Introduction
We are pleased that you have contacted us. The ALTENLOH, BRINCK & CO.- Group (hereinafter “ABC Group”, “we” or “us”) attaches great importance to the security of users’ data and compliance with data protection regulations. We would like to inform you below about the processing of your personal data in the context of compliance reporting.
Responsible body and data protection officer
Responsible body:
ALTENLOH, BRINCK & CO. GmbH & Co. KG
Kölner Straße 71-77
58256 Ennepetal
Tel.: +49 2333 799-0
E-Mail: info@altenloh.com
External data protection officer:
DDSK GmbH
Tel.: 07542 949 21 -0
E-Mail: datenschutz@altenloh.com
Terms
The technical terms used in this data protection declaration are to be understood as legally defined in Art. 4 GDPR.
Information on data processing in the event of reports of compliance violations
We offer the possibility to contact our ombudsman for the purpose of reporting compliance breaches. In the event of a compliance report, we process the data of the reporting person to the extent necessary for processing the report. If facts are brought forward that concern a specific or identifiable person in our company, we process the data about the person affected by this notice to the extent that they have been communicated to us by the reporting person. You can find out about the further processing of your personal data by our ombudsman here.
Data we collect about you as the reporting person:
Categories of data subject: | Reporting person |
Categories of data: | Name, contact details (e.g. your address, email address, telephone or fax number), factual data relating to you, if any (depending on the individual case and the notification made, the data you provide may vary). |
Purposes of processing: | Processing of the report of a compliance breach on the basis of and in accordance with our legal or operational obligations, in particular under European and national whistleblower laws. Contacting you to obtain further information about the breaches you have reported. Evaluation of your information in connection with the reported violations. |
Legal grounds: | Legitimate interest in complying with internal requirements and ethical principles (Art. 6(1)(f) GDPR); compliance with a legal obligation (Art. 6(1)(c) GDPR in conjunction with Directive (EU) 2019/1937). |
Data we collect about you as a data subject of a tip-off:
Categories of data subject: | Person affected by a tip-off. |
Categories of data: | Name, contact details, if applicable further characteristics for the exact identification of the respective person in the company. |
Content of the report: | Details of the alleged violation of internal, national or European law, provided that these allow conclusions to be drawn about a natural person. |
Purposes of processing: | Processing of the notification of compliance violations on the basis of and in accordance with our legal and internal obligations, in particular on the basis of the relevant national and European laws. Contacting you to clarify the facts in order to obtain further information about the violations alleged in connection with you. Analysis of the facts and comparison with past reports. |
Legal grounds: | Legitimate interest in complying with internal requirements and ethical principles (Art. 6(1)(f) GDPR); compliance with a legal obligation (Art. 6(1)(c) GDPR in conjunction with Directive (EU) 2019/1937). |
Recipients of the data
Within the EU
Within our company, your data is received by those internal offices or organisational units that need it to achieve the above-mentioned purposes, in particular the investigation of reported compliance violations. In addition, within our group of companies, all findings and reports in connection with compliance reports are consolidated so that they can be checked for specific patterns across countries. Only facts without personal reference are used for this purpose. We store all reports in our database, which is also used for passing on data to official databases. We only pass on data in such a way that you cannot be directly identified from it (pseudonymised). We do not transfer any data beyond the cases listed above. We use a specialised service provider as a so-called ombudsman to record and process reports of compliance violations in accordance with legal and internal requirements. Your data is subject to the same security standards there as it is with us. The data may only be used within the framework of the contractual agreement, to the extent absolutely necessary and for the purposes specified by us.
Outside the EU
We transfer data to countries outside the EEA, so-called third countries. The transfer takes place for the fulfilment of our contractual and legal obligations or on the basis of consent previously given by the data subject. In addition, data is transferred in compliance with the applicable data protection laws, in particular with regard to Art. 44 et seq. GDPR, e.g. on the basis of adequacy decisions issued by the European Commission or other appropriate safeguards (e.g. standard data protection clauses).
Recipient overview
The following recipients receive your data in the context of the data processing described here:
Recipient: | DDSK GmbH, Dr.-Klein-Str. 29, 88069 Tettnang |
Third country transfer: | A third country transfer does not take place. |
Recipient: | Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA |
Third country transfer: | There is no adequacy decision for the transfer. The transfer is based on Art. 46 GDPR. The services used are provided by Microsoft, a US provider. Processing of personal data therefore also takes place in a third country. We have concluded a data processing agreement with the provider of the services that meets the requirements of Art. 28 GDPR. The transfer of data to a third country only takes place when the special requirements of Art. 44 et seq. GDPR are fulfilled. The present transfer of data to the USA is based on the standard data protection clauses and the contractual conditions amended following the Schrems II ruling. Specifically, the following provisions were made in the new contractual clauses by Microsoft:
• the right to compensation for the data subject whose data has been unlawfully processed and who has suffered material or immaterial damage as a result;
• the provision of information to the data subject if Microsoft has been legally obliged by a government order to hand over data to US security authorities;
• Microsoft’s obligation to seek legal recourse in the U.S. courts to challenge the government order to turn over the data. |
Storage period
We store the data provided to us in connection with the reporting of compliance breaches for as long as this is required for the fulfilment of our obligations under the national or European laws and regulations to which we are subject. In all other cases, we delete the personal data once the purpose has been fulfilled. In the case of reports of compliance violations, we delete the data 3 years after the processing of the matter has been completed, with deletion carried out at the end of the year. Data that we process about you on the basis of existing contractual relationships or other permissions remains unaffected by this storage period.
Automated decision-making
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
Legal basis
The relevant legal bases are primarily derived from the GDPR. These are supplemented by the national laws of the member states, which apply alongside or in addition to the GDPR where applicable.
Consent: | Art. 6(1)(a) GDPR serves as the legal basis for processing operations for which we have obtained consent for a specific processing purpose. |
Performance of a contract: | Art. 6(1)(b) GDPR serves as the legal basis for processing operations necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures carried out at the request of the data subject. |
Legal obligation: | Art. 6(1)(c) of the GDPR serves as the legal basis for processing which is necessary for compliance with a legal obligation. |
Vital interests: | Art. 6(1)(d) GDPR serves as the legal basis if the processing is necessary to protect the vital interests of the data subject or another natural person. |
Public interest: | Art. 6(1)(e) GDPR serves as the legal basis for processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. |
Legitimate interest: | Art. 6(1)(f) of the GDPR serves as the legal basis for processing necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. |
Rights of the data subjects
Right to information: | Pursuant to Art. 15 of the GDPR, data subjects have the right to request confirmation as to whether we are processing data relating to them. They can request information about this data as well as the further information listed in Art. 15(1) GDPR and a copy of their data. |
Right to rectification: | Pursuant to Art. 16 GDPR, data subjects have the right to request the correction or completion of data concerning them and processed by us. |
Right to erasure: | Pursuant to Art. 17 of the GDPR, data subjects have the right to request the immediate erasure of data concerning them. Alternatively, they can demand that we restrict the processing of their data in accordance with Art. 18 of the GDPR. |
Right to data portability: | Pursuant to Art. 20 of the GDPR, data subjects have the right to request that the data they have provided to us be made available and transferred to another controller. |
Right to complain: | Data subjects also have the right to complain to the supervisory authority responsible for them in accordance with Art. 77 GDPR. |
Right to object: | If personal data are processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, data subjects have the right to object to the processing of their personal data pursuant to Art. 21 GDPR, insofar as there are grounds for doing so that arise from their particular situation or the objection is directed against direct marketing. In the latter case, data subjects have a general right to object, which we implement without the data subject having to state a particular situation. |