Data protection information – whistleblower system.
In the following, in accordance with Article 13 of the GDPR, we provide information about how personal data is processed within the framework of the reporting system and about the associated data protection regulations, claims and rights.
The August-Wilhelm Scheer Institute for Digital Products and Processes gGmbH uses web-based software, a cloud solution hosted in Germany, to assist in uncovering operational malpractice. Implementing such a system allows criminal, illegal, morally reprehensible, or unfair practices to be detected and prevented at an early stage, and incalculable material and immaterial damages and reputational losses to be averted.
Who is responsible for processing?
The company to which you submit a report is generally the controller (the person responsible) within the meaning of Art. 4 No. 7 GDPR. You make this selection yourself, for example by specifying in the system which company you are sending your report to. Information about the person responsible can be found below:
August-Wilhelm Scheer Institute for Digital Products and Processes gGmbH
For the attention of data protection whistleblower system
Uni-Campus D 5 1, 66123 Saarbrücken
Email: datenschutz-tippgebersystem@aws-institut.de
Data protection officer
If you have any questions about data protection, please contact the Privacy Team at the above address of the August-Wilhelm Scheer Institute with the addition “Attention Data Protection Whistleblower System” or electronically at: datenschutz-hinweisgebersystem@aws-institut.de
For what purposes do we process the data?
The person responsible, August-Wilhelm Scheer Institut für digitale Produkte und Prozesse gGmbH, processes the personal data of the reporting person, unless the report was submitted anonymously, as well as the personal data of the accused person(s), such as name and other communication and content data, for the purpose of investigating the reports in order to prevent, detect and/or follow up on violations of applicable law or company policies (such as measures to verify the validity of the allegations made in the report and, if necessary, to act on the reported violation, including through internal inquiries, investigations, prosecutions, measures to recover funds or to conclude the proceedings).
On what legal basis do we process the data?
The collection of the reporting person's personal data in the case of a non-anonymous report is based on consent to the processing through the transmission of the data (implied consent) (Art. 6 Para. 1 Sentence 1 Letter a GDPR).
The collection, processing and transfer of personal data of the persons named in the report serves to protect the legitimate interests of the above-mentioned person responsible (Article 6 Paragraph 1 Sentence 1 Letter f GDPR). It is a legitimate interest of the company to detect, process, remedy and sanction violations of the law and serious breaches of duty by employees effectively and with a high degree of confidentiality and to avert associated damages and liability risks for companies (Sections 30, 130 OWiG). Directive (EU) 2019/1937 (“EU Whistleblower Directive”) and the Whistleblower Protection Act in Germany also require the establishment of a reporting system in order to give employees and third parties the opportunity to make protected reports of legal violations in the company in an appropriate manner.
The transfer of personal data to other recipients in the case of non-anonymous reporting (Article 4 No. 7 GDPR) may be necessary due to a legal obligation (Article 6 Paragraph 1 Sentence 1 Letter c GDPR).
The processing of personal data of employees (for those responsible within the scope of the BDSG) is carried out on the basis of Section 26 Paragraph 1 Sentence 2 BDSG. According to this, personal data of employees within the meaning of Section 26 Paragraph 8 BDSG may be processed to detect criminal offenses if actual evidence to be documented gives rise to the suspicion that the person concerned has committed a criminal offense in the employment relationship, the processing is necessary for detection, and the employee's legitimate interest in the exclusion of processing does not predominate, in particular the type and extent are not disproportionate in view of the occasion.
Which categories of data are processed?
In principle, we process personal data that we receive directly as part of a report. These can include:
- Information about the reporting person (unless they wish to remain anonymous) and the accused, such as:
  - First and last name
  - Contact details
  - If necessary, other personal data related to the employment relationship
- Personal information, such as about data subjects identified in a report as persons suspected of wrongdoing or identified in the investigation, including details of the allegations made and evidence supporting them.
- Date and time of calls (if the report was received via telephone).
- Any other information identified in the investigation results and in any further proceedings, such as information about criminal behavior or data about unlawful or improper behavior, if reported.
- Information about violations, which may also allow conclusions to be drawn about a natural person.
Who has access to the personal data?
Personal data collected via the web-based software will only be made available to those individuals who have a legitimate need to process this data due to their role. If the report is received via the telephone hotline, the report will be recorded in the reporting system while maintaining the anonymity of the reporting person.
To receive and qualify a report, we have commissioned a neutral compliance ombudsman: THS Treuhand Saar Compliance GmbH, Feldmannstraße 103, 66119 Saarbrücken.
The ombudsman operates our internal reporting office on our behalf using a web-based application from lawcode GmbH, Universitätsstraße 3, 56070 Koblenz.
Depending on the focus of responsibility for the report and in order to effectively initiate follow-up measures, the personal data required as part of the report may be passed on to the internally responsible specialist departments at the person responsible.
In some cases, the data controller is obliged to communicate the data to authorities (such as those having legal or regulatory jurisdiction over the employer, law enforcement authorities and legal bodies) or external advisors (such as auditors, lawyers).
If the reporting person has provided their own name or other personal data (non-anonymous reporting), the identity will not be disclosed, as far as legally possible, and it will also be ensured that no conclusions can be drawn about the identity of the reporting person.
If personal data is processed by external service providers, this is generally done on the basis of data processing agreements in accordance with Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR and that all persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of confidentiality.
Your rights as a data subject
You have a variety of rights in relation to the processing of your personal data within the framework of the respective regulations (in particular Articles 15-21 GDPR):
- Right to information
- Right to rectification
- Right to deletion
- Right to demand processing restrictions
- Right to data portability
- Right not to be subject, in an individual case, to a decision that is based exclusively on automated processing
- Right to complain to a responsible data protection supervisory authority
The right to information and the right to deletion are subject to legal restrictions. If we process your data to protect legitimate interests, you can object to this processing if your particular situation gives rise to reasons that speak against data processing.
According to Art. 7 GDPR, you have the right to revoke your consent to data processing at any time. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent before its revocation.
Further information on the right to object can be found below.
Is exclusively automated decision-making taking place?
No.
Is profiling taking place?
No.
Duration of data storage
The personal data will be stored in the respective procedure for as long as necessary for clarification and final assessment, for a legitimate interest of the company or for a legal requirement. This data will then be deleted in accordance with legal requirements. The duration of storage depends in particular on the severity of the suspicion and any reported breaches of duty.
Personal data in connection with reports will be deleted immediately by the compliance ombudsman if the compliance ombudsman considers them to be obviously objectively baseless.
Right to object according to Art. 21 GDPR
According to Art. 21 GDPR, you have the right to object to the processing of your own personal data if there are reasons for doing so that arise from your particular personal situation. Your own data will then no longer be processed unless the person responsible can demonstrate compelling reasons for the processing that outweigh the interests, rights and freedoms of the data subject, or that the processing serves to assert or defend legal claims.
The objection can be made informally and should, if possible, be addressed to the above-mentioned person responsible or their internal reporting office.
Information in accordance with Article 13 Paragraph 2 Letter e GDPR
The provision of data via a report is neither contractually required nor necessary for the conclusion of a contract. Depending on the individual case, there may be legal obligations to report to us. However, the data must be processed in order to process and investigate the report in a meaningful way.
Other information
We reserve the right to update this data protection notice if necessary.
As of: December 2023