Privacy Policy

Data protection information on the whistleblower system

Information in accordance with Art. 13 EU GDPR

Dear informant,

DE-VAU-GE Gesundkostwerk Deutschland GmbH (hereinafter “DE-VAU-GE”, “company”, “we” and “us”) attaches great importance to the protection of your personal data. This data protection notice informs you about the processing of personal data within the framework of the DE-VAU-GE whistleblower system (hereinafter referred to as “wbs” or “internal reporting system”) and your rights in connection with this data processing.


The following information shows you how we handle your personal data as part of the internal reporting system for the prevention of violations of applicable law or company guidelines (e.g. fraud or corruption as well as other criminal offences) and/or for the detection of such violations.


The term personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). Personal data therefore includes, for example, first and last name, address, date of birth, email addresses or telephone numbers.

DE-VAU-GE informs you as follows:

1. name and address of the data controller

The controller within the meaning of the General Data Protection Regulation and other data protection laws applicable in the Member States of the European Union is

DE-VAU-GE Gesundkost Deutschland GmbH

Lüner Rennbahn 18

21339 Lüneburg

Phone: +49 (0) 4131 – 98 50 1

E-mail: info@de-vau-ge.de

Website: www.de-vau-ge.de

The rights and obligations of the joint controllers are agreed between them in accordance with Art. 26 GDPR. The respective controller is responsible for the duty to provide information. If you have any questions regarding data protection or the exercise of your rights (see below), please contact the contact person named below.

2. name and address of the data protection officer

Our data protection officer can be contacted as follows for all matters relating to data protection:

DE-VAU-GE Gesundkost Deutschland GmbH

– Data Protection Officer –

Lüner Rennbahn 18

21339 Lüneburg

Phone: +49 (0) 4131 – 98 50 1

E-mail: datenschutz@de-vau-ge.de

3. categories of personal data

The following data is processed as part of the whistleblower system: details of the accused person (e.g. surname, first name, title, contact details, position and employment details), details of the (alleged) breaches of conduct and the relevant facts. As the DE-VAU-GE reporting procedure stipulates that reports can be made anonymously, no personal data is collected unless the whistleblower states otherwise. Otherwise, personal data such as the name of the reporting person, their contact details and, if applicable, the circumstances of their observation may be considered.

4. categories of personal data and purpose of the data processing

The purpose of the wbs is to receive and process reports from our employees and external persons on the behaviour of employees that is unlawful or contrary to the aim or purpose of legal provisions in a secure and confidential manner.

The following categories of your personal data may be collected and subsequently processed by us via the whistleblower system:

  • Information for the personal identification of the whistleblower (unless the report is made anonymously), such as your surname and first name, professional position, place of employment and your professional or private contact details and/or the corresponding data of the employees affected by your report,
  • the fact that you have used our whistleblowing system for the purposes of a report
  • reported behaviour of the employees concerned,
  • other (possibly special) categories of personal data, insofar as these are entered into the whistleblower system as part of the reports or in the subsequent investigation procedure
  • company documents such as performance records, travel expense reports, logbooks, invoices and similar documents, which may also contain personal data, insofar as they are required to clarify the reported facts,
  • information on behaviour when using company communication systems such as metadata, log data or the content of company e-mails, insofar as they are required to clarify the reported facts.

We process the aforementioned personal data in particular for the following purposes:

  • Checking whether the information provided to us appears plausible and suggests a violation of laws or other legally binding requirements or breaches of duty under the employment contract,
  • if necessary, further clarification of the reported facts with regard to any violations of laws or other legally binding requirements or breaches of duty under employment contracts,
  • if necessary, further clarification for the purpose of exonerating wrongly suspected employees,
  • if necessary, for the defence against imminent economic and other disadvantages and for the assertion and/or enforcement of our company’s rights and
  • where applicable, the fulfilment of any obligations to cooperate on the part of our company in the context of investigations by law enforcement or other authorities.

5. legal basis for data processing

The legal basis for the processing of your personal data is Art. 6 para. 1 lit. c GDPR in conjunction with Art. 17 of Directive (EU) 2019/1937 (“EU Whistleblower Directive”) and any national provisions implementing the EU Whistleblower Directive.

