Data Protection

Privacy Information According to Articles 13, 14 of the GDPR

Notes on Data Processing for Whistleblowers using the digital reporting channel of Buchler GmbH.

1. General
1.1. Definitions

This privacy policy is based on the definitions of the GDPR, see: https://dsgvo-gesetz.de/art-4-dsgvo/.

1.2. Name and Address of the Controller
The entity responsible for processing your personal data is the internal reporting office for Buchler GmbH pursuant to §§ 12 ff. HinSchG[1], § 14(1) sentence 1 HinSchG, assigned to the ombudsman law firm:

RA Prof. Dr. jur. Hendrik Schneider
Law Firm for Economic & Medical Criminal Law
Taunusstraße 7, 65183 Wiesbaden
Tel. +49 (0) 611 950 081 10
E-Mail: info@hendrikschneider.eu

For further information about our law firm, please refer to the legal notice on our website: https://hendrikschneider.eu/impressum/.

2. Visiting the Whistleblower Portal - What personal data do we process about you?
2.1. Log Data
When you visit the whistleblower portal, no so-called server log files are stored. Consequently, none of your activities as a user of the reporting channel website, and no personal data such as your IP address, are stored.

2.2. Data from a Report
When you use the whistleblower channel, the data you transmit through it is processed, insofar as you provide or specify it. This may include the following personal data:

  • Names and contact details,
  • In connection with this: the fact that you have made a confidential report through this whistleblower system, 
  • Whether you are an employee of Buchler GmbH, 
  • The same and other personal data of the persons you mention in your report or subsequent communication.

The data submitted to the whistleblower system is encrypted in multiple layers and protected by strong authentication procedures. Only the responsible employees of the law firm RA Prof. Dr. jur. Hendrik Schneider have access to it.

2.3. Cookies
The digital whistleblower channel and the website use only the minimum number of technically necessary cookies. Cookies can contain data that allow the device used to be recognized. Sometimes cookies only contain information about specific settings that are not personal; however, cookies can also directly identify a user. A distinction is made between:

  • Session cookies, which are deleted as soon as you close your browser, and
  • Permanent cookies, which are stored beyond the individual session.

In terms of function, the reporting office only uses a cookie in the technical category. Such cookies are essential to navigate the website, use basic functions, and ensure the security of the website; they neither collect information about you for marketing purposes nor store which websites you have visited. Specifically, it is the following cookie:

  • _app_db_session: used to authenticate the user session to the user authentication gateway (Identity Server); it is deleted when the respective access session ends, i.e. when you log out of the reporting system.

3. For What Purposes and on What Legal Basis Are Your Personal Data Processed?
3.1. Under a specific legal authorization
We process your personal data according to Art. 6(1)(c) GDPR based on the specific legal authorization of § 10 HinSchG for the purpose of fulfilling the tasks of the internal reporting office according to § 13 HinSchG. These include:

  • Operation of reporting channels according to § 14(1), § 16 HinSchG,
  • Procedures for internal reports according to § 17 HinSchG (review of the report, maintaining contact with you as the whistleblower, requesting further information),
  • Follow-up measures according to § 18 HinSchG (e.g. internal investigations, conclusion of the procedure, forwarding to a competent authority for further investigations).

3.2. Based on legal obligations, Art. 6(1)(a) or Art. 9(2)(a) GDPR
The information you provide to us through the reporting channel contains personal data (see 2.2). We need to process this to comply with our legal obligations. We do this in addition to the legal authorization from 3.1 for the following purposes (§ 10 HinSchG):

  • Documentation of reports according to § 11 HinSchG
  • Confidentiality requirement according to § 8 HinSchG

3.3. As part of the balancing of interests, Art. 6(1)(f) GDPR
To the extent necessary in addition to the specific authorization or legal obligation from 3.1 and 3.2, we process your data to protect the legitimate interests of ourselves or third parties (e.g., Buchler GmbH or persons whose rights are endangered or violated).

3.4. Based on your consent, Art. 6(1)(a) or Art. 9(2)(a) GDPR
To the extent that you have given us consent to process personal data, the respective consent is the legal basis for the processing.

4. How do we receive your personal data?
We process your personal data that you provide directly as part of your report via the digital whistleblower system.

