
PHW Gruppe - Data-protection declaration according to the General Data-Protection Regulations
I. Name and address of the responsible entity
The responsible legal entity for the purposes of the General Data-Protection Regulations and other national data-protection laws of the EU's Member States as well as other legal data-protection provisions is:
LOHMANN & CO. AG, PHW Group, Paul-Wesjohann-Strasse 45, D 49429 Visbek, Germany. Tel. (0049) 44458910 Fax (0049) 4445891250 Web site: www.phw-gruppe.de
Members of the Managing Board: Mr. Peter Wesjohann and Mrs. Doris Wesjohann. The company is entered in the Company Register that is held by the District Court of Oldenburg.
Reg. no. B 110760. Turnover tax I.D. code: DE 115168160. E-mail: info@phw-gruppe.de
II. Contact address of the data-protection officer
The data-protection officer of the responsible legal entity can be contacted at:
FB Datenschutz Paul-Wesjohann-Strasse 45, D 49429 Visbek, Germany.
Telephone: (0) 44458910 E-Mail: datenschutz@gvo-ds.de
III. General information about data processing
1. Extent of processing personal data We only collect or compile and utilize the personal data of our users insofar as this is required for providing a functional web site, our contents and services. The personal data of our users is only collected or compiled and utilized regularly according to the user's consent. An exception applies in those cases where it is impossible to obtain a consent beforehand for actual reasons and the legal regulations permit the data to be processed.
2. Legal basis for processing the personal data Art. 6, Para. 1, Part a of the EU's General Data-Protection Regulations serves as the legal basis insofar as we obtain the affected person's consent to the processing operations concerning the personal data. Art. 6, Para. 1, Part b of the General Data-Protection Regulations serves as the legal basis for processing the personal data which is required for fulfilling a contract when the affected person is one of the contracting parties. This rule also applies to the processing operations that are required for taking the pre-contractual measures. Art. 6, Para. 1, Part c of the General Data-Protection Regulations serves insofar as it is required to process the personal data for fulfilling a legal obligation to which our company is subjected.
Art. 6, Para. 1, Part d of the General Data-Protection Regulations serves as the legal basis for the case that the interests which are important in the life of the affected person or another natural person make it necessary to process the personal data. Art. 88 of the General Data-Protection Regulations (processing of data in the context of employment) and Article 26 of the revised Federal Data-Protection Law (processing of data for the purposes of the employment relationship) serve as the legal basis for the case of arranging, implementing or ending an employment relationship which makes it necessary to process the personal data. If the processing is not required for safeguarding the justified interest of our company or of a third party, nor is the first-mentioned interest mainly in the interests, basic rights and basic freedoms of the affected person, then Art. 6, Para. 1, Part f of the General Data-Protection Regulations serves as the legal basis for the processing.
3. Deletion of data and duration of storage The personal data of the affected person will be deleted or blocked as soon as the purpose of the storage becomes inapplicable. Apart from that, the data can be stored if this has been foreseen by the European or national legislators in the EU's legal ordinances, laws or other regulations to which the responsible legal entity is subjected. The data can also be deleted or blocked whenever the storing period that is prescribed by the mentioned standards has expired, unless it is required to continue storing the data for concluding a contract or for fulfilling a contract.
IV. Provision of the web site and drawing up the log files
1. Description and extent of the data-processing Our system automatically records the data and information from the system of the computer that calls up our web site, during every time that a page of it is called up on the internet. The following data will be collected or compiled while doing so. (1) Information about the type of browser and the utilized version. (2) The user's operating system. (3) The user's internet service-provider. (4) The user's IP address. (5) The date and time of the access. (6) The web sites via which the user's system reaches our internet site. (7) The web sites that the user's system calls up via our web site. The data will also be stored in our system's log files. This data will not be stored together with the user's other personal data.
2. Legal basis for the data-processing The legal basis for storing the data and the log files temporarily is Art. 6, Para. 1, Part f of the General Data-Protection Regulations.
3. Purpose of the data-processing It is necessary for the system to store the IP address temporarily in order to enable the web site to supply information to the user's computer. The user's IP address must remain stored during the session for this purpose.
