Privacy Policy Whistleblowing System and Internal Reporting Office

With this privacy statement we would like to inform you about the processing of your personal data when submitting reports via the whistleblowing system to the internal reporting office. The whistleblowing system is primarily used to receive reports of violations within the meaning of the Whistleblower Protection Act of May 31, 2023 ("HinSchG"). It goes without saying that the requirements of the European General Data Protection Regulation (GDPR) and the applicable national data protection regulations are observed.

This privacy policy was last updated on August 24, 2023.

Note: For better readability, this privacy policy does not use the language forms for male, female and diverse (m/f/d). All personal terms apply equally to all genders.

Table of contents
1. Data Controller and Data Protection Officer 
2. Data Processing Operations 
3. Data Subjects 
4. Types of Personal Data Collected 
5. Purposes and Legal Basis 
6. Data Retention Period and Deletion 
7. Confidentiality 
8. Recipients of Data 
9. Data Transfer 
10. Joint Responsibility
11. Your Rights 
12. No Automated Decision Making or Profiling 
13. Security Standards 
14. Amendment of the Privacy Statement
 

1. Responsible Persons and Data Protection Officers


For the processing operations related to the whistleblowing system and the internal hotline,

Felsomat GmbH & Co. KG, Gutenbergstraße 13, 75203 Koenigsbach-Stein, email: info@felsomat.de, telephone number: +49 (0) 7232 401-0

- hereinafter also referred to as "Employment Provider" -

and

L|A Business Services GmbH & Co. KG
Brienner Straße 29 
80333 Munich 
Email: hgs@lutzabel.com 
Phone number: +49 89 544147-0

- hereinafter also referred to as "LUTZ | ABEL" -

jointly determine the purposes and means of the processing operations described in detail below. In this respect, they are joint controllers within the meaning of Art. 4 No. 7, 26 GDPR. 
 
You can reach Felsomat's data protection officer at: Bernd Schieber, schieber@felsomat.de.

You can reach the data protection officer of LUTZ | ABEL at: datenschutz@lutzabel.com.
 

2. Data Processing Operations

Data processing in the context of the whistleblowing system and the internal reporting office is divided into three areas. 
 
2.1 Area 1: Operation of the Vispato whistleblowing system (reporting channel)
The Employment Provider has set up a software-based reporting channel (as defined in Sec. 16 HinSchG) through which reports can be submitted to LUTZ | ABEL (internal reporting office). The Employment Provider uses the digital whistleblowing system of the German service provider Vispato GmbH, Hansaallee 299, 40549 Düsseldorf ("Vispato") as the reporting channel. The system can be accessed via the Internet. For security reasons, it is end-to-end encrypted so that the Employment Provider cannot view the entries in the whistleblowing system. The system also allows anonymous reports.

The reporting channel via Vispato is secured by order processing. The Employment Provider is responsible under data protection law for the operation of the reporting channel as far as its employees and reports concerning them are concerned.

2.2 Area 2: Receipt and evaluation of reports (Internal Reporting Office)
The Employment Provider has commissioned LUTZ | ABEL with the operation of the internal reporting office (as defined in Sec. 12, 13 HinSchG). In this context, LUTZ | ABEL reviews the incoming reports, checks responsibility and forwards the reports for further processing and evaluation. Only employees and attorneys who have previously been specially obligated to maintain confidentiality are given access to the reports.

LUTZ | ABEL is responsible for this area of data processing.

2.3 Area 3: Provision of information to the Employment Provider and further procedure
After LUTZ | ABEL, as the internal reporting office, has conclusively conducted the process concerning the report, it passes on the information from the report in a statement to the Employment Provider for taking appropriate follow-up measures. In doing so, the confidentiality of the whistleblower is maintained in accordance with the legal requirements (see more on this below). 

The Employment Provider is responsible for this area of data processing.

The Employment Provider then decides whether to discontinue the procedure or what kind of follow-up measures to take. For the data processing occurring in this context, the Employment Provider is the sole data controller within the meaning of Art. 4 No. 7 GDPR. The data subject rights (see more on this below under Number 11) can only be asserted against the Employment Provider for associated data processing.
 

3. Data Subjects

The following categories of data subjects may be subject to the processing of personal data:
  • Whistleblowers.
  • Persons named in the report or subsequent communication.
If you submit your report anonymously, no personal data will be processed. In particular, your report will not be linked to the IP address of the terminal through which the report is made.
 

