- I. The basics of the Supply Chain Act
- II. The concept of the supply chain
- III. The scope of application of the Act
- IV. Affiliated enterprises
- V. Protected human rights and environmental issues in detail
- VI. The basics of complying with due diligence obligations
- VII. Due diligence obligation to establish a risk management system
- VIII. Due diligence obligation to carry out regular risk analyses
- IX. Due diligence obligation to issue a policy statement
- X. Due diligence obligation to establish prevention measures
- XI. Due diligence obligation to take remedial action
- XII. Due diligence obligation to establish a complaints procedure
- XIII. Due diligence obligations on documentation and reporting
- XIV. Monitoring by the Federal Office for Economic Affairs and Export Control
- XV. Consequences of the Act for enterprises / questions of liability
- XVI. Implementation aids for enterprises
- XVII. Effects of the Act on small and medium-sized enterprises
- XVIII. The Supply Chain Act in an international context
Please note: Since the previous version of the FAQ, amendments have been made to questions IV. 3. – 5., XIII. 1 as well as XVII. 1 - 6. As a result of the amendments, the numbering of the other questions may have shifted.
I. The basics of the Supply Chain Act
1. What is the relationship of the Act on Corporate Due Diligence Obligations in Supply Chains to the National Action Plan for Business and Human Rights?
In December 2016, Germany’s Federal Government passed the National Action Plan for Business and Human Rights (NAP). The aim was to work with enterprises towards improving the human rights situation around the world and to give globalisation a social dimension while taking the 2030 Agenda for Sustainable Development into account. The NAP is based on the United Nations Guiding Principles on Business and Human Rights. Corporate responsibility, in addition to both state protection and judicial and extra-judicial remedies, is key to this. In the NAP, Germany’s Federal Government set out its expectations for all enterprises based in Germany to comply appropriately with the core elements of human rights due diligence. The way they do this depends on their size, sector and position in supply and value chains. They are expected to respect human rights throughout their supply and value chains.
A representative survey of enterprises conducted by the Federal Government in 2020 monitoring the NAP, has, however, shown that less than one fifth of enterprises with more than 500 employees based in Germany fulfilled their supply chain due diligence obligations. Voluntary commitments are therefore not enough. In the coalition agreement, the Federal Government of the time, committed to taking legal action on this issue at the national level and also to promoting binding rules at the European level. The Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz – LkSG) was promulgated in the Federal Law Gazette on 22 July 2021.
2. What do the Act’s regulations cover?
The Act puts enterprises under its scope under an obligation to exercise due regard for the human rights and environment-related due diligence obligations in their supply chains in an appropriate fashion. The obligations that enterprises have to fulfil vary according to their ability to exert influence, specifically in relation to
- their own business area,
- the actions of contractual partners, and
- the actions of other (indirect) suppliers.
3. When does the Act come into force? To whom does it apply?
Starting in 2023, the Act will apply to enterprises that have their central administration, their principal place of business, their administrative headquarters, their statutory seat or branch office and 3,000 employees in Germany. Starting in 2024, it will also apply to enterprises with 1,000 or more employees in Germany.
The Act is also significant for enterprises that do not fall within its direct scope of application. They may be indirectly affected, for example as a supplier of an enterprise that has a legal responsibility. Enterprises outside the scope of application are not subject to fines or legal obligations.
II. The concept of the supply chain
1. What exactly is a "supply chain"?
The supply chain within the meaning of the Act refers to all products and services of an enterprise. It includes all steps in Germany and abroad that are necessary to produce the products and provide the services, starting from the extraction of the raw materials to the delivery to the end customer and includes
- the actions of an enterprise in its own business area,
- the actions of direct suppliers and
- the actions of indirect suppliers.
This includes the use of necessary services, such as transporting or temporarily storing goods.
2. Does a (third-party) enterprise with which the enterprise to which the Act applies does not have any direct contractual relationship but which (in fact) directly supplies the enterprise to which the Act applies constitute a direct supplier of the enterprise to which the Act applies?
No, in the absence of a direct contractual relationship with the enterprise to which the Act applies, the third-party enterprise is not a direct supplier. The distinction between direct and indirect suppliers depends solely on whether or not there is a direct contractual relationship (in which case the enterprise in question is a direct supplier). If, according to the will of the parties involved, enterprises within a performance chain do not provide their goods or services along the existing contractual relationships, but as a direct supply to another enterprise, this does not change the classification of the enterprises as indirect or direct suppliers. Section 5 (1) sentence 2 of the Supply Chain Act applies in the event of an improper structuring of the direct supplier relationship or a transaction to circumvent the due diligence obligations.
3. Does the Act apply to the entire supply chain?
Yes. The business relations and production methods of direct suppliers must also be taken into account in addition to an enterprise’s own business area. If an enterprise has actual indications that suggest a violation of a human rights-related or an environment-related obligation at indirect suppliers, it must take action without undue delay and as warranted.
The principle of appropriateness applies: Enterprises are only required to do what they can given their individual context, for example, their size, the nature of their business or their proximity to the supplier. Enterprises are not required to tackle all human rights challenges they have identified at the same time, but rather to focus on the main risks first. If a human rights violation does occur in its supply chain despite all (appropriate) efforts, an enterprise cannot be prosecuted.
4. The concept of supply chain covers all actions that are “necessary” to produce the products and provide the services. How must the term "necessary" be understood in this context?
The term “necessary“ must be understood broadly. For example, an industrial enterprise’s office supplies are also covered. This broad definition must be distinguished from the question of which supply chains and risks an enterprise must address first as part of its risk management system. Risk management is about assessing risks, prioritising them and addressing them appropriately. One of the main aspects in setting priorities is the influence an enterprise can exert (cf. section 3 (2) Supply Chain Act). Risks that are not a priority can be handled with less urgency.
5. Does the term supplier also include subcontractors providing services (e. g. cleaning services) as part of a “service chain” for an enterprise that falls within the scope of the Supply Chain Act? Are all procurement categories – such as commercial cleaning, office catering and office supplies – part of the supply chain?
Yes, the term “supply chain” is defined broadly. Any risks associated with suppliers responsible for auxiliary services (e. g. commercial cleaning and office catering) can, however, often be completely disregarded or handled with little effort either because there is no causal contribution (cf. section 4 (2) Supply Chain Act or because the causal contribution is insignificant (cf. section 5 (2) Supply Chain Act).
III. The scope of application of the Act
1. The Act applies to enterprises with at least 3,000 (from 2023) or 1,000 (from 2024) employees. How exactly do you determine whether an enterprise has reached this employee threshold? Does the per capita principle apply here?
Yes, the general definition of the term employee of section 611a German Civil Code (Bürgerliches Gesetzbuch – BGB) applies. It does not distinguish between part-time employees and full-time employees.
2. What types of employees are included here?
Again, the general definition of an employee of section 611a Civil Code and case law apply. In addition it must be considered whether the respective employee is significant for the relevant size of the enterprise. This is the case if the period of employment is at least six months.
Besides regular full-time and part-time employees, the following must therefore be fully (per capita) taken into account:
- employees posted abroad,
- temporary agency workers, if the period of deployment with the user enterprise exceeds six months (cf. government explanatory memorandum, p. 14),
- senior staff,
- the following special groups of employees:
- employees on probation,
- dependent sales agents,
- employees taking part in a short-time work scheme or
- those absent due to maternity leave.
The following are not taken into account:
- temporary agency workers if the period of deployment with the user enterprise does not exceed six months,
- freelance employees and the self-employed,
- board members of legal entities,
- generally, shareholders of legal entities (exception: any person who is both a non-executive shareholder and an employee of the enterprise),
- any individuals whose main obligations under the employment contract have been suspended for more than six months during one business year (e. g. people who have left to go into early retirement, people in the passive phase of old age part-time work, employees on parental leave).
- civil servants and soldiers (these are cases of employment under public law),
- apprentices, people being retrained within the meaning of the German Vocational Training Act (Berufsbildungsgesetz – BBiG), interns and people in journalistic training.
3. When determining the number of employees in an enterprise, what does “normally have ... employees” mean?
Pursuant to section 1 (1) sentence 1 no. 2 Supply Chain Act only employees who are “normally” employed are relevant. According to p. 13 of the government explanatory memorandum, the number of “normally” employed employees must be calculated by way of a retrospective consideration and a prognosis of future staff development. The requirements are the same as those that were developed by the German Federal Labour Court with regard to co-determination.
4. Do charitable enterprises (e.g. associations, foundations, charitable companies (gGmbH, gUG, gAG), cooperatives) fall within the scope of application of the Supply Chain Act? Do any special rules apply in this regard when applying the Supply Chain Act?
Charitable enterprises under private law fall within the scope of the Act without limitation. No special rules apply.
5. Do legal persons under public law come under the scope of the Act?
Legal persons under public law, i.e. corporations, foundations and institutions under public law, only come under the scope of the Act to the extent that they carry out commercial activities in the market. In this regard, the pre-condition for the applicability of the Supply Chain Act to legal persons under public law is that the part of the legal person with commercial activities fulfils the criteria listed in section 1 Supply Chain Act (itself). Conversely, this means that legal persons under public law without any commercial activities in the market or whose commercial activities do not exceed the thresholds laid down in section 1 Supply Chain Act do not have any obligations under the Supply Chain Act.