The log files are stored in order to ensure that the web site is functional. Furthermore, the data serves us for optimizing the web site and for ensuring that our IT system operates properly. No evaluation of the data for marketing purposes takes place in this connection.
Our justified interest in processing the data according to Art. 6, Para. 1, Part 1 of the General Data-Protection Regulations is also one of these purposes.
4. Duration of the storage The data will be deleted as soon as it is not required any more in order to achieve the purpose for which it was collected or compiled: this is the case when the respective session has ended concerning the data which was recorded for providing the web site.
This deletion will take place after seven days at the latest in the case of storing the data in log files. It is possible to store the data beyond that: the user's IP address will be deleted or made anonymous in this case, so that it is impossible to allocate the calling client any more.
5. Possible objections and remedies It is absolutely necessary for operating the internet site that the data is recorded in order to provide the web site and that the data is stored in log files. Consequently, the user does not have any possibility of making objections.
V. Utilization of cookies
a) Description and extent of the data-processing Our web site utilizes cookies. Cookies are data files of text which will be stored in the internet browser or by the internet browser on the user's computer system. If a user calls up a web site, then a cookie can be stored on the user's operating system. This cookie contains a characteristic signature, which enables the browser to be clearly identified when the web site is called up again. We install cookies in order to arrange our web site in a 'user-friendly' or convenient way. Some of our internet site's elements or components require that the browser which calls it up can also be identified after changing the web site's pages. The following data is stored and transmitted in the cookies while doing so. (1) Language settings. (2) Information about the log-in. Apart from that, we use cookies on our web site which enable the user's surfing behaviour to be analysed. The following data can be transmitted in this way. (1) Input searching terms. (2) Frequency of calling up the web site's pages. (3) Using the web site's functions. The user's data that is collected or compiled in this way will be pseudo-anonymized by taking technical precautionary measures. Therefore, it is impossible to allocate the data to the calling user any more. The data will not be stored together with the user's other personal data. The user will be informed about the cookies being utilized for analytical purposes when he calls up our web site and he will be referred to the Data-Protection Declaration. He will also be advised in this connection about how the cookies can be prevented from being stored on the browser's settings. The user will be informed about the cookies being utilized for analytical purposes when he calls up our web site and his consent will be obtained for processing the personal data which will be utilized in this connection. He will also be advised about this Data-Protection Declaration in this connection. 
b) Legal basis for the data-processing The legal basis for processing the personal data by means of utilizing technically necessary cookies is Art. 6, Para. 1, Part f of the General Data-Protection Regulations. The legal basis for processing the personal data by means of utilizing cookies for analytical purposes is Art. 6, Para. 1, Part 1 of the General Data-Protection Regulations whenever there is a consent from the user regarding this matter.
c) Purpose of the data-processing The purpose of utilizing the technically necessary cookies is to simplify the use of the web site for the user. Some functions of our internet site cannot be offered without using the cookies. It is required for these functions that the browser will also be recognized after changing a page on the web site. We need cookies for the following applications. (1) Undertaking the language settings. (2) Noting the search terms. The user's data that is collected or compiled via the technically necessary cookies will not be utilized for drawing up the user's profiles. The analytical cookies are utilized for the purpose of improving the quality of our web site and its contents. We learn through the analytical cookies how the web site is being used and we can constantly optimize our offer. These purposes also include our justified interest in processing the personal data according to Art. 6, Para. 1, Part f of the General Data-Protection Regulations.
e) Duration of the storage; possibilities of objection and elimination Cookies will be stored on the user's computer and data will be transmitted from there to our site. Therefore, you as the user also have full control over utilization of the cookies. You can deactivate or limit the transfer of cookies by means of altering the settings in your internet browser. The cookies that have been stored already can be deleted: this can be done automatically too. If the cookies are deactivated for our web site, then it is possible that not all of the web site's functions could be used to the full extent any more.
VI. E-mail contact
1. Description and extent of the data-processing There is a contact e-mail on our internet site, which can be used for making contact electronically. If a user makes use of this opportunity, then the data will be transmitted to us and stored.
Furthermore, the following data will be stored at the point in time when the message is sent. (1) The user's IP address. (2) The date and time of the registration. Your consent will be obtained for processing the data within the framework of the sending or transmitting operation and reference will be made to this Data-Protection Declaration.
