Whistleblower protection
The Whistleblower Protection Act (HinSchG) came into force on July 2, 2023, transposing Directive (EU) 2019/1937 into German law. It serves to protect whistleblowers and obliges companies above a certain size or in certain sectors to set up internal reporting channels. The aim is to protect whistleblowers from reprisals and give companies the opportunity to resolve grievances internally before they become public.
An effective whistleblower protection system is not only a legal obligation, but also offers companies numerous advantages: It increases compliance, reduces the risk of legal violations, and prevents economic damage due to loss of reputation or high administrative fines. Companies that take whistleblower protection seriously also benefit from a better working atmosphere and an open culture of error management.
Companies benefit in several ways from effective whistleblower protection.
Early problem detection
Internal reports enable violations to be identified at an early stage and countermeasures to be taken.
Reputation and trust
Companies that actively protect whistleblowers are perceived as responsible and enjoy greater trust among employees, customers, and business partners.
Reduction of liability risks
Proactive measures help avoid administrative fines, penalties, and damage to your image.
Open corporate culture
A whistleblower protection system creates transparency and promotes a culture of open communication.
Companies and public authorities with at least 50 employees are generally required to set up an internal reporting channel. In certain sectors, such as the financial sector, this obligation applies regardless of the size of the company.

Your advantages with our whistleblower protection system HintPilot
Our law firm offers you a comprehensive whistleblower protection system that meets all legal requirements and can be seamlessly integrated into your corporate structure. With our secure reporting channel HintPilot, we enable simple, confidential, and efficient processing of reports.
General Data Protection
The General Data Protection Regulation (GDPR) has been in force since May 25, 2018, and forms the central legal basis for the protection of personal data in the European Union. It specifies how controllers and processors may carry out the processing of personal data in order to ensure the protection of the privacy of natural persons. The aim of the regulation is to ensure a uniform level of data protection within the EU and to give data subjects more control over their data.
The GDPR is based on several basic principles that must be observed by all controllers:
Lawfulness, fairness, transparency
The processing of personal data must have a legal basis and be comprehensible to the data subjects.
Purpose limitation
Personal data may only be collected and processed for specified, explicit, and legitimate purposes.
Data minimization
Companies should only collect as much data as is necessary for the purpose for which it is intended.
Accuracy
Personal data must be accurate and kept up to date.
Storage limitation
Personal data must not be stored for longer than necessary.
Integrity and confidentiality
Companies must take appropriate security measures to protect personal data.
Obligations of the controller
In addition to these basic principles, controllers must fulfill very specific obligations when processing personal data. These include, for example:
- Ensuring the rights of data subjects
- A reporting obligation in the event of personal data breaches
- The appointment of a Data Protection Officer
- Ensuring technical and organisational measures for data protection
- General documentation and accountability obligations
- Rules for transfers of personal data to third countries
Penalties for violations
The GDPR provides for severe penalties for violations. These range from warnings to heavy administrative fines of up to €20 million or 4% of a company’s global annual turnover. In addition to financial penalties, violations can also lead to reputational damage and a loss of trust among the data subjects.
Would you like to get an initial overview of the level of data protection in your organisation? Take advantage of our free GDPR quick check.
Artificial Intelligence Act (AI Act)
The AI Act aims to create a harmonized set of rules within the EU that protects the safety and fundamental rights of citizens while promoting innovation. Clear guidelines are intended to minimize the risks associated with the use of AI.
A central element of the AI Act is the risk-based approach, which classifies AI systems into different categories:
Unacceptable risk
AI systems that pose a threat to safety or fundamental rights are prohibited.
High risk
These systems are permitted but subject to strict requirements.
Specific AI systems
AI systems subject to special transparency requirements.
AI competence
The AI Act requires companies, public authorities, associations, and NGOs to ensure that their employees have a “sufficient level of AI competence.” “AI competence” includes knowledge of the opportunities and risks of AI, the rights and obligations under the AI Act, and the ability to use AI systems competently. As this applies to all AI systems, regardless of their risk classification, all entities that use AI systems are affected.
Consequences of using AI
The core element of the AI Act is the determination of the specific obligations that apply to you. The first step is to check whether an “AI system” within the meaning of the AI Act exists at all. If this is the case, it must be determined what “role” the companies, public authorities, associations, and NGOs play and what risk the respective AI system poses. This gives rise to specific obligations that must be observed when using AI.
Scheja & Partners provides comprehensive advice on all legal issues relating to the AI Act, including the complex determination of roles and risks, and thus identifies your individual obligations. This allows you to concentrate fully on your core business and ensure that AI systems are used in compliance with the law.
Your authorized representatives pursuant to Articles 22 and 54 of the AI Regulation
Secure access to the EU market. Minimize risks. Build trust.
Why is an authorized representative indispensable?
For providers based outside the EU – whether for a high-risk AI system or a general-purpose AI model – the appointment of a representative established in the EU is required by law in order to operate on the EU market. Without this key role, lawful market access is often not possible.
Our expertise for your safety

