The German Supply Chain Act - Our Guide & What You Need to Know

In June 2021, the German parliament passed the German Supply Chain Act as a way to enforce stricter rules surrounding human rights and environmental pollution. With the law, new requirements and challenges will arise for companies of all sizes, both directly and indirectly. Companies should be prepared for an increased number of audits, the request for accurate environmental and social data disclosure, and a greater need for supplier qualification. In this article, we will guide you through the basic framework of the German Supply Chain Act and help your company to prepare accordingly.

December 28, 2021

What is the German Supply Chain Due Diligence Act?

The 21st century has been marked by severe, ongoing human rights breaches and environmental pollution, and the COVID-19 pandemic has made these unsustainable practices more visible. Governments were forced to act and move from voluntary corporate social responsibility (CSR) to a more rigid set of mandatory regulations. The UK published the Modern Slavery Act in 2015, France adopted its own Corporate Duty of Vigilance Law in 2017 and the Netherlands made a strong commitment by issuing the 2019 Child Labor Due Diligence Act. More importantly, it is not only individual governments that are taking a stand: the EU is pushing for harsher regulation on supply chain due diligence, and though drafts have been delayed, they are expected shortly. We know from current market trends that regulation will become stricter, will mandate the collection and disclosure of more accurate data, and will be increasingly burdensome for companies.

On June 11, 2021, the German Federal Parliament passed the so-called Supply Chain Due Diligence Act ("Lieferkettensorgfaltspflichtengesetz", or in short "LkSG"). The LkSG will officially enter into force on January 1, 2023, and from that date it will impose an increased scope of corporate responsibility on companies with regard to human rights and environmental protection. The German Supply Chain Act applies to companies, regardless of their legal form (foreign companies are included), which:

  1. Have their head office, main establishment, administrative headquarters, statutory seat or a branch office in Germany; and 
  2. Employ more than 3,000 employees in Germany as of January 1, 2023 (or more than 1,000 employees as of January 1, 2024).

As a consequence, organizations will almost immediately face an increased number of audits and will frequently be asked to supply data on environmental and human rights performance. That is why it is essential to be duly prepared. To enable this, we have created a short checklist of the main obligations under the German Supply Chain Due Diligence Act which can guide you and your company to be on time and avoid potential penalties or repercussions.

Stage A: Generally Applicable Obligations (regardless of identified risks or breaches)

1) Set up a Risk Management System 

Your company needs an effective risk management system that makes it possible to identify and reduce risks to human rights and the environment. In addition, the system needs to prevent, end or minimize your company's participation in these violations.

The most effective way to do so would be to have a clear overview of all suppliers, conduct regular risk analyses (at least yearly) and request risk-related data sharing on human rights and environmental obligations. It is possible to use already existing guidelines for setting up a risk management system, for example, the ISO 31000 standard.

2) Appoint a responsible person within the company  

One person must be appointed as responsible for sustainable business practices - this could be a human rights officer, the head of CSR or an ombudsman. The person needs to inform the senior management on their work, progress and performance at least once per year.

3) Perform regular risk analyses

In the event of a change in risk status, but at least once per year, your company needs to conduct a supply chain analysis, assessing its own performance as well as the performance of all direct suppliers. In some cases, for example after a confirmed manipulation of the supply chain structure or direct knowledge of an ongoing violation, indirect suppliers must also undergo a risk analysis. The findings of these assessments need to be documented and communicated to the company's management and, in particular, to the people in charge of purchasing or partnerships.

4) Establish a complaints procedure 

Your company needs to have an internal and external complaints (whistleblowing) procedure in place. It should address breaches of human rights or environmental risks arising from internal business, direct suppliers or indirect suppliers. The procedure should consist of:

  1. Appointing a designated, independent person (or multiple) to conduct the complaints procedure; and
  2. Issuing a publicly available rulebook on the implementation of the complaints procedure.

The effectiveness of the complaints procedure must be reviewed at least once per year and, in case of relevant changes, more regularly.

5) Document all actions

The fulfilment of all obligations set out in this guide needs to be continuously documented and stored for at least 7 years from its creation.

