Joint data protection statement of CLAGE and Compliance Kompakt GmbH

With this data protection statement, we, CLAGE GmbH (CLAGE) and Compliance Kompakt GmbH (CK), would like to inform you, as a user of CLAGE`s internal whistleblowing system „easyline“ set up and operated by CK, what data we collect in the course of a report, for what purposes this data is processed, how your data is protected and to what extent it is transferred, what rights you have with regard to this data, as well as useful contact details. Personal data are collected and processed in accordance with applicable law, namely the General Data Protection Regulation (GDPR)), the current Federal Data Protection Act and the Whistleblower Protection Act (HinSchG).

1. Purpose of the whistleblowing system

The easyline whistleblowing system is an internal reporting channel in the sense of the European Whistleblowing Directive and the German Whistleblower Protection Act. Its purpose is to give CLAGE employees, business partners and customers, as well as other persons, who are in contact with CLAGE in the course of their professional activites, the opportunity to report facts that have come to their attention that indicate serious wrongdoing within this company. For this purpose, your data will be processed if you provide us with them. However, you can also remain anonymous when making a report - just as you can when communicating further with us. We recommend this for the reason stated under 2.

2. Data processing

We only collect and process personal data that you disclose with your report and in subsequent messages. Your IP address is not accessible to us. Cookies are not set. Concerned are therefor your personal data (if you do not submit an anonymous report) and personal data of third parties, if they are disclosed in the context of your report.

The personal data you disclose will be processed for the purpose of evaluating your report and the possible subsequent case handling by CLAGE, CK and case handlers commissioned by CLAGE and expressly obliged to maintain confidentiality.

a. Your personal data

We recommend that you submit your report anonymously.

Important notes in this context:

If you disclose your identity to us despite our recommendation, we will treat your data as strictly confidential. However, it cannot be ruled out that third parties concerned by your report must be informed in accordance with Art. 14 GDPR about the source of the data concerning them. It is therefore possible that data subjects will be informed of your identity. If applicable, this information must be provided within one month of the notification, as provided by law as a rule, but at the latest if it no longer seriously affects the clarification of the facts or necessary actions. You should take this into account when deciding whether to disclose your identity.

In case of disclosure of your own personal data, your own consent pursuant to Art. 6 I a GDPR forms the legal basis for our processing. You can revoke this consent pursuant to Art. 7 GDPR, but this is ineffective insofar as the data was disclosed with your consent and the aforementioned information of affected third parties has already taken place.

We also cannot rule out the possibility that your data may have to be disclosed to a public authority or court within the framework of the applicable laws.

b. Personal data of third parties

Please limit the input of personal data of third parties to what is absolutely necessary for the evaluation and processing of your report.

The legal basis for the processing the personal data of third parties, which is essential for the evaluation of your report and the possible subsequent case handling, is provided by the legitimate interest of CLAGE to be able to investigate and correct possible internal grievances (Art. 6 I 1 f GDPR).

3. Communication with you

Your report and any subsequent communication with you are stored in encrypted form in the IT system and are not accessible to unauthorized persons. The only key to protected communication consists of a case ID and a password generated by the system after your report and communicated to you. You are requested to log in with your password and the case ID assigned to your report at intervals that are not too long in order to take note of messages from our case handlers and to be able to answer questions. Files (text files, PDFs and photos) can be uploaded to the platform. They are also stored with encrypted content.

CLAGE and CK have password-protected access to communicate with you.

For necessary internal investigations of the facts, external case handlers commissioned by CLAGE and expressly obliged to maintain confidentiality will, if necessary, be informed about the content of the report and the subsequent communication with the respective whistleblowers.

4. Data security and data transmission

We ensure the security of the data we collect and process by taking technical and organizational measures to ensure this protection. Only CLAGE, CK or, if applicable, case handlers designated by CLAGE have access to the content of the reports. This can be an external law firm or a case handler in the company concerned who is expressly obliged to maintain confidentiality and is investigating free from conflicts of interest. The content of your reports is immediately encrypted and stored on the platform in this way. Any subsequent communication with you will also be encrypted. Decryption only takes place when you log in with your case ID + password or when a case handler of CLAGE or CK logs in.

The IT supervisor of the platform and the host do not have access to the contents of the report or the communication with you at any time. The servers on which the reports are stored are located in the Federal Republic of Germany. The processing of personal data by the IT administrator and the host is carried out on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for commissioned processing in accordance with Art. 28 GDPR.

The data contained in the notification and further communication will not be transferred outside the EU/EEA at any time.

5. Deletion of your data

If you have transmitted your personal data to us in the dialog, this data will be stored for as long as is necessary for the clarification and final assessment of the reported facts. After the processing of the reported information has been completed, this data will be deleted in accordance with the legal requirements.

6. Our distribution of roles

Together we form the internal reporting office of CLAGE, whereby your report will first be received and processed by CK. If necessary, CK will also take over further communication with you. Within the scope of the internal reporting office, we will jointly analyze the content of the report and take any necessary follow-up measures.

CLAGE and CK will fulfill your rights and the information obligations towards you. If members of CLAGE are affected by the report, their rights and the information obligations towards them will be fulfilled by CLAGE.

7. Your rights as a data subject of the processing of your personal data

You have the following rights under applicable data protection laws:
  • Right to information about your personal data stored by us
  • Right to erasure and restriction of processing of your personal data
  • Right to rectify your personal data
  • Right to data portability
  • Right to complain to a supervisory authority
  • You can revoke your consent to the collection, processing and use of your personal data at any time with effect for the future.
If you wish to exercise your rights, please send your request to the following e-mail address:

datenschutz@compliancekompakt.de or

datenschutz@clage.de

8. Responsible for data protection

Responsible for data protection are jointly

CLAGE GmbH
Pirolweg 4
21337 Lüneburg

Compliance Kompakt GmbH
Walter-Heinze-Str. 23
04229 Leipzig

9. Right of appeal

If you consider that the processing of personal data concerning you violates the GDPR, the BDSG or the Whistleblower Protection Act, you have the right to lodge a complaint at a competent data protection supervisory authority.




Status: 06/2023