Questions and Answers on the Due Diligence in Supply Chains Act
Current developments in the area of due diligence legislation - both in Germany and at the EU level - raise many questions. Below we answer some of the most important questions.
This content represents the Helpdesk on Business & Human Rights’ understanding of the Supply Chain Due Diligence Act, which you can download here. For individual, free of charge and confidential advice for your company or our other support services, please contact us directly.
- The German National Action Plan on Business and Human Rights (NAP) already exists. Why now also a Supply Chain Due Diligence Act?
- Which companies are affected by the German Supply Chain Due Diligence Act?
- Which due diligence obligations must companies covered by the law implement?
- To which part of the supply chain do the due diligence obligations apply?
- Will German companies now be held liable for what their suppliers do abroad?
- What is meant by "substantiated knowledge" of possible human rights violations, and what is the company then expected to do?
- The draft law refers to "adequate" implementation of due diligence obligations. What is meant by "adequacy"?
- What are the consequences for smaller German companies - especially SMEs - that supply to larger companies affected by the law?
- "With this law, the responsibility that actually lies with the state is shifted to companies. As an individual company, I cannot do anything to change difficult situations in individual countries."
- In many countries, the human rights standards differ from those in Germany. Why are companies required to implement higher standards abroad than those that apply locally?
- A law could result in German companies withdrawing from developing countries. Surely that is not the intention?
- What are the reporting obligations for affected companies? How is it ensured that the effort required for this is reasonable?
- Who controls the law and how?
- Are there sanctions for companies?
- How does the German draft law relate to the current EU legislative process?
The German National Action Plan on Business and Human Rights (NAP) already exists. Why now also a Supply Chain Due Diligence Act?
In order to live up to its responsibility to protect human rights, the German government published the National Action Plan for Business and Human Rights (NAP) in 2016 - the implementation of the UN Guiding Principles on Business and Human Rights for Germany.
The NAP was an important first step and relied on companies implementing the requirements on a voluntary basis.
The status of this voluntary implementation was reviewed from 2018 to 2020 as part of a broad-based monitoring process. The process examined the extent to which companies based in Germany with more than 500 employees fulfil their human rights due diligence obligations as required by the NAP.
The results showed that only 13 to 17 percent of the companies reviewed fulfilled the NAP requirements, which means that the target set by the federal government of at least 50 percent "NAP compliance" was missed.
For this case, the coalition agreement provides for the German government to take legislative action and also advocate for binding due diligence obligations at the European level.
More information on the NAP can be found here.Our answers
Which companies are affected by the German Supply Chain Due Diligence Act?
The draft provides that the following companies are covered by the law:
- Businesses, regardless of their legal form, which have their head office, principal place of business, administrative headquarters or registered office in Germany.
- Foreign companies with a seat or main office in German in the meaning of section 13d of the Commercial Code if they have at least 3,000 or 1,000 employees.
- Starting in 2023: Companies with at least 3,000 employees (incl. temporary workers), i.e. approx. 600 companies in Germany.
- Starting in 2024: companies with at least 1,000 employees (incl. temporary workers), approx. 2,891 companies in Germany.
In the case of affiliated enterprises (within the meaning of Section 15 of the German Stock Corporation Act), the employee figures are taken into account jointly. Employees who are posted abroad are considered as well.Our answers
Which due diligence obligations must companies covered by the law implement?
Companies under the scope of the law are obliged to apply appropriate due diligence throughout the supply chain. They are to establish a due diligence system that is based on the core elements of human rights due diligence of the German National Action Plan for Business and Human Rights (NAP).
According to Section 3 of the draft law, the due diligence obligations include:
- Establishment of a human rights risk management system
- Definition of an in-house responsibility
- Regular risk analyses (once a year and on an ad hoc basis)
- Establishment of preventive measures in the company’s own operations and with direct suppliers
- Implementation of remedial action
- Establishment of grievance mechanisms
- Implementation of risk-based due diligence with indirect suppliers
- Documentation and reporting
Companies are required to review the effectiveness of preventive measures, remedial action and the grievance mechanisms on an annual basis or when significant changes arise.Our answers
To which part of the supply chain do the due diligence obligations apply?
The due diligence obligations for companies in general relate to the entire supply chain, but in practice are graduated:
- Own operations and direct suppliers (direct contractual partners): Duty to carry out risk analysis, preventive and remedial measures.
- Indirect suppliers (in the deeper supply chain to the raw material supplier): Duty to carry out risk analyses, preventative and remedial measures only if the company has "substantiated knowledge" (see question 6) of a human rights violation.
