Frequently Asked Questions on the Due Diligence in Supply Chains Act
The current regulatory developments in the area of corporate human rights due diligence - both in Germany and at the EU level - raise many questions. Below we answer some of the most important questions.
This content represents the Helpdesk on Business & Human Rights’ understanding of the German Supply Chain Due Diligence Act, which you can download here. For individual, free of charge and confidential advice for your company or our other support services, please contact us directly.
In order to live up to its responsibility to protect human rights, the German government published the National Action Plan for Business and Human Rights (NAP) in 2016 - the implementation of the UN Guiding Principles on Business and Human Rights for Germany.
The NAP was an important first step and relied on companies implementing the requirements on a voluntary basis.
The status of this voluntary implementation was reviewed from 2018 to 2020 as part of a broad-based monitoring process. The process examined the extent to which companies based in Germany with more than 500 employees fulfil their human rights due diligence obligations as required by the NAP.
The results showed that only 13 to 17 percent of the companies reviewed fulfilled the NAP requirements, which means that the target set by the federal government of at least 50 percent "NAP compliance" was missed.
For this case, the coalition agreement provides for the German government to take legislative action and also advocate for binding due diligence obligations at the European level.
More information on the NAP can be found here.
The Supply Chain Due Diligence Act provides that the following companies are covered by the law:
- Businesses, regardless of their legal form, which have their head office, principal place of business, administrative headquarters or registered office in Germany.
- Starting in 2023: Companies with at least 3,000 employees (incl. temporary workers), i.e. approx. 600 companies in Germany.
- Starting in 2024: companies with at least 1,000 employees (incl. temporary workers), approx. 2,891 companies in Germany.
- Foreign companies with a seat or main office in Germany within the meaning of section 13d of the German Commercial Code if this seat or office has at least 3,000 or 1,000 employees.
In the case of affiliated enterprises (within the meaning of Section 15 of the German Stock Corporation Act), the employee figures are considered jointly. Temporary workers and employees who are posted abroad are counted as well.
Companies under the scope of the law are obliged to apply appropriate due diligence throughout the supply chain. They are to establish a due diligence system that is based on the core elements of human rights due diligence of the German National Action Plan for Business and Human Rights (NAP).
According to Section 3 of the Supply Chain Due Diligence Act, the due diligence obligations include:
- Establishment of a risk management system
- Definition of an in-house responsibility
- Regular risk analyses (once a year and on an ad hoc basis)
- Establishment of preventive measures in the company’s own operations and with direct suppliers
- Implementation of remedial action
- Establishment of grievance mechanisms
- Implementation of risk-based due diligence with indirect suppliers
- Documentation and reporting
Companies are required to review the effectiveness of preventive measures, remedial action and the grievance mechanisms on an annual basis or when significant changes arise.
The due diligence obligations for companies in general relate to the entire supply chain, but in practice are graduated:
- In its own operations and with direct suppliers (direct contractual partners): Duty to carry out risk analysis, preventive and remedial measures.
- With indirect suppliers (in the deeper supply chain to the raw material supplier): Duty to carry out risk analyses, preventative and remedial measures if the company has "substantiated knowledge" (see question 6) of a human rights violation.
Affiliated enterprises in the meaning of section 15 of the Stock Exchange Act on which the company exercises a decisive influence are part of the company’s own business operations. The supply chain is defined from the extraction of raw materials to the delivery of the product or service to the end customer. It covers "all steps in Germany and abroad that are necessary to produce the products and provide the services". This also includes the use of required services, such as the transport or intermediate storage of goods.
Companies are not expected to guarantee that they will remediate all risks in the supply chain. However, companies are expected to take a close look at the risks in their supply chains and to take appropriate action (e.g. trainings) to eliminate or mitigate the risks.
In addition, there shall be no liability for the actions of third parties in the supply chain The law as passed now clarifies that the law does not create additional bases of liability. Already today workers abroad can sue for damages in German courts if they feel that their rights have been violated by a German company. However, as a rule, the law of the country in which the damage occurred is applied.
What is new in the Supply Chain Due Diligence Act is that those affected have the possibility to authorise domestic trade unions and non-governmental organisations (NGOs) to represent them in civil cases by means of the legal instrument of representative action. The trade union or NGO must have a permanent presence of its own, must be not—for-profit and, according to its statutes, must be engaged in human rights work on a more than temporary basis.
Companies must implement due diligence processes regarding risks associated with indirect suppliers (with whom they have no direct contractual relationship) if they have "substantiated knowledge" of possible human rights violations in the lower supply chain.
The law defines "substantiated knowledge" as " factual indications that make the violation of a human rights or environmental obligation at an indirect supplier appear possible". This is "verifiable and serious information about a possible human rights or environmental violation".
For example, these factual indications can include:
- The company has received information through its grievance mechanisms
- The relevant authority has informed the company
- Human rights organisations report on abuses
- It is generally known that there are particular human rights risks in the region or industry of the indirect supplier
- There have been incidents at the indirect supplier in the past.
If substantiated knowledge exists, the company must:
- Conduct a risk analysis
- Establish appropriate preventive measures with regard to the perpetrator of the violation
- Establish and implement a concept to minimise and prevent the relevant violation
- Repeat its policy statement as appropriate.
