Data Privacy Declaration

The Ombudslawyers of Rechtsanwälte Elke Schaefer acknowledge the great importance of data protection and compliance with data protection regulations. In the interest of transparency under the data protection laws, the following data protection declaration intends to explain the "vertrauenssachen.de" Whistleblowing System and to inform the whistleblowers, when using this system, about how we deal with incoming reports and about the type, scope and purpose of the collection and use of data. As the body responsible for data protection, the Ombudslawyers recognize the following data protection declaration as a binding part of the anonymous Whistleblower System:

1. Legal Basics

This declaration is based on the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) in their current version, in particular Art. 6 Para. 1 lit. f GDPR, Art. 88 GDPR in conjunction with § 26 BDSG. Any regulations deviating from the law shall be null and void; the remaining objectives and/or regulations remain unaffected.

2. Purpose of the Whistleblower System

The Whistleblower System serves to receive and clear up serious suspicions about violations of rules set by the respective client of the whistleblower system, in particular about criminal acts that may endanger its company assets. Reports outside this scope will not be pursued further and will be deleted.

The purpose and goal of the Whistleblower System is to process the whistleblower's data while maintaining his anonymity. The anonymous Whistleblower System collects data on the type of use. These include the frequency of access, the number of reports, the number of dialogues and the number of concerns raised. The Whistleblower System cannot utilize any statistical data that would allow conclusions to be drawn about an individual user. The Whistleblower System represents an internet-based alternative to the usual communication channels to the Ombudsmen and/or the client’s company-internal points of contact and therefore does not request any personal data from the whistleblower. No personal data of the whistleblower is intended to be provided to the Whistleblower System.

3. Whistleblower

Employees and third parties (e.g. customers, business partners, suppliers, employees of affiliated companies) of the companies and institutions supported by the Ombudslawyers can report information and concerns through the Whistleblower System.

4. Setting up a Mailbox

Depending on the system, the whistleblower is given the option of using a user name and password for a virtual mailbox. The creation of such a mailbox implies the consent of the whistleblower to deposit the entered data in the database of the whistleblower system.

To set up a virtual mailbox, a user name can be chosen and a password must be selected. The user name is only visible to the users of the mailbox. The password is made unrecognizable by a hash function in the web application and database.

When communicating via mailbox, it is ensured that the account of a whistleblower in the dialogue cannot be identified.

5. Guarantee of Confidentiality and Anonymity

User behavior is recorded anonymously by the Whistleblower System.

a) IP Acquisition

The IP address of the whistleblower is not stored for processing a message within the application.

To ensure the availability, confidentiality and integrity of the server and the applications and interfaces connected to the server, accesses are logged on the server to record potential security breaches. Accesses that cannot be associated with a compliance violation are deleted after one calendar month at the latest according to maintenance intervals.

b) Logging

Notes are clearly marked by an identification number (ID). This ID is not intended to identify the whistleblower, but to distinguish several whistleblowers from each other.

6. Storage of Personal Data of the Whistleblower

The provision of personal data is not requested in the whistleblower system. The personal data voluntarily disclosed through the dialogue with the Ombudslawyer can be viewed by whistleblowers at any time using a virtual mailbox. Further information about the personal data stored in the whistleblower system is not technically possible. All data entered by the whistleblower will be individually encrypted and stored in a database. Neither administrators, website operators nor other persons have the possibility to access the content of the personal data stored by the whistleblower.

7. Transmission of Personal Data

The personal data voluntarily provided during a dialogue can only be viewed by the Ombudslawyer and the whistleblower himself. Even if the whistleblower has disclosed his identity to the Ombudslawyer, the anonymity of the whistleblower is always preserved. Any transfer and processing of the data to an employee in the company affected by the report, insofar as this is necessary for clarification, requires the prior consent of the whistleblower. We would like to point out that in the event of such consent, the recipient may be obliged in accordance with Art. 14 GDPR to inform the person affected by the report of the identity of the whistleblower one month after it becomes known, but at the latest if this information would not jeopardize an effective investigation of the allegation or the collection of the necessary evidence. If a whistleblower gives his consent to the disclosure of his identity, he may revoke this consent in accordance with Art. 7 para. 2 GDPR up to one month after notification.

8. Personal Data of the Person Affected

The processing of personal data of the person affected by the notice does not require consent in cases of Art. 6 para. 1 letter f GDPR and § 26 para. 1 sentence 2 BDSG. In the event that personal data is stored, the person concerned will be informed about the processing and use of this data as soon as there is no danger to the clarification of the facts of the case at hand. In this case, the person affected by the notice also has a right to information about the personal data stored about him. The identity of the whistleblower is generally excluded from this right of information, subject to the above provisions.

9. Deletion and Modification

Whistleblowers and affected persons have the right to have incorrect data corrected, amended, blocked or deleted, provided that the legal requirements are met. Messages sent to the Ombudslawyer can only be deleted by him. The statutory periods of deletion apply. If whistleblowers have transmitted personal data in the course of the dialogue, this data will be kept for as long as it is necessary to clarify and conclusively assess the reported facts. After completion of the processing of the report raised, this data will be deleted in accordance with the legal requirements.

In order to maintain the integrity of the data, regular backups are made of the application and the database. The retention period of a backup is a maximum of one calendar month. Older backups and all corresponding copies are automatically deleted.

10. Services Used

ReCaptcha: We integrate the "ReCaptcha" function to detect bots. Users' behavioral data (e.g. mouse movements or queries) are evaluated to distinguish humans from bots. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.google.com/recaptcha/; privacy policy: https://policies.google.com/privacy; opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying ads: https://adssettings.google.com/authenticated