Commercial activities in the market are taking place if the legal person under public law offers a service or product (even if free of charge) to third parties (natural persons, companies, other legal persons under public law), and if the provision of the service or product competes with other market participants (other companies and/or other legal persons under public law). Such competition is deemed to exist whenever other market participants can also offer the service and/or product.
6. Does the Act also cover purchases by legal persons under public law?
Purchases are only part of the commercial activities of a legal person under public law within the meaning of the Supply Chain Act, if they have the purpose of participation in the market described above.
7. What does it mean that legal persons under public come under the scope of the Act “to the extent” that they carry out commercial activities in the market?
In accordance with the limited applicability of the Supply Chain Act to these legal persons, only those employees are counted who are organisationally assigned to the part of the legal person under public law with commercial activities. This method of counting is to be used by legal persons under public law to determine whether they reach the threshold of 3,000 (starting in 2023) or 1,000 (starting in 2024) employees as laid down in section 1 Supply Chain Act. Civil servants are not counted. Moreover, only the part of legal persons under public law with commercial activities is subject to the obligations specified in the Supply Chain Act.
8. Do legal persons under private law owned by the public sector come under the scope of the Act?
There are no special rules for legal persons under private law owned by the public sector. They come under the scope of the Act if they meet the criteria laid down in section 1 Supply Chain Act.
9. Can territorial authorities (federal level/Länder/administrative districts/municipalities) be parent companies of legal persons with commercial activities in which they have a shareholding within the meaning of the Supply Chain Act?
No, territorial authorities do not act as parent companies.
IV. Affiliated enterprises
1. When can an enterprise be considered to be one “belonging to the group” within the meaning of section 1 (3) Supply Chain Act?
“Belonging to the group” is a nontechnical collective term and is not limited to enterprises that fall under section 18 Stock Corporation Act (Aktiengesetz – AktG). All forms of affiliated enterprises within the meaning of section 15 Stock Corporation Act are covered.
2. Does the parent company have to include the subsidiaries’ subsidiaries’ employees etc. in the count?
Yes, if the parent company, its subsidiaries and subsidiaries’ subsidiaries are affiliated enterprises (cf. section 15 Stock Corporation Act).
3. Do German subsidiaries also have to count the employees of the respective parent company or even their parent company’s other subsidiaries (i.e., ultimately all group employees) or do the subsidiaries only count their own employees?
Counting is always from “bottom to top”, i.e., the employees of all subsidiaries (as well as sub-subsidiaries etc.) count only for the parent company. However, neither the employees of the parent company nor those of the parent company’s other subsidiaries count towards the subsidiary's number. As regards the constellation of several equal-ranking parent companies in a group of equals pursuant to section 18 (2) of the Stock Corporation Act, please refer to the answer to question IV.5.
4. When counting is always from “bottom to top”, are employees counted at each level or only up to the top parent company?
Employees are only counted up to the top parent company (in Germany).
5. Which enterprise in a group of equals (section 18 (2) of the Stock Corporation Act) is the parent company within the meaning of section 1 (3) of the Supply Chain Act? How does the calculation pursuant to section 1 (3) of the Supply Chain Act work in a group of equals?
A group of equals pursuant to section 18 (2) of the Stock Corporation Act exists if at least two equal-ranking parent companies with the same management power are at the top level of the group structure. In this case, each of these equal-ranking parent companies is a parent company of the group of equals within the meaning of section 1 (3) of the Supply Chain Act.
Each equal-ranking parent company at the top level constitutes the parent company for the other equal-ranking parent companies at the top level. At the same time, each equal-ranking parent company at the top level is also the parent company of all the other group companies.
Therefore, when calculating the number of employees, the respective employees of the equal-ranking parent companies are attributed to each other and the employees of all group companies below the parent companies (i.e. all subsidiaries, sub-subsidiaries etc.) are attributed to each equal-ranking parent company.
6. Do subsidiaries count as part of the parent company’s own business area?
Apart from the company itself, own business area also includes affiliated enterprises in Germany and abroad. A prerequisite for this is for the parent company to exercise a decisive influence on the other group company. It must be able to exert influence in accordance with the respective applicable law. Whether decisive influence is judged to be possible is determined by taking an overall view of the business, staff, organisational and legal ties between the subsidiary and the parent. Holding a large majority share of the subsidiary, having a group-wide compliance system, being responsible for steering key processes in the subsidiary, having a similar business area or employing overlapping personnel are indications.
7. Must national employees of foreign group divisions be taken into account when determining the number of employees?
The group of consolidated enterprises as per section 1 (3) of the Supply Chain Act only covers group divisions located in Germany and all possible cases are listed in section 15 of the German Stock Corporation Act. Employees of a foreign parent company or of foreign subsidiaries of a national parent company are not taken into account.
8. Does each enterprise included in a group have to fulfil its own obligations under the Supply Chain Act, or can these obligations also be fulfilled by the parent company in a centralised fashion?
You have to draw distinctions between different kinds of setups in this regard:
a) The case when both parent company and subsidiary fall under the Supply Chain Act, but there is no decisive influence (cf. section 2 (6) Supply Chain Act) of the parent on the subsidiary.
Both enterprises must fulfil the due diligence obligations in their own business area and with regard to their direct and indirect suppliers. In principle, the obligations must be fulfilled by each enterprise separately. Independently of that, enterprises may coordinate the measures they take. For example, subsidiaries can adopt appropriate measures initiated by parent companies (e.g., in the event of policy statements/training etc.), implement them under their own responsibility, where necessary after making the necessary adjustments. This can be then presented in the required report.
Parent companies and subsidiaries must each submit their own report to the Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle – BAFA). They each have to fully answer the questions in the report questionnaire. Each report must be clear as a standalone document and comprehensible on its own merits. Any adopted content that has been copied from the other report (with amendments where necessary) is permissible provided that compliance with due diligence obligations is made plausible in both enterprises. An enterprise may authorise its parent company or subsidiary to submit its report to the Federal Office for Economic Affairs and Export Control. This does not affect the responsibility of the reporting enterprise for the submission of the report. Moreover, each enterprise must publish its own report on its website.
In individual cases and for specific, definable parts of the due diligence obligations, a summary of and meaningful reference to the Supply Chain Act report of another enterprise belonging to the group may also be permissible. This might, for example, be considered with regard to the obligations of the persons responsible for the complaints procedure. In this case, too, the above-mentioned requirements must be met, i.e. the report must be clear as a standalone document and comprehensible on its own merits and compliance with due diligence obligations in the reporting enterprise must be made plausible. Any blanket references or references without a summary of the content do not meet this requirement.
If the subsidiary is also a direct supplier (cf. section 2 (7) of the Supply Chain Act) of the parent company, the parent must then also fulfil its due diligence obligations for direct suppliers with regard to that subsidiary. The subsidiary is also subject to the due diligence obligations related to direct suppliers if the parent company qualifies as a direct supplier of the subsidiary (e.g. because the parent company provides the subsidiary with goods and/or services).
b) The case when both parent company and subsidiary fall under the Supply Chain Act, but there is decisive influence (cf. section 2 (6) Supply Chain Act) of the parent on the subsidiary.
The parent company must meet the due diligence obligations in its own business area and with regard to direct and indirect suppliers. This also includes the business area and suppliers of the subsidiary (cf. section 2 (6) of the Supply Chain Act). The responsibility covers the subsidiary’s commercial activities concerning the manufacture and exploitation of products or the provision of services. It does not matter whether a subsidiary supplies its products or services to the parent company or whether it sells them to third parties.
The parent company is responsible for the establishment of an appropriate and effective risk management and the appropriate and effective fulfilment of due diligence obligations in its own business area (also in business areas attributed in accordance with section 2 (6) sentence 3 of the Supply Chain Act). The own business area thus also extends to the subsidiary on which the parent company exercises a decisive influence. It is at the discretion of the parent company whether and to what extent the risk management or due diligence processes of a subsidiary are established mainly at the level of the parent or the subsidiary. That means: the parent company can either
- centralise risk management or due diligence processes, i.e. define processes and measures, roll them out to the subsidiary and then limit itself to a monitoring function, i.e. supervise the implementation of the processes and measures by the subsidiary;
- or opt for a more decentralised implementation, i.e. exercise its power to issue instructions to oblige the subsidiary to independently lay down and implement measures and processes for the implementation and monitoring of due diligence obligations.
Regardless of any activities and instructions of the parent company, however, the subsidiary itself always remains responsible for ensuring that risk management and due diligence obligations are implemented and fulfilled in its own business area and with regard to its suppliers.
