Information on data protection for persons providing hints and persons affected by the hints

reichert & reichert steuer- und rechtsberatungsgesellschaft mbH acts as a legal ombudsman within the scope of existing mandates. The function of legal ombudsman has the advantage for whistleblowers that we can guarantee a very high degree of anonymity towards the companies affected by the information.

Our whistleblower reporting system is available to whistleblowers for entering and submitting reports. In addition to the online whistleblower contact form, this also includes our whistleblower hotline at 0049.7731.9587.777, our whistleblower mailbox at the postal address of our law firm at Max-Porzig-Straße 1 in 78224 Singen and the employees of our whistleblower protection team on site at the postal address of our law firm.

In the following, we inform you as the whistleblower and, in the event that you are named in the whistleblower report, as the person affected by the report, about the processing of your personal data and the rights to which you are entitled vis-à-vis us under data protection law.

This information on data protection applies in the event that we obtain and process personal data from you via a whistleblower report or as part of the subsequent clarification of the facts.

I. Responsible for data processing

The data processor is reichert & reichert steuer- und rechtsberatungsgesellschaft mbH, Max-Porzig-Straße 1 in 78224 Singen. You can reach us by telephone on +49 (0)7731 9587-0 or by e-mail at kanzlei@reichert-reichert.de.

II. Data protection officer

You can reach our data protection officer at the above contact details or by e-mail at datenschutz@reichert-reichert.de. The data protection officer is only responsible for questions relating to data protection law. He cannot provide any information on the content or course of references or proceedings conducted at the ombudsman's office.

III. Purpose of data processing

We collect and process your personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws on the processing of personal data and data protection.

Data subject category: persons providing the information and persons affected by the information

Data categories:

Data of the whistleblower: If the whistleblower voluntarily discloses their identity and thereby waives the possibility of an anonymous report, we process the surname and first name (so-called master data), contact details and the fact that you have made a report via our whistleblower reporting system as well as such data that we become aware of during the implementation of the follow-up measures and as part of the clarification of the report.

Data of persons named in the report: Depending on the content of the report submitted, we process all personal data that may be named in the report or that we become aware of during the implementation of the follow-up measures and as part of the clarification of the hint.

Purpose of processing: We process all personal data for the purpose of receiving reports of compliance violations as an ombudsman's office, carrying out the reporting procedure and follow-up measures in accordance with the Whistleblower Protection Act (HinSchG), cooperating with our clients to clarify the information and accusations, complying with the statutory obligations to provide evidence and documentation, and for the judicial and extrajudicial assertion, exercise or defense of legal claims.

Legal basis: Art. 6 para. 1 lit. a GDPR if you consent to the removal of your anonymity, for the provision of your voluntary personal data via the whistleblower reporting system, for the permanently retrievable audio recording in the event of a telephone report and for a complete and accurate recording of the meeting in the event of a personal appointment with our ombudsman's office. Art. 6 para. 1 lit. c GDPR in conjunction with Art. 10, 16 to 18 HinSchG in order to comply with our legal obligations under the Whistleblower Protection Act and Art. 6 para. 1 lit. c GDPR in order to comply with any other laws with an obligation to provide a reporting system. Art. 6 para. 1 lit. e GDPR in conjunction with Art. 10, 16 para. 1 sentence 4 HinSchG applies if we process anonymous reports. Art. 6 para. 1 sentence 1 lit. c GDPR and Art. 10, 12, 13, 18 no. 4 lit. a and 9 para. 3 and 4 no. 2 HinSchG apply to the further processing of personal data by internally responsible bodies. We process special categories of personal data on the basis of Art. 9 para. 2 lit. g GDPR in conjunction with Art. 10 sentence 2 HinSchG, insofar as this is necessary for the fulfillment of our tasks. The legal basis for taking steps under labor law is Art. 6 para. 1 sentence 1 lit. b GDPR and § 26 BDSG. The legal basis for the processing of personal data of whistleblowers for the judicial or extrajudicial assertion, exercise or defense of legal claims or processing for the exoneration of accused employees is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. If available, processing can also take place on the basis of a company agreement that regulates the establishment and operation of a whistleblower reporting office, Art. 88 para. 1 GDPR, Section 26 para. 4 BDSG.

Categories of recipients: If necessary, we may disclose personal data to our client, other group companies of the client, its works council or other internal interest groups, other tax consultants and law firms, auditors, processors bound by instructions such as IT service providers, courts, authorities or public bodies that support or advise us in processing and clarifying the hint.

Transfer to a third country: Data is not transferred to a third country and no such transfer is planned, but it may become necessary as part of the investigation of information and the implementation of legal follow-up measures. A transfer of personal data to countries outside the EU or the EEA only takes place either in the context of order processing or if this is necessary or required by law. A transfer is only permitted if the European Commission has established an adequate level of data protection for the third country concerned or if suitable guarantees are provided.

Data sources: To investigate hints, we process personal data that we have received via the whistleblower report as well as personal data that we become aware of during the investigation within the company. Please note that we are not obliged to disclose the whistleblower as the source.

Obligation to provide: In principle, we only collect the data required to provide and maintain the whistleblower reporting channels. Without this data, we cannot set up and maintain the whistleblower reporting system and guarantee its technical security. If you provide further personal data, this provision is voluntary. Failure to provide this voluntary information has no direct negative consequences for the basic processing and clarification of the report, but may make the processing and clarification of the report or communication with you more difficult, delayed or impossible under certain circumstances.

Profiling: The personal data will not be used for automated decision-making, including profiling.

