Privacy policy for the reporting office in accordance with the Whistleblower Protection Act (HinSchG)

As part of the Compliance Management System, we have set up an internal reporting office in accordance with the Whistleblower Protection Act (HinSchG): You have the opportunity to provide information on matters that are subject to the Whistleblower Protection Act (HinSchG) or that we otherwise have a legitimate interest in knowing about.

We have commissioned the law firm HEUKING (hereinafter referred to as ‘HEUKING’) to act as an outsourced internal reporting office, responsible for receiving and reviewing such information.

Entries can be submitted to the reporting office using the online form, by telephone, by email, by post or in person.

Reports can be made anonymously to the reporting office.

Use of the reporting office is voluntary.

When a report is submitted to the reporting office, the information provided is recorded. This includes any personal data you disclose, as well as the names and other personal details of the individuals that you mention in your report. Further details on how the reporting office handles your personal data can be found in the reporting office’s privacy policy.

a) Categories of personal data that we process 

Once the reporting office has checked the report, we receive a notification from them, which may contain the following personal data:

  • names and other personal details about the person providing the information only if this person does not wish to remain anonymous and agrees to this information being passed on to us;
  • names and other personal data resulting from the reporting of the persons named in the report.

Other personal data may be collected and processed by us when clarifying and processing the reported facts.

b) Purposes of data processing, legal basis

We process the data transmitted to us by the reporting office in order to manage and process reports of compliance violations, legal violations and violations relating to our business operations, whether committed by employees, customers, suppliers or other third parties.
Your consent provides the legal basis for the processing of your personal data as a whistleblower (Art. 6 subsection 1 sentence 1 lit. a GDPR), as long as you disclose your identity and agree to your name being passed on to us by the reporting office.

With regard to matters that are subject to the Whistleblower Protection Act (HinSchG), Section 10 HinSchG provides the legal basis for processing your personal data as the whistleblower, as well as the personal data of those affected by the whistleblowing.

Outside the scope of the HinSchG, the legal basis for processing your personal data and that of the individuals affected by the report is our legitimate interest in detecting and preventing legal violations and misconduct (Art. 6 subsection 1 sentence 1 lit. f GDPR). We have a legitimate interest in uncovering and preventing legal violations and misconduct insofar as we are legally obliged to do so in certain areas. In addition, such offences can not only cause considerable economic damage, but also lead to a significant loss of reputation.

If the data subject is one of our employees, the legal basis for handling the reported facts during the course of processing or further investigation is Section 26 subsection 1 sentence 1 BDSG (processing for the purposes of the employment relationship) or Section 26 subsection 1 sentence 2 BDSG (processing for the detection of criminal offences), and our legitimate interest described above (Art. 6 subsection 1 sentence 1 lit. f GDPR), if applicable.

c) Disclosure to third parties

The reporting office ensures that all reports and data are kept confidential at all times and throughout every processing step. This applies in particular to the personal data of the person making the report and the person(s) affected by the report. Access to incoming reports and information about the processing of the report or follow-up measures is restricted to individual, previously appointed, authorized persons who are committed to confidentiality.
If the report concerns another company within our group, we will share its contents and the results of any further clarifications with that company.
We may disclose the contents of the report and the results of any further clarification of the reported facts to courts, authorities and other public bodies. This may be necessary if we are legally obliged to disclose the data, or if it is required for the assertion, exercise or defence of legal claims. 

During the clarification process and when asserting, exercising or defending legal claims, we may also seek the assistance of law firms or auditing companies.
Additionally, we may involve technical service providers to clarify and process the reported facts. These providers work for us as processors within the meaning of Art. 28 GDPR, and are bound by instructions under corresponding agreements. These service providers may also become aware of the content of the whistleblower report, but they are obliged to handle the relevant data confidentially.

Personal data relating to the whistleblower and the data subject may be disclosed to authorities, courts or third parties despite the confidentiality obligation. This would be the case if we were required to disclose this information as part of an official investigation, for example, or if it were necessary for the assertion, exercise or defence of legal claims. We must also disclose the reported information to the persons affected by the report under certain conditions.

d) Duration of data storage

Personal data will be stored for as long as necessary to clarify the report and any subsequent measures, or for as long as we have a legitimate interest or are required to do so by law. After this time, the data will be deleted in accordance with legal requirements.