As part of the reporting obligation, the parent company and subsidiary must each submit a separate report to the Federal Office for Economic Affairs and Export Control. They each have to fully answer the questions in the report questionnaire. Each report must be clear as a standalone document and comprehensible on its own merits. Any adopted content that has been copied from the other report (with amendments where necessary) is permissible provided that compliance with due diligence obligations is made plausible in both enterprises. An enterprise may authorise its parent company or subsidiary to submit its report to the Federal Office for Economic Affairs and Export Control. This does not affect the responsibility of the reporting enterprise for the submission of the report. Moreover, each enterprise must publish its own report on its website.
In individual cases and for specific, definable parts of the due diligence obligations, a summary of and meaningful reference to the Supply Chain Act report of another enterprise belonging to the group may also be permissible. This might, for example, be considered with regard to the obligations of the persons responsible for the complaints procedure. In this case, too, the above-mentioned requirements must also be met, i.e. the report must be clear as a standalone document and comprehensible on its own merits and compliance with due diligence obligations in the reporting enterprise must be made plausible. Any blanket references or references without a summary of the content do not meet this requirement.
c) Only the group’s parent company, not the subsidiary, falls within the Supply Chain Act’s scope of application.
The parent company must fulfil the due diligence obligations in its own business area and with regard to direct and indirect suppliers. This also includes the business area and suppliers of a subsidiary if the parent company exerts decisive influence over the subsidiary (cf. section 2 (6) of the Supply Chain Act).
If there is no decisive influence within the meaning of section 2 (6) of the Supply Chain Act, the parent company only has to deal with the subsidiary in accordance with the requirements of the Supply Chain Act if the subsidiary is also a (direct) supplier of the parent company. In this case, the parent company is subject to the same due diligence obligations with regard to the subsidiary as in the case of a (direct) supplier.
In these cases, the subsidiary itself is not legally obliged to implement or report on its own due diligence obligations. The Federal Government does however expect enterprises outside the scope of the Act to comply with their human rights due diligence obligations as set out in the National Action Plan for Business and Human Rights.
d) Only the subsidiary, not the parent company, falls within the scope of application (e.g., subsidiary of a US parent company)
The subsidiary must fulfil the due diligence obligations for its own business area and with regard to its direct and indirect suppliers, but not for the whole group. The parent company’s activities need not be taken into account by the subsidiary. The situation is different if the foreign parent company supplies the German subsidiary with goods and/or services and thus qualifies as a direct supplier. In this case, the subsidiary is subject to the same due diligence obligations with regard to the parent company as in the case of a direct supplier.
9. How should the criteria of “decisive influence” within the meaning of section 2 (6) sentence 3 Supply Chain Act be interpreted in practice for enterprises? What form must these criteria take?
An affiliated enterprise is counted as part of the parent company’s own business area if the parent company exercises a decisive influence over the affiliated enterprise. For there to be a decisive influence, it is required that influence be possible under the respective applicable laws. To determine whether there is decisive influence, all relevant aspects are to be considered in an overall view. All business, staff, organisational and legal ties between the subsidiary and the parent company must be considered and weighted in context. This may be different from case to case.
Indications (not conclusive) of a decisive influence include:
- a large majority stake in the subsidiary,
- there being a common compliance system for the group,
- taking on the responsibility for the control of key processes in the subsidiary,
- there being a legal framework foreseeing the possibility of exerting influence,
- overlapping staff at the (highest) management level,
- a decisive influence on the subsidiary's supply chain management,
- exerting influence via shareholders' meetings and
- that the business area of the subsidiary correspond to the business area of the parent company, for example, when the subsidiary manufactures and exploits the same products or provides the same services as the parent company.
These indications must already be in existence. It would not be enough, for example, for a group-wide compliance system to only be planned, but not yet implemented. It is not necessary, however, that the decisive influence has already been exercised with a view to complying with the due diligence obligations pursuant to the Supply Chain Act.
10. Does a foreign enterprise whose German subsidiary is covered by the Supply Chain Act have to set up a risk management system in line with the Supply Chain Act at the level of the subsidiary, or can this also be done at the global level?
A subsidiary of a foreign group within the Supply Chain Act’s scope of application must comply with the Act’s due diligence obligations, just as it must comply with Germany’s product and consumer standards to be allowed to offer products or services on the German market, for example. The subsidiary must thus also establish a risk management system for its own business area and integrate it into its relevant business processes.
In terms of the Supply Chain Act, the decisive aspect is that (subsidiary) enterprises are complying with the statutory requirements. This can be accomplished via a uniform risk management system at group level or via a risk management system designed by the German subsidiary itself.
11. To what extent do group companies of a German parent company abroad fall within the Supply Chain Act’s scope of application as part of the “business area”? Does being part of a parent company’s business area mean that subsidiaries have to comply with the full list of due diligence obligations even if they do not do any business in Germany?
If the German parent company has a decisive influence on a foreign subsidiary (cf. section 2 (6) Supply Chain Act), then it must fulfil all due diligence obligations with respect to the subsidiary, regardless of whether the subsidiary does business in Germany or exports to Germany.
12. How are subsidiaries’ subsidiaries to be treated? When is the parent company assumed to have decisive influence on the subsidiary of the subsidiary? If "only" the subsidiary has influence over the subsidiary of the subsidiary? Or must decisive influence also be exercised by the parent company?
The parent company is considered to have a decisive influence if it exerts this influence itself. This may also come via an intermediary subsidiary.
13. In the case of foreign undertakings with German branches that are within the scope of the Supply Chain Act, is the due diligence obligation limited to matters that occur in Germany?
No. Same as in the case of German undertakings, the due diligence obligation covers all world-wide supply chains that are initiated or controlled by the foreign undertaking, regardless of where the branch is located.
V. Protected human rights and environmental issues in detail
1. Which human rights are at issue?
The Act on Corporate Due Diligence Obligations in Supply Chains lists the international conventions in which human rights are enshrined , and defines typical supply chain risks that need to be considered when fulfilling due diligence obligations. These include the prohibition of child labour, protection against slavery and forced labour, freedom from discrimination, protection against unlawful taking of land, occupational health and safety and related health hazards, prohibition of withholding an adequate living wage, the right to form trade unions and workers' representations, the prohibition of causing any harmful soil change or water pollution and protection against torture.
2. What environmental issues are considered?
Certain environment-related risks are also covered: When they lead to human rights violations (e.g., poisoned water), for example. Also, banning substances that are dangerous to humans and the environment. The Supply Chain Act focuses on certain environment-related obligations that are mandatory for enterprises taken from three international conventions: the Minamata Convention on Mercury, the Stockholm Convention on Persistent Organic Pollutants and the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal. Violations of environment-related obligations are also sanctioned by the monitoring authority.
3. Does the local statutory minimum wage always correspond to the “adequate living wage” within the meaning of section 2 (2) no. 8 Supply Chain Act?
No, the local statutory minimum wage only suffices as a general rule and is not adequate in every case. That said, the “adequate living wage” is not necessarily higher than the statutory minimum wage.
4. Which method is used to calculate the “adequate living wage”?
According to the wording of the Act, the standards that apply at the place of employment must be applied. If the enterprise is not able to determine a method of calculation that is recognised at the place of employment, it chooses, at its own discretion, one of the established methods (e.g., the Anker Methodology). The choice of method of calculation and a short explanation must be recorded.
VI. The basics of complying with due diligence obligations
1. What specific obligations are contained in the Act?
Enterprises must comply with due diligence obligations concerning human rights and environment-related issues in their supply chains in appropriate fashion. To comply with due diligence obligations, enterprises must implement appropriate and effective risk management systems. They must establish responsibilities within the enterprise for monitoring compliance with due diligence obligations, for example by appointing a human rights officer.
Initially, it is important to strive for transparency, to understand the undertaking’s own supply chain and to analyse risks. Enterprises must thus first identify the parts of their own business area that pose particularly high human rights and environment-related risks. For indirect suppliers, risk analysis must be undertaken if an enterprise has actual indications that suggest a violation of a human rights-related or an environment-related obligation at indirect suppliers to be possible (substantiated knowledge). In addition to what enterprises themselves have learned, actual indications of this may include reports on poor human rights situations in the production regions, the fact that a supplier is in a sector at particular risk of human rights or environment-related violations, and information from the competent authority. Moreover, an enterprise must consider indirect suppliers as part of its ad hoc risk analysis if it must expect a significantly changed or expanded risk situation in the supply chain, for example due to the introduction of new products, projects or a new business field.
When risks have been identified, appropriate preventive measures must be taken. The measures can include contractual agreements with the direct supplier containing appropriate human rights clauses or training measures. In particular, enterprises must establish procurement strategies and practices that prevent or minimise identified human rights risks and environment-related risks. It is also necessary to verify whether the contractual partner appropriately addresses risks identified in the supply chains. When a risk of a human rights violation has been identified at the enterprise’s own business location or in its supply chain, appropriate measures must be taken to eliminate that risk or minimise it, especially if there has already been a human rights violation.
