Scope of applicationⁱ

The Due Diligence Act applies to companies, regardless of their legal form, where their head office, principal place of business, administrative headquarters, or their registered office is in Germany, and which usually employ at least 3,000 employees. Notably, entities that perform the administrative tasks of a regional authority are excluded from the Due Diligence Act unless they conduct entrepreneurial activity.

The interpretation of the term 'usually', as outlined above, requires both a retrospective view and a prognosis of future personnel. The period considered should be both retrospective, as well as prospective, and must be long enough to ensure that short-term fluctuations in the number of employees do not affect the applicability of the Due Diligence Act. To this end, temporary changes and associated fluctuations in the number of employees should not have any influence on whether a company is bound by the due diligence obligations. On this point, the Due Diligence Act clarifies that the length of the reference period depends on the individual case, but should be based on the financial year.

In regard to temporary workers, temporary agency workers must be included in the calculation of the number of employees where the duration of their assignment exceeds six months.ⁱⁱ Affiliated enterprises, as defined under Section 15 of the German Stock Corporation Act, must also be taken into account when calculating the number of employees within a parent company.

Importantly, from 1 January 2024, the threshold for employed employees will be 1,000 employees instead of 3,000.

Definitions

The Due Diligence Act clarifies the definition of 'human rights' and 'human rights risk'.

Specifically, 'human rights' refers to those arising from the conventions listed in Numbers 1 to 11 of the Annex.

A human rights risk, on the other hand, is a situation in which, on the basis of factual circumstances, there is a sufficient probability of a violation of one of the prohibitions on the protection of the legal positions contained in Part 1 §2(2) of the Due Diligence Act which includes the prohibition of unequal treatment in employment, provided this is not justified by the requirements of the employment and the prohibition of bringing about, among other things, water pollution, air pollution, denying a person access, as well as an environment-related risk within the meaning of the Due Diligence Act.

Due diligence requirementsⁱⁱⁱ

Businesses are required to observe the following human rights and environmental due diligence obligations, namely:

• the establishment of a risk management system;
• the determination of internal responsibility;
• the implementation of regular risk analyses;
• the adoption of a policy statement;
• the establishment of preventive measures;
• the adoption of corrective measures;
• the establishment of a complaint procedure;
• the implementation of due diligence with regard to risks from indirect suppliers; and
• documentation and reporting.

The appropriate manner of acting in compliance with the due diligence obligations above will be determined by:

• the type and scope of the enterprise's business activities;
• the company's ability to influence the person directly responsible for the violation of the protected legal position or an environmental obligation;
• the typically expected severity, reversibility, and probability of the occurrence of the violation; and
• the nature of the causal contribution to the human rights or environment-related risk.

On the above, the Due Diligence Act clarifies that the due diligence obligations establish a duty to make an effort, and not a duty to succeed. Companies do not have to guarantee that no human rights or environmental obligations are violated in their supply chains; but rather, they must be able to prove that they have implemented the due diligence obligations, which are feasible and appropriate given their individual context. These obligations are related to the company's own business area, the business area of the direct supplier, and that of the indirect supplier.

In regard to company specific risk management, companies should note that the greater the company's ability to exert influence, including the likelihood and seriousness of the anticipated violation and contribution to causation, the greater the effort expected to avoid such violations. Along similar lines, the more vulnerable a business is to human rights risks based on product and production site, the more important it is to monitor the supply chain.

Risk management and analysis

Risk management^iv

The Due Diligence Act requires companies to establish an appropriate and effective risk management system which should be embedded in all relevant business processes through appropriate measures. Specifically, effective measures aim to make it possible to identify human rights and environmental risks, prevent violations of protected legal positions or environmental obligations, and ensure such measures are implemented. The effective measures are also meant to enable the identification of human rights and environmental risks, and ensure the prevention, cessation, and/or minimisation of violations where enterprises have caused or contributed to such risks or violations within the supply chain.

To this end, enterprises must ensure that they defined the person within the enterprise that is responsible for overseeing risk management. Specifically, the Due Diligence Act recommends the establishment of a human rights officer reporting directly to senior management, noting that management should regularly (at least once a year) inform itself about the work of the responsible person(s). On this point, the Due Diligence Act states that the company must provide the necessary tools to ensure appropriate monitoring.

More generally, companies should take into account the interests of its workers, workers within its supply chain, and those otherwise affected by the economic activities of the enterprise or of enterprises in its supply chain. This is expected to help companies recognise their human rights risks and select appropriate preventive and remedial measures. By way of example, this may take the form of direct consultation with individuals (potentially) affected by infringements or with an authorised advocacy group.

