Privacy Notice for Whistleblowers
Below, we inform you about the collection of personal data when using our digital whistleblower system. Personal data, within the meaning of Article 4 No. 1 of the EU General Data Protection Regulation (GDPR), is any information that can be related to you personally, such as name, address, email addresses, and user behavior.
Who is responsible for data processing, and who is the data protection officer?
The responsible party for processing personal data according to Article 4 No. 7 GDPR is:
Cabka Group GmbH
Wintersteinstr. 22
10587 Berlin
Germany
Phone: +49364846450
Email: info@cabka.com
You can reach our data protection officer at:
SLK Compliance Services GmbH
Christian Krösch
Königsbrücker Str. 76
01099 Dresden
Phone: +49 351 89676360
Email: kroesch@slk-compliance.de
Collection and Processing of Personal Data
Visiting the Whistleblower System
When you merely visit the whistleblower system, we collect only the personal data that your browser transmits to our server and that is technically necessary for displaying our website and ensuring stability and security. These are the IP address, your browser's request, and the time of this request. In addition, the status and the amount of data transmitted in the context of this request are recorded. We also collect product and version information about the browser and the operating system of your system. We further record the website from which our page was accessed.
The temporary storage of the IP address by the system is necessary to enable the delivery of the website to your browser. For this purpose, your IP address must remain stored for the duration of the session. The processing of the other data takes place to ensure the functionality of the website. Furthermore, the data serve to optimize the website and to ensure the stability and security of our systems. The legal basis is Article 6(1)(f) GDPR, based on a balancing of our aforementioned legitimate and overriding interests.
We transmit the collected data to external service providers (hosting providers, IT service providers, web agency) that support us in processing the data for the above-mentioned purposes.
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. In the case of collecting data for providing the website, this is the case when the respective session has ended.
Cookies
When using the whistleblower system, we may collect information through the use of cookies or similar technologies ("cookies"). Cookies are small text files that are stored on your end device by your browser to store certain information. If you visit our website again later with the same end device, the information stored in cookies will subsequently be sent back to our website or another website to which the cookie belongs. Through the stored and returned information, the respective website recognizes that you have already accessed and visited it with the browser of your end device. Here, only the cookie itself is identified on your end device.
We use so-called strictly necessary cookies, without which you could not use our whistleblower system as intended or without which we could not provide our whistleblower system to you. These include, for example, functions such as filling and saving user entries as well as security features. The use of these cookies occurs without your consent. However, you have the option to deactivate these cookies via your browser settings. The legal basis for processing personal data using strictly necessary cookies is Article 6(1)(c) GDPR or Article 6(1)(f) GDPR, based on a balancing of our legitimate and overriding interests in the technically smooth provision of our website and the services offered via it.
You can delete all stored cookies at any time via your browser. In addition, you can configure your browser to prevent websites from storing and reading cookies.
Whistleblower System
We process your personal data for the purpose of fulfilling the legal requirements of the Whistleblower Protection Act, particularly concerning
- the establishment and operation of the internal reporting office and reporting channels,
- the execution of the reporting procedure, examination and forwarding of tips,
- the implementation of follow-up measures and communication with whistleblowers,
- documentation of the reporting procedure according to legal requirements, and
- the security of the established reporting channels.
Among the processed categories of personal data of whistleblowers and persons who are the subject of a report, as well as other individuals affected by a report or disclosure, are especially contact data (e.g., name, email address, phone number), content data (e.g., tips about an incident in the form of text entries, photos, voice recordings, videos, documents) and authentication data in the digital whistleblower system (e.g., identifier, password).
Your personal data as a whistleblower is collected from you when you submit a report, and providing it is voluntary, with the exception of the tip itself. The provision of personal data is neither legally nor contractually required, nor are you obliged to provide it. There are no consequences for you if you do not provide it.
The processing of the above-mentioned data of whistleblowers as well as possible other individuals mentioned in the report is based on Article 6(1)(c) GDPR in conjunction with § 10 German Whistleblower Protection Act (HinSchG) for fulfilling a legal obligation, insofar as the report falls within the scope of the German Whistleblower Protection Act according to §§ 1, 2 HinSchG. If the processing of special categories of personal data is required to fulfill the tasks of the internal reporting office, this is allowed according to Article 6(1)(c), 9(2)(g) GDPR in conjunction with § 10 HinSchG, § 22(2)(2) BDSG. Otherwise, the legal basis for processing personal data is Article 6(1)(f) GDPR. We have a legitimate interest in reviewing, evaluating, and documenting the incoming reports as well as in conducting follow-up measures.
In the context of reviewing your tip and in follow-up measures, it may be necessary or desired by you to also transmit personal information about a reported incident to the competent authorities.
We otherwise pass on your personal data to external service providers (e.g., IT service providers, providers, software service providers) for fulfilling the purposes described in this privacy statement. We are legally obligated to provide information upon request to certain public entities. These are primarily law enforcement agencies, authorities that prosecute offenses punishable by fines, and the tax authorities.
We delete your personal data as soon as it is no longer required for the purposes mentioned above. According to § 11 HinSchG, your data stored with us will be deleted three years after the conclusion of the procedure. Your data may be stored longer to meet the requirements of the Whistleblower Protection Act or other legal regulations, as long as this is necessary and proportionate. This may particularly be the case if internal investigations are ongoing or administrative and/or court proceedings related to the subject matter of the report have not yet been concluded. Moreover, personal data may be retained for the period during which claims can be asserted against us (statutory limitation period of three or up to thirty years).
What data protection rights can you assert as a data subject?
You have the right to access (Article 15 GDPR), correction (Article 16 GDPR), deletion (Article 17 GDPR), or to restriction of processing (Article 18 GDPR), as well as to objection (Article 21 GDPR) and data portability (Article 20 GDPR). You also have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR).
If we process your data to protect legitimate interests, you can object to this processing for reasons arising from your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.