Data protection information for whistleblowers

Below you will find the data protection information in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR) for the internal reporting channel of our whistleblower protection system.

1. Who is responsible for data processing?

Law firm Dr. Konle

Dr. Christian Konle, Attorney

Romanstr. 33

80639 Munich

Email: Hinweisgebergesetz@bosig.de

2. Contact details for the Data Protection Officer

MSO Consulting Daniel Voigtländer Zeisigweg 11 71397 Leutenbach Email: datenschutz@bosig.de

3. Processing purposes and legal basis

Your personal data will be processed in accordance with the provisions of the Whistleblower Protection Act (HinSchG), the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). You can find further details on the processing purposes in our guidelines on the Whistleblower Protection Act.

3.1 Consent (Art. 6 Para. 1 Letter a GDPR)

If you have given us your consent to process personal data, the respective consent is the legal basis for the processing mentioned there. You can revoke your consent at any time with future effect.

3.2 Fulfilment of legal obligations (Art. 6 Para. 1 Letter b GDPR in conjunction with Section 10 HinSchG )

We process personal data to fulfil the reporting office’s tasks.

3.3 Compliance with legal obligations (Art. 6 Para. 1 Letter c GDPR)

We process your personal data if this is necessary to fulfil legal obligations.

4. Categories of personal data processed by us

The following data is processed:

  • Last name, first name
  • Contact details
  • Contents of the messages (can also affect other people)
  • Communication content (from emails, post, etc.)
  • Prepared minutes from meetings

5. Who will receive your data?

The reporting office works as an intermediary and protects the identity of whistleblowers. The reporting office only passes on factual information that does not allow any conclusions to be drawn about a person.

The reporting office will only pass on data about the person who provided the information if this is necessary for follow-up measures or if you have previously consented to this.

In addition, competent authorities may receive information about the identity of a reporting person or about other circumstances that allow conclusions to be drawn about the identity of this person:

  • in criminal proceedings at the request of the law enforcement authorities,
  • based on an order in an administrative procedure following a report, including administrative fine procedures,
  • due to a court decision.

Furthermore, the processors we use (according to Art. 28 GDPR) or service providers (e.g. law firms) may have access to the personal data.

We will take appropriate measures to ensure that these service providers only process your data within the framework of the relevant data protection regulations.

The reporting office will inform the person providing the information in advance about the disclosure. This is to be avoided if the law enforcement authority, the competent authority or the court has informed the reporting office that the information would jeopardize the relevant investigations or legal proceedings. The person providing the information must be given the reasons for passing on the information in writing or electronically.

We will forward your personal data if incorrect information about violations is reported intentionally or through gross negligence and the defamed person takes legal action, for example. In this case, you are not protected according to Section 8 Para. 1 of the Whistleblower Protection Act.

Information about the identity of persons who are the subject of a report and other persons named in the report may be passed on to the relevant competent authority:

1) if there is consent in this regard,

2) from internal reporting offices, if this is necessary as part of internal investigations at the respective employer or in the respective organizational unit,

3) if necessary to take follow-up action,

4) in criminal proceedings at the request of the law enforcement authorities,

5) based on an order in an administrative procedure following a report, including administrative fine procedures,

6) based on a court decision,

7) … (see Section 9 Para. 4 Whistleblower Protection Act)

6. Transfer of your data to a third party country or an international organisation

Does not take place.

7. How long do we store your data?

Reporting offices are legally obliged to keep documents for 3 years after the procedure has been completed.

8. To what extent is there automated decision-making in individual cases (including profiling)?

Does not take place.

9. Your data protection rights

You have the right of access under Art. 15 GDPR, the right to rectification according to Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability according to Art. 20 GDPR. In principle, according to Art. 21 GDPR, there is a right to object to the processing of personal data by us, provided that the processing is based on a legitimate interest (Art. 6 Para. 1 Letter f GDPR). However, this right to object only applies in the event of very special circumstances of your personal situation, whereby our company's rights may conflict with your right to object.

If you would like to assert one of these rights, please contact our data protection officer mentioned above.

You have a right to lodge a complaint with the data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit (The State Commissioner for Data Protection and Freedom of Information)

Lautenschlagerstrasse 20

70173 Stuttgart.

10. Scope of your obligations to provide us with your data

We are not legally obliged to investigate anonymous reports. We may do this if there is a certain degree of seriousness in the report. However, you will then receive no feedback about follow-up actions or the reasons for them.

You only need to provide the data required to process reports.

Only submit reports where you have reasonable grounds to believe that the requirements are met, for example, when inaccurate information is disclosed in good faith.

The reporting office will contact you if further information is required, otherwise the procedure may not be able to be carried out.

It is not permitted to provide data that contains abusive or malicious incorrect information or pure speculation.

Go to top