Privacy policy

1 Purpose of data processing
1.1 In accordance with our obligation under the Whistleblower Protection Act (HinSchG), we have established a digital internal reporting office. The internal reporting office is part of our compliance management system.
1.2 Employees, customers, business partners or other persons providing information can use it to report suspected violations of laws and internal rules safely and confidentially. This is intended to promote the detection and prevention of significant breaches of rules and to avert considerable risks and damage.

2 Responsibility
2.1 Our company is responsible for the processing of your personal data.
2.2 The internal reporting office is operated on our behalf by the company Hinweisgeberexperte (Compliance Beratung + Service GmbH), Maximilianstraße 24, 80539 Munich, 
2.3 As part of the processing of reports and the follow-up measures to be taken, it may be necessary to pass on information on a reported incident to legal advisors or competent authorities.

3 Technical Infrastructure
3.1 For its part, the Processor uses the whistleblowing system software AdvoWhist-le of the technical service provider iComply GmbH.
3.2 Personal data and information entered into the whistleblowing system are stored in a database operated by the technical service provider in an ISO/IEC 27001 certified data centre. Access to the data is only possible for expressly authorised processors. End-to-end encryption of all data, multi-level password protection, technical and organisational measures and regular certification ensure that the technical service provider, the data centre operator and other third parties have no access to the data.

4 Legal basis
4.1 The legal basis for the processing of information that falls within the scope of the Whistleblower Protection Act is the legal obligation pursuant to Art. 6 (1) c) DSGVO in conjunction with Section 10 of the Whistleblower Protection Act (HinSchG).
4.2 The legal basis for the processing of information relating to breaches of internal rules is the overriding legitimate interest in the detection and prevention of material breaches of rules and the associated prevention of risks and damage pursuant to Art. 6 (1) f) DSGVO.

5 Use of the whistleblower portal
5.1 The use of the whistleblower system is on a voluntary basis. When a whistleblower submits a report, the whistleblower system collects the following personal data and information: 
(a) whistleblower: name (if you disclose your identity), contact details (if you provide them). 
(b) Incident Affected Persons: First name and surname, information about incidents and suspected violations of laws and regulations  
(c) Witnesses and/or third parties named in the notice (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details.
5.2 When submitting a notice and sending supplements, file attachments may be transmitted. If anonymity is to be maintained, hidden personal data must be removed before sending. If this is not possible, only the text from these files can be copied into the digital notification form, or printouts of these files can be sent to the postal address of the processor.

6 Confidentiality
Incoming information is received by a narrow circle of expressly authorised processors and is always treated confidentially. The processors examine the facts of the case and, if necessary, carry out further case-related clarification of the facts. Every person who has access to the data is obliged to maintain confidentiality.

7 Rights of data subjects
7.1 Persons whose personal data is processed (data subjects) have the right to request information free of charge about the personal data stored about them, its origin and recipients and the purpose of the data processing. If we process your data on the basis of our legitimate interest, you have the right to object to the processing (right of objection) if there are legitimate reasons arising from your particular situation. 
7.2 In addition, data subjects have the right to correct incorrect personal data, the right to delete personal data, the right to restrict the processing of personal data, the right to data portability. 
7.3 Data subjects also have the right to complain to a supervisory authority. For this purpose, data subjects may contact the supervisory authority of their usual place of residence or workplace.

8 Retention period of data
The documentation of notices and the personal data contained therein are generally deleted three years after the conclusion of the procedure. In individual cases, the documentation may be kept longer in order to fulfil the requirements under the German Whistleblower Protection Act (HinSchG) or other legal provisions, as long as this is necessary and proportionate. A final assessment is also stored for documentation purposes.