The Supply Chain Act requires companies to comply with certain due diligence requirements to protect human rights.

The government's explanatory memorandum clarifies that the implementation of these due diligence obligations is not a one-time process. The draft law prescribes a repetitive cycle of various procedural activities that build on each other and are interrelated.

In principle, however, no duty of success is imposed on companies. Companies do not have to guarantee that no human rights are violated in their supply chains. However, it is necessary to prove that the company has adequately implemented the measures described in more detail in §§ 4 to 10 in order to fulfill its due diligence obligations. This means that evidence must be generated in all affected processes of the company.

The following measures must be implemented for this purpose:

The company must establish an appropriate and effective risk management system. The focus of risk management in relation to the Supply Chain Act (Due Diligence Act) is to identify human rights risks and violations of legal rights along the supply chains of the company and to prevent or end these risks, but at least to minimize them - if the human rights risks and violations of legal rights cannot be ended or are associated with a disproportionate effort (§ 4 LkSG).

The focus here is only on risks that the company itself has caused. Causing in this context means that the company has directly caused the risk itself or has contributed to the creation or intensification of the risk through its actions.

It is irrelevant whether the risk lies within the company itself or with an indirect or direct supplier.

According to § 4 (3) LkSG, the company's management must define clear responsibilities in the risk management system as to who is to carry out the monitoring of due diligence. This can be done, for example, by the following functions:

The management must provide the appropriate resources for this.

In accordance with $ 4 (4) LkSG, the interests of the following groups must be adequately taken into account when establishing and implementing the risk management system:

The company must carry out a risk analysis in accordance with § 5 LkSG. The content is the identification, evaluation and prioritization of relevant human rights and environmental risks in the own company as well as at direct suppliers.

Step 1: Identification

The first step of the risk analysis is prepared by means of a risk mapping. Depending on the company, this may include business areas, divisions, countries, sites, products or countries of origin.

The company must then obtain an overview of its own procurement processes, the structure of and parties involved in direct suppliers, and the key groups of people who may be affected by the company's business activities.

Step 2: Risk prioritization

If the company cannot manage all risks at the same time, risk prioritization must be performed. Possible criteria for this can be:

Mitigation options of the risk

Probability of occurrence of the risk

Scope of the risk

Management decides on the selection of appropriate risk countermeasures and methods for obtaining the necessary information depending on the risk. Information gathering measures can be, for example:

Risk analyses must be carried out and updated at regular intervals, but at least once a year. Depending on the occasion, a risk analysis may also have to be carried out during the year. Occasions can be for example

Management must issue a policy statement on its human rights strategy immediately after becoming aware of a risk. This must be communicated to the employees, if applicable the works council, the immediate suppliers and the public.

§6 para. 2 LkSG formulates the following minimum requirements for the content of the policy statement:

Description of the procedure by which the company fulfills its due diligence obligations,

Mention of the priority human rights and environmental risks identified on the basis of the risk analysis,

Specification of the human rights and environmental expectations that the company places on its employees and suppliers in the chain. A small LkSG policy of the company, so to speak.

The company must anchor appropriate prevention measures in its own business area (cf. § 6 (3) LkSG), in particular:

In addition, companies must anchor appropriate preventive measures vis-à-vis direct suppliers (Section 6 (4) LkSG), including:

The effectiveness of the preventive measures is to be reviewed once a year and on an ad hoc basis if the company must expect a significantly changed or significantly expanded risk situation in its own business area or at the direct supplier, for example due to the introduction of new products, projects or a new business area. Findings from the processing of notices pursuant to § 8 (1) shall be taken into account. The measures shall be updated without delay as required.

[6] §7 (1-3) LkSG - Remedial Measures

If the company discovers that a violation of a human rights or environmental obligation has already occurred or is imminent in its own business area or at a direct supplier, it must take appropriate remedial action without delay (Section 7 LkSG).

In the company's own business area in Germany, the remedial action must lead to a cessation, and in the company's own business area abroad, it must "normally" lead to a cessation of the violation. The closer the company is to the threatened or already occurred violation and the more it contributes to it, the greater its efforts must be to end the violation.

In the event of a violation of human rights or environmental obligations at a direct supplier that the company cannot end in the foreseeable future, it must immediately draw up and implement a concept to end or minimize the violation (cf. Sec. 7 (2) LkSG).

An internal company complaints procedure must be established to enable persons (whistleblowers) to point out human rights or environment-related risks and violations of human rights or environment-related obligations (cf. § 8 LkSG).

The company must make clear and comprehensible information on accessibility and responsibility and on the implementation of the complaints procedure publicly available in a suitable manner.

The company must review the effectiveness of the complaints procedure at least once a year and on an ad hoc basis if, for example, it anticipates a change in the risk situation as a result of the introduction of new products.

This is actually where a whistleblower protection system is required, as companies with 250 or more employees will have to set up from 17.12.2021 under the Whistleblower Protection Act in Germany.

The company must implement due diligence with regard to risks at indirect suppliers.

This includes the corresponding measures and the evidence for this.

The fulfillment of due diligence obligations in accordance with § 3 must be continuously documented within the company. The documentation must be kept for at least seven years from the date of its creation.

The company shall prepare an annual report on the fulfillment of its due diligence obligations in the previous fiscal year and make it publicly available free of charge on the company's website for a period of seven years no later than four months after the end of the fiscal year. The report shall state in a comprehensible manner at least:

If the company has not identified any human rights-related or environment-related risk or any violation of a human rights-related or environment-related obligation and has plausibly explained this in its report, no further explanations pursuant to paragraph 2 sentence 2 numbers 2 to 4 are required.

Due consideration shall be given to the protection of trade and business secrets.

In summary, the Supply Chain Act (Due Diligence Act) formulates comprehensive requirements for companies. The Act speaks of comprehensive documented, implemented and communicated procedures. Thus, companies are required to have defined processes and associated regulations such as guidelines and declarations or reports.

With the level 3,000 employees (01.01.2023), 1,000 employees (01.01.2024) and SMEs via EU Supply Chain Act from 01.01.2024 almost all companies are affected. It is recommended not to underestimate the effort and to plan appropriate projects.