Information pursuant to Art. 13 of the General Data Protection Regulation (DSGVO) 

on the processing of personal data within the framework of the whistleblower system

In the following, we inform you about the processing of personal data by Gurtec GmbH (hereinafter “Gurtec”) in the context of the whistleblower system as well as about the associated data protection regulations, claims and rights.  

Gurtec uses web-based software, a cloud solution hosted in Germany, which assists in the detection of operational wrongdoing. By implementing such a system, criminal, illegal, morally reprehensible, or unfair actions can be detected and prevented at an early stage. As a result, incalculable material and immaterial damages as well as reputational damage can be averted.

  1. Purpose of data processing

Gurtec processes the personal data of the whistleblower, unless the whistleblower has submitted the information anonymously, as well as the personal data of the accused person(s), such as name and other communication and content data, solely for the purpose of receiving and following up on tips about criminal, illegal, morally reprehensible or unfair acts in a secure and confidential manner.  

  2. Categories of data processing within the whistleblower system

  • Information about the whistleblower (unless he/she wishes to remain anonymous) and the accused person(s), such as
      o First and last name
      o Function/Title
      o Contact details
      o If applicable, other personal data related to the employment relationship
  • Personal information identified in the reconnaissance team reports (see paragraph 4), including details of the allegations made and evidence supporting those allegations
  • Date and time of calls (when the tip is received via the telephone hotline)
  • Any other information identified in the results of the investigation and in the further proceedings following the report, e.g., information on criminal conduct or data on unlawful or improper conduct, to the extent reported

  3. Legal basis of data processing

 

The collection of the personal data of the whistleblower(s) in the case of non-anonymous whistleblowing is based on consent to the processing, given by transmitting the data (implied consent) (Art. 6 para. 1 sentence 1 lit. a DSGVO).

The collection, processing and transfer of personal data of the persons named in the notification serves to protect the legitimate interests of Gurtec (Art. 6 para. 1 sentence 1 lit. f DSGVO). It is a legitimate interest of Gurtec to detect, process, stop and sanction violations of the law and serious breaches of duty by employees centre-wide, effectively and with a high degree of confidentiality, and to avert associated damages and liability risks for Gurtec (Sections 30, 130 OWiG). Directive (EU) 2019/1937 (“EU Whistleblower Directive”) or the future Whistleblower Protection Act (currently in draft form) also require the establishment of a whistleblower system in order to give employees and third parties a suitable opportunity to provide protected information about legal violations within the company.

The disclosure of personal data to other recipients in the event of non-anonymous reporting may be necessary due to a legal obligation (Art. 6 (1) sentence 1 letter c DSGVO).  

 

  4. Recipients of the data and third country transfer (EU/EEA foreign countries)

All personal data collected via the web-based software is only made available to those persons who have a legitimate need to process this data due to their function.   

 

Gurtec’s Compliance Department is tasked with the initial processing of incoming tips.   

If the tip is received via the telephone hotline, the tip is recorded in the whistleblower system, while preserving the anonymity of the whistleblower.  The hotline staff is bound to secrecy (see below).  

In some cases, the Company is required to disclose the data to authorities (such as those having legal or regulatory jurisdiction over the employer, law enforcement agencies and legal bodies) or external advisors (such as auditors, accountants, lawyers).  

If the whistleblower has provided his or her name or other personal data (non-anonymous whistleblower), the identity will not be disclosed – to the extent legally possible – and it will also be ensured that no conclusions can be drawn about the identity of the whistleblower.  

If personal data is processed by external service providers, this is generally done on the basis of data processing agreements in accordance with Art. 28 DSGVO. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR and that all persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality. The whistleblower system is operated on our behalf by LegalTegrity GmbH, Platz der Einheit 2, 60327 Frankfurt/Main.

There is no transfer of personal data to third countries (EU/EEA foreign countries).

  5. Duration of processing, deletion of data

The personal data will be kept in the respective proceedings for as long as it is required for the clarification and final assessment, or for as long as a legitimate interest of Gurtec or a legal requirement exists. Afterwards, this data will be deleted in accordance with the legal requirements. The duration of storage depends in particular on the severity of the suspicion and the reported possible breach of duty.

  6. Technical notes on the use of the whistleblower system

Communication between your computer and the whistleblower system takes place via an encrypted connection (SSL). The IP address of your computer is not stored during the use of the whistleblower system. To maintain the connection between your computer and the whistleblower system, a cookie is stored on your computer, which only contains the session ID. The cookie is only valid until the end of your session and becomes invalid when you close the browser.