Consultation with affected persons or their representatives can be an important participatory method of obtaining information about their interests and human rights situation. More specifically, a consultation - through a direct exchange, for instance - is intended to promote transparency, understanding, and acceptance for the shared concerns of those affected and the company. The Due Diligence Act explains that linguistic and other barriers may need to be removed to enable proper consultation, noting that particular attention must be paid to affected vulnerable people, such as migrants or people with disabilities, whose rights are increasingly under threat.

Risk analysis^v

As part of risk management, enterprises must conduct an appropriate risk analysis to determine the human rights and environmental risks in its business area and those of its direct suppliers. In cases where an indirect direct supplier relationship abuses or circumvents the due diligence requirements, an indirect supplier will be considered a direct supplier.

When identifying the risks, it is at the company's discretion to choose an appropriate method for gathering and assessing information, depending on the risk, industry, and production region. An on-site inspection can make sense when it comes to assessing risks in connection with occupational health and safety, e.g. fire or building safety or suitable protective measures for employees. Discussions with workers or their union representatives can also serve as an important source of information for assessing whether workers' rights are being respected. To this end, information on the impact of entrepreneurships on health, uses of water, and land can be obtained through direct interaction with local residents or their stakeholders, or through appropriate case studies or other expertise.

Once the risk has been determined, the identified human rights and environmental risks must be appropriately weighted and prioritised, as well as taking into account the findings from the processing of information according to §8(1). In consideration of this, enterprises must ensure that the results of the risk analysis are communicated internally to the relevant decision-makers, such as the board of directors or the purchasing department, confirming that they take appropriate account of the results. In regard to frequency, such risk analyses must be carried out once a year, as well as on an ad hoc basis if the enterprise is faced with a significant change, or where a significant increased risk situation is expected in their supply chain, for example the introduction of new products, projects, or a new business field.

As human rights situations are dynamic, risk analyses must be updated at regular intervals, at least on an annual basis. In addition, updated risk analyses must be carried out where required, for example prior to the starting a new job or relationship, the beginning of a strategic decision or change in business activities, where there is an upcoming market entry, a product launch, a change in business principles, or more extensive business changes. An analysis may also be necessary in response to, or in anticipation of, changes in the business environment.

Policy statement and preventive measures^vi

If an enterprise identifies a risk in accordance with §5, it must immediately take appropriate preventive measures which include the adoption of a policy statement and the development of human rights strategies.

Policy statement

A company must adopt a policy statement on its human rights strategy. The policy statement must be adopted by the company's management and contain at least the following elements:

• a description of the procedure by which the company fulfils its obligations under §4(1), §5(1), § 6(3) to (5), and § 7 to 10;
• the priority of human rights and environmental risks identified for the company, with reference to the conventions listed in the Annex; and
• the definition of the human rights and environmental expectations that the company has of its employees and suppliers in the supply chain which should be based on the risk analysis and the conventions listed in the Annex.

The policy statement must be approved at the management level of the company to ensure that the company's management position itself clearly supports the human rights strategy through the declaration. The policy statement must also be communicated to employees, the work councils where applicable, direct suppliers, and the public.

Preventive measures

The company must develop appropriate prevention measures in its own business area, such as:

• the implementation of a human rights strategy setting out in the declaration of principles for the relevant business processes;
• the development and implementation of appropriate sourcing policies and practices which avoid or mitigate identified risks;
• the implementation of training in relevant business operations; and
• the implementation of risk-based monitoring measures to verify compliance with the human rights strategy contained in the declaration of principles.

By way of example, for the implementation of the human rights strategy set out in the declaration of principles for the relevant business processes, the Due Diligence Act recommends that companies create a code of conduct that specifies the applicable standards for employees and describes such standards in a way that is easy to understand.

Specific to suppliers, companies must develop appropriate preventive measures for direct supplier which must include:

• the consideration of human rights and environmental expectations in the selection of a direct supplier;
• contractual assurances from a direct supplier that the latter will comply with the human rights-based management of the company and adequately address them along the supply chain;
• an agreement on the appropriate contractual control mechanisms and the implementation of training and education to enforce the contractual assurances of the direct supplier in line with point two; and
• the implementation of risk-based control measures based on the agreed control mechanisms according to point three in order to verify the compliance of the supplier with the human rights strategy.

When considering compliance checks of direct suppliers, the Due Diligence Act states that such checks can be done by means of on-site inspections, by third parties commissioned to carry out audits, or by using recognised certification systems or audit systems, among other things, insofar as they guarantee the implementation of independent and appropriate controls. Nevertheless, it should be noted that the commissioning of external third parties does not release the company from its responsibilities under the Due Diligence Act.

