Information on data protection
The protection of your data and the confidentiality of your identity are very important to us. Naturally, we process your personal data exclusively in accordance with the EU General Data Protection Regulation (EU-GDPR) and the applicable national data protection regulations. In addition, the BKMS® System developed by EQS Group GmbH with its outstanding encryption and permission concept guarantees an exceptional level of protection for the data in the whistleblowing system – including your identity. The BKMS® System also offers you the ability to submit your report anonymously. Please read this data protection information carefully before submitting a report.
Version: February 2019
Responsible party
The party responsible for data protection in the whistleblowing system is:
- FS-PP Berlin
- Dr. Frank Dr. Auffermann
- Partnerschaft von Rechtsanwälten mbB
- Potsdamer Platz 8
- 10117 Berlin, Germany
- Phone +49 (0)30/31 86 85-3
- Fax +49 (0)30/31 86 85-55
- Email: mail@fs-pp.de
- (hereafter also: “FS-PP”).
In case of questions and suggestions, please contact our data protection officer:
- FS-PP Berlin
- Dr. Frank Dr. Auffermann
- Partnerschaft von Rechtsanwälten mbB
- Attn.: Data protection officer
- Potsdamer Platz 8
- 10117 Berlin, Germany
- Phone +49 (0)30/31 86 85-3
- Fax +49 (0)30/31 86 85-55
- Email: datenschutzbeauftragter@fs-pp.de
Before contacting us, please examine the current version of the privacy statement of FS-PP at https://fachanwaelte-strafrecht-potsdamer-platz.de/de/datenschutz.
Processing
The whistleblowing system is operated by a specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin, Germany, as a data processor in accordance with Art. 28 GDPR.
Personal data and information that you enter into the whistleblowing system are stored in a database of a high security data centre operated by EQS Group GmbH. The decryption and viewing of the data are only possible by FS-PP. Neither EQS Group GmbH nor other third parties have access to interpretable data. This is ensured in the certified procedure through extensive technical and organisational measures. All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at FS-PP. These are the attorneys appointed as ombudspersons: Dr Rainer Frank and/ or Dr Niklas Auffermann and/ or Dr. Leonie v. Holtzendorff.
Definition of terms
Whistleblower: The person who submits a report via the whistleblowing system.
Data subject: A person whose identity is included in the content of a report.
Principal: The company or institution that has commissioned FS-PP to provide the ombudsperson/ trusted attorney within the framework of its compliance management system.
Purpose of the whistleblower-system and legal basis for processing personal data
We process personal data exclusively for the purpose of fulfilling our duties as ombudspersons in the framework of a whistleblower-system and/or as a reporting channel pursuant to § 16 Hinweisgeberschutzgesetz (HinSchG) of our contractual partners. The system “BKMS
® System” is used to receive, process and manage reports of whistleblowers via a secure and confidential channel. The whistleblower system is applicable to reports relating to violations of laws and violations of regulations within the client's organization as well as outside the client's organization, if they have an impact on the client.
The processing of personal data is justified by Art. 6 Abs. 1 c) DSGVO in conjunction with §§ 10, 13 Abs. 1 HinSchG, insofar as the report falls within the area of application of the HinSchG pursuant to §§ 1, 2 HinSchG and FS-PP Berlin acts as part of the internal reporting office of its contractual partners. In other cases, the processing is based on Art. 6 Abs. 1 lit. b DSGVO, insofar as it serves to fulfill the contractually assigned tasks of an ombudsperson. Otherwise, the legal basis for the processing of personal data is Art. 6 Abs. 1 lit. f DSGVO. FS-PP Berlin has a legitimate interest in reviewing and evaluating incoming reports on the basis of the position of an ombudsperson for their contractual partners.
Use of the whistleblowing portal
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that contains only the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
You can set up a postbox within the whistleblowing system that is secured with an individually chosen pseudonym/ user name and password. This allows you to send additional information to or answer the questions of the employee of FS-PP responsible for processing your report either using your name or anonymously. All data sent via the postbox are encrypted and stored exclusively in the whistleblowing system, ensuring that the data receive special protection superior to that of typical email communication.
Type of personal data collected
Use of the whistleblowing system takes place on a voluntary basis. When you submit a report via the whistleblowing system, we initially collect only the personal data that you provide. These data generally consist of:
- your name, if you choose to voluntarily reveal your identity,
- whether and in which department you are employed at your organisation,
- other personal data that are included in your report or the provided attachments, and
- the names and other personal data of persons whom you list in your report, if applicable.
