Corporate (Ir)Responsibility Made in Germany - Part III: The Referentenentwurf: A Compromise à la Merkel - By Mercedes Hering

Editor’s Note: Mercedes is a recent graduate of the LL.B. dual-degree programme English and German Law, which is taught jointly by University College London (UCL) and the University of Cologne. She will sit the German state exam in early 2022. In September 2020, she joined the Asser Institute as a research intern for the Doing Business Right project.


I. What happened so far

It took Ministers Heil (Labour, SPD), Müller (Development, CSU) and Altmaier (Economy, CDU) 18 months to agree on a draft for the Lieferkettengesetz (Supply Chain Law) to be presented soon to the German Bundestag for legislative debates. For an overview of the different proposals put forward by the Ministries and NGOs, and political discussion surrounding them, please check my previous blogs, which you can find here and here. You can also watch the panel discussion on the Lieferkettengesetz that we organized in November 2020 with Cornelia Heydenreich (Germanwatch), Miriam Saage-Maaß (European Centre for Constitutional and Human Rights), and Christopher Patz (European Coalition for Corporate Justice).

On 15 February 2021 the government’s “final” draft was published – the so-called “Referentenentwurf”. This initial agreement was met with relief from all parties involved, as it was preceded by a long-lasting deadlock. At first, Minister for Economic Affairs, Peter Altmaier, blocked Cabinet meetings so that the government position paper (“Eckpunkteplan”) published by Ministers Heil and Müller could not be discussed. Afterwards, Altmaier again blocked a compromise proposal brought forward by Müller and Heil in Cabinet. The matter went up to the “Koalitionsausschuss”, the committee that negotiates if members of the coalition parties cannot reach an agreement. This committee failed to come to an agreement. The issue of civil liability and the scope of application were the most controversial points. Thereafter, the matter reached the “Chefetage”, Angela Merkel. She sat down with the three ministers involved and Olaf Scholz, Vice-Chancellor and Minister for Finance (SPD), and tried to mediate between the different positions. The group met twice before, eventually, an agreement was reached resulting in the Referentenentwurf of 15 February 2021. The agreement did not last for long. Peter Altmaier withdrew (again) his support for the draft just after it had been circulated.

On 28 March 2021, another “final” draft was published. Those two drafts differ in subtle but impactful aspects. This blog post was originally based on the first draft; its text has been amended to integrate the changes introduced in the second draft. The second Referentenentwurf is the one signed off by Cabinet on 3 March 2021. In this blog, I will first summarize the main points of the draft(s), and afterwards review the various critical points raised against it.


II. Key elements of the final draft of the Lieferkettengesetz

In twenty-four paragraphs the draft Lieferkettengesetz codifies a “gradual due diligence obligation”[1] applying to risks to human rights and the environment occurring in supply chains. Cornerstone of the draft is the ‘principle of proportionality’: Companies must have regard for human rights in an ‘appropriate’ manner – ‘appropriateness’ depends on size and nature of the business, the degree of influence the company exerts over the entity that directly causes the human rights risks, the expected level of harm and the nature of the company’s contribution to the harm (cf. §3(2)). ‘Gradual’ effectively means that the most rigorous due diligence obligation applies to the company’s own economic activity, while a lower standard of due diligence obligation applies regarding the company’s direct suppliers, with whom it has a contractual relationship. Finally, a much less stringent due diligence obligation is imposed with regard to ‘indirect suppliers’, suppliers that supply the company’s direct suppliers, but with no direct contractual relationship to the company.


1. Personal scope of application

The question of the personal scope of application of a due diligence obligation is always a controversial one. For example, should it cover SMEs or should they be excluded?

The German Supply Chain Law, if enacted as it currently stands, would be applicable as from January 2023 to companies that fulfil two conditions: First, have their headquarters in Germany, and second, usually employ more than 3,000 people (§1(1)[2]). From 1 January 2024, this second threshold would be lowered to 1,000 or more employees. At the moment, there are 2,891 companies with 1,000 or more employees in Germany.[3] For an element of comparison, the French duty of vigilance law applies to between 200 and 300 companies.

The key concept used to determine whether a company falls under the scope of the future German law is whether it usually has more than 3,000 (and then 1,000) employees. The word ‘usually’ accounts for the fact that the number of people employed in a company can fluctuate immensely depending on the period of the year. These temporary fluctuations should not impact whether or not a company falls under the Supply Chain Law. In practice, the number of employees usually employed by a company will have to be determined on a case-by-case basis. Also, the current draft of the law foresees that employees on temporary working contracts will be considered if the company employs them for a duration of more than six months – irrespective of whether they are the same people or employed in the same position (§1(2)).