The question of adequacy often arises in the context of what influence, for example, a company has over a much larger supplier. Basically, when implementing due diligence - i.e. risk analysis, preventative and remedial measures - "the appropriate way of acting in accordance with the due diligence obligations" is defined by the following criteria:
- The nature and extent of the business activity
- The company's ability to influence the direct perpetrator of the violation
- The typically expected severity of the violation, the reversibility of the violation, and the likelihood of the violation.
- The nature of the causal contribution to the risk.
The use of this flexible term is intended to take into account the fact that companies and their supply chains vary widely.
If smaller companies are direct suppliers to companies covered by the Act, they may be required to implement human rights due diligence processes through their contractual relationship (in which, for example, human rights-related expectations may be enshrined).
However, according to the Supply Chain Due Diligence Act, many obligations by their nature cannot be passed on. For example, even if a large buyer covered by the law requires a smaller supplier to analyse risks to a certain extent, the smaller company is not subject to reporting and disclosure obligations to the relevant authority and the public. Nor would it be subject to control measures or sanctions by the BAFA.
Numerous support services are already available for small and medium-sized enterprises. For example, the Helpdesk on Business & Human Rights offers individual, free and confidential advice on behalf of the Federal Government on how to implement human rights due diligence in business processes.
In addition, there is a new online tool, the SME Compass, which is specifically geared to the requirements of SMEs and provides support in implementing human rights due diligence.
The requirements of the German Supply Chain Due Diligence Act are based on the UN Guiding Principles on Business and Human Rights. This internationally recognised reference framework clearly stipulates that
- states have a duty to protect human rights ("state duty to protect"), and
- companies have a responsibility to respect human rights ("corporate due diligence").
The German Supply Chain Due Diligence Act provides companies with a clear, proportionate and reasonable legal framework for fulfilling human rights due diligence obligations, based on requirements of the UN Guiding Principles.
Many companies have already addressed the requirements for human rights due diligence and implemented corresponding processes since the publication of the UN Guiding Principles or the NAP. More than 70 companies had also spoken out in favour of a clear German regulation.
The advantages of a law are seen above all in legal clarity, transparency and a level playing field.
Companies are not required to ensure that all human rights are fully guaranteed to all people employed in their operations and supply chains. The duty to protect human rights lies with the state, primarily with the state in which the people live.
In this respect, companies are not expected to guarantee similar human rights standards in other countries as for example in Germany.
However, it is expected that an "adequate and effective" risk management system is established with regard to risks to human rights and environmental obligations (Section 4 para. 1).
Adequacy is based on the following criteria: The nature and extent of the business activity, the company's ability to influence the direct perpetrator of the violation, the typically expected severity of the violation, the reversibility of the violation, and the likelihood of the violation occurring as well as the nature of the causal contribution to the risk (Section 3 para. 2).
According to Section 4 para. 2, "effective" means "measures that make it possible to identify and minimise human rights and environmental risks, prevent, end or minimise violations of human rights and environmental obligations, if the company has caused or contributed to these risks, violations within the supply chain".
The principle of “engagement before disengagement" ("Befähigung vor Rückzug") is explicitly enshrined in the law. This means that companies are encouraged not to withdraw from regions with lower standards, but to work locally with their suppliers or within the industry to minimise risks.
Even in cases of serious human rights violations, termination of the business relationship is only warranted if the following factors are present:
- Serious violation
- Attempts to mitigate the risk fail within the time specified
- No other milder mitigating means are available
- The increase of influence is not promising
The law clarifies that the fact alone that a state has not ratified the relevant treaties does not require a termination of the business relationship.
Companies must submit an annual report to the BAFA (Federal Office for Economic Affairs and Export Control) on the implementation of due diligence obligations; they must also publish a report online.
The report must provide comprehensible information on:
- Which human rights and environmental risks the company has identified
- What the company has done to fulfil its due diligence obligations
- How the company assesses the impact and effectiveness of the measures taken
- What conclusions it draws from the assessment for future action.
The report must be made publicly available online no later than four months after the end of the fiscal year and must be available for seven years. Business and trade secrets must be duly protected. An electronic reporting format is being developed to minimize the burden on businesses.
The implementation of the law is controlled by the Federal Office for Economic Affairs and Export Control (BAFA).
Companies must submit their report at least four months after the end of the fiscal year; the authority reviews the reports and also carries out inspections.
The authority can require companies to take concrete action, demand a plan within three months, summon persons and demand information, enter business premises and inspect and examine documents and records.
For enforcement purposes, the authority can impose periodic penalty payments. These can amount to up to 50,000 euros.
The law provides for fines if companies violate certain obligations (intentionally or negligently). This includes, among others, if a risk analysis is not carried out or is incomplete, corrective measures are not taken or are not taken in time or if documentation is not carried out.
In addition, companies can be excluded from public contracts for up to three years, if a fine of a certain minimum amount (threshold level depending on the severity of the violation: EUR 175.000 or 1.500.000, 2.000.000, 0.35% of the annual turnover) has been imposed.
In April 2020, EU Justice Commissioner Reynders announced a draft EU-wide binding regulation on due diligence in supply chains. At the same time, in March 2021, the European Parliament adopted a resolution with recommendations to the Commission on corporate due diligence and accountability. This means that the European Parliament recommends that the EU Commission introduce a European directive on due diligence. On February 23, 2022, the EU Commission presented a draft directive on corporate sustainability obligations. As a directive, the regulation would have to be implemented in the national law of the member states. This would also have an impact on German law, if applicable.