Lastly, the effectiveness of the preventive measures must be checked once a year, and as required, if the company has a significantly change or expanded risk situation in its own business area or through one of its direct suppliers; for example, this can include the introduction of new products, projects, or a new business area. Findings from the processing of information according to §8(1) must also be taken into account.

Remedial measures^vii

Where an enterprise becomes aware that a breach of a protected legal position or environmental obligation has occurred, or is imminent, in its own business or that of a direct supplier, it must promptly take appropriate corrective measures to prevent such breach, either ending it, or at least minimising an already realised or imminent violation.

In regard to the company's specific business, the remedial actions must lead to the termination of the violation. However, where the violation is from a direct supplier and cannot be stopped in the foreseeable future, the company must immediately create and implement the concept of 'minimisation'. The concept of minimisation requires the development of a concrete timetable, and the consideration of the following during its creation and implementation:

• the joint development and implementation of a corrective action plan with the company causing the violation;
• joining forces with other companies within the framework of industry initiatives and industry standards in order to increase the possibility of exerting influence on the violator; and
• a temporary suspension of the business relationship, while efforts are made to minimise the risk.

Further to the above, the termination of a business relationship is required where:

• the violation is assessed as very serious;
• the implementation of the measures provided in the concept does not bring about a remedy after the time specified has expired, or does not bring about a remedy generally;
• the company has no other mitigating means at its disposal; and
• an increase of influence on the violator does not appear to be promising.

As a final point on remedial measures, their effectiveness must be checked once a year, and as required if the company expects a significantly change or expanded risk situation in their business or by their direct supplier. Where necessary, the measures must be updated immediately. Findings from the processing of information according to §8(1) must also be taken into account.

Complaint procedures^viii

A company must establish and implement a complaint procedure for persons directly affected by their business or direct suppliers' economic activities, and/or in a protected legal position, and inform persons potential affected by the violation obligations. The complaint procedure is meant to enable the abovementioned persons to report violations of the protected legal positions, as well as human rights and environmental obligations. To implement such a complaint procedure companies can set up either an internal complaints procedure, or participate in a corresponding external complaints procedure which can include complaint mechanisms set up across companies by an industry association.

In line with the above, companies should establish procedural rules on this matter. These rules should outline, in writing, the timeframe for each stage of the procedure, and provide clear information on the types of processes involved. Moreover, the persons in charge of executing the procedure should be impartial, as well as independent and bound to secrecy. Regarding transparency, companies must make publicly accessible, clear, and comprehensible information on the accessibility, responsibility, and implementation of the complaint procedure. More specifically, the complaints procedure must be accessible to potential users, maintain the confidentiality of their identity, and ensure effective protection against discrimination or punishment as a result of a complaint. It is recommended that before the procedure is established, companies should conduct a consultation with the target group.

On the subject of notifications, companies must confirm receipt of a complaint and document it. The Due Diligence Act clarifies that companies are required to discuss the violations with the directly affected person, noting that companies may choose to offer a settlement to amicably resolve the dispute, which may help the company avoid reputational harm. More generally, companies are under an obligation to check and ensure, at least once a year, that the complaints procedure is effective. Where the company expects or is experiencing significant risk in its business as a result of the introduction of new products, projects, or venturing into a new business area, the complaints procedure should be amended to reflect this.

Indirect suppliers^ix

For indirect suppliers, companies must ensure that the complaints procedure outlined above is set up in a way to include anyone who may be injured or in a protected legal position as a result of the economic activities of the indirect supplier, and enable persons aware of a potential breach or breach of environmental obligations to report it.

Where a company has substantiated knowledge of violations by its indirect suppliers, it must:

• adapt its risk management procedures as stipulated under §4;
• carry out a risk analysis in accordance with §5;
• implement appropriate preventive measures as described under §6;
• a concept for minimising and avoiding the violation; and
• where necessary, update the policy statement according to §6.

For clarity, the Due Diligence Act explains that substantial knowledge can be assumed where a company has an actual indication of the indirect supplier's violations which may include information derived through the complaints procedure, the company's own investigation, information obtained from the responsible authority, or through other sources of information. On the other hand, actual indications can be, for example, reports on the poor human rights situation in the production region, the affiliation of an indirect supplier to an industry with particular human rights or environmental risks, and previous incidents by the indirect supplier.

Importantly, the company has the discretion to choose the appropriate preventive measures, but should be guided by the provisions of §6. Thus, appropriate preventive measures may include informing its indirect suppliers of the human rights expectations and environmental obligations that should be fulfilled. Additionally, the company can assist the indirect supplier to implement appropriate measure to prevent and avoid risk which may help build stable business relationships.