Finally, where a company is part of a group, the employees of each individual corporate entity will count towards the mother companies’ total number of employees (§1(3)).

Two aspects are particularly noteworthy: The final draft deviates from what NGOs proposed in that it fails to cover businesses which are smaller in size but operate in high-risk sectors such as surveillance or the arms trade. Furthermore, mere “business activity” in Germany does not suffice for a company to fall within the scope of application.

2. Scope of the due diligence obligation

The second fundamental question raised by mandatory due diligence legislation concerns the scope of the obligation. What are companies expected to do under the legislation? What type of processes do they have to put in place? And what type of risks do they have to monitor and prevent?

§4(1) and (2) of the draft law provides that companies must implement an appropriate risk management process, which allows them to identify, prevent, or minimize human rights risks and risks of environmental damage in their supply chains.

The object of the due diligence process

‘Risk’ is defined as imminent harm to one of the protected rights and the environment (§2(2)). The draft lists a number of specific situations in which the risk materializes, for example the risk that private security officers, hired to protect corporate entities, commit torture and other degrading treatment.

The due diligence obligation extends to human rights as well as the environment. The draft explicitly lists the following rights: Right to life, health, fair labor standards, appropriate living standards, child protection, freedom from slavery or forced labor, freedom of collective bargaining, protection from torture; and codifies certain obligations pertaining to the preservation of the environment (§2(1), (2), (3) and (4)). In this regard, a list of all relevant conventions and treaties is annexed to the draft.[4]

In the following, I will elaborate on the different compounds of the risk management process. As will be seen below, ‘risk management process’ is very similar to the due diligence process enshrined in the UNGPs.

The nature of the due diligence process

The company must first appoint a specialized human rights officer responsible for the company’s compliance with the due diligence obligation enshrined in the law (§4(3)). This obligation comports a number of steps: Risk analysis, preventative measures, corrective measures, communication. Additionally, the law foresees that the company will have to put in place a grievance mechanism.

Risk Analysis

The company must conduct a risk analysis in its supply chain (§5). This risk analysis is to be conducted regularly, at least once a year and as soon as there are changes to the company’s business activity or other factors indicate that a new risk analysis is necessary (§5(4)). Even though the notion of “supply chain” is defined quite extensively,[5] a risk analysis is only to be conducted in the company’s “own field of business activity”[6] and with regard to its direct suppliers (§5(1)). Thus, while indirect suppliers are included in the definition of “supply chain”, on the basis of which the draft operates, the actual obligation to conduct a risk analysis does not extend to them.

However, §5(1) also explicitly states that where a supply chain was designed to circumvent the obligation to conduct due diligence obligation enshrined in the Supply Chain Law – e.g. by creating unnecessary subsidiaries or fictitious intermediaries – indirect suppliers count as direct suppliers. This means that as soon as companies can be shown to have structured their supply chains in order to evade the law, they will have to conduct a risk analysis with regard to what are formally ‘indirect suppliers’.

The risks discovered pursuant to the risk analysis must be weighted and prioritized (§5(2)) according to:

  • Nature and size of the business (§3(2) no. 1);
  • Degree of influence the company exercises over the company that directly causes a human rights violation or damage to the environment (§3(2) no. 2);
  • Typical intensity of the harm that can be expected, reversibility of the damage, probability of damage occurring (§ 3(2) no. 3);
  • Nature of the contribution to the risk (§ 3(2) no. 4).

In conducting the risk management, the company must pay due regard not only to the employees of the company and employees of contractual partners, but also to everyone affected by the business activity of either the company itself or its suppliers (§4(4)).

Preventative measures

The next step in the risk management process is the adoption of preventative measures to tackle the risks identified at the risk analysis phase. The draft describes (in great detail) what measures the company could take in its own field of business activity (§6(3)) or towards direct suppliers (§6(4)). Again, indirect suppliers are not per se covered by the obligation to implement preventative measures.

Concerning direct suppliers, the draft requires corporations to adopt the following measures:

  • The company has to take into account human rights and environmental expectations when selecting a direct supplier (§6(4) no. 1).
  • A contractual commitment of the supplier to abide throughout its supply chain by human rights and environmental standards required by the company’s management (§ 6(4) no. 2).