5. To whom do we pass on your personal data, if applicable?
Your personal data will only be disclosed in the case of a confidential report if this is absolutely necessary to fulfill our contractual and legal obligations or if the internal organization requires the disclosure. This only applies to persons responsible for receiving reports or taking follow-up measures, as well as persons supporting them in fulfilling these tasks (§ 8(1) No. 3 HinSchG). Within the law firm RA Prof. Dr. jur. Hendrik Schneider, appropriate measures that meet legal requirements have been taken to protect your personal data. Only attorneys have access to the reports.

Your personal data will not be disclosed to third parties unless you have consented or there is a legal obligation.

A legal obligation particularly exists under § 9(2) and (3) HinSchG. According to this, information about the identity of a reporting person or other circumstances that allow conclusions to be drawn about the identity of this person may be disclosed:

  • in criminal proceedings at the request of law enforcement authorities,
  • based on an order in a subsequent administrative procedure, including administrative fine procedures,
  • based on a court decision.

We will inform you in advance about the disclosure and the reasons for it. This does not apply if the law enforcement authority, the competent authority, or the court has informed us that the information would jeopardize the respective investigations, examinations, or court proceedings.

Furthermore, we use the services of Vispato GmbH, a service provider (processor according to Art. 28 GDPR), which we contractually bind to comply with the legal requirements of the GDPR and whose compliance we monitor. At no time does the service provider have access to the encrypted content of the report and communication, nor, therefore, to the personal data contained therein.

If your report does not fall under the HinSchG, the same principles apply based on a contractual agreement.

Further processing or transmission of the data may be necessary to prosecute criminal offenses or administrative offenses or to avert a serious impairment of the rights of a third party (§ 24(1) BDSG[2]).

6. Is data transferred to a third country or an international organization?
We are a law firm operating in the Federal Republic of Germany, and the data you provide through the reporting offices is processed only within the European Union, through the service provider mentioned in section 5.

7. How long will your personal data be stored?
Your personal data will be stored for the duration of the contractual or legal obligations and will be deleted in compliance with data protection regulations after the purpose has been fulfilled or at your request, in accordance with the relevant legal retention obligations of the controller (§ 11(5) HinSchG).

As a general rule, the documentation of your personal data must be deleted three years after the conclusion of the procedure.

The documentation can be retained longer to meet the requirements under the HinSchG or other legal provisions, as long as this is necessary and proportionate.

8. Is your personal data processed based on automated decisions?
The reporting channel does not use fully automated decision-making or profiling.

9. What rights do you have and whom can you contact?
You have so-called data subject rights, i.e., rights that you can exercise as an affected person in individual cases. They arise from the GDPR, and you can exercise them by contacting the law firm at info@hendrikschneider.eu.

9.1 Right of access 
You have the right to request information at any time about the personal data concerning you that we have stored.

9.2 Right to correction
If you find that incorrect data concerning you are being processed, you can request rectification. Incomplete data must be completed, taking into account the purpose of the processing.

9.3 Right to erasure
You have the right to request the deletion of your data if certain reasons for deletion exist. This is particularly the case if they are no longer necessary for the purpose for which they were originally collected or processed.

9.4 Right to restriction of processing
You have the right to restrict the processing of your data. This means that your data will not be deleted but will be marked to limit its further processing or use.

9.5 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to one of our controllers, in a structured, commonly used, and machine-readable format, as well as the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided.

9.6 Right to object to unreasonable data processing
You have a general right to object to lawful data processing that is carried out in the public interest, in the exercise of official authority, or on the basis of the legitimate interest of an entity.

9.7 Right to withdraw your consents
If the processing of your data is based on consent you have given us, you have the right to withdraw that consent at any time with effect for the future. You can send this declaration in writing (by post or fax) to the law firm RA Prof. Dr. jur. Hendrik Schneider, preferably via the reporting channel you used. No reasons need to be given. The processing of your data up to the point of withdrawal remains lawful.

9.8 Complaint to the supervisory authority regarding data protection violations
Regardless of your right to seek judicial assistance, you have the right to lodge a complaint with the data protection supervisory authority under Art. 77 GDPR if you believe that the processing of your data is not legally permissible. The complaint to the data protection supervisory authority can be made informally.

The responsible data protection supervisory authority for the controller is:

The Hessian Commissioner for Data Protection and Freedom of Information
P.O. Box 3163
65021 Wiesbaden
Telephone: +49 611 1408-0
E-Mail: poststelle@datenschutz.hessen.de

[1] The Whistleblower Protection Act is abbreviated as “HinSchG”.
[2] The Federal Data Protection Act is abbreviated as “BDSG”.