When an enterprise has actual indications that an indirect supplier may be violating human rights obligations or environment-related obligations in more distant parts of the supply chain, it has to carry out a risk analysis immediately (see above) and, based on the result, lay down appropriate preventive measures vis-à-vis the party responsible. These include implementation of control measures, support in the prevention and avoidance of a risk or the implementation of sector-specific or cross-sector initiatives to which the enterprise is a party. When violations are imminent or have already occurred, a prevention, cessation or minimisation concept must be drawn up and implemented.
Enterprises must also either establish an internal complaint mechanism or participate in a corresponding external complaint mechanism that allows both direct victims and those with information about potential or actual violations to point out risks and violations.
Enterprises must submit an annual report on the fulfilment of due diligence obligations to the competent authority.
Further information on the due diligence obligations established in the Act and on how enterprises are already implementing them in practice can be found here.
2. By when must the obligations be fulfilled?
With regard to the time frame for the fulfilment of the due diligence obligations, a distinction must be made between obligations that must be fulfilled by 1 January 2023 and obligations whose fulfilment need only be started upon entry into force of the Act.
For enterprises that fall within the Act’s scope of application at a later date, the provisions apply accordingly.
a) Obligations that have to already be fulfilled upon entry into force of the Act are:
by 1 January 2023, or by the date on which an enterprise first falls within the Act’s scope of application, the responsibility for monitoring risk management – for example by appointing a human rights officer – has to be established within the enterprise.
In addition, enterprises must already have a functioning complaints mechanism in place at this point, through which the enterprise can be made aware of human rights or environmental-related risks or violations in its own business area and in the supply chain.
b) Obligations whose fulfilment need only be started upon entry into force of the Act:
From the date on which an enterprise falls within the Act’s scope of application, it must start to fulfil the other due diligence obligations. As part of the establishment of its effective risk management system, an enterprise must first establish clear responsibilities within the enterprise for the operational implementation of the individual due diligence obligations.
All due diligence obligations that must be fulfilled annually, must from now on be complied with every financial year. Specifically, an enterprise that falls within the Act’s scope of application must therefore, in every financial year,
- carry out a risk analysis in its own business area as well at its direct suppliers,
- the results of which must be communicated to the relevant internal decision-makers,
- after identifying any (possibly prioritised) risks during the risk analysis, immediately implement preventive measures in their own business area as well as at direct suppliers, namely issue the policy statement on its human rights strategy and take further preventive measures,
- take immediate remedial action in the event that actual or imminent violation of a human rights-related or environment-related obligation are identified in its own business area or with direct suppliers,
- review the effectiveness of the preventive and remedial measures taken as well as the complaints procedure and adjust them if necessary,
- ensure that senior management seeks information on a regular basis about the work of the human rights officer, as well as
- continuously document the fulfilment of the due diligence obligations.
If an enterprise has to expect a significantly changed or significantly expanded risk situation in its own business area or at direct suppliers, for example due to the introduction of new products, projects or a new business field, it must carry out a further risk analysis on an ad hoc basis and (re)examine the effectiveness of both preventive and remedial measures as well as the complaints procedure and make adjustments if necessary.
In addition, such an ad hoc risk analysis also includes indirect suppliers, insofar as the obviously new or significantly changed risks lie with them. In addition, if there are actual indications of a possible violation of human rights-related or environment-related obligations at indirect suppliers, enterprises must immediately take ad hoc action in accordance with section 9 (3) Supply Chain Act.
After the end of a financial year, a report on the fulfilment of the due diligence obligations in this financial year must be prepared and submitted to the Federal Office for Economic Affairs and Export Control (Bundesamt für Wirtschaft und Ausfuhrkontrolle – BAFA) no later than four months after the end of this financial year and published on the enterprise’s website (cf. XIII. 2. for details of the first report).
c) What applies if the first period of application is less than one year:
Enterprises whose financial year does not correspond to the calendar year or that only fall within the Act’s scope of application in the course of their current financial year will have less than one year for their first due diligence cycle. If, for example, the financial year of an enterprise, which falls within the Act’s scope of application as of 1 January 2023, ends on 31 March 2023, the Act generally also requires compliance with all of the obligations set out in the Act and listed above for the period from January to March. In these cases, however, enterprises are only required to do what they can reasonably be expected to implement within the shortened time frame. Plausible explanations of implementation processes that have not been completed will be given due consideration by the Federal Office for Economic Affairs and Export Control. This applies in particular to non-completed risk analysis/analyses and, accordingly, also to the preventive measures implemented based on their result(s).
3. How does the Supply Chain Act relate to existing liability under civil law?
A violation of the Supply Chain Act’s obligations does not give rise to any liability under civil law. Any liability under civil law arising independently of this Act remains unaffected (cf. section 3 (3) Supply Chain Act).
4. What scope for assessment is available to the enterprise with regard to the criterion of “the appropriate manner” of acting in accordance with the due diligence obligations (cf. section 3 (2) Supply Chain Act)?
The principle of “appropriateness” ensures that unreasonable burdens are not placed on enterprises, but that they do what they can reasonably be expected to do to prevent or eliminate risks that have been identified given their specific susceptibility to risk.
The principle of appropriateness gives an enterprise a great deal of leeway in deciding which risks to address first and which measures are appropriate.
Authorities must acknowledge this leeway and take it into account when monitoring compliance. Authorities must review whether an enterprise took appropriate action at the time of the decision, i.e., ex ante. They do not review enterprise decisions from an ex post facto point of view.
For the concept of appropriateness to be applicable to the myriad different types of enterprises and risks it is necessary not to define it precisely in legal terms.
The Act does, however, clearly indicates what the decisive criteria for appropriateness are: the type and scope of business activity, the enterprise’s ability to have an influence on the risk, the severity of violations and its role in causing the risk.
Enterprises that keep these criteria in mind and plausibly balance the trade-offs before implementing individual due diligence measures have done everything they have to, even if in retrospect it emerges that human rights violations have occurred.
The key reference documents of the Supply Chain Act provide an additional interpretation assistance. They show how the concept of appropriateness works in practice both in cases that cover the situation in specific sectors and cases that involve multiple sectors.
5. Are there relevant reference documents that specify what enterprises can do to fulfil their due diligence obligations?
Reviews of appropriateness should be based on the following documents in particular (they are also listed in the explanatory information on section 3 of the Federal Government’s draft of the Supply Chain Act):
- United Nations Guiding Principles on Business and Human Rights (2011),
- OECD Guidelines for Multinational Enterprises (2011),
- National Action Plan for Business and Human Rights (2016),
- UN OHCHR (2012): The Corporate Responsibility to Respect Human Rights: An Interpretive Guide,
- UN OHCHR (2018): Corporate human rights due diligence – Getting started, emerging practices, tools and resources,
- OECD (2018): OECD Due Diligence Guidance for Responsible Business Conduct.
- Sector-specific guidance documents, as relevant, in particular:
- OECD (2016: OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas,
- OECD/FAO (2016), OECD-FAO Guidance for Responsible Agricultural Supply Chains,
- OECD (2017): OECD Due Diligence Guidance for Meaningful Stakeholder Engagement in the Extractive Sector,
- OECD (2018): OECD Due Diligence Guidance for Responsible Supply Chains in the Garment and Footwear Sector,
- OECD (2017): Responsible business conduct for institutional investors: Key considerations for due diligence under the OECD Guidelines for Multinational Enterprises,
- OECD (2019): Due Diligence for Responsible Corporate Lending and Securities Underwriting: Key considerations for banks implementing the OECD Guidelines for Multinational Enterprises.
6. How must section 4 (2) Supply Chain Act be understood? When has an enterprise caused a risk? When has an enterprise contributed to the emergence of a risk or made the risk worse?
Within the framework of risk management systems, enterprises are only required to address those human rights and environment-related risks that they have caused or contributed to, regardless of whether the risks occur as part of their own business area, at their direct suppliers or at their indirect suppliers (see explanatory information Ref-E on section 4 (2) Supply Chain Act). “Causing” means that an enterprise has directly caused a risk by itself or has made a causal contribution to the emergence of a risk or made it worse through its actions.
This point has been reached when the enterprise has at least contributed to the emergence of a risk or made it worse through its actions, i.e., when it is not possible to think that if the enterprise had not taken that action, the specific consequences (emergence of the risk) would not have come about. What constitutes a relevant contribution is to be assessed on a case-by-case basis.
The idea of “contributing" makes clear that cases in which the enterprise did not act alone are also covered. For example, when several enterprises order from the same factory, each enterprise is contributing. How an enterprise can appropriately respond to risk depends largely on the criteria set out in section 3 (2).
Enterprises are not accountable for events that an objective, informed third party would consider to fall completely outside of what they have experienced and would expect given their normal perspective.
7. Is there a detailed, legally binding catalogue of which requirements enterprises have to fulfil under the Act on Corporate Due Diligence Obligations in Supply Chains? Is there any kind of checklist with fulfilment criteria?