Affiliated enterprises in the meaning of section 15 of the Stock Exchange Act on which the company exercises a decisive influence are part of the company’s own business operations. The supply chain is defined from the extraction of raw materials to the delivery of the product or service to the end customer. It covers "all steps in Germany and abroad that are necessary to manufacture the products and provide the services". This also includes the use of required services, such as the transport or intermediate storage of goods.Our answers
Will German companies now be held liable for what their suppliers do abroad?
Companies are not expected to guarantee that they will remediate all risks in the supply chain. However, companies are expected to take a close look at the risks in their supply chains and to take appropriate action, such as training, to eliminate or mitigate the risks.
In addition, there shall be no liability for the actions of third parties in the supply chain. It is already possible in principle to hold companies liable under German or foreign law; there are no plans to change the basis for liability under civil law. Since the existing bases of liability were not created for human rights violations in value chains, this is difficult in practice and much is unclear in this context. The law as passed now clarifies that the law does not create additional bases of liability.
What is new in the draft law is that those affected have the possibility to authorise domestic trade unions and non-governmental organisations (NGOs) to represent them in civil cases by means of the legal instrument of representative action. The trade union or NGO must have a permanent presence of its own, must be not—for-profit and, according to its statutes, must be engaged in human rights work on a more than temporary basis.Our answers
What is meant by "substantiated knowledge" of possible human rights violations, and what is the company then expected to do?
Companies must implement due diligence processes for indirect suppliers (with whom they have no direct contractual relationship) if they have "substantiated knowledge" of possible human rights violations in the lower supply chain.
The law defines "substantiated knowledge" as " factual indications that make the violation of a human rights or environmental obligation at an indirect supplier appear possible". This is "verifiable and serious information about a possible human rights or environmental violation".
For example, these factual indications can include:
- The company has received information through its grievance mechanisms
- The relevant authority has informed the company
- Human rights organisations report on abuses
- It is generally known that there are particular human rights risks in the region or industry of the indirect supplier
- There have been incidents at the indirect supplier in the past.
If substantiated knowledge exists, the company must:
- Conduct a risk analysis
- Establish appropriate preventive measures with regard to the perpetrator of the violation
- Establish and implement a concept to minimise and prevent the relevant violation
- Repeat its policy statement as appropriate.
The draft law refers to "adequate" implementation of due diligence obligations. What is meant by "adequacy"?
The question of adequacy often arises in the context of what influence, for example, a company has over a much larger supplier. Basically, when implementing due diligence - i.e. risk analysis, preventative and remedial measures - "the appropriate way of acting in accordance with the due diligence obligations" is defined by the following criteria:
- The nature and extent of the business activity
- The company's ability to influence the direct perpetrator of the violation
- The typically expected severity of the violation, the reversibility of the violation, and the likelihood of the violation.
- The nature of the causal contribution to the risk.
The use of this flexible term is intended to take into account the fact that companies and their supply chains vary widely.Our answers
What are the consequences for smaller German companies - especially SMEs - that supply to larger companies affected by the law?
If smaller companies are direct suppliers to companies covered by the Act, they may be affected by due diligence obligations through their contractual relationship (in which, for example, human rights-related expectations may be enshrined).
However, according to the draft law, many obligations by their nature cannot be passed on. For example, even if a large buyer covered by the law requires a smaller supplier to analyse risks to a certain extent, the smaller company is not subject to reporting and disclosure obligations to the relevant authority and the public. Nor would it be subject to control measures or sanctions by the BAFA.
Numerous support services are already available for small and medium-sized enterprises. For example, the Helpdesk on Business & Human Rights offers individual, free and confidential advice on behalf of the Federal Government on how to implement human rights due diligence in business processes.
In addition, there is a new online tool, the SME Compass, which is specifically geared to the requirements of SMEs and provides support in implementing human rights due diligence.Our answers
"With this law, the responsibility that actually lies with the state is shifted to companies. As an individual company, I cannot do anything to change difficult situations in individual countries."
The requirements of the German Supply Chain Due Diligence Act are based on the UN Guiding Principles on Business and Human Rights. This internationally recognised reference framework clearly stipulates that
- states have a duty to protect human rights ("state duty to protect"), and
- companies have a responsibility to respect human rights ("corporate due diligence").
The German Supply Chain Due Diligence Act provides companies with a clear, proportionate and reasonable legal framework for fulfilling human rights due diligence obligations, based on requirements of the UN Guiding Principles.
Many companies have already addressed the requirements for human rights due diligence and implemented corresponding processes since the publication of the UN Guiding Principles or the NAP. More than 70 companies have also spoken out in favour of a clear German regulation.
The advantages of a law are seen above all in legal clarity, transparency and a level playing field.Our answers
In many countries, the human rights standards differ from those in Germany. Why are companies required to implement higher standards abroad than those that apply locally?
