1. Data Protection Information
General Notes
The following information provides an overview of what happens to your personal data when you use this website and submit a report via the internal reporting channel. Personal data means any information relating to an identified or identifiable natural person. Detailed information can be found in the privacy notice below.
Why are you receiving this information?
The company you work for or to which you wish to submit a report (hereinafter: the “Company”) has set up an internal reporting office to follow up on indications of violations of national or European law. The legal basis is the German Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG). When using the reporting office, personal data is processed. Pursuant to Article 13 of the General Data Protection Regulation (GDPR), we must inform you at the time of collection. This information relates exclusively to the use of the reporting channel via this website.
Data collection on this website
Who is responsible for data collection on this website?
The internal reporting office of the Company is responsible for receiving reports and taking follow-up action within the meaning of the HinSchG. It is operated by:
MORGENSTERN consecom GmbH, Johannesstraße 30, 67346 Speyer, Germany, Tel.: +49 6232 10011944.
In this capacity, MORGENSTERN consecom GmbH acts as an independent controller under the GDPR for providing the reporting channel and the initial handling of reports. As soon as the Company gains access to a case or takes follow-up action, the Company becomes an independent controller for those processing activities.
Our Data Protection Officer can be reached at Tel.: +49 6232 10011944 or by email at privacy@morgenstern-privacy.com. When contacting us, please indicate for which internal reporting office your inquiry is intended.
Disclosure to authorities
It may be necessary to transmit your report and—if required and legally permissible—your identity to competent law-enforcement or other public authorities, e.g., for the detection and prosecution of criminal offences. Those authorities are solely responsible for any further processing.
How do we collect your data?
Some data is collected because you provide it to us (e.g., information entered in the report form, attached documents). In addition, technically necessary data is collected automatically when you visit the website (e.g., IP address, date and time of access, requested resource, browser/version, operating system). For details, see Section 3 (“Data collection on this website”).
For what purposes do we process your data?
If you disclose your identity, your name and/or email address are recorded together with the facts you report. The facts of the case may include additional personal data (e.g., organizational unit, presence at certain times, role/function). Please note that identifiability may also be possible without stating your name, e.g., if only a very small group of people is aware of certain information.
The internal reporting office and—where necessary—other involved parties process the data for documentation, for assessing the credibility of the report, for communicating with you, and for taking follow-up measures. The overarching purpose is to fulfil statutory obligations under the HinSchG and to investigate and remedy legal violations and/or grievances.
If you report anonymously, we will not store any identity data apart from technically necessary connection data. However, the content of your report will be reviewed and used for clarification.
Additionally, data is processed for the operation, security, and stability of the website (e.g., to defend against attacks).
What is the legal basis for processing?
Operation of the reporting website (technology, security, required cookies).
The processing of technically necessary data and the use of technically necessary session cookies are carried out to provide the website and the reporting form on the basis of Article 6(1)(f) GDPR (legitimate interest in a secure and functional online platform) in conjunction with Section 25(2) No. 2 of the German Telecommunications-Digital Services Data Protection Act (TDDDG) (storage/access to information that is strictly necessary).
Receipt, assessment and handling of reports (core process).
– For reports in the employment context (employees within the meaning of Section 26 of the German Federal Data Protection Act – BDSG): Article 6(1)(c) GDPR in conjunction with the HinSchG and Section 26(1) BDSG (compliance with employment-law obligations; investigation of breaches of duty).
– Where special categories of personal data within the meaning of Article 9(1) GDPR are concerned (e.g., health data), processing is based on Article 9(2)(b) GDPR in conjunction with Section 26(3) BDSG (employment law) and—depending on the case—additionally on Article 9(2)(f) (establishment, exercise or defence of legal claims) and/or Article 9(2)(g) GDPR in conjunction with the HinSchG (substantial public interest in effective whistleblowing case handling).
– Where data on criminal convictions and offences is concerned, processing takes place pursuant to Article 10 GDPR on the basis of the applicable national legal provisions, in particular Section 26(1) sentence 2 BDSG (detection of criminal offences in the employment relationship) and—outside the employment context—where necessary for legal enforcement (Article 6(1)(f) in conjunction with Article 9(2)(f) GDPR).
