On 1 January 2023, the Act on Corporate Due Diligence Obligations in Supply Chains (the “Supply Chain Act” or the “Act”) entered into force in Germany. For the first time, many German companies, as well as foreign companies with German branches, will be obliged to address human rights-related and environment-related due diligence obligations in their supply chains in an appropriate manner. These requirements will pose compliance challenges on an unprecedented scale, in particular for multinational German companies with business activities in high-risk countries.
In this article we summarize the main requirements of the law and describe some of the practical problems which may arise as a result of its implementation.
Affected companies
Companies which have their central administration, principal place of business, administrative headquarters or statutory seat in Germany must now comply with the due diligence obligations set out in the Supply Chain Act, provided that they have at least 3,000 employees in Germany. These obligations must also be complied with by foreign companies which have a branch in Germany with the same number of employees. From 1 January 2024, the law will also apply to companies which have at least 1,000 employees in Germany.
Obligations along supply chain
The Supply Chain Act imposes on companies due diligence obligations which must be complied with, with the aim of preventing or ending certain human rights or environmental violations. “Supply chain” under the Act includes all steps in Germany and abroad which are required to produce the products and provide the services of a company – starting from the extraction of raw materials up to the delivery to the end customer. The due diligence obligations along the supply chain extend to the company’s own business area and direct suppliers as well as – in less strict form – indirect suppliers.
Protected legal positions
The Supply Chain Act provides for a comprehensive catalogue of protected human rights-related and environment-related legal positions, based on eleven relevant conventions on the protection of human rights.
The human rights-related provisions include ones related to: various forms of child labor, forced labor, slavery, occupational health and safety obligations, freedom of association, unequal treatment in employment, the withholding of an adequate living wage, negative impacts on the environment affecting persons, unlawful eviction as well as the hiring of security forces for the protection of a company’s project where this leads to certain human rights violations due to a failure by the company to supervise or control the security forces.
The environmental protections under the Act include a prohibition on the use of mercury and persistent organic pollutants (POPs) as well as the handling and export and import of hazardous waste.
Specific due diligence obligations
The Supply Chain Act lists nine specific due diligence obligations that a company must comply with:
- Risk management: companies must establish an appropriate and effective risk management system to comply with the due diligence obligations under the Act in all relevant business processes;
- Human rights officer: companies must determine who is responsible for monitoring risk management, for example by appointing a human rights officer;
- Risk analysis and assessment: companies must conduct an annual risk analysis in their own business area and towards direct suppliers, and further risk analyses on an ad hoc basis if the company expects a significant change in the risk level of the supply chain. As part of each risk analysis, the company must evaluate and prioritize the identified risks;
- Policy statement: companies must issue a policy statement by the company’s senior management which describes the procedure for fulfilling the due diligence obligations under the Act, and lists the risks identified in the course of the risk analysis as well as the human rights-related and environment-related expectations placed by the company on its employees and suppliers;
- Preventive measures: if the company has identified a risk in the course of its risk analysis, it must take, without undue delay, appropriate preventive measures in its own business area (e.g. through training) and towards direct suppliers (e.g. by seeking contractual assurances with respect to human rights-related and environment-related expectations);
- Remedial action: companies must take appropriate remedial action if the violation of a human rights-related or environment-related obligation in the company’s own business area or at a direct supplier has already occurred or is imminent. The termination of a business relationship is only required if the company has no less severe means at its disposal (based on the principle: “stay and change instead of cut and run”);
- Complaints procedure: companies must establish an appropriate internal complaints procedure or participate in an external procedure to receive reports on human rights-related and environment-related risks;
- Indirect suppliers: companies must also comply with the due diligence obligations under the Act (but in less strict form) in relation to their indirect suppliers; and
- Documentation and reporting: companies must continuously document the fulfilment of the due diligence obligations within the company and prepare an annual report on this which must be made publicly available on the company’s website and be submitted electronically to the German Federal Office for Economic Affairs and Export Control (“BAFA”).
Monitoring by authorities
The competent authority for monitoring compliance with the due diligence obligations under the Act is BAFA, which takes a risk-based approach in the performance of this task. BAFA may subpoena persons, enter the company’s premises and/or require the company to take specific action to fulfil its obligations. BAFA may also impose a fine of up to EUR 50,000 if the company does not take the required action.
