Businesses around the globe, including those situated in Germany, continue to face difficulties because of disruptions in their supply chain created, in particular, by COVID-19 and the war in Ukraine.

To add to that, the new German Supply Act on Corporate Diligence Obligations in Supply Chains (the "Act") is likely to place further pressure on companies because of the steps that they are required to take to ensure compliance.

In this alert, we explain which companies the Act will apply to and what obligations compliance with it will entail.

Which Businesses Will the Act Affect and When?

The Act, which applies from 1 January 2023, sets out how companies must comply with their due diligence obligations in the field of human rights along their entire supply chain. This involves analysing human rights-related risks, taking measures to prevent and mitigate human rights violations, setting up grievance mechanisms and reporting on their activities. In this context, environmental concerns are also relevant when they lead to human rights violations (e.g., through poisoned water) or serve to protect human health.

Accordingly, companies must assess their obligations in their own field of business and vis-à-vis their direct suppliers. Suppliers are involved indirectly as soon as a company receives substantiated reports of human rights or environmental violations at that level.

The Act applies as follows:

  • As of 1 January 2023 companies that have their central administration, their principal place of business, their administrative headquarters or their statutory seat in Germany or companies that have a branch in Germany and in each case usually employ at least 3,000 employees in Germany will have to comply with the Act. According to estimates, this affects approximately 700 companies.
  • From 1 January 2024 the Act will affect smaller businesses and apply to companies with at least 1,000 employees that have their central administration, their principal place of business, their administrative headquarters or their statutory seat in Germany or companies that have a branch in Germany. According to estimates, this affects approximately 2,900 companies.

The Act also applies to German subsidiaries of foreign companies if the subsidiary exceeds the above-mentioned thresholds and has its registered office in Germany.

It should be noted that all group companies in Germany are included in the calculation of the number of employees. Temporary workers are only included in the calculation if the duration of the assignment exceeds six months.

Requirements Under the Act in Relation to Risk Management

Under the Act, a specific risk management strategy is required. Companies must analyse and assess their risks within their supply chains to be able to take appropriate measures to manage these risks. The Act identifies the following Environmental, Social, and [Corporate] Governance (ESG) criteria as relevant risk areas: child labour, forced labour, occupational health and safety, problematic employment and working conditions, freedom of association, discrimination, minimum wage, life, health, unlawful seizure of land and waters, torture, and environmental damage.

The risk analysis must be carried out by companies at least once a year and on an ad hoc basis (e.g., when introducing a new product/service). As part of their risk management, companies must first conduct an analysis of their own human rights and environmental risks and the identical risks of their direct suppliers.

In addition, the compliance obligations also relate to indirect suppliers. An indirect supplier is any company that is not a direct supplier and whose supplies are necessary for the manufacture of the enterprise's product or for the provision and use of the relevant service.

The due diligence obligations only apply on an ad hoc basis and only if the company has actual indications of a possible violation ("substantiated knowledge"). The company can obtain substantiated knowledge through, for example, external sources such as press articles or complaints. In that case, the company must immediately conduct a risk analysis, implement a process for minimization and prevention and implement appropriate preventive measures vis-à-vis the polluter.

Based on the risk analysis, companies must take or review appropriate preventive and remedial measures. This applies, for example, to supplier selection and monitoring, the creation of codes of conduct, the implementation of training courses and sustainable contract drafting. Because of the risk analysis, companies must take measures to prevent, minimize and remedy any identified negative impacts on human rights and the environment. These preventive measures include:

  • Implementing an appropriate procurement strategy
  • Considering the supplier's compliance with human rights and environmental standards when selecting a supplier
  • The assurance of a supplier's compliance with human rights and environmental requirements
  • Agreeing on appropriate contractual control mechanisms with the supplier
  • Implementing risk-based control measures

Steps a Company Can and Should Take If a Supplier is in Breach

In the event of a violation by a direct or indirect supplier, a company has a few options. It can immediately draw up and implement a process to minimize the human rights and environmental violations either by creating and implementing a plan to remedy the violation in cooperation with the supplier causing the violation or by developing solutions within the framework of industry initiatives and industry standards to increase the company's ability to exert influence on the supplier causing the violation. If the violation of a human rights-related or an environmental obligation at a direct supplier is such that the company cannot end it in the foreseeable future, it must immediately draw up and implement a concept to end or minimise it.

Alternatively, it may decide to temporarily suspend the business relationship with the supplier while efforts are made to mitigate the risk.

Terminating the business relationship is a last resort but is required if:

  • The violation is judged to be very serious
  • The process implemented to remedy the violation has not remedied it by the intended time
  • The company has no other mitigating means at its disposal and an increase in its ability to exert influence does not appear promising

What Due Diligence Obligations Are Required?

The due diligence obligations for companies include:

  • Establishing a risk management system
  • Designating a responsible person or persons within the company
  • Conducting regular risk analyses and issuing a policy statement
  • Laying down preventive measures
  • Taking remedial action and establishing a complaints procedure
  • Documenting and reporting

Accordingly, the effectiveness of the preventive and remedial measures must be reviewed annually and on an ad hoc basis, such as at the introduction of new products, projects or a new field of business.

In this regard, companies should establish, implement and publish a complaint mechanism in writing through which (potentially) affected persons and persons with knowledge of possible violations can point out human rights risks and violations.

In addition, companies should continuously document their compliance with the due diligence requirements under the Act and retain the relevant records for at least seven years.

Companies are also legally bound to prepare an annual report on the actual and potential negative impacts of their business activities on human rights and the environment and submit it to the supervisory authority, the German Federal Office for Economic Affairs and Export Control (BAFA). The report must also outline which measures the company has taken to fulfil its due diligence obligations. Notably, companies are required to publicly disclose the report on their website for a period of seven years.

BAFA can act at the request of an affected person or on its own initiative and can impose measures on a company to ensure compliance with human rights standards. Toward this end, it has extensive rights to information and access and the company concerned must support it in enforcing the compliance measures.

Fines for violations of due diligence and reporting obligations are up to €8 million, depending on the nature and extent of the violation. Companies with an average annual turnover of more than €400 million may be fined up to 2% of their average annual turnover for breaches of the obligation to take remedial action or to implement an appropriate remedial action plan at a direct supplier.

Ultimately, trade unions and non-governmental organizations can be granted the authority to conduct litigation for an affected party. Anyone along the supply chain can be affected, not just the employees of the obligated company or of the direct supplier.

Action Points

The Act imposes several obligations on German businesses that could threaten those businesses if the risks are not identified, assessed, and addressed appropriately. For most businesses, carrying out a compliance audit of their supply chain generally and implementing measures to address identified risks will help to protect the business and ensure that it remains resilient.

As the new law includes broad, complex and vaguely worded legal concepts, guidance on its implementation issued by BAFA carries significant weight. So far, BAFA has published two handouts and a questionnaire. The handouts contain useful information for companies but are unspecific on certain provisions of the law. The questionnaire is designed to be used by companies for generating a complete report to be submitted to BAFA to fulfil their reporting obligations, as outlined in the law. It remains to be seen how BAFA will deal with the still considerable legal uncertainty of how companies are supposed to achieve compliance with the law and whether this will be reflected in BAFA's enforcement approach during the initial phase. However, relevant companies should start implementing measures now.