Storage period: We delete personal data two months after completion of the procedure if the report does not fall within the scope of the HinSchG or if it turns out that the report was intentionally false, unless the data must be stored longer for the judicial or extrajudicial assertion, exercise or defense of legal claims.

We process personal data from reports that fall under the scope of application of the HinSchG and from the implementation of follow-up measures for as long as required for clarification and final assessment, a legitimate interest of the company or a legal requirement exists. The duration of storage depends in particular on the severity of the suspicion resulting from the report and the reported possible breach of duty. After completion of the procedure, we regularly delete the data after three years, if and insofar as there are no legal requirements to the contrary.

IV. Technical and organizational security measures

The data submitted via the web portal of the whistleblower reporting system is sent content-encrypted and stored password-protected on the servers of our legal ombudsman's office, so that access is restricted to a very narrow circle of expressly authorized ombudspersons. The persons at our ombudsman's office who are involved in examining the facts of the case and, if necessary, further clarifying the facts of the case are also bound to confidentiality in data protection, so that all personal data processed is always treated confidentially.

V. Rights of data subjects

You have the right of access to your personal data as well as the right to rectification or erasure or restriction of processing and the right to data portability (Art. 15–20 GDPR) and the right not to be subject to a decision based solely on automated processing, including profiling (Art. 22 GDPR). You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent, we will stop the corresponding data processing and delete your data processed for this purpose, unless you have expressly consented to further use of your data or there is a legal reason for further processing.

If data is collected on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR (data processing to safeguard legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Information on data protection when using the whistleblower portal

In the following, we inform you about the processing of personal data when using our whistleblower portal. We process your personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws on the processing of personal data.

I. General information

1. Person responsible for data processing and its data protection officer

The “person responsible” pursuant to Art. 4 (7) GDPR is
Law firm reichert & reichert
tax consultant and law firm
Sole proprietor Dr. Hansjörg Reichert
Max-Porzig-Straße 1
78224 Singen
Telephone number: +49 (0)7731 9587-0
E-mail: kanzlei@reichert-reichert.de

2. Contact details of our data protection officer

You can reach our data protection officer using the contact details above or by email at datenschutz@reichert-reichert.de.

The data protection officer is exclusively responsible for data protection issues. He cannot provide any information on the content or course of information or proceedings conducted by the ombudsman's office.

3. Security of processing, processors

Your personal data is protected against loss and misuse at all times by appropriate technical and organizational measures. The data submitted via the web portal of the whistleblower reporting system is sent content-encrypted and stored password-protected on the servers of our legal ombudsman's office, so that access is restricted to a very narrow circle of expressly authorized ombudspersons. The persons at our ombudsman's office who are involved in examining the facts of the case and, if necessary, further clarifying the facts of the case are also bound to confidentiality in data protection, so that all personal data processed is always treated confidentially.

In some cases, we rely on the support of third parties and/or processors to provide the website. As part of the support activities, processing may be carried out by the third parties / processors. If these are service providers, they have been carefully selected and commissioned by us. Processors in particular are contractually bound to our instructions in accordance with Art. 28 GDPR and are regularly monitored. A contract for order processing has been concluded with all of them to ensure the protection of your personal data.

4. Provision of personal data and profiling

The provision of your personal data on our website is generally not required by law or contract. If personal data is required for the conclusion of a contract, it is marked separately. However, if you do not provide your data, it may not be possible to use the website, or only to a limited extent.

The data collected on our website is not used for automated decision-making, including profiling.

5. Your rights as a data subject

In accordance with the GDPR, you have the following rights vis-à-vis us with regard to your personal data:

  • Right of access, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure (“right to be forgotten”), Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object to the processing, Art. 21 GDPR
  • Right not to be subject to a decision based solely on automated processing, including profiling (Art. 22 GDPR)

If you believe that the processing of data concerning you violates data protection regulations, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. The right to lodge a complaint can be asserted in particular with a supervisory authority in the Member State in which you are resident or the place of the alleged infringement.

II. Special information

1. Informational use of the website

When you visit our website, your browser automatically transmits personal data to our server and stores it in log files. The data is stored in access logs when the page is accessed; incorrect page views are stored in error logs.

Data categories: Access logs contain the following data: IP address (anonymized), directory protection user, date, time, pages accessed, logs, status code, data volume, referrer, user agent, host name accessed. In addition to the error messages, error logs contain the accessing IP address and, depending on the error, the website accessed.

Purpose: Ensuring functionality, error analysis of malfunctions, unlawful interventions and illegal use and troubleshooting, technical optimization and further development of the website and its functions, ensuring IT security and IT infrastructure.

Legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR in the legitimate interest in ensuring the trouble-free operation of our website.

Third-party recipients: For the web and server hosting of this website and the technical support for its operation, data is transferred to Mittwald CM Service GmbH & Co. KG.

Right to object: In accordance with Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. f GDPR. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Storage period: The logs are stored for 60 days. Storage beyond this period is possible in the case of security-relevant events. In this case, the data is anonymized if it is not required to clarify the events, or deleted after the respective security-relevant event has been fully examined and clarified.

2. Submitting a hint via the whistleblower portal

You can contact us via our website using our whistleblower contact form and submit a hint. Required mandatory information is specially marked. If you do not provide this information, it will not be possible to send the contact form. However, for your convenience, you can also provide a pseudonymized e-mail address. Otherwise, there are no negative consequences associated with the non-provision of voluntary data. However, in individual cases, failure to provide data may make communication with you more difficult or delay it.

For all further information on data protection when using our entire whistleblower reporting system, please refer to our information on data protection for whistleblowers and persons affected by whistleblowing at the top of the page.