With regards to the second point, the explanatory notes add that the company should contractually enshrine which specific conditions the supplier has to fulfil in order to prevent or minimize the risks to human rights and the environment identified in the risk analysis. [7]

In order to ensure that the direct supplier complies with these obligations, the company should also take the following contractual measures (§6(4) no. 3):

  • Enshrine control mechanisms (§6(4) no. 3), i.e. the company’s right to review whether the supplier complies with its obligation.
  • Implement training and workshops to be conducted by the supplier.

Even though ‘appropriate preventative’ measures only target direct suppliers, the explanatory note goes even further and proposes contractual clauses that could help ensure that human rights and the environment are respected further down the supply chain.[8] Supplier codes could become binding on indirect suppliers via so-called ‘transfer clauses’. Such transfer clauses oblige the direct supplier to impose the company’s supplier code to its suppliers through their contract. Moreover, companies could oblige their suppliers to obtain their raw materials from specified suppliers or buy certain products from certified regions (‘Chain of Custody Certificates’).

The explanatory notes also provide more detail on how the company can exercise control over its direct suppliers. The company could:

  • visit the supplier’s premises and review the situation there.
  • instruct third parties to conduct audits.
  • make use of recognized certification or audit systems.[9]

When opting to instruct a third party or utilize a certification or audit system, the company must ensure that the assessments obtained are comprehensive and impartial.[10] Neither exempts the company from its obligation to conduct due diligence under the Supply Chain Law.

Corrective measures

If the company detects a risk linked to its ‘own business activity’ or to one of its direct suppliers that materialized or is about to materialize, then it must react immediately. The company will need to take appropriate ‘corrective measures’ to prevent, mitigate or terminate the harm to human rights or the environment (§ 7). The draft explicitly states that if a harm is caused by the company’s ‘own business activity’, the measures taken must lead to termination of the harm (§7(1)).

If the business activity of a direct supplier caused the harm, the law assumes that the company will not be able to immediately address it. In such cases, the company will have to draw up an ‘action plan’ in order to at least minimize the harm. This ‘action plan’ must include a clear time frame for implementation. In this context, ending the contractual relationship with its supplier is the last resort for the company. Even if the human rights violation is particularly grave, the company is urged (not obliged!) to end the contractual relationship only if the time frame set for the successful implementation of the ‘action plan’ has unsuccessfully passed, there are no less severe measures left, and it does not seem possible for the company to increase its leverage over the supplier (§ 7(3)).

The corrective measures taken must be reviewed at least once a year, and with every occasion or change in circumstances that warrant a review (§7(4)).

Public communication

Companies are expected to publish a policy statement (§6(2)), which should outline the due diligence process introduced by the company, the relevant risks identified in the risk analysis, and, on the basis of these relevant risks, the company’s expectations for its employees and suppliers regarding human rights and the environment. The company is also expected to publish a yearly report on its compliance with its due diligence obligation and to make it freely available on its website for at least seven years (§10).

Grievance mechanism

Finally, the companies subjected to the law will have to set up a grievance mechanism. The grievance mechanism must fulfil certain conditions:

  • There must be a proper written procedure (§8(2)).
  • The persons responsible to oversee the grievance mechanism must be impartial and independent; they must treat information confidentially (§8(3) – added by second draft).
  • The company must provide accessible information on how to make use of the grievance mechanism (§8(4)).
  • The identity of those who make use of the grievance mechanism must be protected. They must also be protected from any disadvantages that might follow from using the grievance mechanism (§8 (4)).

Instead of setting up its own grievance mechanism, the company can alternatively join an external grievance mechanism that fulfils these conditions (§8(1)).

The second draft of the Supply Chain Law includes two changes with regard to the grievance mechanism. First, it obliges the company to engage with any substantiated matters raised with those who submitted their complaint to the grievance mechanism. Second, it allows the company to offer a settlement (§8(1)).

Indirect suppliers

The risk management process, with all its compounds, only apply to direct suppliers, i.e. suppliers the company is in a direct contractual relationship with. There are two exceptions: 1) Where the supply chain was intentionally structured in such way as to evade the obligations of the law (§5(1); and 2) where the company obtains substantiated knowledge about a potential human rights violation or breach of environmental standards linked to an indirect supplier (§9(3)). The company could obtain such knowledge for example through its grievance mechanism or NGO reporting. Indeed, the grievance mechanism must be set up in such a way that individuals affected by violations or individuals who have knowledge of any violations can inform the company of such abuses occurring in its indirect supply chain (§8(1) of the second draft). 