The data will not be forwarded to third parties in this connection regarding general enquiries. The data will be utilized solely for processing the conversation or correspondence.
The data will be forwarded to the firm of Engel & Zimmermann AG Unternehmensberatung für Kommunikation Schloss Fussberg, of Am Schlosspark 15, D 82131 Gauting, Germany in this connection, regarding enquiries from the press.
The data will be utilized solely for processing the conversation or correspondence. The data will be forwarded to the personal departments in our group of companies in this connection, regarding initiative applications. The data will be utilized solely for processing the conversation or correspondence.
We will forward the data solely to the appropriate quality-assurance departments in our group of companies, regarding complaints.
2. Legal basis for the data-processing The legal basis for the data-processing is Art. 6, Para. 1, Part a of the General Data-Protection Regulations whenever the user has given his consent.
The legal basis for the data-processing which will be transmitted during the course of sending an e-mail is Art. 6 Para. 1, Part f of the General Data-Protection Regulations. If the contact via e-mail withdraws from concluding a contract, then Art. 6, Para. 1, Part b of the General Data-Protection Regulations is an additional legal basis for the processing.
3. Purpose of the data-processing The processing of personal data from the input mask serves us solely for processing when the first contact is made. The requisitely justified interest in the data-processing is also relevant in this case when making the first contact by e-mail. The other personal data that is processed during the sending or transmitting operation serves the purpose of preventing misuse of the contact form and ensuring that our IT systems are securely protected.
4. Duration of the storage The data will be deleted as soon as it is not required any more for achieving the purpose for which it was collected or compiled. This will be the case for the personal data from the contact form's input mask and for the data that has been sent by e-mail whenever the respective conversation or correspondence with the user has ended. The conversation or correspondence has ended whenever one can assume from the circumstances that the relevant facts have been clarified conclusively.
The personal data that has been additionally collected or compiled during the sending operation or transmission will be deleted after a period of seven days has passed.
5. Possibilities of objection and elimination The user has the possibility of revoking his consent to processing of the personal data at any time. If the user makes contact with us by e-mail, then he can object at any time to his personal data being stored through notifying us at . The conversation or correspondence cannot be continued in such a case. All of the personal data that has been stored during the course of making the first contact will be deleted in this case.
VII. Web analysis by Google Analytics
1. Extent of processing the personal data This web site uses Google Analytics, which is a web analysis service of Google Inc., (1600 Amphitheatre Parkway Mountain View, CA 94043, USA; "Google"). The usage comprises the "Universal Analytics" operating mode. It is possible by these means to allocate the data, sessions and interactions via several devices with a pseudonymous (i.e., fictitious) user's ID and to analyse a user's activities across the devices in this way. This advice about data-protection is provided by www.intersoft-consulting.de.
Google Analytics utilizes so-called cookies, which are data files of text that will be stored on your computer and they enable an analysis to be made of how you use the web site. The information that is generated by the cookie about using this web site will be transferred to one of Google's servers in the USA as a rule and stored there. Google will abbreviate your IP address within the European Union's Member States or in other states that are contractual parties of the Convention about the European Economic Area during the course of activating the IP anonymization on this web site. The full IP address will only be transferred to one of Google's servers in the USA and abbreviated there in exceptional cases. Google will not combine the IP address that has been transmitted from your browser within the framework of Google Analytics with other data. Google will use this information on behalf of this web site's operator, in order to evaluate your usage of the web site, as well as to draw up reports about the activities on the web site and to provide further services that are connected with usage of the web site and of the internet vis-à-vis the web site's operator. These purposes also include our justified interest in the data-processing. The legal basis for using Google Analytics is Art. 15, Para. 3 of the Tele-Media Law and Art. 6, Para. 1, Part f of the General Data-Protection Regulations respectively.
2. Legal basis for processing the personal data The legal basis for processing the user's personal data is Art. 6, Para. 1, Part f of the General Data-Protection Regulations.
3. Purpose of the data-processing The processing of the user's personal data enables us to analyse the surfing behaviour of our users. We are able to compile information about how the individual components of our web site are used through evaluating the gained data. What is more, this information helps us to constantly improve our web site and its 'user-friendliness' or convenience. These purposes also include our justified interest in processing the data according to Art. 6, Para. 1, Part f of the General Data-Protection Regulations. Sufficient consideration is given to the user's interest in protecting his personal data by means of anonymizing the IP address.
