleblowing process brings the supply chain and its stakeholders closer to the company.
A whistleblowing system is therefore an essential component of current (and in the future mandatory) sustainability developments as well as the associated due diligence obligations.
Certified Compliance Professional | Certified Information Security Manager & Auditor (ISO 27001) | Director at LeitnerLeitner
When designing environmentally and socially relevant advertisements, the boundaries of unfair competition can quickly be crossed – there is a fine line between “doing good and talking about it” and greenwashing.
A careful preliminary check within the company is essential. Unfortunately, the lack of a uniform definition of “greenwashing” complicates the examination.
Baker McKenzie Austria
Wrong!
The purpose of the Whistleblower Protection Act is to enable whistleblowers to disclose wrongdoing without risk.
Legal conformity in the company and a good working atmosphere add up to (also) lived corporate social responsibility. This results in: Satisfied employees, customers and suppliers, which means more success – both in terms of the business and its people.
Managing Director VMCON OG / meineBerater
Sanctioned owners are often obscured by complex corporate structures, and legal requirements arising from secondary sanctions (e.g. the OFAC 50% Rule) are insufficiently known.
It is now more important than ever to know the shareholder structure of the third parties and to check them for current sanction risks.
Senior Solution Sales Advisor & Certified Compliance Officer
Dun & Bradstreet Austria GmbH
You should communicate complex topics in a practical and understandable way. This is how we manage to anchor data protection and compliance in the minds of our colleagues.
Senior Legal Counsel & Group Privacy Officer
TGW Logistics Group GmbH
Compliance doesn’t stop at any size of company. If companies want to establish themselves on the market, they can’t afford any violations. Aside from the financial damage, their reputation can be irreparably damaged.
Corporate Lawyer
MYFLEXBOX Austria GmbH
Yes, there are fixed compliance standards available which provide unified principles for compliance management systems. To name a few, the main standards are: ISO 37301 (Compliance Management System), ISO 37001 (Anti-Bribery Management System), ON-Regel 192050, the FCPA Guide (Foreign Corrupt Practices Act), the OECD Guide, the UK Bribery Act, ISO 37002:2021 (Whistleblowing Management System), etc.
Yes, the “Whistleblower Protection Act” has been in force in Austria since 01.02.2023.
This obliges companies to set up internal whistleblower systems and compliance structures. The Whistleblower Directive and the Whistleblower Protection Act therefore appear to demand greater effort in the area of compliance, but they subsequently lead to greater adherence to the rules (and thus to a reduction of potential risks, disadvantages and other damage to companies).
Even though the introduction of a whistleblowing system is not yet mandatory, many companies have decided to implement one. On the one hand, they are aware of the benefits and advantages of a whistleblowing system. On the other hand, the legal framework already requires certain companies to establish a basic compliance system with a whistleblowing channel. For example, the German Corporate Governance Code (07.02.2017) requires management to ensure that the company acts within legal boundaries and guidelines. A compliance management system (CMS) is designed to regulate the way in which actions are taken and to enable employees and third parties to report misconduct within the organization.
Since the Whistleblower Protection Act, all companies with more than 50 employees are required to implement compliance structures or a corresponding compliance organization (at least limited to an efficient whistleblowing management system).
It is the responsibility of a managing director to design the organization in such a way that it operates within the legal framework and thus complies with local laws and regulations. This personal liability means that a uniform compliance structure must be created (e.g. § 22 GmbHG, § 25 GmbHG, § 82 AktG, § 84 AktG); these provisions require management to establish internal control systems. The legal obligations on whistleblowing and the Corporate Sustainability Due Diligence Directive (CSDD) oblige organizations to implement compliance structures by law.
The Supreme Court has also ruled that effective compliance management must be established (OGH, 3 Ob 34/97i).
Based on the norms and standards described above, we at fobi solutions see an effective compliance management system as built on three fundamental compliance rules: PREVENT – DETECT – REACT. ‘Prevent’ means knowing your organisational risks and your legal framework. On that basis an organisation can set internal rules and codes of conduct, provide compliance training and compliance information for employees, etc. To then ‘detect’ compliance issues within the organisation, further mechanisms must be implemented, such as an internal control system, a whistleblowing program, risk assessments, internal audits, etc. Every compliance problem or issue must be followed by an adequate reaction: the organisation must ‘react’, thereby giving employees trust in the compliance management itself and the confidence to act in compliance with all rules and values.
When implementing these obligations, many companies rely on “tried and true” methods and believe that the protection of whistleblowers and the fulfillment of the corresponding processes can be guaranteed by e-mail, mailboxes and open-door reporting options. This misconception is put to rest by Section 9 of the Whistleblower Protection Act in Austria.
In this provision, companies are required to document all reports and at the same time meet the required deadlines. In Section 9 (6), the law expressly provides that “internal and external bodies shall store the records pursuant to subsections (1) to (5) in a confidential and secure system and shall log and restrict access to this system in such a way that the data stored therein is only accessible to those employees who need access to the data in order to process the whistleblowing.”
The legally correct implementation of the legal obligations thus appears to be fulfilled exclusively by a digital whistleblowing system.
The question of whether reporting channels should and/or must also be made publicly available in the future – i.e. via the company’s own websites – seems to have been answered (from our point of view) with regard to the definition of whistleblowers. In addition, the (upcoming) legal supply chain management obligations mean that the requirement to provide a reporting channel for suppliers is in the starting blocks.
The topic of “compliance” and the associated legal obligations will therefore continue to occupy us in the future.
Who is behind .LOUPE?
The people behind
.LOUPE and fobi solutions.
Questions
About .LOUPE
When it comes to compliance, you should also trust each other. That’s why it’s important to know who’s behind .LOUPE and how .LOUPE operates.
Feel free to ask us your questions in person or in writing at any time.
.LOUPE is operated in ISO 27001-certified data centers in Germany.
Technical provisioning is possible within one day. Depending on the degree of individual design (e.g. corporate identity), the workload increases.
.LOUPE is quick and easy to use. For this purpose, we offer standardized information material for employees, a corresponding investigation guide, standard categories, etc.
.LOUPE is not only a simple, secure and legally compliant whistleblowing system, but also provides innovative support for risk identification, mitigation, communication, control and consequences in case of detected misconduct.
With .LOUPE, you close several security gaps at once. But since there are different sized companies, each with differentiated compliance requirements, we are happy to offer you needs-oriented, customised packages.
You can find more information about our packages here.