Authorized representative for providers of high-risk AI systems
As your company’s authorized representative, we take on all the tasks required by law, e.g.:
- Checking whether the EU declaration of conformity and technical documentation have been prepared
- Keeping contact details, declaration of conformity, documentation, and, where applicable, certificates – 10 years after placing on the market/putting into service
- Providing all information required for proof of conformity and automatically generated logs upon request by authorities
- Cooperating with authorities to minimise risk
- Acting as a contact person for authorities in all matters relating to ensuring compliance with the AI Act

Authorised representatives for general-purpose AI models
For providers of such models, we take on all tasks specified by EU legislators, e.g.:
- Checking whether the technical documentation has been created and whether the legal obligations are being complied with
- Keeping documentation and contact details – 10 years after placing on the market
- Providing all information required for proof of conformity to the AI Office or competent authorities upon specific request
- Cooperating with regulatory measures, even if your model is integrated into AI systems
- Acting as a contact person for authorities in all matters relating to ensuring compliance with the AI Act
The Data Act – A new legal framework for data access
With the Data Act, the European Union has set a milestone: From September 2025, far-reaching obligations regarding access to, use, and sharing of data will gradually come into effect. The aim is to make data more usable for innovation and competition – especially in the area of connected products and digital services.
For companies, this means new opportunities for data-driven business models, but also significant legal risks if requirements are not met.
The central challenge of implementation lies in the interplay between the Data Act and other legal acts of recent years, including the GDPR. The Data Act covers both personal data and non-personal data.
Resolving this conflict poses enormous challenges for those affected by this legal act in times of complex data structures:
- What precautions must controllers take to enable the transfer of data?
- What technical and legal foundations must be in place before customers and other third parties can assert their rights?
- How can controllers themselves benefit from the Data Act?

What companies should do now
Implementing the Data Act requires more than just reviewing individual legal cases. Holistic strategies are needed that bring together technology, contracts, and other essential components of implementation. These include:
- Establishing secure interfaces for data use and transfer
- Adapting contractual clauses in light of new fairness requirements
- Developing integrated compliance concepts that combine the GDPR and the Data Act
- Identifying opportunities for new data-driven business models
NIS2 – Are you well prepared?
The EU Directive NIS2 (Network and Information Security Directive) is on everyone’s lips – and with good reason. It will reshape the rules for cybersecurity across Europe, aiming to strengthen resilience and safeguard digital infrastructures. Germany missed the implementation deadline in October 2024. However, following the government draft resolution in July 2025, the NIS2 Implementation Act (NIS2UmsuCG) is expected to come into force at the end of 2025 or beginning of 2026.
NIS2 will apply to far more companies and public bodies than before, requiring strict compliance with binding minimum standards for IT security, risk management, and incident reporting.
At the very least, organizations should promptly assess whether they fall within the scope of NIS2. Given the complexity of the new obligations, entities likely to be affected are strongly advised to conduct a gap analysis well before the NIS2UmsuCG comes into force – and to initiate necessary measures early to meet the heightened requirements.

- Expanded scope
Many more sectors are now classified as “essential entities” – not just traditional critical infrastructures.
- Management liability
Executive leadership will bear personal responsibility for implementing security requirements.
- Minimum security requirements
Mandatory baseline measures (e.g., technical and organizational safeguards, incident response mechanisms).
- Supply chain considerations
Security responsibilities extend to service providers and suppliers.
- Multi-level incident reporting
Incidents must be reported promptly in accordance with national rules.
- Tougher sanctions
Significantly higher fines for non-compliance – comparable to the GDPR.
- Public bodies, authorities, and companies in sectors such as energy, transport, healthcare, digital services, public administration, and more.
- Medium-sized and large entities providing important or critical services.
- IT service providers and suppliers as part of the extended supply chain.
- Governance duties: Ultimate accountability at the management and leadership level.
- Risk analysis and management: Regular assessments and controls.
- Security measures: Implementation and maintenance of technical and organizational safeguards.
- Supply chain integration: Ensuring third parties meet security requirements.
- Incident reporting: Mandatory notifications within specified timeframes to authorities (e.g., the German BSI).
- Registration: Affected entities must register with competent authorities.
- Assess applicability: Is your organization covered by NIS2?
- Conduct a gap analysis: Identify compliance gaps compared to the new standards.
- Clarify governance & responsibilities: Define clear roles for management, IT security, data protection, and risk management.
- Start implementing minimum security requirements: Especially in IT, process controls, and supply chain management.
- Plan registration and reporting processes with sufficient lead time.
- Train employees and management to raise awareness and minimize risks.
As a law firm specialized in data protection, data law, and cybersecurity, we combine legal expertise with practical implementation know-how. Our experience with complex compliance regimes – such as the GDPR, the Supply Chain Due Diligence Act, and now NIS2 – enables us to help you:
- Translate legal and technical requirements into practical, risk-conscious, and future-proof solutions.
- Minimize liability risks for executives and organizations.
- Ensure your compliance roadmap is efficient, reliable, and sustainable.
Whether you are a medium-sized company, multinational group, or public authority – with us, you can be confident that you won’t be navigating in the dark, but will be fully prepared when the NIS2UmsuCG comes into force in Germany.