3. Access to remedy and legal representation

Interestingly, the proposal also extends to the legal representation of potential claimants before the German courts. Instead of enshrining new civil liability grounds, the proposal allows individuals, who claim to have suffered a harm due to a violation of human rights as set out in §2(1),[11] to authorize trade unions and NGOs to litigate on their behalf (§11(1)). Violations of environmental standards are excluded. This provision does not change or add to the material law under which a company could be held liable. It is merely supposed to facilitate access of foreign claimants to German courts. Thus, the difficulties linked to the burden of proof, lack of financial aid, language barriers, and regarding the determination foreign law will remain.

4. Enforcement and sanctions

The law foresees that public authorities will be tasked with enforcing the due diligence obligation set out in the draft. The draft law outlines a detailed enforcement process potentially leading to considerable fines and exclusion from access to public procurement.


The Supply Chain Law empowers the competent authorities from the Ministry for Economy and Export Control (§ 19(1)) to:

  • assess compliance with the obligations enshrined in the Supply Chain Law (§14(1) no. 1); and
  • detect, terminate or prevent a breach of the obligations enshrined in the Supply Chain Law (§15).

In order to do so, the competent authorities are empowered to, for example, enter premises, review official documents and interrogate staff members (§16, §17).

The authorities can also compel the company to take certain action, like for example drawing up an action plan (§15 no. 1 and 2).

Sanctions: Fines and Exclusion from public procurement

In case of non-compliance, the draft foresees two types of sanctions, both of an economic nature: Fines and exclusion from public procurement.

On the one hand, the authorities can impose fines if companies breached their obligations under the law intentionally or negligently. First, they can issue so-called “Zwangsgeld” (§23) up to 50,000 €, which is an administrative penalty payment used to force businesses to comply with a request of the administration (e.g. draw up an ‘action plan’). Second, authorities can impose stiff fines (§24) in case of noncompliance. The fines range from 100,000 to 800,000 euros depending on the obligation breached (§24(2)). Fines can go up to 2% of the yearly average turnover if: 1) The company’s yearly turnover on average exceeds 400,000,000 euros; and 2) If the company failed to implemented corrective measures in time (§24(3)).

On the other hand, the draft currently foresees that non-compliant companies may also be in certain circumstances deprived from access to public procurement. The exclusion from public procurement hinges on the amount to be paid in fines by the company. The threshold is staggered – again, depending on the obligation breached. It ranges from 175,000 euros to 0,35% of the yearly average turnover of a company.  (§22(2)). Exclusion from public procurement ought to last for an ‘appropriate’ time, but must not exceed three years (§22(2)).

The following provisions were removed in the second draft: In the first draft, a company was to be excluded from public procurement irrespective of the penalty paid if the contract that was to be procured was worth more than 3 million euros in case of transportation services, or 10 million euros in case of building projects. Moreover, companies were able to recover their eligibility by so-called “Selbstbereinigung” pursuant to §125 Restriction of Competition Act.  ‘Selbstbereinigung’ essentially would have meant that the company promised to remedy the situation, worked with authorities to resolve the situation, or took active steps to prevent further misbehavior.

[1] “Abgestufte Sorgfaltspflicht”

[2] § denotes „paragraph“. One paragraph consists of multiple „sections”.

[3] Explanatory notes to the Referentenentwurf of 28 February 2021, p. 3.

[4] Explanatory notes to the Referentenentwurf of 28 February 2021, p. 22 et seq.

[5] [...] every contribution the company makes to produce a good or service, beginning from the extraction of raw materials and ending with delivery to the end customer. Supply chain covers: 1. Every act by a company in its own ‘field of business activity’; 2. Acts by contract partners, insofar they are necessary to produce the product OR insofar they are necessary to create or make use of a service (direct supplier); and 3. Acts of every other supplier (indirect suppliers). – §2(5).

[6] Every act intended to benefit the overall aim of the company which can be directly attributed to the company. It includes every location where the company produces or uses products or services. – §2(6).

[7] Explanatory notes to the Referentenentwurf of 28 February 2021, p. 30

[8] Ibid.

[9] Ibid.

[10] Ibid.

[11] Human rights enshrined in the conventions found on p. 22 et seq. of the explanatory notes to the Referentenentwurf of 28 February 2021.

Comments are closed