Data Protection Information
of About You Holding SE, Domstraße 10, 20095 Hamburg (as at: June 2022)
In the following data protection information, we inform you about the processing of personal data and information carried out by About You Holding SE, Domstraße 10, 20095 Hamburg ("ABOUT YOU" and/or "we" and/or the "responsible party") in accordance with the German Data Protection Regulation ("DSGVO") and the German Federal Data Protection Act (BDSG 2018). Our data protection information applies to all websites, applications as well as further services and performances (hereinafter jointly referred to as "Services") which are offered by ABOUT YOU in Europe and which are specified in its scope of application.
Please read our privacy information carefully. If you have any questions or comments about our data protection information, please contact us at datenschutzbeauftragter@aboutyou.de.
Content
- Name and contact details of the controller
- Contact details of the data protection officer
- Purposes of data processing, legal bases and legitimate interests pursued by the controller or a third party and categories of recipients
- Purpose of data processing and legal basis of the whistleblowing system
- Encryption and cookies
- Categories of data
- Storage period and data deletion
- Your rights
- Overview
- Right to object
- Right to withdraw
Name and contact details of the Controller responsible for processing
About You Holding SE
Domstraße 10
20095 Hamburg
Hamburg Local Court
Registration number: HRB 170972
Sales tax ID: DE341641169
Tax number no.: 27/240/02458
Phone: 0800 / 30 15 085
Email: kundenservice@aboutyou.de
represented by the Board of Directors: Tarek Müller, Sebastian Betz, Hannes Wiese
Chairman of the Supervisory Board: Sebastian Klauke
Website: www.aboutyou.de
for the following website / application: www.bkms-system.com/aboutyou
Contact details of the Data Protection Officer
You can contact the company Data Protection Officer for the Controller at
About You Holding SE
FAO Sebastian Herting - Datenschutzkanzlei
Domstraße 10
20095 Hamburg, Germany
Email: datenschutzbeauftragter@aboutyou.de
Purposes of data processing, legal bases and legitimate interests pursued by the Controller or a third party, as well as categories of recipients
Purpose of data processing and legal basis of the whistleblowing system
The whistleblowing system (BKMS® System) is used for the secure and confidential receipt, processing and management of reports on breaches of compliance rules by ABOUT YOU and affiliated companies. The processing of personal data within the framework of BKMS® System is based on the legitimate interest of our company to detect and prevent abuses and thus prevent damage to ABOUT YOU, its employees and customers. The legal basis for our processing of personal data is Article 6(1)(f) DSGVO.
The whistleblowing system is operated by EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany on behalf of ABOUT YOU (Article 28 DSGVO).
Personal data and information entered into the whistleblowing system is stored in a database of a high-security data centre operated by EQS Group GmbH. Only ABOUT YOU and companies associated with ABOUT YOU have access to the data. EQS Group GmbH and other third parties have no access to the data. This is ensured in the certified procedure by extensive technical and organisational measures as well as an order processing agreement (Art. 28 DSGVO).
All data is stored in encrypted form with several levels of password protection, so that access is limited to a very small selection of expressly authorised persons at ABOUT YOU and companies associated with ABOUT YOU.
It is possible to set up a secured postbox within the whistleblowing system which is secured with an individually selected pseudonym / user name and password. This allows you to send reports or additions to your reports to ABOUT YOU anonymously and securely.
Note on sending attachments
When you submit a message or an addendum, you can send attachments at the same time. If you wish to submit an anonymous report, please note the following security advice: Files may contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you cannot remove this data or are not sure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address given in the footer, quoting the reference number received at the end of the reporting process.
Encryption and cookies
Communication between your computer and the whistleblower system takes place via an encrypted connection (SSL). The IP address of your computer is not stored while using the whistleblower portal. To maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that only contains the session ID (so-called session cookie). The cookie is only valid until the end of your session and becomes invalid when you close the browser.
Cookies are small text files that are automatically created by your browser and stored on your respective end device (laptop, tablet, smartphone or similar) when you call up the whistleblowing system. Cookies do not cause any damage to your end device and do not contain viruses, Trojans or other malware. Information is stored in the cookie that arises in connection with the specific end device used. This does not mean, however, that we can gain direct knowledge of your identity and/or draw conclusions about your person.
The legal basis for setting the above-mentioned cookie is Sec. 25 TDDSG. The legal basis for the connected data processing is Art. 6 para. 1 f) DSGVO (legitimate interest in the stable use of the whistleblowing system).
Data categories
Use of the whistleblowing system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information:
- name, first name (if you wish to disclose your identity),
- whether yyou are an employee of ABOUT YOU or a company affiliated with ABOUT YOU, and
- where applicable, the names and other personal data of persons you have listed in your notification.
Confidential handling of reports and information
Incoming reports are handled by a small selection of expressly authorised and specially trained employees of the compliance organisation of ABOUT YOU and of ABOUT YOU affiliated companies and are always treated confidentially. The employees assess the matter and conduct further investigations as required for the specific report.
During the processing of a report or the conduct of a specific investigation, it may be necessary to share reports with additional employees of ABOUT YOU and/or companies affiliated with ABOUT YOU and/or third parties (e.g. investigating authorities, regulatory authorities), e.g. if the report relates to incidents in subsidiaries. All persons who have access to the data are obliged to maintain confidentiality. We are legally obliged to inform accused persons about reports received against them as soon as the disclosure of this information would no longer jeopardise the investigation. Your identity as a whistleblower will only be disclosed if it is known to us and if we are legally obliged to do so.
Storage period and erasure of data
Personal data will be stored for as long as is necessary to clarify the situation, process the notification and carry out a final assessment, or for as long as there is a legitimate interest on the part of the company or storage is required by law. After the processing of the notification has been completed, the data will be deleted in accordance with the statutory provisions - at the latest after the expiry of the applicable limitation periods.
Your rights
Overview
In addition to the right to revoke consent given to us, you are entitled to the following further rights if the respective legal requirements are met:
- the right to information about your personal data stored by us (Art. 15 DSGVO), in particular you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the origin of your data if it has not been collected directly from you;
- the right to have inaccurate data corrected or to have correct data completed (Art. 16 GDPR),
- the rright to have your data stored by us deleted (Art. 17 DSGVO), insofar as no legal or contractual retention periods or other legal obligations or rights to further storage are to be observed by us,
- the right to restrict the processing of your data (Art. 18 DSGVO), insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure; the controller no longer requires the data, but you need it to assert, exercise or defend legal claims or you have objected to the processing pursuant to Art. 21 DSGVO,
- the right to data portability pursuant to Art. 20 DSGVO, i.e. the right to have selected data stored by us about you transferred in a common, machine-readable format, or to demand that it be transferred to another person responsible.
- the rto lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.
You can exercise the aforementioned rights to which you are entitled at datenschutzbeauftragter@aboutyou.de.
Right to object
Under the conditions of Article 21(1) of the GDPR, data processing may be objected to on grounds relating to the specific situation of the data subject.
The above general right to object applies to all processing purposes described in this privacy statement that are processed on the basis of Article 6(1)(f) DSGVO. Unlike the specific right to object to data processing for marketing purposes, the GDPR only requires us to implement such a general right to object if you provide us with reasons of overriding importance (e.g. a possible risk to life or health).
Right to withdraw consent
If we process data on the basis of your consent, you have the right to revoke this consent. However, we would like to point out that this is only effectively possible within one month. The revocation of the consent does not have the consequence that the data processing carried out on the basis of the consent up to the time of the revocation becomes ineffective.