For every enterprise, implementing the Supply Chain Act’s corporate due diligence obligations is an individual, ongoing process that must be regularly reviewed and improved. Checklists alone cannot cover this process comprehensively. The explanatory information on the Act (e.g., on section 3 Supply Chain Act) mentions pertinent guidance documents that are relevant for practical implementation. More support for fulfilling due diligence obligations can be found at www.wirtschaft-menschenrechte.de. Development of practice-oriented guidelines on all due diligence obligations will continue in the multi-stakeholder process within the framework of the sector dialogues on the National Action Plan for Business and Human Rights. These will also be available starting in the summer of 2022. Review of other support possibilities is ongoing.
8. Does an enterprise have any due diligence obligations in relation to risks and violations in the downstream supply chain?
No. In the case of direct suppliers and indirect suppliers the due diligence obligations refer to the risks within the own business area pursuant to section 2 (5) Supply Chain Act.
9. Do financial institutions have due diligence obligations in relation to risks on the part of the end costumer?
No, even in the case of all financial and bank transactions – irrespective of the scope of the transaction – the end customers are not a part of the supply chain, which means that the due diligence obligations do not apply to them.
10. Who is an “end customer” in relation to products within the meaning of the Act?
An end customer is (a) the person for whom the product is intended and who actually uses it or (b) the entity that processes the product so that, according to generally accepted standards, it becomes a new product. The determination of the end customer therefore depends on the perspective and/or the role of the enterprise within the supply chain. End costumers are not necessarily direct contractual partners. To put it in simple terms this means that manufacturers deliver semi-finished products to producers who then turn them into end products.
11. Who is an end customer in relation to a service?
If a service is being provided, the end customer is the person for whom the service is intended and who uses the service. These are generally direct contractual partners. In some circumstances one or several people act as intermediaries who procure the service for the person who uses it. In the case of a contract for the benefit of third parties the end customer is also the person who uses the service.
12. What due diligence obligations exist with regard to the delivery of a product?
This needs to be assessed in accordance with the circumstances of the individual case. If the enterprise that falls within the scope of application undertakes to distribute or deliver the product to the end customer itself, then this is part of its own business area. If the enterprise instructs a third party with the delivery of the product, then that enterprise as a supplier is part of the supply chain pursuant to section 2 (5) Supply Chain Act.
13. What exactly is “substantiated knowledge” within the meaning of section 9 (3) Supply Chain Act?
Substantiated knowledge means that the enterprise has actual indications that suggest that a violation of a human rights-related or an environment-related obligation at indirect suppliers may be possible.
“Actual indications” are not merely opinions or rumours, but they at least contain a verifiable nugget of fact.
The following apply:
- the principles of knowledge attribution,
- the principles of knowledge aggregation within the group and
- organisational obligations including the efficient processing of information (cf. sections 4 (3) sentence 2 and 5 (3) Supply Chain Act).
14. Which “degree of possibility” is required with regard to “substantial knowledge”? Is there an obligation for the enterprise to carry out pro-active research to gain such knowledge?
It is sufficient that indications exist, i. e. have reached the sphere of control of the enterprise, so that they can readily be noticed. These include for example:
- notifications via the complaints mechanism,
- handouts by the Federal Office for Economic Affairs and Export Control prescribed by law (cf. section 20 Supply Chain Act) and of whose publication the respective human rights officer is expected to take note,
- media reports, reports by NGOs and notifications on the internet if they are
- common knowledge because they are known industry-wide or
- are passed on to the enterprise.
In the case of handouts, case lists and databases of multi-stakeholder or industry initiatives, the more widely the information has been disseminated throughout the industry, the more likely it is that substantiated knowledge within the the meaning of section 9 (3) Supply Chain Act can be assumed.
The degree of possibility of substantiated knowledge is determined by the following guiding principles:
- The violation does not need to be evident, certain, obvious, or even probable. “Possible” events also include events whose likelihood of occurrence is less than 50 percent.
- The information available does not need, in and of itself, indicate that a violation has occurred with a supplier.
- It must at least be possible to locate the risk in the enterprise’s own supply chain with reasonable efforts using methods recognised in the industry. Reasonableness is measured in accordance with the overall circumstances, and in particular in accordance with the principle of proportionality. The more specific a suspicion has become, the greater the effort that can reasonably be expected in terms of locating the cause.
- Even the state of the discussion within a sector can have an indicative effect: any knowledge within the sector that has become established, for instance alerts, is part of substantiated knowledge.
- It comes down to the objective-normative horizon of understanding. The following central question must be answered:
Would an employee entrusted with due diligence obligations and with average experience and understanding, who works in an enterprise where risk management is organised in accordance with the statutory requirements, consider an actual or imminent violation within the supply chain to be possible?
VII. Due diligence obligation to establish a risk management system
1. Are there any special requirements that must be met by the person(s) responsible for monitoring risk management within the enterprise? Does it have to be a lawyer? Does the person responsible have to be based in Germany? Can the person responsible also be an external appointee (rather than being appointed from among the enterprise’s own staff)?
The Supply Chain Act does not state any special requirements. However, the enterprise is obliged to implement an effective risk management system. The enterprise can best judge in which department or at which level the responsible person(s) will be located in the enterprise and which qualification is suitable in the respective context of the enterprise.
The person(s) responsible for monitoring risk management does/do not have to be based in Germany. The place of work and work equipment must be such that the person(s) responsible can use their authority and resources effectively.
The responsible person(s) must be appointed “within” the enterprise, which means that they cannot be external appointees. However, enterprises may use external assistance to support the person(s) appointed for the task within the enterprise.
2. Section 4 (4) of the Supply Chain Act stipulates that the interests of employees and those who may otherwise be directly affected by the economic activities of the enterprise must be given due consideration when establishing and implementing risk management systems. How must the term “employee” (for purposes of section 4 (4) Supply Chain Act) be understood?
The term “employee” is to be interpreted broadly in order to effectively protect human rights. It also covers an enterprise’s self-employed suppliers and employees who are not covered or inadequately covered by statistics and labour and social law and those not allowed to work.
3. When does section 4 (4) Supply Chain Act require involving “those who may otherwise be directly affected ... by the economic activities of the enterprise”?
Those who are directly affected by the consequences of the enterprise's commercial activity in its supply chains must be involved. Typical situations in which this is the case include residents/communities near production sites (of one’s own business area, of the direct suppliers or of the indirect suppliers) directly affected by the production (e.g., environmentally harmful emissions/land expropriation). Involvement can take the form of direct consultations or consultations with an authorised stakeholder group.
VIII. Due diligence obligation to carry out regular risk analyses
1. When must the initial risk analysis be carried out? When must the first policy statement then be issued?
The initial risk analysis is to be carried out as part of an appropriate, effective risk management system after the entry into force of the Act (2023 or 2024). Analyses must be performed annually (also in the first financial year) and on an ad hoc basis. Analyses must be carried on an ad hoc basis if an enterprise must expect a significantly changed or significantly expanded risk situation in the supply chain. Knowledge obtained from information gained in the complaints procedure must be taken into account. Several ad hoc analyses may be necessary in the first financial year as well.
When the initial risk analysis must be completed varies from case to case, because the time required depends on the enterprise’s particular circumstances and susceptibility to risk. When in the course of this analysis an enterprise identifies risks as defined by the Supply Chain Act, it must take appropriate preventive measures without undue delay. This includes, in particular, a policy statement pursuant to section 6 (2) Supply Chain Act.
2. Is it possible to limit the regular risk analysis (to be carried out once a year) to risks in the enterprise’s own business area and in the business area of its direct suppliers?
Yes, pursuant to section 5 (1) Supply Chain Act the risk analysis concerns risks within an enterprise’s own business area and those of its direct suppliers. This does not mean, however, that risk management and, in particular, the preventive measures may be limited to these risks. The risk management system as a whole must be designed appropriately and effectively so that it is suitable to prevent any prioritised risks that the enterprise has caused or contributed to in the supply chain (section 4 (1) and (2) Supply Chain Act). The Act therefore provides that the preventive measures also address the risks “at suppliers in the supply chain” (cf. section 6 (2) sentence 3 no. 3, (4) no. 2 Supply Chain Act).
3. What is appropriate risk analysis? How does risk analysis work? How far down the supply chain is it necessary to look in a dynamic global network of suppliers with numerous sub-suppliers?
Enterprises should use risk analysis to identify, assess and prioritise human rights and environment-related risks.
In the first step of the process, enterprises should aim for transparency in their supply chains and gain an overview of their own procurement processes as well as the structure and actors of their supply relationships. This can take the form of mapping risks according to business fields, locations, products, raw materials or countries of origin (cf. explanatory information on section 5 (1) of the Federal Government’s draft).
The second step is to assess and, if necessary, prioritise the risks. On the basis of this, enterprises can decide which risks (and which supply relationships) to look more closely at and address first. Enterprises have a large amount of leeway for this. The crucial factor here is that enterprises be able to plausibly justify why a certain risk is being addressed as a priority in accordance with the criteria of appropriateness laid down in section 3 (2) Supply Chain Act. For example, one criterion is the severity of the identified risk in connection with a causal contribution in causing harm (e.g., large purchasing volume of a certain raw material).
