
Data protection information from EBAWE Anlagentechnik GmbH for the internal whistleblower system

 

Introduction

 

It is very important to us that personal data is handled carefully and in compliance with the law. This applies in particular to data that is collected and used as part of the internal reporting system of EBAWE Anlagentechnik GmbH (hereinafter referred to as ‘EBAWE’). The following information explains how we handle your personal data in connection with information from the internal reporting system.

 

The term personal data means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). Personal data includes, for example, first and last name, address, date of birth, e-mail addresses or telephone numbers.

 

 

1. Contact details of the responsible body

 

The following organisation is responsible for processing your data:

 

EBAWE Anlagentechnik GmbH

Dübener Landstraße 58, D-04838 Eilenburg

Tel. 03423 / 665 0

info@ebawe.de

 

EBAWE has appointed the lawyers Dr. Detlev Heinsius and Markus Gerhardt from the law firm RSM Ebner Stolz as ombudspersons to receive reports from the whistleblower system. You can contact them using the contact details below:

 

RSM Ebner Stolz

Wirtschaftsprüfer Steuerberater Rechtsanwälte Partnerschaft mbB

Ludwig-Erhard-Straße 1, 20459 Hamburg

Tel.: 040 / 37097-0

 

 

2. Contact details of the data protection officer of the controller

 

You can contact EBAWE's data protection officer using the following contact details if you have any questions about data protection:

 

EBAWE Anlagentechnik GmbH

Attn.: Data Protection Officer

Dübener Landstraße 58

04838 Eilenburg

E-Mail: dataprivacy@ebawe.de

 

 

3. Types and purposes of the processing of personal data

 

EBAWE processes the following types of personal data, among others, when entering and processing reports in the internal reporting system:

 

  • Information for personal identification of the whistleblower, such as first and last name, gender, telephone number and e-mail address (unless the report is made anonymously, which is also possible);
  • Employment status at EBAWE;
  • Information on data subjects, i.e. natural persons designated in a report as a person who has committed an offence or with whom the designated person is associated. Such information includes, for example, first and last name, gender, address, telephone number and e-mail address or other information that enables the person to be identified;
  • Information about offences that may allow conclusions to be drawn about a natural person.

 

EBAWE processes the personal data for the purpose of investigating the reports in order to prevent, detect and/or follow up on violations of applicable law or company policies. This may include, for example, measures to verify the validity of the allegations made in the report and, if necessary, to take action against the reported violation, including through internal enquiries, investigations, prosecutions, measures to recover funds or close the case.

 

  • Automatically stored data (log files)

 

Personal usage data of the internal reporting system is not stored there. Only a time stamp, the HTTP request type and the address/endpoint called up are stored in the log file of the internal reporting system; this is done for the purpose of possible error analysis. Other data (such as the IP address, client data, etc.) is processed but not saved. Operation of the internal reporting system without the above-mentioned (minimum) data would not be possible.

 

 

4. Legal bases

 

We only process information for the personal identification of the reporting person if the reporting person has given us their consent in accordance with Art. 6 para. 1 lit. a GDPR and has not chosen the anonymous reporting option. According to that provision, processing is only lawful if the data subject has given their consent to the processing of their personal data for one or more specific purposes.

 

We process information on employee status, information on data subjects and other information that allows conclusions to be drawn about natural persons on the basis of Art. 6 para. 1 lit. f GDPR. This states that processing is lawful if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

 

Depending on the specific individual case to be examined, our legitimate interest lies in the processing of reports in order to be able to carry out follow-up measures, for example to check the validity of the allegations made in the report and, if necessary, to take action against the reported violation, including through internal enquiries, investigations, criminal prosecution measures, measures to recover funds or conclude the proceedings. Whether the interests or fundamental rights and freedoms of the data subject conflict with such data processing is examined on a case-by-case basis, including with regard to the offence.

 

We may process personal data of EBAWE employees on the basis of Section 26 (1) sentence 2 BDSG. According to this, personal data of employees within the meaning of Section 26 (8) BDSG may be processed to uncover criminal offences if there are factual indications to be documented that justify the suspicion that the person concerned has committed a criminal offence in the employment relationship, the processing is necessary for detection and the employee's legitimate interest in the exclusion of processing does not prevail; and in particular the type and extent are not disproportionate with regard to the reason.

 

 

5. Your rights

 

The provision of personal data as part of a notification is neither required by law or contract nor necessary for the conclusion of a contract. Depending on the individual case, there may be legal obligations to submit a report to EBAWE. However, the processing of the above-mentioned data is necessary for a meaningful processing and investigation of the report.

 

Unless you have submitted an anonymous notification, you have the following rights vis-à-vis EBAWE with regard to the personal data concerning you:

 

  • Right of access (Art. 15 GDPR),
  • Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR),
  • Right to restriction of processing (Art. 18 GDPR),
  • Right to data portability (Art. 20 GDPR),
  • Right to object to processing (Art. 21 GDPR).

 

You can exercise your rights, among other things, by sending an email to the following email address: dataprivacy@ebawe.de

 

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by EBAWE. You can contact the supervisory authority of EBAWE's registered office for this purpose. You can also find the address under the following link on the Internet:

www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

 

 

6. General information on the recipients or categories of recipients

 

The personal data processed in the context of a notification is processed by the company Trusty AG, Bösch 82, 6331 Hünenberg, Switzerland, on behalf of and in accordance with the instructions of EBAWE. The use of this company as a service provider based outside the EU is permitted on the basis of an adequacy decision by the EU Commission regarding Switzerland.

 

Personal data is only transferred to third parties if there is a legal basis for this. This is the case in particular if the transfer serves to fulfil legal requirements according to which EBAWE is obliged to provide information, report or pass on data, if you have given us your consent to do so, or if a weighing of interests justifies this.

 

In addition, external service providers, such as external data centres or telecommunications providers, process personal data on behalf of EBAWE as processors.

 

Depending on the focus of responsibility of the report and for the effective initiation of follow-up measures, the personal data may be passed on to our EBAWE investigation teams, who are obliged to maintain confidentiality.

 

Should disclosure to other third parties be necessary, we will only do so with your prior consent, unless this is already permitted by law (for example, to initiate follow-up measures with investigating authorities or in legal proceedings).

 

7. Retention period and deletion

 

The data from the internal reporting system is normally stored until the follow-up measures have been completed. As a rule, the data from a report pursuant to Section 11 (5) HinSchG is deleted three years after the proceedings have been finally concluded, unless the initiation of further legal action requires further storage (e.g. initiation of criminal proceedings or disciplinary proceedings). Personal data in connection with reports will be deleted by EBAWE immediately if there is obviously no objective reason for storing them.