4. Types of Personal Data Collected

4.1 The following applies to processing areas 1 and 2:
You are not obliged to provide any data. The provision of information is voluntary. Should you submit a report, the following applies:

The following personal data may be processed:
  • The name of the whistleblower, if the whistleblower discloses his identity when making the report.
  • The whistleblower's employment status and other personal circumstances concerning him or her (such as the email address), if disclosed in the report.
  • If applicable, the names of persons and other personal data of the persons named in the report.
  • The other content of the message, insofar as this is personal.
  • In some circumstances, voice recordings and other media, such as photographs, if you provide them through the whistleblower portal.
If you make the report stating your name and other personal details (e.g. your email address), this data is stored in the whistleblowing system in encrypted form and used to process the report and for further communication with you. However, the Employment Provider has no access to this data due to the end-to-end encryption of the whistleblowing system. Only LUTZ | ABEL, as the internal reporting office obligated to confidentiality, has access. With regard to the transfer of data, please refer to the further details in this privacy policy.
 
4.2 The following applies to processing area 3:
If whistleblowers disclose personal data about themselves as part of the report, LUTZ | ABEL removes clearly identifying references to the whistleblowers before the statement containing the information from the report is given to the Employment Provider. This is to ensure the greatest possible confidentiality of the whistleblowers. Please note, however, that it cannot be ruled out with absolute certainty that in individual cases the content of a statement may indirectly allow conclusions to be drawn about the possible group of whistleblowers. 

The statements may also contain the following personal data and information:
  • Names of persons and other personal data of the persons to whom the statement relates.
  • The other content of the message, insofar as this is personal.
 

5. Purposes and Legal Basis

The purpose of data processing is primarily to fulfill the obligations arising from the HinSchG. This includes in particular:
  • The provision of a reporting channel for internal reports within the meaning of Sec. 16 HinSchG, 
  • the examination and processing of reports within the framework of the procedure according to Sec. 17 HinSchG, which may also include the provision of feedback on the follow-up measures planned and/or taken on the basis of the report, 
  • the initiation of follow-up measures in accordance with Sec. 18 HinSchG and
  • the documentation of the report and the procedure according to Sec. 11 HinSchG.
The legal basis for the associated data processing is Art. 6 para. 1 letter c GDPR in connection with Sec. 10 HinSchG.

Furthermore, in cases where the HinSchG is not applicable, the following applies: If personal data is contained in the reports, its processing is based, on the one hand, on the legitimate interest 
  • in the detection and prevention of wrongdoing and thus in preventing harm to employees,
  • in the detection and investigation of potential compliance violations.
The legal basis for this processing of personal data is Art. 6 para. 1 letter f GDPR. The interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail in this respect. If special categories of personal data as defined in Art. 9 para. 1 GDPR are included in the report, the processing is based on Art. 9 para. 2 letter f GDPR, insofar as it is necessary for the assertion, exercise or defense of legal claims.

After LUTZ | ABEL as internal reporting office has handed over the statement on a report according to processing area 3 to the Employment Provider, the Employment Provider decides whether to discontinue the procedure or what kind of follow-up measures to take. For the data processing occurring in this context, the Employment Provider is the sole data controller within the meaning of Art. 4 No. 7 GDPR. The Employment Provider shall provide separate information about the purposes and legal basis of this processing.
 

6. Storage Period and Deletion of the Data

Personal data is only stored for as long as it is necessary to achieve the purpose and fulfill legal retention obligations. 

Reports subject to the HinSchG must be documented (Sec. 11 HinSchG). In principle, the documentation is deleted three years after completion of the procedure. Exceptionally, longer storage is permissible in order to fulfill the other requirements under the HinSchG or other legal provisions, as long as this is necessary and proportionate.

If the data is passed on to law firms for legal processing, the statutory retention periods for lawyers apply. Accordingly, case files and the data contained therein are subject to the six-year retention period from Sec. 50 para. 1 sentence 2 of the Federal Lawyers' Act (BRAO), if applicable in connection with Sec. 50 para. 4 BRAO.
 

7. Confidentiality

The internal reporting office observes the confidentiality requirements pursuant to Sec. 8 HinSchG. In particular, the confidentiality of the identity of the persons providing the information is maintained in accordance with the legal requirements. Reference is made to the exception to the confidentiality requirement in Sec. 9 HinSchG. 
 

8. Recipients of Data

Vispato GmbH, Hansaallee 299, 40549 Düsseldorf, Germany, is involved as a processor in the provision and operation of the whistleblowing system. 