Moreover, the company is required to update its policy statements according to §6(2). The policy statement may be adjusted in relation to the identified risks in the supply chain or with respect to human rights expectations that the company has towards its suppliers.

Documentation, reporting requirements, and retention^x

Companies are under an obligation to document compliance with the due diligence obligations outlined under §3. The report must be made publicly accessible on the company's website no later than four months after the end of the financial year, free of charge, and for a period of seven years. Importantly, however, companies are not required to make such report public where it may contain sensitive information, such as trade secrets. Additionally, the compliance report may serve as evidence of the company's fulfilment of its due diligence obligations.

Moreover, a company is required to make an annual report on the fulfilment of its due diligence obligations in the fiscal year, which must include in a comprehensible manner:

• if the company has, or is facing any, human rights and environmental risks and the specific types of human rights and environmental risks faced;
• the actions that the company has taken to fulfil its due diligence obligations described under §§4 to 9 as well as any measures it has taken with respects to any complaints made under §8;
• how the company assesses the impact and effectiveness of its measures; and
• the conclusions drawn from its evaluation for future reference.

The report should also provide information on all steps of the risk analysis showing the types of risks identified, the preventive and remedial measures the company has taken to counter the risks with respect to direct and indirect suppliers, and the reasons for taking such steps. If a company fails to identify any risks, it must state so in the report.

Moreover, the compliance report under §10(1) must be submitted in German and electronically, via a portal provided by the Federal Office of Economics and Export Control ('the Federal Office'), no later than four months after the end of the company's financial year. Furthermore, the Federal Office has the authority to check whether the annual report under §10(2) is available on the company's website, and whether the report follows the criteria outlined under §10(2) and (3). If the annual report does not contain provisions outlined under §10(2) and (3), the Federal Office has the power to order the company to amend the annual report accordingly within a reasonable time.

Penalties^xi

In administrative proceedings for responsible persons penalties will be up to €50,000.

In addition, the Due Diligence Act outlines various violations, ranging from least negligent acts to the intent to commit the violations, which attract different fines. These violations include, for natural persons, the failure to make a determination of internal responsibility, wrongly conducting risk analyses with respect to manner and time, to carry out inspections, to update measures, as well as violations of an enforceable order under §13, which attracts fines of up to €500,000.

Additionally, for natural persons, failing to take the remedial actions, develop, and implement preventive measures, when working with a company that is violating the Due Diligence Act, to implement complaint procedures, to minimise and avoid the violation of a protected legal position after a company became aware of possible infringements, and/or taking remedial actions attracts fines of up to €800,000.

Furthermore, the failure to keep the required documentation and for the required period, to prepare a correct report under §10(2) and make it publicly available, as well as to submit the due diligence report under §12 attracts a fine of up to €100,000.

Finally, §24(3) of the Due Diligence Act notes that, in the case of violations for failing to implement remedial measures and to develop and implement preventive measures, when working with a company that is in violation of the Due Diligence Act as required under §7(2)(1), a legal entity with an annual turnover of more than €400 million, is liable to a fine of up to 2% of the average annual turnover. Such fines may amount up to €5 million.

Importantly, before fines are applied, there has to be an assessment on the nature of the offence, the economic circumstances of the legal entity, the intentions of the violator, the duration of the administrative offence, the number of violators, the effects of the administrative offence, previous offences the violator is responsible for, and the measures taken by the violator to uncover the offence and repair any damage caused, among other things.

Next steps

The Due Diligence Act will enter into force on 1 January 2023.

In addition, the Due Diligence Act clarifies that it will apply to companies with 3,000 or more employees from 1 January 2023, and companies with 1,000 or more employees from 1 January 2024.^xii

Keshawna Campbell Lead Privacy Analyst
[email protected]
Wangari Thuo Privacy Analyst
[email protected]

i. Part 1 §1(1)(1) and (2) and Part B on §1 Scope of Application
ii. Part 1 §1(2)(2)
iii. Part 1 §3(1) and Part B on §3 Duty of Care
iv. Part 1 §4 and Part B on §4 Risk Management
v. Part 1 §5 and Part B on §5 Risk Analysis
vi. Part 1 §6 and Part B on §6 Policy Statement and Preventive Measures
vii. Part 1 §7(1)
viii. Part 1 §8(1) and Part B on §8 Complaint Procedures
ix. Part 1 §9 and art B on §9 Indirect Suppliers
x. Part 1 §10 and Part B on §10 Documentation and Reporting
xi. Part 1 §23, 24, and Part B on §24 Regulation of Fines
xii. Part 1 §1