Data privacy whistleblower system hintcatcher

We take the protection of personal data very seriously. In compliance with the EU General Data Protection Regulation (GDPR), we inform you which of your data is processed by whom and for what purpose when using the "hintcatcher" whistleblowing system, what rights you have as a user and who is responsible for data processing.

The technical implementation of the whistleblowing system is carried out by the company product kitchen GmbH, Rehsteige 12, 73035 Göppingen in Germany, on behalf of THORWART Consult GmbH and its clients.

 

Responsible for data processing

THORWART Consult GmbH
Am Stadtpark 2
90409 Nuremberg, Germany

Telephone: 09114007990

E-Mail: consult@thorwart.de

Website: https://www.thorwart-consult.de/

If you have any questions about the protection of your data, please contact our THORWART data protection officer:

E-mail: datenschutz@thorwart.de

 

Personal data

In principle, it is possible to use the whistleblowing system without providing personal data. However, due to the free text fields in the reporting form, you can voluntarily disclose personal data. The information you provide may also contain personal data of third parties.

You have the option of sending attachments with your information or additional information. Please note that attachments may also contain personal data. If you wish to submit a report anonymously, please remove the personal data from the attachment before sending it.

 

Purpose of the whistleblower system

The whistleblower system allows you to contact us and report compliance and legal violations on behalf of our client. We process your personal data in order to review the report made by you via the whistleblower system and to investigate the suspected compliance and legal violations. In doing so, we may have further questions for you. We use communication via the whistleblower system for this purpose.

Your information will be received by employees of THORWART Consult GmbH and will always be treated confidentially. All persons authorized to view the information are expressly obliged to maintain confidentiality.

 

Disclosure of personal data

In the course of processing a report, it may be necessary to pass on information to our client. It may also be passed on to affiliated companies of our client. This occurs in particular if the information relates to processes in the subsidiaries or sub-subsidiaries. Our client is obliged to ensure that the relevant data protection regulations are complied with when passing on information.

In order to fulfill the aforementioned purpose, it may also be necessary for us to transfer your personal data to external bodies such as law firms, criminal or competition authorities. In particular, a transfer to the law firms THORWART Rechtsanwälte Steuerberater Wirtschaftsprüfer PmbB, Nuremberg and THORWART Rechtsanwälte Steuerberater Wirtschaftsprüfer PmbB Gera, Gera, may be considered.

 

Legal basis

The processing of your identification data as a whistleblower is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. The voluntary nature of the consent is given by the fact that the notification can always be made anonymously. If you disclose special categories of personal data to us, we process these on the basis of your consent (Art. 9 para. 2 lit. a GDPR).

You can withdraw your consent at any time without giving reasons. However, a withdrawal of consent can (in certain cases) only take full effect for a limited period of time.

This results (in certain cases) from the obligation of the controller pursuant to Art. 14 para. 3 lit. a GDPR to inform accused persons about the allegations made against them and the investigations carried out within one month of receipt of the notification at the latest, provided that this does not conflict with the purpose of the collection.

The information regularly includes the type of data, the purpose of the processing, the storage period, the identity of the data controller and, if applicable, the person providing the information. From an advanced stage of processing/investigation, it is generally no longer possible to stop processing or to delete the identification data of the whistleblower. As soon as information, including names, has been disclosed to the competent authorities or jurisdictions, it is stored both in our records and with the aforementioned recipients and cannot be deleted without further ado.

Furthermore, we process your personal data insofar as this is necessary to fulfill legal obligations. This includes, in particular, reports of matters relevant under criminal, competition and labor law (Art. 6 para. 1 lit. c GDPR).

Finally, your personal data will be processed if this is necessary to protect the legitimate interests of THORWART Consult GmbH, our client and its affiliated companies or a third party (Art. 6 para. 1 lit. f GDPR). We or our client have a legitimate interest in particular in the processing of personal data for the prevention and detection of violations within the company and to check the legality of internal processes.

