Information on data protection for whistleblowers and persons affected by reports
reichert & reichert steuer- und rechtsberatungsgesellschaft mbH acts as a legal ombudsman within the scope of existing mandates. The function of legal ombudsman has the advantage for whistleblowers that we can guarantee a very high degree of anonymity towards the companies affected by the information.
Our whistleblower reporting system is available to whistleblowers for entering and submitting reports. In addition to the online whistleblower contact form, this also includes our whistleblower hotline at 0049.7731.9587.777, our whistleblower mailbox at the postal address of our law firm at Max-Porzig-Straße 1 in 78224 Singen and the employees of our whistleblower protection team on site at the postal address of our law firm.
In the following, we inform you as the whistleblower and, in the event that you are named in the whistleblower report, as the person affected by the report, about the processing of your personal data and the rights to which you are entitled vis-à-vis us under data protection law.
This information on data protection applies in the event that we obtain and process personal data from you via a whistleblower report or as part of the subsequent clarification of the facts.
I. Responsible for data processing
The data processor is reichert & reichert steuer- und rechtsberatungsgesellschaft mbH, Max-Porzig-Straße 1 in 78224 Singen. You can reach us by telephone on +49 (0)7731 9587–0 or by e‑mail at kanzlei@reichert-reichert.de.
II. Data protection officer
You can reach our data protection officer at the above contact details or by e‑mail at datenschutz@reichert-reichert.de. The data protection officer is only responsible for questions relating to data protection law. He cannot provide any information on the content or course of reports or proceedings conducted at the ombudsman’s office.
III. Purpose of data processing
We collect and process your personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws on the processing of personal data and data protection.
Data subject category: persons providing the information and persons affected by the information
Data categories:
Data of the whistleblower: If the whistleblower voluntarily discloses their identity and thereby waives the possibility of an anonymous report, we process the surname and first name (so-called master data), contact details and the fact that you have made a report via our whistleblower reporting system as well as such data that we become aware of during the implementation of the follow-up measures and as part of the clarification of the report.
Data of persons named in the report: Depending on the content of the report submitted, we process all personal data that may be named in the report or that we become aware of during the implementation of the follow-up measures and as part of the clarification of the report.
Purpose of processing: We process all personal data for the purpose of receiving reports of compliance violations as an ombudsman’s office, carrying out the reporting procedure and follow-up measures in accordance with the Whistleblower Protection Act (HinSchG), cooperating with our clients to clarify the information and accusations, complying with the statutory obligations to provide evidence and documentation, and for the judicial and extrajudicial assertion, exercise or defense of legal claims.
Legal basis: Art. 6 para. 1 lit. a GDPR if you consent to the removal of your anonymity, for the provision of your voluntary personal data via the whistleblower reporting system, for the permanently retrievable audio recording in the event of a telephone report and for a complete and accurate recording of the meeting in the event of a personal appointment with our ombudsman’s office. Art. 6 para. 1 lit. c GDPR in conjunction with Art. 10, 16 to 18 HinSchG in order to comply with our legal obligations under the Whistleblower Protection Act and Art. 6 para. 1 lit. c GDPR in order to comply with any other laws with an obligation to provide a reporting system. Art. 6 para. 1 lit. e GDPR in conjunction with Art. 10, 16 para. 1 sentence 4 HinSchG applies if we process anonymous reports. Art. 6 para. 1 sentence 1 lit. c GDPR and Art. 10, 12, 13, 18 no. 4 lit. a and 9 para. 3 and 4 no. 2 HinSchG apply to the further processing of personal data by internally responsible bodies. We process special categories of personal data on the basis of Art. 9 para. 2 lit. g GDPR in conjunction with Art. 10 sentence 2 HinSchG, insofar as this is necessary for the fulfillment of our tasks. The legal basis for taking steps under labor law is Art. 6 para. 1 sentence 1 lit. b GDPR and § 26 BDSG. The legal basis for the processing of personal data of whistleblowers for the judicial or extrajudicial assertion, exercise or defense of legal claims or processing for the exoneration of accused employees is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. If available, processing can also take place on the basis of a company agreement that regulates the establishment and operation of a whistleblower reporting office, Art. 88 para. 1 GDPR, Section 26 para. 4 BDSG.
Categories of recipients: If necessary, we may disclose personal data to our client, other group companies of the client, its works council or other internal interest groups, other tax consultants and law firms, auditors, processors bound by instructions such as IT service providers, courts, authorities or public bodies that support or advise us in processing and clarifying the report.
Transfer to a third country: Data is not transferred to a third country and no such transfer is planned, but one may become necessary as part of the investigation of information and the implementation of legal follow-up measures. A transfer of personal data to countries outside the EU or the EEA only takes place either in the context of order processing or if this is necessary or required by law. A transfer is only permitted if the European Commission has established an adequate level of data protection for the third country concerned or if suitable guarantees are provided.
Data sources: To investigate reports, we process personal data that we have received via the whistleblower report as well as personal data that we become aware of during the investigation within the company. Please note that we are not obliged to disclose the whistleblower as the source.
Obligation to provide: In principle, we only collect the data required to provide and maintain the whistleblower reporting channels. Without this data, we cannot set up and maintain the whistleblower reporting system and guarantee its technical security. If you provide further personal data, this provision is voluntary. Failure to provide this voluntary information has no direct negative consequences for the basic processing and clarification of the report, but may make the processing and clarification of the report or communication with you more difficult, delayed or impossible under certain circumstances.
Profiling: The personal data will not be used for automated decision-making, including profiling.
