Data protection information for the receipt and processing of reports (external ombudsman's office)
Compliance with data protection regulations is a high priority for us.
In the following, we would like to inform you about the collection and processing of your personal data, which you provide to us as part of your report of possible violations of legal requirements or company-specific regulations (" non-compliance").
We act as an ombudsperson for our clients and accept your information as an reporting centre within the meaning of § 12 of the German Whistleblower Protection Act (HinSchG). We are obliged to maintain confidentiality. Please note, however, that we may not be able to treat your identity confidentially in the case of reports that contain grossly negligent or intentionally incorrect information.
Controller
Controller for the data processing in the context of the receipt of reports, the assession of accuracy, contacting you and sending confirmations of receipt and the documentation of reports is
datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen
Tel.: +49 421 69 66 32-0
E-mail: office@datenschutz-nord.de
Processing of your personal data
The use of the reporting channel is voluntary. In addition to the content of your message, the following personal data in particular will be processed by you:
- name, if you disclose your identity,
- position in the company (if you specify this),
- contact details, if you provide them to us,
- acknowledgment of receipt of the report and further communication with you,
- if applicable, names of persons and other personal data of the persons named in your report.
Purpose and legal basis of data processing
Your data will be processed within the framework of the applicable laws, in particular for the following compliance and clarification purposes:
- Investigating the plausibility of information provided: Before initiating clarification measures, we check, among other things, whether the information provided by you appears plausible and indicates a breach of regulations by employees of one of our customers.
- Clarification of misconduct: If there is a plausible tip-off, investigative measures can be initiated to clarify the facts and possible violations or criminal offences. This concerns, for example, the detection and prosecution of fraud, corruption, tax offences, antitrust violations, money laundering or other economic crimes or violations of our internal Code of Conduct. For this purpose, the information contained in your report and other available information will be forwarded to the respective company. If conclusions about your identity are foreseeable in this context, we will only forward the information if this is necessary for the implementation of follow-up measures and you have given your prior consent in accordance with § 9 (3) HinSchG.
- Implementation of duties to co-operate: We may be required by law to pass on the data collected as part of the investigation measures to law enforcement agencies or other authorities. This may be the case, for example, if a law enforcement agency initiates a criminal investigation against a data subject as a result of clarification measure.
The data processing is generally carried out on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with § 10 sentence 1 HinSchG. However, the above-mentioned data processing may also be carried out on the basis of other regulations, depending on the purpose of processing. In particular, pursuant to Art. 6 para. 1 lit. c GDPR in conjunction with
- §§ 16 ff. HinSchG for the purposes of setting up and organising the reporting channel, conducting an internal procedure or initiating follow-up measures.
- § 11 HinSchG for the fulfilment of documentation obligations. We require your consent for the recording or word for word logging of your report made by telephone or voice message. In this case we will separately ask for consent.
Insofar as your report relates to human rights and environmental risks as well as violations of human rights or environmental obligations arising from the business activities of a company based in Germany of one of our customers or a direct supplier, Art. 6 para. 1 lit. c GDPR in conjunction with § 8 of the Supply Chain Due Diligence Act (LkSG) is the legal basis for the processing of personal data for the processing of complaints under the LkSG.
If the processing of special categories of personal data is absolutely necessary to fulfil the tasks of the reporting channel, this is done in accordance with Art. 9 para. 2 lit. g GDPR in conjunction with § 10 sentence 2 HinSchG.
In individual cases, data processing is carried out on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, provided that no interests of the data subjects worthy of protection prevail. This may be the case in particular in connection with the assertion or defence of legal claims and the improvement of compliance structures.
Recipients of your data
Your data will not be transferred to third parties. If it is necessary to transfer your data in order to initiate follow-up measures, your personal information will only be passed on if you have given your prior consent or if this is legitimised in accordance with § 9 (1) or (2) HinSchG.
In individual cases, your data may be passed on to law enforcement agencies, antitrust authorities, other administrative authorities, courts and our external legal counsel if there is a corresponding legal obligation or if it is necessary under data protection law for the clarification of reports. Every person who receives access to the data is contractually or legally obliged to maintain confidentiality.
Your data will not be transferred to bodies outside the EU or the EEA in this context.
Storage duration
Your personal data will be stored for four years after the end of the procedure (§ 11 (5) HinSchG). In exceptional cases, data may be stored for longer if other legal provisions require longer storage. In the case of complaints under the LkSG, data is stored for at least seven years (§ 9 (1) LkSG).
Your data protection rights
In accordance with Art. 15 GDPR, you have the right to obtain information about the personal data concerning you and to rectification of incorrect data in accordance with Art. 16 GDPR or to erasure if one of the reasons stated in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes mentioned above. You also have the right to restriction of processing if one of the conditions specified in Art. 18 GDPR applies and, in the cases specified in Art. 20 GDPR, the right to data portability.
In cases in which we process your personal data on the legal basis of Art. 6 para. 1 lit. f GDPR, you also have the right to object at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
To assert your rights, please use the following contact address:
meldestelle@re-move-this.datenschutz-nord.de
You also have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of the data concerning you violates data protection regulations. The right to lodge a complaint may be exercised in particular with a supervisory authority in the Member State of the data subject's habitual residence or place of the alleged infringement.
Contact details of the data protection officer
We are supported by our data protection officer in the fulfilment of our data protection obligations. Please find below the contact details of our data protection officer:
E-mail: dsb@re-move-this.dsn-group.de
Phone: +49 931 30 49 76-0