4. Duration of the storage The data that we send, which is linked with the cookies, user's signatures (e.g., the user's ID) or advertising IDs, will be automatically deleted after 14 months. The data will be deleted automatically once a month when the safekeeping period has expired. You can find more detailed information about the conditions of use and data-protection at https://www.google.com/analytics/terms/de.html and at https://policies.google.com/?hl=de respectively.
5. Possibilities of objection and elimination Cookies will be stored on the user's computer and transmitted from it to our web site. Therefore, you as the user also have full control over the utilization of cookies. You can deactivate or limit the transmission of cookies by altering the settings in your internet browser. Cookies that have already been stored can be deleted at any time: this can be done automatically too. You can prevent the cookies from being stored by means of suitably setting your browser's software; however, we wish to point out that you might not be able to use all of this web site's functions to the full extent in that case. Apart from that, you can prevent the recording of the data (including your IP address) relating to your usage of the web site, which is generated by the cookie, from being sent to Google and you can also prevent Google processing this data by means of downloading the Browser-Add-on and installing it. Opt-out cookies prevent your data from being recorded in future whenever you visit this web site. You must implement the opt-out [cookie] on all of the used systems in order to prevent Universal Analytics recording the data via various devices. The opt-out cookie will be set if you click here: Deactivate Google Analytics.
VIII. The affected person's rights
If your personal data will be processed, then you are the affected person for the purposes of the General Data-Protection Regulations and the following rights vis-à-vis the responsible person or legal entity are vested in you.
1. Right of information You can demand a confirmation from the responsible person or legal entity about whether the personal data that affects or refers to you will be processed by us. If there is such processing, then you can demand details about the following information from the responsible person or legal entity. (1) The purposes for which the personal data will be processed. (2) The categories of personal data which will be processed. (3) The recipients or categories of recipients vis-à-vis whom the personal data that affects you has been disclosed or will still be disclosed. (4) The planned duration of storing the personal data that affects or refers to you, or the criteria for stipulating the storing duration, if it is impossible to give definitive information concerning this matter. (5) The existence of a right to correct or delete the personal data that affects or refers to you, or a right to limit the processing by the responsible person or legal entity, or a right of objection to this processing. (6) The existence of a right to complain to a supervisory authority. (7) All of the available information about the origin of the data, if the personal data will not be collected or compiled from the affected person. (8) The existence of an automated decision-making procedure including profiling according to Art. 22, Paras. 1 and 4 of the General Data-Protection Regulations and - at least in these cases - convincing information about the involved logic as well as the significance or implications and the intended effects of such processing for the affected person. The right is vested in you to demand detailed information about whether the personal data that affects or refers to you will be transmitted in or to a third-party country or to an international organization. You can demand to be informed in this connection about the suitable guarantees that apply according to Art. 46 of the General Data-Protection Regulations in connection with the transmission.
2. Right of correction You have a right of correction or completion, or both, vis-à-vis the responsible person or legal entity, insofar as the processed personal data that affects or refers to you is incorrect or incomplete. The responsible person or entity has to make the correction immediately.
3. Right to limit the processing You can demand to limit processing of the personal data which affects or refers to you, subject to the following prerequisites. (1) If you dispute the accuracy of the personal data that affects or refers to you for a period which enables the responsible person or legal entity to check the accuracy of the personal data. (2) The processing is unlawful and you refuse the deletion of personal data, instead of which you demand that the usage of the personal data be limited. (3) The responsible person or legal entity does not need the personal data for the purposes of processing any longer but you need to assert, exercise or defend your legal claims to it. (4) If you have made objections to the processing according to Art. 21, Para. 1 of the General Data-Protection Regulations and it has not been established yet whether the justified reasons of the responsible person or legal entity take precedence vis-à-vis your reasons. If processing of the personal data that affects you has been limited, then this data - from the aspect of storing it - will only be processed with your consent or for asserting, exercising or defending legal claims, or for protecting the rights of another natural person or legal entity, or for reasons concerning an important public interest of the European Union or of a Member State. If the limitation of processing is restricted according to the aforementioned prerequisites, then the responsible person or legal entity will inform you about it before the limitation will be annulled.