Storage period: We delete personal data two months after completion of the procedure if the report does not fall within the scope of the HinSchG or if it turns out that the report was intentionally false, unless the data must be stored longer for the judicial or extrajudicial assertion, exercise or defense of legal claims.
We process personal data from reports that fall under the scope of application of the HinSchG and from the implementation of follow-up measures for as long as required for clarification and final assessment, a legitimate interest of the company or a legal requirement exists. The duration of storage depends in particular on the severity of the suspicion resulting from the report and the reported possible breach of duty. After completion of the procedure, we regularly delete the data after three years, if and insofar as there are no legal requirements to the contrary.
IV. Technical and organizational security measures
The data submitted via the web portal of the whistleblower reporting system is sent content-encrypted and stored password-protected on the servers of our legal ombudsman’s office, so that access is restricted to a very narrow circle of expressly authorized ombudspersons. The persons at our ombudsman’s office who are involved in examining the facts of the case and, if necessary, further clarifying the facts of the case are also bound to confidentiality in data protection, so that all personal data processed is always treated confidentially.
V. Rights of data subjects
You have the right of access to your personal data as well as the right to rectification or erasure or restriction of processing and the right to data portability (Art. 15–20 GDPR) and the right not to be subject to a decision based solely on automated processing, including profiling (Art. 22 GDPR). You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent, we will stop the corresponding data processing and delete your data processed for this purpose, unless you have expressly consented to further use of your data or there is a legal reason for further processing.
If data is collected on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR (data processing to safeguard legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
Information on data protection when using the whistleblower portal
In the following, we inform you about the processing of personal data when using our whistleblower portal. We process your personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws on the processing of personal data.
I. General information
1. Person responsible for data processing and its data protection officer
The “person responsible” pursuant to Art. 4 (7) GDPR is
Law firm reichert & reichert
tax consultant and law firm
Sole proprietor Dr. Hansjörg Reichert
Max-Porzig-Straße 1
78224 Singen
Telephone number: +49 (0)7731 9587–0
E‑mail: kanzlei@reichert-reichert.de
2. Contact details of our data protection officer
You can reach our data protection officer using the contact details above or by email at datenschutz@reichert-reichert.de.
The data protection officer is exclusively responsible for data protection issues. He cannot provide any information on the content or course of reports or proceedings conducted by the ombudsman’s office.
3. Security of processing, processors
Your personal data is protected against loss and misuse at all times by appropriate technical and organizational measures. The data submitted via the web portal of the whistleblower reporting system is sent content-encrypted and stored password-protected on the servers of our legal ombudsman’s office, so that access is restricted to a very narrow circle of expressly authorized ombudspersons. The persons at our ombudsman’s office who are involved in examining the facts of the case and, if necessary, further clarifying the facts of the case are also bound to confidentiality in data protection, so that all personal data processed is always treated confidentially.
In some cases, we rely on the support of third parties and/or processors to provide the website. As part of the support activities, processing may be carried out by the third parties / processors. If these are service providers, they have been carefully selected and commissioned by us. Processors in particular are contractually bound to our instructions in accordance with Art. 28 GDPR and are regularly monitored. A contract for order processing has been concluded with all of them to ensure the protection of your personal data.
4. Provision of personal data and profiling
The provision of your personal data on our website is generally not required by law or contract. If personal data is required for the conclusion of a contract, it is marked separately. However, if you do not provide your data, it may not be possible to use the website, or only to a limited extent.
The data collected on our website is not used for automated decision-making, including profiling.
5. Your rights as a data subject
In accordance with the GDPR, you have the following rights vis-à-vis us with regard to your personal data:
- Right of access, Art. 15 GDPR
- Right to rectification, Art. 16 GDPR
- Right to erasure (“right to be forgotten”), Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object to the processing, Art. 21 GDPR
- Right not to be subject to a decision based solely on automated processing, including profiling (Art. 22 GDPR)
If you believe that the processing of data concerning you violates data protection regulations, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. The right to lodge a complaint can be asserted in particular with a supervisory authority in the Member State in which you are resident or the place of the alleged infringement.
II. Special information
1. Informational use of the website
When you visit our website, your browser automatically transmits personal data to our server and stores it in log files. The data is stored in access logs when the page is accessed; incorrect page views are stored in error logs.
Data categories: Access logs contain the following data: IP address (anonymized), directory protection user, date, time, pages accessed, logs, status code, data volume, referrer, user agent, host name accessed. In addition to the error messages, error logs contain the accessing IP address and, depending on the error, the website accessed.
Purpose: Ensuring functionality, error analysis of malfunctions, unlawful interventions and illegal use and troubleshooting, technical optimization and further development of the website and its functions, ensuring IT security and IT infrastructure.
Legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR in the legitimate interest in ensuring the trouble-free operation of our website.
Third-party recipients: For the web and server hosting of this website and the technical support for its operation, data is transferred to Mittwald CM Service GmbH & Co. KG.
Right to object: In accordance with Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. f GDPR. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Storage period: The logs are stored for 60 days. Storage beyond this period is possible in the case of security-relevant events. In this case, the data is anonymized if it is not required to clarify the events, or deleted after the respective security-relevant event has been fully examined and clarified.
2. Submitting a report via the whistleblower portal
You can contact us via our website using our whistleblower contact form and submit a report. Mandatory information is specially marked. If you do not provide this information, it will not be possible to send the contact form. However, for your convenience, you can also provide a pseudonymized e‑mail address. Otherwise, there are no negative consequences associated with the non-provision of voluntary data. However, in individual cases, failure to provide data may make communication with you more difficult or delay it.
For all further information on data protection when using our entire whistleblower reporting system, please refer to our information on data protection for whistleblowers and persons affected by whistleblowing at the top of the page.