Data protection information for whistleblowers
We act as trusted attorneys for numerous companies and organizations, setting up and operating the internal reporting systems in accordance with the Whistleblower Protection Act.
In the following, we inform you about the collection of personal data when using our digital whistleblower system. Personal data in the sense of Art. 4 No. 1 of the EU General Data Protection Regulation (GDPR) is all information that can be related to you personally, such as name, address, e-mail addresses, user behavior.
Who is responsible for data processing and who is the data protection officer?
The controller for the processing activities of personal data according to Art. 4 No. 7 GDPR is:
SLK Schenk Lechleitner Krösch
Rechtsanwälte Steuerberater PartGmbB
Äußere Plauensche Str. 7
08056 Zwickau
Phone: +49 375 211 857-0
Fax: +49 375 211 857-28
E-mail: info@slk-rechtsanwaelte.de
You can reach our data protection officer at:
Attorney Dr. Sebastian Kraska
Marienplatz 2
80331 Munich
Phone: +49 89 1891 7360
E-mail: skraska@iitr.de.
Collection and processing activities of personal data
Visiting the whistleblowing system
When you merely visit the whistleblower system, we only collect the personal data that your browser transmits to our server and that is technically necessary for the presentation of our website and to ensure stability and security. These are the IP address, the request of your browser and the time of this request. In addition, the status and the amount of data transferred are recorded as part of this request. We also collect product and version information about the browser used and the operating system of your system. We further record from which website our page was accessed.
The temporary storage of the IP address by the system is necessary to enable delivery of the website to your browser. For this purpose, your IP address must remain stored for the duration of the session. The processing activities of the remaining data are carried out to ensure the functionality of the website. In addition, the data serve us to optimize the website and to ensure the stability and security of our systems. The legal basis is Art. 6 (1) (f) GDPR, based on a weighing of our legitimate and overriding interests mentioned above.
We transfer the collected data to external service providers (hosting provider, IT service provider, web agency), which support us in data processing for the above-mentioned purposes.
The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
Cookies
When using the whistleblower system, we may collect information through the use of cookies or similar technologies ("cookies"). Cookies are small text files that are placed on your terminal device by your browser to store certain information. When you later visit our website again using the same terminal device, the information stored in cookies is sent back either to our website or to another website to which the cookie belongs. Through the stored and returned information, the respective website recognizes that you have already called up and visited it with the browser of your end device. Only the cookie itself is identified on your end device.
In doing so, we only use so-called strictly necessary cookies, without which you would not be able to use our whistleblowing system as intended or without which we would not be able to provide our whistleblowing system to you. These include, for example, functions such as filling in and saving user input as well as security functions. These cookies are used without your consent. However, you have the option to deactivate these cookies via your browser settings. The legal basis for the processing of personal data using strictly necessary cookies is Art. 6 (1) (c) GDPR or Art. 6 (1) (f) GDPR, based on a consideration of our legitimate and overriding interests in the technically smooth provision of our website and the services offered through it.
You have the option via your browser to delete all cookies once they have been set. In addition, you can set your browser so that websites are prevented from storing and reading cookies.
Whistleblower System
We process your personal data for the purpose of fulfilling the mandate contract as trusted attorneys with the respective companies/organizations. We are entrusted with the establishment and operation of an internal reporting system in accordance with the Whistleblower Protection Act. The purposes of the data processing therefore already essentially result from the necessary implementation of the legal requirements of the Whistleblower Protection Act as a legal obligation of our clients and include in particular,
- the establishment and operation of the internal reporting system and of reporting channels,
- the performance of the reporting procedure, the examination and forwarding of tips,
- the performance of follow-up measures and communication with whistleblowers,
- documentation of the reporting process in accordance with legal requirements, and
- the security of the established reporting channels.
The processed categories of personal data of whistleblowers and persons who are the subject of a report, as well as other persons affected by a report or disclosure, include in particular contact data (e.g., name, e-mail address, telephone number), content data (e.g., information about an incident in the form of text input, photos, voice recordings, videos, documents), and authentication data in the digital whistleblower system (e.g., identifier, password).
Your personal data as a whistleblower is collected from you when you submit a report; with the exception of the report itself, providing it is voluntary. The provision of personal data is neither legally nor contractually required, nor are you obliged to provide it. There will be no consequences for you if you do not provide it.
The processing activities of the above-mentioned data of the whistleblowers and possible other persons named in the notification are based on Art. 6 (1) (c) GDPR in conjunction with § 10 HinSchG for the fulfillment of a legal obligation of our clients, as far as the notification falls within the scope of the Whistleblower Protection Act according to §§ 1, 2 HinSchG, as well as for the fulfillment of the mandate contract according to Art. 6 (1) (b) GDPR. If, in the context of this processing, the processing of special categories of personal data is necessary for the performance of the tasks of the internal reporting office, this is permitted under Art. 9 (2) (g) GDPR in conjunction with § 10 HinSchG, § 22 (2) 2 BDSG. Otherwise, the legal basis for the processing activities of personal data is Art. 6 (1) (f) GDPR. On the basis of our mandate as trusted attorneys/internal reporting system for our clients, we have a legitimate interest in the review, evaluation and documentation of incoming reports as well as in the performance of follow-up measures.
As part of the review of your notice and in the event of follow-up measures, it may be necessary or requested by you to also transmit personal information on a reported incident to the respective company/organization concerned or to the competent authorities.
We otherwise share your personal data with external service providers (e.g., IT service providers, providers, software service providers) to fulfill the purposes described in this Privacy Policy. We are also required by law to provide information to certain public authorities upon request. These are primarily law enforcement agencies, authorities that prosecute administrative offenses subject to fines and the tax authorities.
We delete your personal data as soon as it is no longer necessary for the above-mentioned purposes. Your data stored by us will be kept for a period of six years from the end of the year in which the report is received in accordance with the professional retention obligation pursuant to § 50 (1) 2 and 3 German Federal Lawyers' Act (BRAO) and will be deleted upon its expiry. Your data may be kept longer to meet requirements under the Whistleblower Protection Act or other legislation, as long as this is necessary and proportionate. This may be the case in particular if internal investigations are ongoing or administrative and/or legal proceedings have not yet been concluded due to the facts of the report. In addition, personal data may be retained for the period during which claims can be asserted against us (statutory limitation period of three or up to thirty years).
In the context of follow-up actions to verify the validity of a report, a joint controllership under Art. 26 GDPR may exist between us and our respective clients. In such cases, we have entered into an agreement with our clients pursuant to Art. 26 (1) GDPR. This agreement governs the data protection rights and obligations of the contracting parties in the context of cooperation in follow-up actions and specifies in particular the distribution and fulfillment of data protection tasks and duties. The subject of the data processing is the possible cooperation in follow-up actions according to § 18 HinSchG, for which both contracting parties jointly process personal data of whistleblowers and individuals who are the subject of a report. The contracting parties are equally responsible for these processing activities. Both parties equally fulfill the data subject rights under Art. 12 et seq. GDPR and are therefore equally available for any related inquiries.
What data protection rights can you assert as a data subject?
You have the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR) or restriction of processing activities (Art. 18 GDPR) as well as the right to object (Art. 21 GDPR) and data portability (Art. 20 GDPR). You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
If we process your data to protect legitimate interests, you may object to these processing activities on grounds relating to your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.