4. Right of deletion a) Deleting duty You can demand from the responsible person or legal entity that the personal data which affects or refers to you will be deleted immediately. The responsible person or legal entity is then obligated to delete this data immediately insofar as one of the following reasons applies. (1) The personal data that affects or refers to you is not necessary any more to serve the purposes for which it has been collected, compiled or processed in another way. (2) You revoke your consent on which the processing is based according to Art. 6, Para. 1, Part a or Art. 9, Para 2, Part a of the General Data-Protection Regulations and another legal basis for the processing is lacking. (3) You make an objection to the processing according to Art. 21, Para. 1 of the General Data-Protection Regulations and there is not any preferentially justified reason for the processing, or you make an objection to the processing according to Art. 21, Para. 2 of the General Data-Protection Regulations. (4) The personal data that affects or refers to you has been unlawfully processed. (5) The deletion of the personal data that affects or refers to you is done for fulfilling a legal obligation according to the European Union's law or the law of the Member States to which the responsible person or entity is subjected. (6) The personal data that affects or refers to you has been collected or compiled with reference to the information company's offered services according to Art. 8, Para. 1 of the General Data-Protection Regulations.
b) Information to third parties. If the responsible person or legal entity has publicly announced the personal data that affects or refers to you and if he is obligated to delete it according to Art. 17, Para. 1 of the General Data-Protection Regulations, then he must take reasonable measures, even of a technical kind - subject to considering the available technology and cost of implementation - in order to inform the responsible person or legal entity who processes the personal data that you, as the affected person, have demanded from him that all of the links to this personal data must be deleted, or that the copies or replicas of this personal data must be deleted.
c) Exceptions There is not any right of deletion insofar as the processing is required: (1) for exercising the right to free expression of opinion and information; (2) for fulfilling a legal obligation that requires the processing according to the European Union's law or the law of the Member States to which the responsible person or entity is subjected, or for safeguarding a task or duty which is in the public interest, or because of exercising a public authority which has been transferred to the responsible person or legal entity; (3) for reasons of public interest in the area of public health according to Art. 9, Para. 2, Parts h and i, as well as Art. 9, Para. 3 of the General Data-Protection Regulations; (4) for archiving purposes, scientific or historical research purposes, or for statistical purposes which are in the public interest according to Art. 89, Para. 1 of the General Data-Protection Regulations, insofar as the right that is mentioned in Section a) would probably make it impossible to achieve the objectives of this processing, or it would seriously affect them adversely; (5) for asserting, exercising or defending the legal claims.
5. Right of information If you have asserted the right to correct, delete or limit the processing vis-à-vis the responsible person or legal entity, then he or it is obligated to notify all of the recipients - to whom the personal data that affects or refers to you has been disclosed - to make this correction, delete the data or limit the processing, unless this action proves to be impossible or it is connected with an unreasonable cost or outlay. The right is vested in you vis-à-vis the responsible person or legal entity to be informed via these recipients.
6. Right of data-transferability You have the right to receive the personal data that affects or refers to you - which you provided to the responsible person or legal entity - in a structured, conventional format that can be read by machine. Apart from that, you have the right to transmit this data to another responsible person or legal entity without hindrance by the responsible person or legal entity to whom the personal data has been provided, insofar as: (1) the processing is based on a consent according to Art. 6, Para. 1, Part a of the General Data-Protection Regulations, or according to Art. 9, Para. 2, Part a of the General Data-Protection Regulations, or on a contract according to Art. 6, Para. 1, Part b of the General Data-Protection Regulations; (2) the processing is done with the aid of an automated procedure. Furthermore, you have the right when exercising this aforementioned right to ensure that the personal data that affects or refers to you will be directly transmitted by a responsible person or legal entity to another responsible person or entity, insofar as this is technically feasible. The freedom and rights of other persons are not allowed to be adversely affected while doing so. The right to data-transferability does not apply to processing of the personal data which is required for safeguarding a task or duty that is in the public interest or which takes place while exercising a public authority which has been transferred to the responsible person or legal entity.