Enterprises must undertake more detailed assessments of prioritised risks when they need more information to take action. This might concern the severity of possible human rights violations and their likelihood, or it might concern the groups of people affected, the suppliers where there are risks. It might also concern the political, legal or cultural situation where production takes place.
In the explanatory information concerning section 3, the Act refers to relevant guides that are especially suitable as introductions to the issue of due diligence obligations.
Risk analysis must be carried out annually as well as on an ad hoc basis (cf. section 5 (4) Supply Chain Act). This enables enterprises to react to supply network dynamics.
4. What happens when risk analysis cannot be undertaken because an enterprise was not able to achieve transparency in the supply chain despite making an effort?
The due diligence obligations establish an obligation to make an effort, not an obligation to succeed. That means that enterprises must make continuous, reasonable efforts to fulfil their due diligence obligations: this includes aiming for supply chain transparency. If they are unable to achieve this for plausible reasons, they are nevertheless acting in line with the Supply Chain Act. Risk analysis must be updated on an ad hoc basis as required and at least annually.
5. Do goods that are not intended for resale, such as office supplies and software, fall under priority risks according to section 5 (2) Supply Chain Act when they are very similar to the goods of the core business?
All goods that an enterprise purchases to manufacture its products or provide its services are part of the supply chain (cf. section 2 (5) Supply Chain Act) and are therefore part of the risk analysis. This also applies to goods that enterprises purchase to ensure they continue to exist, but which are not directly incorporated into the final product.
However, enterprises do not have to consider all risks in equal detail. They should focus on the most important ones (cf. section 5 (2) Supply Chain Act), i.e., prioritise them. Whether risks associated with the production of these goods are to be prioritised by the enterprise depends on the criteria for appropriateness defined in section 3 (2), in particular on how serious the risks are considered to be and what the enterprise’s potential influence is on effectively countering these risks.
6. Does the ad hoc risk analysis within the meaning of section 5 (4) Supply Chain Act go beyond risks at the direct supplier? Must it be applied to any significantly changed or expanded risks anywhere in the supply chain?
Yes, any risk that the undertaking must expect to change significantly or any new risk that appears in the supply chain pursuant to section 2 (5) Supply Chain Act must be analysed. Two types of risk analysis result from section 5 (1) and (4) Supply Chain Act:
- The subject of the regular risk analysis (“once a year”) are all risks in the enterprise’s own business area and at all direct suppliers.
- The ad hoc obligation to carry out a risk analysis relates to any risks that have changed significantly or new risks that have arisen due to any new circumstances and anywhere in the supply chain, both at direct and at indirect suppliers. Risks that must be analysed are those that are obviously new or change significantly.
IX. Due diligence obligation to issue a policy statement
1. According to section 6 (2) sentence 2 Supply Chain Act, policy statements must be adopted by senior management. In the case of a German subsidiary GmbH, does “senior management” mean “management board” (Geschäftsführung)? And in what form is the policy statement to be “adopted”? And to whom is it to be issued?
In the case of a German subsidiary GmbH, “senior management” means the “management board” (Geschäftsführung).
The policy statement is considered to have been adopted once it has been made publicly available by senior management, e.g. on the homepage of the enterprise. In addition, the prevention measures laid down in section 6 Supply Chain Act require that the policy statement is communicated to the employees, and where applicable, the works council. The same applies to communicating the policy statement to direct suppliers as part of the obligations under section 6 (4) Supply Chain Act. For the purpose of communicating the policy statement within the meaning of the Act, it is not sufficient to solely make it available passively, e.g. filing a document in systems or in the intranet. However, in this area it is sufficient with regard to direct suppliers, for the general terms and conditions of delivery or the purchase order to contain a link to the website of the enterprise where the policy statement has been published.
2. Do policy statements have to have a uniform, outwardly coherent form? Or is it sufficient to place the elements in separate documents (e.g., corporate policy, code of conduct for suppliers, integrated strategy report, risk assessment and implementation)?
The policy statement must contain all the elements required by law in a single document that is complete in this regard and comprehensible on its own. However, it is permissible to refer to other documents to the extent that they spell out individual elements contained in the policy statement in more detail.
3. Is the reference to a group-wide code of conduct sufficient?
If the group-wide code of conduct also satisfies the legal requirements for the policy statement for the subsidiary (cf. section 6 (2) Supply Chain Act), the reference to a group-wide code of conduct is sufficient. It is important that the statement also address the specific risk situation of the subsidiary.
X. Due diligence obligation to establish prevention measures
1. When should preventive measures be taken and which risks should be addressed?
Pursuant to section 6 (1) Supply Chain Act, preventive measures must be taken immediately if the regular risk analysis identifies any risks in the enterprise’s own business area and at direct suppliers and insofar as these have been prioritised in compliance with the principle of proportionality. Any preventive measures must, however, also address other risks in the supply chain to which the enterprise contributes and which must be prioritised accordingly if
- risk management staff, whose knowledge and experience appears suitable in view of the enterprise’s risk profile, draw the enterprise’s attention to the respective risk (cf. section 4 (3) sentence 1 Supply Chain Act),
- the enterprise identifies a risk when taking into account the interests of the groups of people affected by the economic activities of a supplier in its supply chains (cf. section 4 (4) Supply Chain Act),
- the enterprise becomes aware of risks beyond the immediate supplier during an ad hoc analysis (cf. section 5 (4) Supply Chain Act),
- the enterprise becomes aware of risks when
- it develops a policy statement that includes expectations placed on suppliers in the supply chain (cf. section 6 (2) no. 3 Supply Chain Act),
- iit seeks transparency within the supply chain in the course of developing and implementing suitable procurement strategies and purchasing practices (section 6 (3) no. 2),
- it enshrines suitable measures vis-à-vis suppliers within the meaning of section 6 (4) no. 1 and 2 Supply Chain Act or
- the enterprise gains substantiated knowledge within the meaning of section 9 (3) Supply Chain Act.
2. Do enterprises have to review the complete supply chain for each individual product as part of their preventive measures?
No. The important thing is for preventive measures to be linked to prioritised risks, not to the entire range of products that the enterprise deals with.
3. Can affected enterprises require their suppliers to provide lists of their business relationships and audit reports of their suppliers in particular?
The Act does not specify in detail which documentation must be provided by suppliers or agreed upon with suppliers in specific cases. Audits may be evidence of the fulfilment of expectations, provided that the audit in question takes into account the requirements of the Supply Chain Act.
4. Is a self-disclosure statement signed by a supplier sufficient to fulfil the due diligence obligation with regard to that supplier?
Due diligence obligations are not automatically fulfilled by relying solely on written assurances. Rather, all other obligations set out in the Supply Chain Act regarding risk analysis and preventive measures and remedial action must also be fulfilled.
XI. Due diligence obligation to take remedial action
1. When is there an obligation to withdraw from a business relationship in line with section 7 (3) Supply Chain Act?
The Supply Chain Act’s provisions in section 7 (2) and (3) encourage enterprises to work with suppliers or with the sector’s stakeholders first to find solutions to complex problems that are difficult to solve before withdrawing from a business field. The principle here is: staying and helping is better than cutting and running. The termination of business relationships is only required if, first of all, the violation of a protected legal position or an environment-related obligation is assessed as very serious; second, the implementation of the measures developed -- together with the supplier -- in the concept does not remedy the situation after the time specified in the concept has elapsed; third, the enterprise has no other less severe means at its disposal; and fourth, increasing the ability to exert influence has no prospect of success.
It should be kept in mind that the mere fact that a state has not ratified one of the conventions listed in the Annex to this Act or has not implemented it into its national law does not automatically result in an obligation to terminate the business relationship.
The ratification of conventions and their implementation into national law is the responsibility of states and not enterprises. Not having ratified human rights or environmental conventions or not having implemented them into national law does not in itself give rise to an obligation to break off a business relationship or an obligation not to enter into that relationship in the first place.
The deficits of states in the field of human rights or violations of human rights by states can, however, give rise to relevant human rights risks or exacerbate them in the context of corporate due diligence. Enterprises can thus in particular be expected to take the lack of ratification or implementation into account in their risk analysis and to review the consequences of that for the risk situation as a whole.
XII. Due diligence obligation to establish a complaints procedure
1. In the case of global groups, what constitutes an “internal” complaints procedure in line with section 8 Supply Chain Act? Must the complaints procedure be (organisationally) at the level of the German subsidiary? Or is it sufficient for it to be at the global, group-wide level?
A group-wide complaints procedure is sufficient if it meets the legal requirements. It is possible for enterprises to participate in external complaints procedures, so internal group-level procedures are all the more sufficient.
XIII. Due diligence obligations on documentation and reporting
1. What reporting obligations do affected enterprises have?
Enterprises must submit an annual report on their implementation of their due diligence obligations to the Federal Office for Economic Affairs and Export Control and they must publish it online. Both actions must be taken no later than four months after the end of the financial year to which the report relates.
The report must state in a comprehensible manner,
- whether the enterprise has identified any human rights and environment-related risks and if so, which ones,
- what the enterprise has done to fulfil its due diligence obligations,
- how the enterprise assesses the impact and effectiveness of the measures,
- what conclusions it draws from the assessment for future measures.
