Protection des données

Data protection information on the whistleblower system


Information on data protection in the whistleblower system of BRAND and all group companies in Germany and abroad

In the following, we would like to inform you about the collection, processing and use of personal data within the framework of the whistleblowing system, if you submit a notice via our IT-supported contact form, by e-mail, telephone call, letter or personal appearance with us. Therefore, please read this data protection information very carefully before submitting a report. The data controller is Compliance Beratung + Service GmbH, Maximilianstraße 24, 80539 Munich, Germany, as a commissioned data processor bound by instructions. This also applies to all other companies indicated in the IT-supported contact form, hereinafter referred to as BRAND, as we make use of the regulation to provide a whistleblowing system for several companies.

Purpose of the whistleblowing system and data processing

The purpose of the whistleblower system is to receive and process information about (suspected) violations of the law or serious internal violations of rules against one or more companies within BRAND in a secure and confidential manner. The processing of personal data within the framework of the whistleblower system is based on the legitimate interest in the detection and prevention of wrongdoing and the associated prevention of damage and liability risks (Art. 6 para. 1 lit. F DSGVO in conjunction with §§ 30, 130 OWiG). The establishment of a whistleblower system is intended to give employees and third parties the opportunity to provide protected information about violations of the law within the company in a suitable manner. If a tip-off received concerns an employee, the processing also serves to prevent criminal offences or other violations of the law in connection with the employee relationship (Section 26 (1) BDSG). Your data will be processed on the basis of your consent (Art. 6 para. 1 lit. a DSGVO), which is given by the fact that the notice can also be given anonymously. As a rule, consent can only be revoked within one month of receipt of the notification, as in certain cases we are obliged under Art. 14 (3) lit. a DSGVO to inform the accused person of the allegations made against him or her and the investigations carried out within one month. This includes the storage, the type of data, the purpose of the processing, the identity of the controller and - if legally required - the notifier, so that it is no longer possible to stop the data processing or delete the identification data. The withdrawal period may be shortened; for example, if the nature of the notification requires the immediate involvement of an authority or court; because once a disclosure has been made to the authority or court, the identification data is held by both us and an authority or court.

Processing of your personal data

Use of the whistleblower system is on a voluntary basis. We collect the following personal data and information when you submit a report:

- Your name, if you disclose your identity,
- your contact details, if you provide them to us,
- the fact that you have made a report through the whistleblower system,
- names of persons, if applicable, and other personal data of the persons named in the report.

The data submitted to the whistleblower system is encrypted and stored with multi-level password protection, so that access is restricted to a very narrow circle of expressly authorised employees of Compliance Beratung + Service GmbH and BRAND. The employees check the reported facts and, if necessary, carry out further case-related clarification of the facts; in doing so, the data is always treated confidentially. However, confidentiality cannot be guaranteed if false information is knowingly provided with the aim of discrediting a person (denunciation). In certain cases, there is an obligation under data protection law to inform the accused person of the accusations made against him or her. This is required by law if it is objectively determined that the provision of information to the accused person can no longer affect the concrete clarification of the information at all. As far as legally possible, your identity as the reporting party will not be disclosed and it will also be ensured that no conclusions can be drawn about your identity. In the course of processing a report or conducting an investigation, it may be necessary to pass on information to other employees or other employees of other companies within BRAND. We always ensure that the relevant data protection regulations are observed when passing on information. In the event of a corresponding legal obligation or data protection law necessity for the clarification of information, further possible categories of recipients are law enforcement authorities, cartel authorities, other administrative authorities, courts and commissioned law and auditing firms. Any person who gains access to the data is obliged to maintain confidentiality. Personal data will be kept for as long as it is necessary for clarification and final assessment, for a justified interest of the company or for a legal requirement. Afterwards, this data is deleted in accordance with the legal requirements. Within this framework, the duration of storage depends on the severity of the suspicion and the possible breach of duty, the complexity of the clarification and the like. The whistleblower system is operated by the specialised software service provider iComply GmbH, Große Langgasse 1a, DE-55116 Mainz, on our behalf. iComply GmbH is contractually obliged to maintain strict confidentiality and to comply with all data protection requirements. The data centre operator has no access to data of any kind, it is used exclusively to store the application and the data stored in it.

Your rights

You and the persons named in the notice have the right to information, correction, deletion, restriction of processing and, in certain cases, the right to data transfer. You may also object to the processing of your personal data on grounds relating to your particular situation, provided that the data processing is carried out in the public interest or on the basis of a balance of interests. The objection can be made form-free and should, if possible, be sent to the contact details listed in this data protection notice.
 If the right to object is exercised, we will immediately check the extent to which the stored data is still required, in particular for the processing of a notice. Data that is no longer required will be deleted immediately. You can also revoke your consent at any time. In this context, please note the information under the first point of this statement "Purpose of the whistleblower system and data processing". You also have the right to lodge a complaint with a supervisory authority.
Contact details:
The contact person for exercising your rights and further information is the person responsible for the whistleblowing system. Please use the following contact details: Thank you.