 

In individual cases, we also collect special categories of personal data within the meaning of Art. 9 para. 1 GDPR as part of investigative measures. This may be the case, for example, if a report submitted by a whistleblower contains corresponding data. Special categories of personal data include, in particular, health data, data on possible trade union membership or data on political or religious views. If you disclose special categories of personal data to us, we process these on the basis of Art. 9 para. 2 lit. b) and g) GDPR.

If a report received concerns an employee of our client, the processing also serves to prevent criminal offenses or other legal violations in connection with the employment relationship. This is based on Art. 88 para. 1 in conjunction with § 26 para. 1 BDSG.

We expressly point out that cases are conceivable in which the processing could be based on several legal bases that apply in parallel. In such a case, we reserve the right to base the processing on another legal basis, even if consent is withdrawn. We will inform you accordingly if you withdraw your consent.

We also use your personal data in anonymized form for statistical purposes.

 

Technical implementation and security of your data

The whistleblowing system includes an option for anonymous communication via a TLS-encrypted connection between the client (browser) and the server. In addition to the client-side end-to-end encryption of the whistleblowing data, all database data is encrypted before being written to the storage medium in accordance with the current state of the art.

In accordance with the technical necessity of network connections on the Internet, IP addresses are only recorded temporarily and then deleted. The pseudonym/user name and password are generated automatically by the system after a report is submitted. The access data is only valid for accessing the mailbox for this one case, for example to retrieve feedback from the person responsible or to submit additional information. No access data is required to submit a report; it is generated after the report has been submitted and displayed to the whistleblower.

For the secure and reliable provision of the whistleblowing system service, product kitchen GmbH uses processors based in a member state of the European Union in compliance with the applicable data protection regulations, in particular the GDPR. The encrypted whistleblowing data is processed in European and certified data centers. Due to the end-to-end encryption of the whistleblowing data between the whistleblower and case handlers, there is no other access to the plain text of the report.

Compliance with the applicable data protection regulations is ensured by appropriate technical and organizational measures.

 

Duration of storage

Your personal data will be stored for the period required to process, clarify and document the matter (resulting from your report) and then deleted. The duration of storage depends in particular on the severity of the suspicion and the reported possible breach of duty. By default, data is stored for a period of 6 months after rejection or completion of a process; this period can only be extended in justified exceptional cases.

This does not apply if applicable statutory provisions require otherwise (e.g. in connection with pending court proceedings), in which case the corresponding procedural files are generally stored for 10 years.

 

Right to information, deletion, blocking & objection

If your personal data is processed, you have the right to obtain information about the personal data stored about you (Art. 15 GDPR).

If incorrect personal data is processed, you have the right to rectification (Art. 16 GDPR).

If the legal requirements are met, you can request the erasure or restriction of processing and object to processing (Art. 17, 18 and 21 (1) GDPR).

You have the right to withdraw your consent to data processing at any time, without affecting the lawfulness of data processing based on consent before its withdrawal.

If you make use of your above-mentioned rights, the responsible department will check whether the legal requirements for this are met.

 

Right to lodge a complaint with a supervisory authority

Every data subject has the right to lodge a complaint with a data protection supervisory authority if they consider that the processing of data relating to them infringes data protection regulations (Art. 77 of the GDPR). The complaint to the supervisory authority can be made informally. The following supervisory authority is responsible for data protection at THORWART Consult GmbH:

Landesamt für Datenschutzaufsicht (Data Protection Authority)

Promenade 18
91522 Ansbach

Postfach 1349
91504 Ansbach

Tel.: 0981/180093-0
Fax: 0981/180093-800

poststelle@lda.bayern.de
https://www.lda.bayern.de

 
The supervisory authority responsible for our client depends on the respective headquarters of the client. In Germany, the respective authorities of the federal state in which the head office is located are responsible. An overview of the state authorities can be found here:
https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html