Frank Hülsberg
Burkhard Fassbach

This past summer, the German legislature passed the Supply Chain Act, in order to require German businesses to comply with due diligence obligations to improve compliance with human rights and material standards within supply chains. In the following guest post, Frank Hülsberg, a Chartered Accountant and Tax Advisor in Düsseldorf, Partner Advisory and Member of the Executive Board at Grant Thornton AG Wirtschaftsprüfungsgesellschaft in Germany, and Burkhard Fassbach, a Senior Manager in the Governance, Risk, Compliance & Technology department at Grant Thornton in Frankfurt, review the Act’s requirements and consider its implications. I would like to thank Frank and Burkhard for allowing me to publish this article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Frank and Burkhard’s article.




On June 11, 2021, the German parliament passed the Supply Chain Act. The law will come into force on January 1, 2023. The Supply Chain Act will impose due diligence obligations on companies to respect human rights and protect the environment. The German Federal Ministry of Labor and Social Affairs, as the responsible department, has provided an English translation of the text of the law, which can be accessed here.


Scope of application – § 1: As of January 1, 2023, the Act applies to companies, regardless of their legal form, that (1) have their head office, principal place of business, administrative headquarters, or registered office in Germany, and (2) generally employ at least 3,000 employees. As of January 1, 2024, the law applies to companies with generally 1,000 or more employees. The obligation always applies to the parent company in Germany. Employees of all companies belonging to the group worldwide must be taken into account when calculating the number of employees of the group parent.


Human rights – § 2: Human rights within the meaning of this Act are those arising from the conventions listed in points 1 to 11 of the Annex. Human rights risk is a condition in which, based on factual circumstances, there is a reasonable probability of a violation of one of the following prohibitions: 1) Prohibition of child labor below minimum permissible age, 2) Prohibition of worst forms of child labor for children under 18 years of age, 3) Prohibition of slavery, practices similar to slavery, 4) Forced labor, 5) Disregard of labor protection, 6) Discrimination (age, race, disability), 7) Withholding of adequate wages, 8) Disregard of freedom of association (trade unions), 9) Causing harmful soil change, water and air pollution, harmful noise emissions and excessive water consumption, 10) Unlawful eviction/extraction of land, forests, waters, 11) Hiring or using private or public security forces, 12) Omission in breach of duty above and beyond this


Definition of the supply chain – § 2 para. 5: The supply chain within the meaning of this Act refers to all products and services of a company. It includes all steps at home and abroad that are necessary to manufacture the products and provide the services, starting with the extraction of the raw materials and ending with the delivery to the end customer, and covers 1. the actions of a company in its own business area, 2. the actions of a direct supplier and 3. the actions of an indirect supplier.


Duties of care – § 3: The duties of care include: The establishment of a risk management system (§ 4 (1)), the definition of an in-house responsibility (§ 4 (3)), the performance of regular risk analyses (§ 5), the adoption of a policy statement (§ 6 (2)), the establishment of preventive measures in the company’s own business area (§ 6 (1) and (3)) and vis-à-vis direct suppliers (§ 6 (4)), taking corrective action (§ 7 (1) to (3)), establishing a complaints procedure (§ 8), implementing due diligence with regard to risks at indirect suppliers (§ 9) and documentation (§ 10 (1)) and reporting (§ 10 (2)).


Risk Management – § 4 – provides that appropriate and effective risk management must be established and embedded in all relevant business processes through appropriate measures. Companies must appoint a human rights officer. Management must regularly, at least annually, obtain information on the work of the responsible person or persons.


Risk Analysis – § 5: With an appropriate risk analysis, the human rights and environmental risks in the own business area as well as with direct suppliers are to be identified. The risks are to be weighted and prioritized appropriately. The results of the risk analysis must be communicated internally to the relevant decision-makers, such as the Management Board or the Purchasing Department. The risk analysis must be carried out once a year and on an ad hoc basis.


Policy statement and preventive measures – § 6: If a company identifies a risk as part of a risk analysis, it must immediately take appropriate preventive measures. The company must adopt a policy statement on its human rights strategy and anchor appropriate preventive measures in its own business operations. With the development and implementation of appropriate procurement strategies and purchasing practices, identified risks are to be avoided or mitigated. Training must be provided in the relevant business areas. The implementation of risk-based control measures shall be used to verify compliance with the human rights strategy contained in the Declaration of Principles in the company’s own business area. The company must anchor appropriate preventive measures vis-à-vis a direct supplier. Human rights and environmental expectations must be taken into account when selecting a direct supplier. Contractual assurances are required from an immediate supplier that it will comply with the human rights and environmental requirements demanded by the company’s management and address them appropriately along the supply chain. Agreeing appropriate contractual control mechanisms and conducting training and education to enforce the immediate supplier’s contractual assurances are also required. Also required is the implementation of risk-based control measures, based on the agreed control mechanisms, to verify compliance with the human rights strategy at the immediate supplier. The effectiveness of the preventive measures must be reviewed once a year and on an ad hoc basis.