In the event that additional personal data are collected within the course of the investigation following from your report, these data may also be processed via the whistleblowing system.
Please note: If you do not provide your name and the content of your report and/ or the provided attachments do not provide any basis for directly or indirectly determining your identity, then the data in question do not constitute personal data as defined by Art. 4(1) EU-GDPR. In the case of an anonymous report, please also take note of the information about sending attachments at the end of this document.
Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the compliance organisation of FS-PP and always handled confidentially. The employees of the FS-PP compliance organisation evaluate the matter and perform any further investigation required by the specific case.
During the processing of a report or the conducting of a special investigation, it may become necessary to forward reports to additional employees of FS-PP. All persons who receive access to the data are obligated to maintain confidentiality.
The ombudsperson forwards a report to the appointed office of the principal only if and when the report submitter has granted consent for this. At the request of the report submitter, this can take place anonymously.
The identity of the report submitter will not be provided to the principal unless the report submitter has expressly given consent to the ombudsperson or there exists a strong suspicion that the report submitter has made intentional false accusations against the subject of the report.
Information about the accused
Information and notification obligations pursuant to data protection law with respect to the data subjects, with the exception of whistleblowers whose identity is not known to the principal, shall be fulfilled exclusively by the principal. Even if you have not submitted your report anonymously, your identity as a whistleblower will not be disclosed.
Rights of the data subject
Pursuant to European data protection legislation, you and the persons named in the report have the rights listed below as data subjects:
Right to object
If the processing takes for the performance of a task carried out in the public interest (Art. 6(1)(1)(e) GDPR) or based on a legitimate interest (Art. 6(1)(1)(f) GDPR), you have the right according to Art. 21 GDPR to object, on grounds relating to your particular situation, at any time to the processing of your personal data.
If you would like to make use of your right to object, it is sufficient to send an email to datenschutzbeauftragter@fs-pp.de. Before contacting us, please examine the current version of the privacy statement of FS-PP at https://fachanwaelte-strafrecht-potsdamer-platz.de/de/datenschutz.
If the right to object to the processing of the personal data is invoked, the necessity of the stored data for the examination of a report will be evaluated immediately. In this case, further processing will only take place if we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Additional rights
You have
- according to Art. 7(3) GDPR the right to withdraw at any time your granted consent for processing of your data. This has the consequence that, as of the time of the withdrawal, the data processing based on the withdrawn consent may no longer be continued. To do this, it is sufficient to send an email to datenschutzbeauftragter@fs-pp.de. Before contacting us, please examine the current version of the privacy statement of FS-PP at https://fachanwaelte-strafrecht-potsdamer-platz.de/de/datenschutz.
- according to Art. 15 GDPR the right of access to your personal data processed by us.
- according to Art. 16 GDPR the right to immediate rectification of inaccurate or incomplete data concerning you.
- according to Art. 17 GDPR the right to erasure of your personal data.
- according to Art. 18 GDPR the right to restriction of processing of your personal data.
- according to Art. 20 GDPR the right to data portability. You thereby have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request transmission of the personal data to another controller by us.
- According to Art. 77 GDPR, you have the right to lodge a complaint under data protection law with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement; for example, the
- Berliner Beauftragte für Datenschutz und Informationsfreiheit
- Friedrichstraße 219
- 10969 Berlin, Germany
- Phone: +49 (0)30/138 89-0
- Fax: +49 (0)30/215 50 50
- Email: mailbox@datenschutz-berlin.de
- Homepage: http://www.datenschutz-berlin.de
An overview of the supervisory authorities can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
Retention period of personal data
Personal data are retained for as long as necessary to clarify the situation and perform a final assessment or for as long as a legitimate interest exists on the part of the respective principal or retention is required by law. After the report processing is concluded, the data are deleted in accordance with the statutory requirements. According to the legal retention periods according to § 50 BRAO no erasure will take place before the elapsing of six years from the end of the year in which the processing of the case by the ombudsperson ends. Personal data must be erased no later than after the elapsing of ten years after conclusion of the investigation. In place of erasure, a restriction will be placed on the personal data insofar as the data subject requires the personal data for the establishment, exercising or defence of legal claims.
Note on sending attachments
When submitting a report or an addition, you can simultaneously send file attachments to the employee of FS-PP responsible for the processing of your report. If you wish to remain anonymous, please take note of the following security advice: files can contain hidden personal data that could put your anonymity at risk. Remove this data before sending. If you are unable to remove this data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer of the BKMS® System, citing the reference number received at the end of the reporting process.