Joint data protection statement of DRK KV LG and Compliance Kompakt GmbH
With this data protection statement, we, Deutsches Rotes Kreuz Kreisverband Lüneburg e.V. (DRK KV LG), consisting of- Deutsches Rotes Kreuz Kreisverband Lüneburg e.V.,
- Deutsches Rotes Kreuz Kreisverband Lüneburg gemeinnützige Gesellschaft für soziale Einrichtungen mbH,
- Deutsches Rotes Kreuz Kreisverband Lüneburg gem. Pflege- und Betreuungsges. mbH,
and Compliance Kompakt GmbH (CK), would like to inform you, as a user of DRK KV LG`s internal whistleblowing system „easyline“ set up and operated by CK, what data we collect in the course of a report, for what purposes this data is processed, how your data is protected and to what extent it is transferred, what rights you have with regard to this data, as well as useful contact details. Personal data are collected and processed in accordance with applicable law, namely the General Data Protection Regulation (GDPR)), the current Federal Data Protection Act and the Whistleblower Protection Act (HinSchG).
1. Purpose of the whistleblowing system
The easyline whistleblowing system is an internal reporting channel in the sense of the European Whistleblowing Directive and the German Whistleblower Protection Act. Its purpose is to give DRK KV LG employees, business partners and customers, as well as other persons, who are in contact with DRK KV LG in the course of their professional activites, the opportunity to report facts that have come to their attention that indicate serious wrongdoing within this company. For this purpose, your data will be processed if you provide us with them. However, you can also remain anonymous when making a report - just as you can when communicating further with us. We recommend this for the reason stated under 2.2. Data processing
We only collect and process personal data that you disclose with your report and in subsequent messages. Your IP address is not accessible to us. Cookies are not set. Concerned are therefor your personal data (if you do not submit an anonymous report) and personal data of third parties, if they are disclosed in the context of your report.The personal data you disclose will be processed for the purpose of evaluating your report and the possible subsequent case handling by DRK KV LG, CK and case handlers commissioned by DRK KV LG and expressly obliged to maintain confidentiality.
a. Your personal data
We recommend that you submit your report anonymously.
Important notes in this context:
If you disclose your identity to us despite our recommendation, we will treat your data as strictly confidential. However, it cannot be ruled out that third parties concerned by your report must be informed in accordance with Art. 14 GDPR about the source of the data concerning them. It is therefore possible that data subjects will be informed of your identity. If applicable, this information must be provided within one month of the notification, as provided by law as a rule, but at the latest if it no longer seriously affects the clarification of the facts or necessary actions. You should take this into account when deciding whether to disclose your identity.We also cannot rule out the possibility that your data may have to be disclosed to a public authority or court within the framework of the applicable laws.
b. Personal data of third parties
Please limit the input of personal data of third parties to what is absolutely necessary for the evaluation and processing of your report.
The legal basis for the processing the personal data of third parties, which is essential for the evaluation of your report and the possible subsequent case handling, may be the legitimate interest of DRK KV LG in being able to investigate internal grievances (Art. 6 para. 1 lit. f GDPR) and Art. 6 para. 1 lit. c GDPR / § 10 HinSchG.
3. Communication with you
Your report and any subsequent communication with you are stored in encrypted form in the IT system and are not accessible to unauthorized persons. The sole key for protected communication consists of a case ID and password, which are generated by the system and communicated to you after your report. You are requested to log in with your password and the case ID assigned to your report at intervals that are not too long in order to take note of messages from our case handlers and to be able to answer questions. Files (text files, PDFs and photos) can be uploaded to the platform. They are also stored with encrypted content.DRK KV LG and CK have password-protected access to communicate with you.
For necessary internal investigations of the facts, external case handlers commissioned by DRK KV LG and expressly obliged to maintain confidentiality will, if necessary, be informed about the content of the report and the subsequent communication with the respective whistleblowers.
4. Data security and data transmission
We ensure the security of the data we collect and process by taking technical and organizational measures to ensure this protection. Only DRK KV LG, CK or, if applicable, case handlers designated by DRK KV LG have access to the content of the reports. This can be an external law firm or a case handler in the company concerned who is expressly obliged to maintain confidentiality and is investigating free from conflicts of interest. The content of your reports is immediately encrypted and stored on the platform in this way. Any subsequent communication with you will also be encrypted. Decryption only takes place when you log in with your case ID + password or when a case handler of DRK KV LG or CK logs in.The IT supervisor of the platform and the host do not have access to the contents of the report or the communication with you at any time. The servers on which the reports are stored are located in the Federal Republic of Germany. The processing of personal data by the IT administrator and the host is carried out on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for commissioned processing in accordance with Art. 28 GDPR.
The data contained in the notification and further communication will not be transferred outside the EU/EEA at any time.
5. Deletion of your data
If you have transmitted your personal data to us in the dialog, this data will be stored for as long as is necessary for the clarification and final assessment of the reported facts. After the processing of the reported information has been completed, this data will be deleted in accordance with the legal requirements.6. Our distribution of roles
Together we form the internal reporting office of DRK KV LG, whereby your report will first be received and processed by CK. If necessary, CK will also take over further communication with you. Within the scope of the internal reporting office, we will jointly analyze the content of the report and take any necessary follow-up measures.DRK KV LG and CK will fulfill your rights and the information obligations towards you. If members of DRK KV LG are affected by the report, their rights and the information obligations towards them will be fulfilled by DRK KV LG.
7. Your rights as a data subject of the processing of your personal data
You have the following rights under applicable data protection laws:- Right to information about your personal data stored by us
- Right to erasure and restriction of processing of your personal data
- Right to rectify your personal data
- Right to data portability
- Right to complain to a supervisory authority
- You can revoke your consent to the collection, processing and use of your personal data at any time with effect for the future.
datenschutz@compliancekompakt.de or
Herr Lukas Biniossek
Betrieblicher Datenschutzbeauftragter (GDDcert-EU)
Tel.: 02224 988290
E-Mail: l.biniossek@sco-consult.de
8. Responsible for data protection
Responsible for data protection are jointlyDeutsches Rotes Kreuz
Kreisverband Lüneburg e.V.
Schnellenberger Weg 42
21339 Lüneburg
Compliance Kompakt GmbH
Stresemannstraße 1
21335 Lüneburg
and – if the report concerns the following company –
Deutsches Rotes Kreuz
Kreisverband Lüneburg
gemeinnützige Gesellschaft für soziale Einrichtungen mbH
Schnellenberger Weg 42
21339 Lüneburg
Deutsches Rotes Kreuz
Kreisverband Lüneburg
Gem. Pflege- und Betreuungsges. mbH
Röntgenstraße 34
21365 Adendorf
9. Right of appeal
If you consider that the processing of personal data concerning you violates the GDPR, the BDSG or the Whistleblower Protection Act, you have the right to lodge a complaint at a competent data protection supervisory authority.Status: 08/2024