In addition, personal data may be transferred to the following recipients or categories of recipients:
  • Third parties, in particular legal advisors, in connection with the taking of follow-up measures pursuant to Sec. 18 HinSchG and other follow-up measures,
  • Government agencies such as public prosecutors, courts or authorities, insofar as legal obligations exist,
  • Other external processors within the meaning of Art. 28 GDPR. The strict applicable national and European data protection provisions are observed. The service providers are subject to instructions and are subject to strict contractual restrictions with regard to the processing of personal data. Accordingly, processing is only permitted insofar as it is necessary for the performance of the services or to comply with legal requirements. The rights and obligations of the service providers with regard to personal data are specified in advance.
 

9. Data Transmission

A transfer of personal data to non-European third countries does not take place.
 

10. Joint Responsibility

10.1   In order to guarantee your rights and taking into account the requirements of the GDPR, an agreement has been concluded with LUTZ | ABEL which establishes rules for the processing of your personal data (joint responsibility agreement within the meaning of Art. 26 GDPR). The data subject shall be provided with the essential contents of this agreement pursuant to Art. 26 para. 2 sentence 2 GDPR. You will already find important content on this in this privacy policy (in particular under Numbers 1 and 2). For the rest, the following applies:

10.2   Both the Employment Provider and LUTZ | ABEL shall take technical and organizational measures that meet the requirements of the relevant data protection provisions of the GDPR in order to adequately secure the data against misuse and loss.

10.3   Both the Employment Provider and LUTZ | ABEL are obliged to implement the information obligations from Art. 12-14 GDPR and Art. 26 para. 2 sentence 2 GDPR towards the data subjects, as far as the respective party is responsible for the Processing Step(s) (see Number 2 of this Privacy Policy).

10.4   The data subjects may exercise their rights pursuant to Art. 15-21 GDPR both against the Employment Provider and LUTZ | ABEL. The parties shall inform each other about corresponding requests and their processing and shall support each other.

10.5   Both the Employment Provider and LUTZ | ABEL are equally bound by the obligations resulting from Art. 33 GDPR as well as Art. 34 GDPR to inform the supervisory authority or the persons affected by a violation of the protection of personal data.
 

11. Your Rights

Insofar as your personal data is processed, you are a "data subject" as defined in the GDPR. As a data subject, you are generally entitled to the following rights: 

  • The right to receive information about the data processing as well as a copy of the processed data (right to information, Art. 15 GDPR),
  • the right to request the correction of inaccurate data or the completion of incomplete data (right to rectification, Art. 16 GDPR),
  • the right to demand the immediate deletion of personal data (right to erasure or “right to be forgotten”, Art. 17 GDPR),
  • the right to request the restriction of data processing (right to restriction of processing, Art. 18 GDPR),
  • the right to receive the personal data concerning you that you have provided to a controller in a structured, common and machine-readable format, and furthermore to transmit this data to another controller without hindrance by the controller (right to data portability, Art. 20 GDPR),
  • the right to withdraw consent given for data processing (right to withdraw consent, Art. 7 GDPR),
  • the right of objection: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 letter f GDPR (Art. 21 para. 1 GDPR). The consequence of the objection is that the personal data concerning you may no longer be processed, unless compelling legitimate interests for the processing can be demonstrated which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims. You can inform either the Employment Provider or LUTZ | ABEL about your objection using the contact details mentioned in Number 1 above.
  • the right to lodge a complaint: If you believe that one of the parties involved in the processing violates the GDPR by processing the personal data concerning you, you have the right to complain to the competent supervisory authority pursuant to Art. 77 GDPR.

Please note that some data subject rights may not exist or may be restricted in certain cases due to regulations such as Sec. 29 BDSG (in connection with the HinSchG).
 

12. No Automated Decision Making or Profiling

Automated decision making including profiling according to Art. 22 para. 1 and 4 GDPR does not take place.
 

13. Security Standards

Appropriate physical, technical and administrative security standards are implemented to protect your personal data from loss, misuse, alteration or destruction during data processing operations. All service providers are contractually obligated to maintain the confidentiality of personal data. In addition, they may not use the data for purposes that have not been approved in advance. 
 

14. Modification of the Privacy Policy

This privacy statement may be updated from time to time to ensure that it always complies with the latest legal requirements or to reflect changes in data processing. You can tell from the date at the beginning of this privacy statement whether anything has changed since your last visit.