– For reports outside an employment context (e.g., suppliers, other third parties), processing is generally based on Article 6(1)(c) GDPR (legal obligation under the HinSchG) and, where necessary, additionally on Article 6(1)(f) GDPR (the Company’s legitimate interest in investigating and remedying violations of law).
Consent.
If, in individual cases, we obtain your consent (e.g., disclosure of your identity to third parties, optional communication channels), processing is based on Article 6(1)(a) GDPR and—for special categories—Article 9(2)(a) GDPR. For reading/storing non-essential information on your device, Section 25(1) TDDDG also applies. You may withdraw consent at any time with effect for the future.
Who receives your personal data?
Your identity is treated confidentially and, as a rule, is disclosed only to the internal reporting office responsible for receiving reports and taking follow-up action. Among other things, your personal data may be disclosed to competent authorities in criminal proceedings at the request of law-enforcement agencies or on the basis of an order in administrative or court proceedings.
Under Article 14 GDPR, the accused person would also have to be informed about the processing of their personal data (at the latest one month after your report). However, we take the view that, in relation to the whistleblower (i.e., you), an exception to the information obligation applies pursuant to Section 29(1) BDSG. This provision states that data subjects (in this case, the accused) need not be fully informed about the data processing insofar as doing so would reveal information that, by its nature—particularly due to the overriding legitimate interests of a third party—must be kept confidential. We consider such an interest to exist on the part of the whistleblower. The accused will therefore only be informed of your identity if you give your consent. If we are obliged by an authority or a court to disclose your identity, we must comply.
How long do we store your personal data?
Reports are documented and deleted or anonymized three years after the procedure has been completed, unless a longer retention period is required and proportionate under the HinSchG or other legal provisions. If the case is handed over to authorities, a longer retention period may apply at those authorities, which is beyond our control.
What are your rights?
You have the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18) and data portability (Article 20 GDPR). Where we process data on the basis of Article 6(1)(f) GDPR, you have the right to object pursuant to Article 21 GDPR. You may withdraw any consent given at any time. You also have the right to lodge a complaint with a competent data protection supervisory authority.
2. Hosting
External hosting
This website is hosted by an external service provider (host). Personal data collected on this website is processed on the host’s servers. This may include, in particular, IP addresses, timestamps, meta/communication data, content and form data, names, contact details, and access/usage data.
The host is used for the performance of a contract with our potential and existing clients (Article 6(1)(b) GDPR) and based on our legitimate interest in the secure, fast and efficient provision of our online offering (Article 6(1)(f) GDPR). Where consent is obtained on an optional basis, processing additionally relies on Article 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.
Our host processes personal data only to the extent necessary to fulfil its services and exclusively on the basis of contractual arrangements.
We use the following processor:
LegalInnovate Technologies GmbH,
An der Niers 6, 47608 Geldern, Germany
The following host is used:
Hetzner Online GmbH,
Industriestr. 25,
91710 Gunzenhausen, Germany
Processing on behalf (data processing agreement)
A data processing agreement is in place in accordance with Article 28 GDPR. As a rule, data is not transferred to third countries.
3. Data collection on this website
Cookies
Our website uses only technically required “session cookies”. These are stored for the duration of your session and are automatically deleted thereafter. Processing is carried out to provide login/session functions on the basis of Article 6(1)(f) GDPR in conjunction with Section 25(2) No. 2 TDDDG. We do not use tracking or marketing cookies.
Server log files
When the website is accessed, requests are logged in server log files (e.g., IP address, date/time, requested URL, status code, data volume transferred, referrer URL, browser/operating system). Processing serves the technical provision, stability and IT security (e.g., error analysis, defence against attacks) and is based on Article 6(1)(f) GDPR. Log data is retained only for a short period (as a rule, no longer than 30 days) and stored for a longer period only on a case-by-case basis where necessary to clarify security-relevant incidents.