7. Right of objection You have the right - for reasons that arise from your particular situation - to make an objection at any time against processing of the personal data that affects or refers to you, which takes place on account of Art. 6, Para. 1, Part e or f of the General Data-Protection Regulations; this also applies to a profiling that is based on these provisions. The responsible person or entity does not process the personal data that affects or refers to you any more, unless he can prove compulsory reasons for the processing that are worthy of protection and which take precedence over your interests, rights and freedom, or that the processing serves for asserting, exercising or defending legal claims. If the personal data that affects or refers to you is processed in order to operate direct advertising, then you have the right to make an objection at any time to processing of the personal data that affects or refers to you for the purposes of such advertising; this also applies to the profiling insofar as it is connected with such direct advertising. If you object to the processing for the purposes of direct advertising, then the personal data that affects or refers to you will not be processed for these purposes any more. You have the possibility of exercising your right of objection through the automated procedure in connection with using the information company's services, irrespective of Guideline 2002/58/EG, for which the technical specifications will be utilized.
8. Right to revoke the consensual declaration according to the Data-Protection Law You have the right to revoke your consensual declaration according to the Data-Protection Law at any time. The legality of the processing that is done on account of the consent until it is revoked will not be affected by revoking the consent.
9. Automated decision in the individual case including profiling You have the right not to be subjected to a decision that is solely based on an automated processing including profiling, which has a legal effect on you or which considerably affects you adversely in a similar way. This right does not apply if the decision: (1) is required for concluding or fulfilling a contract that was made between you and the responsible person or legal entity; (2) is permissible on account of the legal regulations of the European Union or of the Member States, to which the responsible person or legal entity is subjected and these legal regulations contain reasonable measures for safeguarding your rights and freedom as well as defending your justified interests; (3) is made with your express consent. These decisions are certainly not allowed to be based on particular categories of personal data according to Art. 9, Para. 1 of the General Data-Protection Regulations, insofar as Art. 9, Para. 2, Part a or g of the General Data-Protection Regulations applies and reasonable measures have been taken to protect the rights and freedom as well as your justified interests. Regarding the cases that are mentioned in (1) and (3), the responsible person or legal entity will take reasonable measures in order to safeguard the rights and freedom as well as defend your justified interests, which at least include the right of access by a person who is acting for the responsible person or legal entity, as well as the right to present your own standpoint and the right to challenge or appeal against the decision.
10. Right of complaint to a supervisory authority Irrespective of another legal remedy according to administrative law or before a court of law, you are vested with a right of complaint to a supervisory authority, especially in the Member State of your residence or workplace or the place where the probable infringement occurred, if your opinion is that the processing of the personal data which affects or refers to you infringes the General Data-Protection Regulations. The supervisory authority to which the complaint has been made, will inform the plaintiff about the status and the results of the complaint as well as the possibility of seeking a legal remedy before a court of law according to Art. 78 of the General Data-Protection Regulations.
XI. Whistleblowing Unit
1. Reporting office
As part of our compliance management system, we have set up a whistleblower hotline. You have the possibility to use this hotline to provide information on facts that we have a legitimate interest in knowing about.
We have commissioned the law firm Heuking Kühn Lüer Wojtek as an outsourced internal whistleblower reporting office (hereinafter: "Whistleblower Reporting Office") to receive and review such information.
Reports to the Whistleblower Reporting Office can be submitted electronically via a web form on the website https://whistlefox.heuking.de/start/phw-gruppe/en, by telephone, by email, by fax, by post or in person.
Information can be provided anonymously to the whistleblowing office.
The use of the whistleblower hotline is voluntary.
Further details can be found in the Whistleblower 2023_Verfahrensordnung_Hinweisgebersystem_PHW_en.pdf
When you submit a report to the Whistleblower Reporting Office, it collects the information you provide. This includes your personal data, if you disclose it, and usually the names and other personal data of the persons you name in your report. For more information on how the Whistleblower Reporting Office handles your personal data, please see the Whistleblower Reporting Office's privacy policy at 2023_Verfahrensordnung_Hinweisgebersystem_PHW_en.pdf.
2. Categories of personal data we process
We receive a report from the whistleblower reporting office once they have reviewed the report, which may include the following personal data:
- Names and other personal data of the person providing the information only if the person providing the information does not wish to remain anonymous and agrees to their disclosure to us;
- Names and other personal data resulting from the notification of the persons named in the notification.