Intentional or negligent violations of the due diligence obligations can be punished with a fine of up to EUR 8 million. If the company has an average annual turnover of more than EUR 400 million, the fine can be up to 2 percent of the company’s average annual turnover.
To detect violations of the Supply Chain Act, BAFA has set up an online complaints form in four languages (German, English, French and Spanish), where pending violations of the Supply Chain Act, or violations that have already occurred, can be reported, anonymously if needed.
EU CS3D
On 23 February 2022, the European Commission proposed a new Directive on Corporate Sustainability Due Diligence (the “CS3D”), which in certain parts significantly exceeds the requirements of the Supply Chain Act. For example, companies would be obliged to comply with the due diligence obligations if they employ more than 250 employees. The scope of protected human rights-related and environment-related legal positions under the CS3D is also substantially broader than under the Act. Further, the CS3D provides for civil liability of companies for damages caused by their failure to comply with due diligence obligations.
Should the CS3D be adopted, the German legislator could therefore be obliged from 2025/26 to tighten further the requirements of the Supply Chain Act in the course of the transposition of the directive into national law.
Practical challenges for companies
Implementing the due diligence obligations under the Act will pose considerable practical challenges for companies. It has already been seen that problems may arise, in particular, in areas where the company must cooperate with suppliers and other third parties in order to fulfil its due diligence obligations. Below we briefly describe some of the problems which companies may face when conducting a risk analysis or taking preventive measures or remedial action to meet their requirements under the Act.
a) Weighing and prioritizing risks
From BAFA’s detailed guidance it is clear that the risk analysis required by the Supply Chain Act is much more extensive than a typical compliance due diligence. In particular, in addition to identifying risks typical for the relevant industry and country, the company must weigh and prioritize identified risks according to the following criteria: the nature and extent of the company’s business activities, the probability of violation occurring, the severity of the violation, the number of affected persons, the ability of the company to influence the party responsible for the violation as well as the contribution by the company itself to the specific risks or risk areas. In many cases, it will not be possible to evaluate the risks without instructing a specialized service provider to conduct an additional ESG due diligence or Human Rights Impact Assessment.
b) Preventive measures or remedial action
If the company has identified a human rights-related or environment-related risk in the course of the risk analysis, it must take preventive measures without undue delay. If the violation has already occurred or is imminent, the company must take, without undue delay, appropriate remedial action. The statutory requirements which apply to remedial action are significantly stricter than those applicable to preventive measures – for example, in the case of an identified violation by a direct supplier the company may be obliged to jointly develop and implement, at high cost, a plan to end the violation. Therefore, it is crucial in practice to distinguish the mere risk of a violation from a violation that has already occurred or is imminent. Often, however, it will not be possible to make a distinction between a risk and a violation with sufficient certainty. In these cases, it may be preferable for the company to go to the greater lengths of taking remedial action.
c) Agreement of industry standard
In order to simplify fulfilling its due diligence obligations under the Supply Chain Act, a company may agree with a direct supplier that the supplier will implement an internally recognized industry standard and go through a third party certification process. However, the company should be aware that the use of recognized certification systems to verify compliance by direct suppliers with the company’s own human-rights standards does not exempt the company from its own responsibility under the Supply Chain Act. Therefore, the company would also have to conduct a gap analysis between the legal positions protected by the Supply Chain Act and those of the industry standard to ensure that all the legal positions under the Supply Chain Act will be covered by the certification. Further, the company would have to check to what extent identified risks will actually be weighted and prioritized according to the requirements of the Supply Chain Act and that the required preventive measures and remedial action will be taken.
Conclusion and outlook
The Supply Chain Act imposes strict due diligence obligations on companies with the aim of improving the minimum standards in international supply chains. The actual implementation of the due diligence obligations under the Act, however, will involve significant difficulties, in particular due to uncertainty regarding the interpretation of the statutory requirements. To date, the guidance which has been published by BAFA has answered only some of the open questions. At the same time, a company’s non-compliance with the due diligence obligations could be punished with substantial fines. A further tightening of the statutory requirements as a result of the upcoming EU CS3D is also on the horizon. Against this background, it is crucial for multinational companies to carefully check to what extent the due diligence obligations apply to them, and how – starting with their business activities in countries with a high risk for violations – these obligations can be practically addressed.