The report must be made publicly available online no later than four months after the end of the financial year and must be kept available for seven years. Trade and business secrets are to be given due protection. The reports must be submitted to the Federal Office of Economics and Export Control. An electronic procedure is being developed to keep the burden on enterprises as light as possible. This will be made available to enterprises in good time.
All information on how to submit the report to the Federal Office for Economic Affairs and Export Control and in which form to publish it on the enterprise’s website can be found here: bafa.de/Reporting_Obligation
The response to question IV.7. contains information on the reporting obligation in affiliated enterprises.
2. When must an initial report be submitted in line with the Supply Chain Act?
Initial reports in line with the Supply Chain Act must be submitted to the competent authority no later than four months after the end of the financial year that ends during the calendar year 2023 (for enterprises with 3,000 or more employees) or 2024 (for enterprises with 1,000 or more employees). The reporting period does not begin until 1 January 2023 (or 1 January 2024).
The following applies to all reports to be submitted to the Federal Office for Economic Affairs and Export Control (BAFA) between 1 January 2023 and 1 June 2024 and that have to be published on the website of the enterprise:
BAFA will only start checking from 1 June 2024 onwards whether the reports have been submitted and published. Even if the submission of a report to BAFA and its publication under the Supply Chain Act was already due before this date, BAFA will not impose a sanction on enterprises that fail to meet the deadline, provided the report is submitted to it by 1 June 2024. If such a report is submitted after 1 June 2024, BAFA may issue a reminder for the missing or late submission/publication and impose a sanction if necessary. For reports whose submission deadline is on or after 1 June 2024, no special provisions apply. BAFA is entitled to immediately issue a reminder for a failure to submit (and publish) a report or submit (and publish) it on time and, if necessary, impose sanctions.
BAFA may, where necessary and as part of report audits pursuant to section 13 of the Supply Chain Act, provide guidance to enterprises that submit reports prior to 1 June 2024 on how to take account of the requirements of section 10 (2) and (3) of the Supply Chain Act in the next reports. BAFA will refrain from requesting actions to rectify any errors in the content of these reports. For reports submitted from 1 June 2024 onwards, BAFA will, if necessary, demand actions to rectify reports pursuant to section 13 of the Supply Chain Act if the requirements pursuant to section 10 (2) and (3) of the Supply Chain Act have not been met and, where necessary, impose sanctions in the event of a breach.
The special rules for reports submitted by 1 June 2024 do not affect the fulfilment of the other due diligence obligations pursuant to sections 4 to 10 (1) of the Supply Chain Act as well as their monitoring and any imposition of sanctions by BAFA, which may also arise due to information provided in a report.
3. Can sustainability seals, audits and certificates serve as evidence within the framework of the Supply Chain Act?
When seals, certificates and audits demonstrably fulfil the legal due diligence requirements, they can be used as important indications of the fulfilment of the due diligence obligations.
4. What reporting obligations do subsidiaries abroad have?
Subsidiaries abroad have no reporting obligations because they do not fall under the scope of application according to section 1 Supply Chain Act (not located in Germany, no branch office).
5. Is it necessary to report on the 2022 financial year starting on 1 January 2023?
No. It is only necessary to report on the state of affairs starting on 1 January 2023 if the enterprise falls under the scope of application starting on that date.
6. Can the reports be in English?
No. Section 12 (1) Supply Chain Act explicitly stipulates that reports must be in German.
XIV. Monitoring by the Federal Office for Economic Affairs and Export Control
1. Who monitors compliance with due diligence obligations? In what form?
Implementation of the Act is monitored by the Federal Office for Economic Affairs and Export Control.
Enterprises must submit their due diligence reports to the Federal Office for Economic Affairs and Export Control, which reviews the reports, no later than four months after the end of the financial year (cf. XIII. 2. for details of the first report).
The Federal Office for Economic Affairs and Export Control also carries out risk-based inspections of enterprises. It may summon persons, enter offices, inspect and examine documents and prescribe specific measures to remedy problems. It may also impose financial penalties and administrative fines.
2. What is the stance of the Federal Office for Economic Affairs and Export Control when assessing the appropriateness of measures taken by enterprises to fulfil their due diligence obligations?
The principle of appropriateness gives enterprises a great deal of leeway in deciding which risks they should address first and which measures are reasonable. Authorities acknowledge this leeway and take it into account when monitoring compliance. The Federal Office for Economic Affairs and Export Control reviews whether enterprises took appropriate action at the time of the decision, i.e., ex ante. Thus, enterprises have to show which criteria they used to assess risks and implement measures. The enterprise’s internal decision process must be plausible and comprehensible for the Federal Office for Economic Affairs and Export Control. It does not review the enterprise’s decision from an ex-post facto point of view, so enterprises should not be sanctioned for what in hindsight turns out to have been a mistake.
XV. Consequences of the Act for enterprises / questions of liability
1. What happens when enterprises do not comply with the Act?
Enterprises face fines of up to eight million euros or up to two percent of their annual turnover if they fail to meet their obligations to conduct risk analysis, establish a complaints procedure, take preventive measures and eliminate known human rights violations effectively. The turnover-based framework for fines only applies to enterprises with more than 400 million euros in annual turnover.
Similarly, enterprises in violation of the Act can be excluded from the award of public contracts within a period of up to three years if fined an amount above a certain minimum (the threshold depends on the severity of the violation: 175,000 euros or 1,500,000 euros, 2,000,000 euros or 0.35 percent of annual turnover). The Federal Office for Economic Affairs and Export Control will be given effective enforcement instruments and far-reaching powers of supervision to monitor enterprises' supply chain management.
2. Will German enterprises be held liable for their suppliers in the future?
No. Enterprises are not liable for the behaviour of third parties in the supply chain.
3. Are enterprises liable when human rights violations occur?
The Supply Chain Act itself does not change the current grounds for being held liable. However, employees abroad can already sue for damages in German courts if they feel that their rights have been violated by a German enterprise. However, the law of the country in which the damage occurred is then applicable.
A new aspect in this Act is that in the future affected persons will be able to authorise domestic trade unions and non-governmental organisations (NGOs) to bring civil proceedings in their own capacity. Special capacity to sue is a procedural tool. It is applicable when there are possible violations of very important legal positions set out in section 2 (1) Supply Chain Act, such as life or limb. In the respective proceedings, the law of the location where the damage occurred continues to apply, i.e., as a rule the law of a foreign country.
4. Can the Act cause German enterprises to withdraw from developing countries?
The principle of “staying and helping is better than cutting and running” is explicitly enshrined in the Act. Enterprises are encouraged not to withdraw from regions with weak standards, but to work with suppliers there or with other industry players to minimise risks. This provides them with legal certainty, especially when dealing with suppliers not yet appropriately addressing human rights risks.
Even in cases of severe human rights violations, terminating business relationships is only required given the following factors:
- severe breach or violation,
- attempts to mitigate the risk within the specified time have failed,
- there are no other less severe means available and
- increasing the ability to exert influence has no prospect of success.
The mere fact that a country has not ratified the international conventions listed in the Supply Chain Act does not oblige companies to break off business relationships.
XVI. Implementation aids for enterprises
1. Is information and support available to enterprises?
Within the framework of the NAP, the Federal Government offers extensive support for enterprises regarding the implementation of their due diligence obligations. This includes initial counselling provided by the Business & Human Rights Helpdesk (Helpdesk Wirtschaft & Menschenrechte), which was launched in 2017, and the establishment of support networks abroad around the embassies of the Federal Foreign Office. Another important way to offer support is through the sectoral dialogues on the implementation of the National Action Plan, which are moderated by the Federal Ministry of Labour. These include development of detailed guidance on implementing individual due diligence obligations. This makes the basis for taking action more secure, especially in sectors with special human rights challenges. On the Federal Government’s information portal at www.wirtschaft-menschenrechte.de you can find a good overview of the support offered by the Federal Government and other actors for implementing corporate due diligence, as well as detailed information on fulfilling due diligence obligations.
The Federal Office for Economic Affairs and Export Control, which is responsible for enforcing and monitoring the Act, also publishes cross-sector and sector-specific information and advice on compliance with the Act.
2. Selling both their own and third-party brands is part of their “own business area” for department stores, which offer a broad range of goods including their own brands and a high proportion of brands of manufacturers and third-parties. Do their due diligence obligations also extend to these third-party brands? The enterprise may have a direct contractual relationship with as many as 5,000 suppliers, but they usually have no knowledge of their supply chains. Or are the obligations arising from the Supply Chain Act limited exclusively to an enterprise’s own brands and their associated supply chains?
The Supply Chain Act’s definition of supply chain covers both an enterprise’s own brands and third-party brands. The capacity to exert influence may be greater in terms of their own brands. The Supply Chain Act takes this into account, for example on the issue of whether the measures taken were appropriate and the prioritisation of risks comprehensible.