6) Issue annual reports 

Your company needs to prepare an annual report on the fulfilment of its due diligence obligations and make it publicly available on the company's website no later than 4 months after the end of the financial year. These reports need to be available for a period of 7 years. The annual report should at least consist of:

  1. Identified human rights or environmental risks
  2. Measures the company undertook to fulfil its due diligence obligations; this also includes parts of the policy statement as well as measures taken as a result of complaints procedures
  3. Self-assessment by the company of the impact and effectiveness of such measures
  4. Conclusions regarding its assessment which carry consequences for future measures

If there were no breaches identified in the year for which the report is issued, the last three points are not required.

[Image: Risk Management. Having robust processes in place is essential to good supplier (risk) management.]

Stage B: Specific Obligations in case of Identified Risks

7) Prepare a policy statement 

Your company must provide a clear policy statement on its human rights and environmental strategy. This policy statement needs to consist of at least the following parts:

  1. Description of procedure on how the company fulfils its obligations on supply chain due diligence
  2. Declaration of the highest priority human rights and environmental risks identified during the risk analyses
  3. Clear definition of the risk expectations from employees and suppliers of the company

8) Prepare a list of preventative measures for your own business 

When it comes to direct business relationships of your company, compile a list of preventative measures, in particular:

  1. Measures to implement the strategy from the policy statement
  2. Development and implementation of procurement strategies and purchasing practices which prevent or minimize identified risks
  3. Employee training on due diligence risks
  4. Implementation of risk-based control measures to verify compliance with the policy statement

These measures need to be reviewed at least once per year and, in case of significant changes, on an ad hoc basis. Significant changes could include new products, projects or business activities.

9) Prepare a list of preventative measures towards direct suppliers

In case there is a breach or an indication of a breach in the business of your company's direct suppliers, you should prepare a list of preventative measures, in particular:

  1. Expectations regarding human rights and environmental risks performance
  2. Contractual assurances on the compliance and monitoring of risks down its own supply chain
  3. Implementation of training of its employees to comply with such assurances
  4. Control mechanisms in the supplier contracts (supply chain analyses)

As previously, these measures need to be reviewed at least once per year and, in case of significant changes, on an ad hoc basis.

10) Perform due diligence at indirect suppliers 

If there is substantiated (evidenced) knowledge that a breach may happen at an indirect supplier:

  1. Carry out an individual risk analysis
  2. Issue a statement on preventative measures towards that indirect supplier, implement control mechanisms, and support the supplier in the prevention and avoidance of risk
  3. Draft and implement a prevention, cessation or minimization plan towards the breaches
  4. Update your policy statement to cover such actions

Stage C: Specific Obligations in case of a Certain Breach

11) React to breaches

If a breach has already happened or it appears to be unavoidable, there are a few things your company needs to do:

  • If the breach happens/happened in your company's own business in Germany: immediately end the breach
  • If the breach happens/happened in your company's own business abroad or if the breach relates to the freedom of trade unions to operate: perform actions leading to the end of the breach
  • In all other cases: attempt to end, prevent or minimize the breach

If the breach took place at a direct supplier and it is not possible to end it within the foreseeable future, the company needs to issue and implement a concept with a concrete timeline for ending or minimising the breach. In certain cases, the termination of the business relationship with the respective supplier may be necessary. The effectiveness of these actions should be reviewed at least once per year and, in the event of significant changes, more frequently.

We are here to support you

Given the initial scope of the law, not every company will immediately fall under the new rules of the German Supply Chain Act. But even if your organization is relatively small, it is likely that you will observe changes ranging from more frequent supplier audits to stricter customer codes of conduct and data requests. The time to ensure that your company is prepared for the upcoming changes is now - and we are happy to support you. To understand your own position, we offer an easy self-assessment to check your company's readiness. If you would like to understand more about how our Codio Impact platform allows you to collect and manage sustainability data to comply with new regulation and customer requests, please contact us directly. We are excited to be part of your sustainability story.


Disclaimer: Nothing in this article is nor should be taken as a legal opinion or advice. This article solely reflects the author's interpretation of existing information and pieces of legislation, and neither the author nor Codio Impact UG (haftungsbeschränkt) take responsibility for the application of the opinion laid out in this article.