In the course of further clarification of the reported facts and further processing, further personal data may be collected and processed by us.
3. Purposes of data processing, legal basis
The purpose of processing the data provided to us by the whistleblower reporting office is to process and manage reports of compliance violations, violations of legal regulations and violations related to our business operations by employees, customers, suppliers and other third parties.
The legal basis for the processing of your personal data as a whistleblower is, if you disclose your identity and agree to your name being passed on to us by the whistleblower reporting office, your consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
The legal basis for the processing of the personal data of the persons affected by the notification is our legal obligation to detect and prevent breaches of the law and misconduct (Art. 6 para. 1 sentence 1 lit. c GDPR). The need to detect and prevent legal violations and misconduct exists insofar as we are legally obliged to do so in certain areas. Moreover, such violations can not only cause considerable economic damage, but also lead to a significant loss of reputation (Art. 6 para. 1 sentence 1 lit. f GDPR).
If the data subject is one of our employees, the legal basis for processing in the course of processing or further investigation of the reported facts is Section 26 (1) sentence 1 BDSG (processing for purposes of the employment relationship) or Section 26 (1) sentence 2 BDSG (processing for the detection of criminal offences) and, if applicable, our legitimate interest described above (Art. 6 (1) sentence 1 lit. f GDPR).
4. Disclosure to third parties
If the report concerns another company of our group of companies, we will pass on the contents of the report and the results of the further clarification of the facts to this company of our group of companies.
We may disclose the contents of the report and the results of further clarification of the reported facts to courts, authorities and other public bodies. This may be the case if we are legally obliged to disclose the data or if this is necessary for the assertion, exercise or defence of legal claims.
In the course of clarification measures and in the assertion, exercise or defence of legal claims, we also make use of the support of law firms or auditing companies where necessary.
In addition, we may involve (technical) service providers in the clarification and processing of the reported facts, who act for us as processors within the meaning of Art. 28 of the GDPR and are bound by instructions on the basis of corresponding agreements.
5. Duration of data storage
The personal data will be stored for as long as is necessary for the clarification of the report and any subsequent measures, or for as long as there is a legitimate interest on our part or as long as this is required by law. Afterwards, the data will be deleted in accordance with the legal requirements.
6. Transfer of data to third countries
As a rule, no personal data from notifications will be transferred to countries outside the European Union (EU) or the European Economic Area (EEA), unless the notification concerns a company in our group of companies that is based in a country outside the EU or the EEA. Countries outside the European Union or the European Economic Area may have different rules on the protection of personal data. When sharing information in this way, we comply with the relevant data protection regulations.
7. Rights of the data subject
Insofar as you are considered a data subject within the meaning of Art. 4 No. 1 of the GDPR, you have the following rights with regard to the processing of your personal data under the GDPR.
(1) Right to confirmation and information
Under the conditions of Article 15 of the GDPR, you have the right to request confirmation as to whether personal data relating to you are being processed and to obtain free information about the personal data stored about you and a copy of this information from the controller at any time.
(2) Right of rectification
Under the conditions of Article 16 of the GDPR, you have the right to demand the immediate correction of incorrect personal data concerning you. In addition, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration - taking into account the purposes of the processing.
(3) Right to erasure
Under the conditions of Art. 17 of the GDPR, you have the right to demand that the personal data concerning you be deleted without delay, provided that one of the reasons stated in Art. 17 of the GDPR applies and insofar as the processing is not necessary.
(4) Right to restrict processing
Under the conditions of Art. 18 of the GDPR, you have the right to request the restriction of processing if one of the conditions listed in Art. 18 of the GDPR applies.
(5) Right to data portability
Under the conditions of Art. 20 of the GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that the further conditions of Art. 20 of the GDPR are met.
(6) Right to withdraw consent
You have the right to revoke your consent to the processing of personal data at any time with effect for the future. Please send your revocation to the contact details above.
(7) Right of objection
Under the conditions of Article 21 of the GDPR, you have the right to object to the processing of your personal data at any time. If the conditions for an effective objection are met, we may no longer process the data.
(8) Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the requirements of the GDPR.