3. The Supply Chain Act announced three statutory instruments: one on indirect suppliers, one on report audit by the authorities and another statutory instrument concerning action taken by the authorities. When are they expected?
The provisions provide for the possibility to issue statutory instruments, but not the obligation to do so. Currently (as of November 2021), no statutory instruments are being planned.
XVII. Effects of the Act on small and medium-sized enterprises
1. As an SME, under which circumstances might I be affected by the Supply Chain Act?
SMEs are not covered by the Supply Chain Act. However, an SME can still be affected by the requirements of the Act if it provides services or products to another enterprise that is itself subject to the obligations under the Supply Chain Act. This is because the SME is then considered a “direct supplier” of the enterprise to which the Supply Chain Act applies. Where it suspects a risk, the enterprise to which the Act applies must include direct suppliers in its specific risk analysis and, if necessary, in any preventive and remedial measures as well as in the establishment of its complaints procedure.
For the SME in question, this means specifically:
- in order to carry out their risk analysis, enterprises to which the Act applies may request information from suppliers (e.g. information on identified risks or violations; whether the supplier conducts its own risk analysis and, if so, according to which method; on raw materials, semi-finished products and services used for the product or service; information on upstream suppliers’ premises).
- Depending on the results of their risk analysis, enterprises to which the Act applies may have to implement preventive measures at their suppliers (e.g. training on an agreed supplier code, code of conduct, or the establishment of contractual control mechanisms).
- If enterprises to which the Act applies discover violations of obligations under the Supply Chain Act (e.g. child labour in the supply chain), they must make efforts to remedy the situation. In this case, they can ask a supplier to participate in these efforts if appropriate.
- When setting up complaints procedures, enterprises to which the Act applies can ask suppliers which persons might use this procedure (e.g. employees, residents) and request that suppliers make these groups aware of the procedure.
The Supply Chain Act contains such requests addressed to SMUs by the enterprise to which it applies.
2. As an SME, which obligations do not apply to me?
SMEs do not have to fulfil the obligations under the Supply Chain Act themselves. The Federal Office for Economic Affairs and Export Control – as the authority responsible for implementing and monitoring the Supply Chain Act – does not have the power to and will not monitor SMEs in that regard or impose sanctions such as fines.
The Supply Chain Act does not place obligations on SMEs:
- to carry out their own risk analysis in relation to their supply chain;
- to check themselves which preventive and remedial measures they should implement in relation to their supply chain;
- to establish their own complaints procedure;
- to submit reports to the Federal Office for Economic Affairs and Export Control or contribute to them.
3. As an SME, how should I react if an enterprise to which the Act applies asks me to cooperate in the context of the Supply Chain Act?
The Supply Chain Act is not directly aimed at SMEs, but requires that enterprises to which the Act applies cooperate with SMEs as their suppliers to fulfil the obligations imposed by the Act. In practice, there is usually no way around this because this is the only way the enterprise in question can comply with the law and will therefore make its cooperation requests part of contract negotiations. The Supply Chain Act allows enterprises to which it applies to request that their suppliers, including SMEs, cooperate in the context of the Supply Chain Act, e.g. as described in the example cases listed under XVII.1.
SMEs should be aware of the following:
- if an enterprise to which the Act applies requests data from an SME on the origin of products or potential risks in production with reference to obligations imposed by the Supply Chain Act, suppliers should start by looking at the reasons given to justify the request. They should show that the enterprise to which the Act applies is conducting a risk analysis for purposes of the Supply Chain Act, the risks that have been identified so far and the questions that arise from this with regard to risks to the specific supplier. In the absence of such a justification, a supplier should request it from the enterprise in question and only provide the information once reasons have been provided.
- When transferring data to the enterprise to which the Act applies, the supplier should check which information it needs to protect, e.g. because it is a trade secret. The supplier should redact this information or summarise it in a suitable form. Alternatively, the supplier could agree confidentiality clauses with the enterprise to which the Act applies.
- SMEs should also ask the enterprise in question to share its resources, information and risk identification tools.
- When receiving a request for participation in preventive and remedial measures or the structuring of a complaints procedure, SMEs should ask to see what specific risks have been identified in their business or supply chain, how the requested participation can be put into practice and whether and how the enterprise to which the Act applies supports this with its own resources.
4. Human rights and environmental risks hardly play a role in my SME. What action should I take?
Enterprises to which the Act applies must take a risk-based approach to fulfilling their due diligence obligations. This also means distinguishing between low-risk and high-risk suppliers. If an SME is a supplier of an enterprise to which the Act applies and is asked to fill out an extensive questionnaire on the Supply Chain Act or to make corresponding declarations, although the human rights and environmental risks inquired about hardly play a role in its activities, then the SME should point this out and request that the enterprise in question justify its questions in more detail with regard to the individual case.
5. As an SME, how should I react if an enterprise wants to pass on its obligations under the Supply Chain Act to me?
The Supply Chain Act does not permit enterprises to which the Act applies to pass on their obligations to SMEs that act as suppliers. Enterprises who do this must expect control measures from the Federal Office for Economic Affairs and Export Control.
This would be the case, for example, if the enterprise in question:
- wants to replace its risk analysis with assurances from suppliers;
- imposes preventive or remedial measures on the SME that clearly impose too much of a burden on the SME
(e.g. financially or in terms of staffing);
- allows the supplier to give a blanket assurance regarding the absence from human rights risks in its supply chains.
SMEs should therefore bear the following in mind:
- SMEs should not give a blanket contractual assurance to an enterprise to which the Act applies that they will fulfil all obligations under the Supply Chain Act or ensure compliance with all Supply Chain Act requirements in their supply chains (e.g. assurance to “comply with all human rights in the supply chain”). If an enterprise to which the Act applies demands this, it could be in breach of the Supply Chain Act and the matter could result in an inspection by the Federal Office for Economic Affairs and Export Control if it is notified accordingly.
- If an enterprise to which the Act applies requires an SME to participate in or carry out preventive measures (e.g. initial or ongoing training on human rights and environmental risks in the supply chain), then the SME should first ask the enterprise in question for the following:
- provision of the policy statement detailing the identified human rights and environmental risks and expectations placed on suppliers;
- a concrete explanation of how the measures will mitigate the identified risks at the supplier.
- If an enterprise to which the Act applies requires an SME to participate in or implement remedial actions (e.g. back pay for withheld wages), the SME should first ask the enterprise in question for at least the following information:
- identification of the violations in the supply chain as identified by the enterprise in question;
- the plan for ending them;
- a suggestion on the part of the enterprise in question on how the costs of the measure(s) should be shared appropriately.
- If an SME feels overwhelmed by such a proposal, it should:
- explain to the enterprise in question why it cannot carry out the measure with its own resources and ask for support;
- if the enterprise in question does not comply with this request, seek individual legal advice to determine whether the request made by the enterprise in question may be inadmissible under contract law (law regarding terms and conditions etc.).
The above also applies in the event that an SME is requested to take measures by an enterprise to which the Act applies with which it does not have a direct supply relationship (i.e. as an "indirect supplier" as defined by the Supply Chain Act).
6. As an SME, where can I get further practical assistance in implementing due diligence processes?
In many cases, cooperation with enterprises to which the Supply Chain Act applies will also be helpful for the management of the SMEs’ own processes, because:
- such cooperation will enable them to identify risks at an early stage and address them proactively;
- they can gain a competitive advantage, especially in developing business relationships with customers who are subject to the obligations imposed by the Supply Chain Act;
- it can facilitate negotiations with their customers if suppliers understand the requirements for a robust due diligence-based risk management system.
Beyond the scope of the Supply Chain Act, there are due diligence expectations (e.g. from the German government’s National Action Plan for Business and Human Rights, the OECD Guidelines for Multinational Enterprises as well as the UN Guiding Principles on Business and Human Rights) that are also addressed to SMEs.
To support all companies in this endeavour, the Federal Government has established, among other things, the Business & Human Rights Helpdesk, which provides them with free, confidential and individual advice on the implementation of human rights due diligence and helps them to shape their actions in an environmentally and socially responsible manner:
- Further information is available here:
- Business & Human Rights Navigator
- SME "Due Diligence Compass"
- SME "Standards Compass"
- CSR risk check: Identify industry, product and country-specific risks.
XVIII. The Supply Chain Act in an international context
1. Are there due diligence regulations or legislation outside of Germany?
On 23 February 2022 the EU Commission has introduced a proposal for an EU legal framework on sustainable corporate governance, which will also include mandatory due diligence obligations in global value chains. An EU-wide arrangement will increase the effectiveness of human rights protection measures and create a level playing field within the internal market.
2. What is the relationship between the German legislation and the European legislation? What happens when an EU directive imposes “stricter” requirements on enterprises?
European Union law takes precedence over German law, i.e., if the two are in conflict, the EU requirements apply. In the case of a directive they must be transposed into German law.
3. What is the relationship of the reporting obligations under the Supply Chain Act to the new non-financial reporting requirements?
There is currently only a draft by the Commission. No new directive has been adopted yet. The Federal Government is committed to ensuring that regulations are as coherent as possible.