We operate an internal whistleblower system that meets the requirements of the HinweisgeberInnenschutzgesetz (HSchG). We would like to inform you about the associated data processing as follows:
Controller
The following are joint controllers for the operation of our internal whistleblower system within the meaning of Art 26 GDPR:
Purposes of the processing
The purpose of data processing as part of our internal whistleblower system is:
- to process reports in accordance with the HSchG,
- to protect certain persons in accordance with § 2 HSchG in the event of indications of legal violations in connection with the activities of a legal entity in the private sector,
- to process reports on other serious compliance matters, and
- to forward necessary data for the processing of (potential) legal violations to the internal and external bodies involved in the investigation, to the extent required by law or in the interests of FACC AG, FACC Operations GmbH or CoLT Prüf und Test GmbH or third parties if a corresponding public interest exists.
Your data will not be further processed for other purposes by the internal Whistleblower System.
Legal basis for the processing and legitimate interests
- Art 6 para 1 lit c GDPR: Directive (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law; HinweisgeberInnenschutzgesetz
- Art 6 para 1 lit f GDPR: to protect the legitimate interests of FACC AG, FACC Operations GmbH, CoLT Prüf und Test GmbH or third parties (to prevent or punish legal violations and for this purpose to check the validity of notices)
Receiving and transmitting personal data/information for joint processing
Our internal Whistleblower System is managed by FACC's compliance department. When processing a report, data may be disclosed to internal departments (in particular HR, internal audit, data protection department, compliance department, legal department, finance department) as well as to external reporting channels, law enforcement authorities, courts, supervisory authorities, lawyers, data protection officers in accordance with legal regulations. Such disclosures may also be made to countries within the European Union or to the European Union.
In principle, your data will not be transferred or processed outside the European Union. However, as part of processing using our IT systems, transfer to the United States (USA) cannot be completely ruled out. In this context, however, there is an adequacy decision by the European Commission (Adequacy decision for the EU-US Data Privacy Framework) and the IT partner used is certified accordingly.
Our internal Whistleblower System is set up as a joint controllership in accordance with § 13 para 4 HSchG. The above-mentioned companies act as joint controllers. The responsibility of the joint controllers can be found here. The data subject may exercise his rights in respect of and against each of the controllers. A strict “need-to-know” principle is followed when involving individual internal departments. The channels of our internal whistleblower system are access-protected (access via password and encryption of data transmission).
Provision of data
There is no obligation to transmit personal data to our internal whistleblower system. It is possible to report anonymously.
Collection of data from other sources
The collection of data from other sources is not mandatory as part of the processing of your report by our internal whistleblower system. If you are the person affected by a tip, the data comes from the whistleblower.
Type of personal data
The personal data processed in the course of a report via our internal whistleblower system arises primarily from the content of the report. Reporting is done on a voluntary basis.
The content of the report may include, in particular, the following personal data:
- name and function of the reporting person,
- name and function of other persons associated with the report,
- other personal data as part of the report.
Retention period of personal data
To the extent that data processing occurs within the scope of HSchG, the following applies: The personal data in the context of a report are generally stored for five years from their last processing or transmission and beyond that for as long as is necessary to carry out administrative or judicial proceedings that have already been initiated or to carry out an investigation which is required by the Strafprozeßordnung 1975 (StPO). The personal data will then be deleted. Three years from this point in time, log data (e.g. about changes or queries in connection with a report) will be destroyed.
If a report is made outside the scope of HSchG, the following applies: Two months after the end of the investigation, personal data will be deleted if it is no longer needed for the appropriate enforcement or defense of the law.
Timely deletion is guaranteed by an appropriate calendaring and resubmission system.
Rights of the data subject
To the extent that data processing occurs within the scope of HSchG, the following applies: As long as and to the extent that this is necessary to protect the whistleblower and the people supporting them or people who, for example, have to fear retaliation measures (in particular for the duration of the implementation of an administrative or judicial procedure or an investigation according to the StPO), the following rights of the data subject do not apply to the persons affected by the report:
- Right to information (§ 43 DSG, Art 13 and 14 GDPR),
- Right of access (§ 1 Abs. 3 Z 1 and § 44 DSG, Art 15 GDPR),
- Right to rectification (§ 1 Abs. 3 Z 2 and § 45 DSG, Art 16 GDPR),
- Right to erasure (§ 1 Abs. 3 Z 2 and § 45 DSG, Art 17 GDPR),
- Right to restriction of processing (§ 45 DSG, Art 18 GDPR),
- Right to object (Art 21 GDPR) as well as
- Right to be notified of a personal data breach (§ 56 DSG and Art 34 GDPR).
If a report is made outside the scope of HSchG, the following applies: In accordance with the general data protection regulations, you can contact us free of charge if you have any questions about the collection, processing or use of your personal data and their correction, blocking, deletion, objection or revocation of a consent. We would like to point out that you have the right to correct inaccurate data, delete personal data or restrict processing if these rights do not conflict with a legal retention obligation.
The obligation to exercise your data subject rights applies to all those jointly responsible in accordance with point 1.
Complaint rights
You have the right to lodge a complaint with a supervisory authority.