Privacy

Purpose of data processing

In accordance with the obligations set out in the German Banking Act (KWG) and other financial supervisory regulations, the provisions of the Money Laundering Act (GwG), and the obligations under the Whistleblower Protection Act (HinSchG) and any obligations under the Supply Chain Due Diligence Act (LkSG), a digital internal reporting channel has been established in the form of the AdvoWhistle whistleblowing system. AdvoWhistle forms part of the Compliance Management System and the risk management framework.

Employees, clients, business partners or other reporting individuals can use AdvoWhistle to report suspected breaches of laws and internal rules securely and confidentially. This is intended to promote the detection and prevention of significant breaches of rules and to avert substantial risks and damage.


Responsibility

The person responsible for the processing of personal data in the context of a lawyer-client relationship is: Bette Westenberger Brink Rechtsanwälte PartGmbB, Große Langgasse 1A, 55116 Mainz, Germany, telephone +49 6131 287700, e-mail advowhistle@bette.legal (hereinafter referred to as "trusted lawyers").

Lawyers Stephanie Kappen and Christian Faber are responsible for the content. The company data protection officer of Bette Westenberger Brink Rechtsanwälte can be contacted at the above address and at datenschutz@bette.legal.

Technical Infrastructure

The trusted lawyers use the whistleblower system software of the technical service provider iComply GmbH, Große Langgasse 1A, 55116 Mainz, Germany.

Personal data and information entered into the system are stored in a database operated by the technical service provider in an ISO/IEC 27001 certified data centre. Access to the data is only possible for the explicitly authorised trusted lawyers. End-to-end encryption of all data, multi-level password protection, technical and organisational measures and regular certification ensure that technical service providers, the data centre operator and other third parties have no access to the data.

Legal basis

The legal basis for the processing of information that falls within the scope of the Whistleblower Protection Act is the legal obligation pursuant to Art. 6 para. 1 c) GDPR in conjunction with Section 10 of the Whistleblower Protection Act (HinSchG).

The legal basis for the processing of reports relating to breaches of internal rules is the overriding legitimate interest in detecting and preventing significant breaches of rules and, consequently, in averting associated risks and damage, in accordance with Article 6(1)(f) of the GDPR.

Where a report concerns human rights or environmental risks or the breach of human rights or environmental obligations, the processing of personal data is based on Article 6(1)(c) of the GDPR in conjunction with Section 8 of the LkSG.

Where a report concerns breaches of anti-money laundering regulations, the processing of personal data is based on Article 6(1)(c) of the GDPR in conjunction with Section 11a of the Money Laundering Act (GwG).

If a report concerns breaches of banking supervisory regulations such as the German Banking Act (KWG) and regulations based thereon, as well as other provisions whose compliance is monitored by the Federal Financial Supervisory Authority (BaFin) within the framework of financial market supervision (e.g. CRR Regulation, Market Abuse Regulation, SSM Regulation, PRIIPS Regulation, Prospectus Regulation), the Securities Trading Act (WpHG) and regulations based thereon, the processing of personal data within the framework of this whistleblowing system is based on Article 6(1)(c) of the GDPR in conjunction with the relevant financial supervisory regulations.

Use of the reporting portal

Use of AdvoWhistle is voluntary. When a report is submitted, AdvoWhistle collects the following personal data and information:

  • Person providing the report: name (if you disclose your identity), contact details (if you provide them).
  • Persons affected by the incident: first name and surname, information about incidents and suspected violations of the law and rules.
  • Witnesses and/or third parties named in the report (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details.


File attachments may be sent when submitting a report and when sending supplements. If anonymity is to be maintained, hidden personal data must be removed from the files before sending. If this is not possible, the text from these files alone can be copied into the digital report form, or printouts of these files can be sent to the postal address of the trusted lawyers.

Confidentiality

Incoming reports are received by a narrow circle of expressly authorised trusted lawyers and are always treated confidentially. The trusted lawyers examine the facts of the case and, if necessary, carry out further case-related clarification of the facts. Every person who receives access to the data is obliged to maintain confidentiality.

For further processing of incoming reports, it is regularly necessary to pass on information to the client. If agreed, the trusted lawyers will always obtain the express consent of the person providing the information before passing it on.

If the client is based outside the European Union and there are different regulations on the protection of personal data, the trusted lawyers will always ensure that the relevant data protection regulations are complied with when passing on reports.

Information of accused persons

In general, the trusted lawyers are not obliged to inform accused persons that they have received reports concerning them, as the professional secrecy exemption under Art. 14 para. 5 d) GDPR applies to lawyers. The content of the reports is collected and processed within the client relationship.

Data subject rights

Persons whose personal data are processed (data subjects) have the right to receive, upon request and free of charge, information about the personal data stored about them, their origin and recipients and the purpose of the data processing. If we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds arising from your particular situation (right of objection). 

In addition, data subjects have the right to rectification of inaccurate personal data, the right to erasure of personal data, the right to restriction of the processing of personal data and the right to data portability.

Data subjects also have the right to complain to a supervisory authority. For this purpose, data subjects may contact the supervisory authority of their usual place of residence or place of work or the confidential counsels.

Retention period of data

WHISTLEBLOWER PROTECTION ACT (HINSCHG)

The documentation of reports and the personal data contained therein are generally deleted three years after the conclusion of the procedure. In individual cases, the documentation may be kept longer in order to fulfil the requirements under the Whistleblower Protection Act (HinSchG) or other legal provisions, as long as this is necessary and proportionate. A final assessment is also stored for documentation purposes.


SUPPLY CHAIN DUE DILIGENCE ACT (LKSG)

The documentation of reports and the personal data contained therein are generally deleted seven years after the procedure has been completed. The documentation may be stored for longer in individual cases in order to fulfil the requirements of the German Supply Chain Due Diligence Act (LkSG) or other legal provisions, as long as this is necessary and proportionate. A final assessment is also stored for documentation purposes.