Remedial action – § 7: In the company’s own business area, the remedial action must lead to an end to the violation. If the nature of the breach at a direct supplier is such that the company cannot end it in the foreseeable future, it must immediately create and implement a concept for minimization. Provision is made for temporary suspension of the business relationship while efforts are made to minimize the risk. The termination of a business relationship is only required if the violation of a protected legal position or an environmental obligation is judged to be very serious, the implementation of the measures developed in the concept does not provide a remedy after the time specified in the concept has elapsed, no other milder means are available to the company, and an increase in the company’s ability to exert influence does not appear promising.


Complaints procedure – § 8: The company must ensure that an internal complaints procedure is in place that enables persons who are directly affected by economic activities in the company’s own business area or by economic activities of a direct supplier or whose protected legal position may be violated, as well as persons who have knowledge of the possible violation of a protected legal position or an environmental obligation, to point out human rights and environmental risks or violations.


Indirect suppliers – Section 9: If the company obtains substantiated knowledge of a possible violation of a protected legal position or an environmental obligation at indirect suppliers, it must immediately 1. carry out a risk analysis in accordance with Section 5 Paragraphs 1 to 3, 2. establish appropriate preventive measures within the meaning of Section 6 vis-à-vis the originator, 3. draw up and implement a concept for minimizing and avoiding the violation of a protected legal position or environmental obligation and 4. update its policy statement accordingly if necessary.


Duty of documentation and reporting – § 10: The fulfillment of due diligence obligations must be documented on an ongoing basis within the company. The company shall prepare an annual report on the fulfillment of its due diligence obligations in the previous fiscal year.


Sanctions: Compliance with the statutory due diligence requirements is monitored by the German Federal Office of Economics and Export Control (BAFA). Violations can lead to various official orders and measures (Section 24). Companies with more than 400 million euros in annual sales may be subject to fines of up to 2 percent of global annual sales. Further sanctions that may also be threatened include exclusion from the award of public contracts for up to three years (Section 22 Due Diligence Act, Section 124 ARC), a levy of assets (Section 29a OWiG) and entry in the competition register (Section 125 ARC).


Litigation status under Section 11 is intended to allow trade unions and non-governmental organizations (NGOs) to represent the interests of an affected party. However, this instrument does not create any new claims. A breach of the duties under the Due Diligence Act does not in itself give rise to civil liability. Independently existing bases for claims, e.g. under tort law, remain unaffected. The explanatory memorandum to the Act clarifies that the Due Diligence Act is not intended to constitute a protective law within the meaning of Section 823 (2) of the German Civil Code. Liability in tort exists only for own breaches of duty. Suppliers are not vicarious agents within the meaning of § 831 BGB. Joint liability according to § 830 BGB requires intent. There is no third-party protection through Codes of Conduct and compliance clauses.


Recommendations for action: Companies can minimize the risks of fines and exclusion from public tenders through an effective compliance management system (CMS). (1) Code of Conduct for suppliers (as a preventive measure), (2) Internal compliance guideline on human rights and supply chain as well as purchasing, (3) Due diligence check for individual suppliers, (4) Compliance clauses in contracts with suppliers, (5) Whistleblowing hotline for reporting possible human rights violations in the company and in the supply chain, (6) Training on working with suppliers and potential risks for human rights violations in the supply chain, (7) Competitive partnerships with competitors to discuss industry-specific risks of human rights violations in the supply chain, (8) Processes for responding to and remediating legal and/or compliance violations.


Practice note: The Federal Office of Economics and Export Control (BAFA) has published guidance in German for the implementation of the law:


Catalog with general questions: here.


Handout for risk analysis: here.


Catalog of questions for reporting: here.


Handout for the complaints procedure: here.


EU initiative: Last but not least, we provide an outlook on EU supply chain law: On February 23, 2022, the EU Commission presented its proposal for a law on corporate sustainability obligations, the so-called EU Supply Chain Act. The EU Supply Chain Act goes significantly beyond the German Supply Chain Act (LkSG), which will apply from January 2023: with 500 or 250 employees, significantly more European companies fall under the regulation than under the German Act, which only applies to German companies with more than 3,000 employees (more than 1,000 employees from 2024). The EU directive requires companies to audit the entire supply chain, not just direct suppliers as in the German supply chain law. The new EU regulation includes civil liability for companies. Affected parties can thus sue for damages in European courts.