Companies are not required to ensure that all human rights are fully guaranteed to all people employed in their operations and supply chains. The duty to protect human rights lies with the state, primarily with the state in which the people live.
In this respect, companies are not expected to guarantee similar human rights standards in other countries as for example in Germany.
However, it is expected that an "adequate and effective" risk management system is established with regard to risks to human rights and environmental obligations (Section 4 para. 1).
Adequacy is based on the following criteria: The nature and extent of the business activity, the company's ability to influence the direct perpetrator of the violation, the typically expected severity of the violation, the reversibility of the violation, and the likelihood of the violation occurring as well as the nature of the causal contribution to the risk (Section 3 para. 2).
According to Section 4 para. 2, "effective" means "measures that make it possible to identify and minimise human rights and environmental risks, prevent, end or minimise violations of human rights and environmental obligations, if the company has caused or contributed to these risks, violations within the supply chain".Our answers
A law could result in German companies withdrawing from developing countries. Surely that is not the intention?
The principle of “engagement before disengagement" ("Befähigung vor Rückzug") is explicitly enshrined in the law. This means that companies are encouraged not to withdraw from regions with weak standards, but to work locally with their suppliers or within the industry to minimise risks.
Even in cases of serious human rights violations, termination of the business relationship is only warranted if the following factors are present:
- Serious violation
- Attempts to mitigate the risk fail within the time specified
- No other milder mitigating means are available
- The increase of influence is not promising
The law now clarifies that the fact alone that a state has not ratified the relevant treaties does not require a termination of the business relationship. In addition, there are other reasons why companies operate in certain countries. For example, relocating industrial production to Germany seems unlikely given the labour costs and costs of environmental regulations. Moreover, raw materials cannot be extracted in all countries.Our answers
What are the reporting obligations for affected companies? How is it ensured that the effort required for this is reasonable?
Companies must submit an annual report to the BAFA (Federal Office for Economic Affairs and Export Control) on the implementation of due diligence obligations; they must also publish a report online.
The report must provide comprehensible information on:
- Which human rights and environmental risks the company has identified
- What the company has done to fulfil its due diligence obligations
- How the company assesses the impact and effectiveness of the measures taken
- What conclusions it draws from the assessment for future action.
The report must be made publicly available online no later than four months after the end of the fiscal year and must be available for seven years. Business and trade secrets must be duly protected.
An electronic reporting format is being developed. Existing reporting obligations (e.g. CSR reporting) are to be integrated into it in order to avoid parallel structures.
"Recognition mechanisms" for existing certification systems are also being discussed.Our answers
Who controls the law and how?
The implementation of the law is controlled by the Federal Office for Economic Affairs and Export Control (BAFA).
Companies must submit their report at least four months after the end of the fiscal year; the authority reviews the reports and also carries out inspections.
The authority can require companies to take concrete action, demand a plan within three months, summon persons and demand information, enter business premises and inspect and examine documents and records.
For enforcement purposes, the authority can impose periodic penalty payments. These can amount to up to 50,000 euros.Our answers
Are there sanctions for companies?
The law provides for fines if companies act contrary to regulations (intentionally or negligently).
The draft law lists cases such as if a risk analysis is not carried out or is incomplete, corrective measures are not taken or are not taken in time or if documentation is not carried out.
In addition, companies can be excluded from public contracts for up to three years.Our answers
How does the German draft law relate to the current EU legislative process?
In April 2020, EU Justice Commissioner Reynders announced a draft for the EU-wide binding legislation of due diligence in supply chains. At the same time, the European Parliament's Legal Affairs Committee prepared a draft report with a proposal for a European regulation. Then, in March 2021, the European Parliament voted by a clear majority (504 out of 695 votes) in favour of the "Legislative Report on Human Rights and Environmental Due Diligence of Businesses". This means that the European Parliament recommends to the EU Commission to introduce a European directive on due diligence. The next step is for the EU Commission to present a draft directive in autumn 2021.
At present, it is not possible to anticipate the design of a European legislation. However, current developments suggest that a European legislation will provide for more far-reaching obligations for companies.
For example, the planned European directive is to apply to companies with 250 or more employees, but also to listed companies as well as companies of any size operating in risk areas. The due diligence obligations - which explicitly include environmental and governance risks - apply to the entire value chain. In addition, the proposed directive provides for member states to amend their civil liability legislation so that affected persons can claim damages from companies if companies fail to comply with their due diligence and cause damages.
As a directive, these must be transposed into the national law of the member states. Currently, the proposed directive provides for an implementation period of 2 years. This may also create a need for adaptation of the German Supply Chain Due Diligence Act.Our answers