The processing of your personal data in the whistleblower system is also carried out on the legal basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in conjunction with any applicable provisions of national law for the prevention and detection of criminal offences, breaches of duty and other violations as well as our legitimate interest in the associated prevention of damage and liability risks for our company. We have a legitimate interest in the processing of personal data for the prevention and detection of offences within our company, to check the legality of internal processes and to safeguard the integrity of our company.

Insofar as special categories of personal data, such as information on racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, health data or data on sex life or sexual orientation, are entered into the whistleblower system as part of the reports or in the subsequent investigation procedure, we process these additionally on the legal basis of Art. 9 para. 2 lit. b GDPR in conjunction with Art. 9 para. 2 lit. f GDPR and applicable national regulations.

6. recipients or categories of recipients of the personal data

DE-VAU-GE generally ensures that your personal data is only accessible to a limited number of authorised persons who need to know this data for the provision of the above-mentioned processing purposes.

If necessary to clarify the facts of the case, personal data may be forwarded to individual, carefully selected persons of DE-VAU-GE or – if they are also affected by the facts in question – to subsidiaries of DE-VAU-GE to the extent necessary. Every person who receives access to the data is obliged to maintain confidentiality.

If the processing of the report leads to the result that an offence has been committed, personal data of the accused or, in the case of non-anonymous information, also of the whistleblower may be transmitted to law enforcement authorities or courts as well as to lawyers or consultants commissioned by us for the purposes of criminal prosecution.

Insofar as it is necessary for the assertion and enforcement of claims of our company and no interests of data subjects worthy of protection conflict with this, personal data may also be transferred to opposing parties or insurers.

It may also be necessary to transfer data to other authorities.

If a transfer of your personal data to a court or authority in a non-European country without an adequate level of data protection is necessary and legally permissible for the assertion, exercise or defence of legal claims of our company, this can be done on the basis of Art. 49 para. 1 sentence 1 lit. e GDPR without the need for additional measures to ensure an adequate level of data protection.

In certain cases, we are obliged under data protection law to inform the person(s) named in your report of the allegations made against them. This is required by law, for example, if it is objectively established that the provision of information to this person(s) can no longer affect the clarification of the reported facts. If you have not submitted your report anonymously, we will not disclose your identity as a whistleblower – to the extent permitted by law – and we will also ensure that no other conclusions can be drawn about your identity. Please note that in the event of a knowingly false report with the intention of discrediting another person, we may be obliged to disclose your identity to that person.

Otherwise, your personal data will only be passed on to third parties (outside our company) in cases where this is necessary for the performance of the activity, e.g. to external auditing companies for the performance of an audit. Here too, data is always passed on and processed for a specific purpose on a legal basis. 

7. duration of data storage

In principle, documentation must be stored in accordance with the respective national regulation implementing the EU Whistleblower Directive, based on Art. 18 of that directive, and will be deleted by us after the conclusion of the procedure, unless the initiation of further legal steps requires further storage.

Personal data will be retained for the period necessary to clarify and finalise the assessment of the report. Once the investigation has been completed, the personal data will be deleted within a reasonable period, normally 1 month, and in accordance with the legal requirements. In the event that judicial and/or disciplinary proceedings are initiated, the data may be stored until the conclusion of the proceedings or until the expiry of the time limits for legal remedies. Personal data in connection with unfounded reports will be deleted immediately. The documentation will be deleted 3 years after the proceedings have been concluded, in accordance with Section 11 (5) HinSchG. The documentation may be kept for longer in order to fulfil the requirements of the HinSchG or other legal provisions, as long as this is necessary and proportionate.

8. data security

DE-VAU-GE uses technical and organisational measures to protect the personal data to be managed through the use of the wbs from unauthorised access, disclosure, misuse, manipulation, loss and destruction during its collection, processing and use. Service providers used by DE-VAU-GE are obliged to the same extent.

9. automated decision-making

No automated decision-making pursuant to Art. 22 GDPR takes place within the framework of the wbs.

10. rights of data subjects

With regard to the processing of your personal data by us, you can contact us, for example, in writing at the above address or by e-mail to the above e-mail address in order to exercise the following rights:

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. To exercise the aforementioned rights, you can contact the offices listed under point 1. If you have given us your consent to data processing, you can revoke this at any time without any formal requirements. If we process your data to protect legitimate interests, you can object to this processing at any time for reasons arising from your particular situation. To do so, you can contact the office named in section 1 or 2. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

11. employees of our company

Employees of our company receive further information about the processing of their personal data in the data protection information for employees.