Information about Data Protection
Background Information regarding the processing of your data
In the following, we would like to inform you about the collection, processing and use of personal data within the framework of the Whistleblower System of secunet Security Networks AG in accordance with Art. 13 and 14 GDPR. Your personal data is collected, processed and used as soon as you submit a report by e-mail, telephone call, letter, personal appearance at the Compliance Office or via the BKMS Whistleblower System. The legal requirements for the processing of personal data are derived from the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Please read this data protection information carefully before submitting a report.
Who is responsible for processing your data?
The party responsible within the meaning of the General Data Protection Regulation (GDPR) and other data protection laws applicable in the member states of the European Union is:
secunet Security Networks AG
Kurfürstenstraße 58
45138 Essen
Board of Directors: Axel Deininger (Chairman of the Board of Directors), Torsten Henn, Dr. Kai Martius, Jessica Nospers
Tel.: +49 (0) 201 5454-0
Fax.: +49 (0) 201 5454-1000
E-Mail: info@secunet.com
You can contact our data protection officer at the above address or at datenschutz@secunet.com
Which data or categories of data are affected by investigatory measures?
Use of the Whistleblower System is on a voluntary basis. When you submit a report through the Whistleblower System, we collect the following personal data and information:
- your name and contact details (business and/or personal), if you disclose your identity,
- the fact that you have made a report and in what form,
- further data on the report (e.g. time, content and other circumstances of the report),
- details of relevant facts including, if applicable, any attachments provided by you and, if applicable, privately described contents,
- whether you are employed by secunet,
- if applicable, names of persons and other personal data of the persons you name in your report,
- if applicable, special categories of personal data, insofar as your report contains such data and the clarification measures make it necessary to process the data in accordance with the law.
For what purposes do we process your data?
secunet Security Networks AG must ensure compliance with the applicable statutory provisions within the scope of its business operations. This applies to the requirements of criminal law, the German Administrative Offences Act (Ordnungswidrigkeitengesetz), tax law, data protection law, stock corporation law, labour law, antitrust law, the German Supply Chain Compliance Obligations Act (Lieferkettensorgfaltspflichtengesetz - LkSG) and other binding legal requirements. In the event of a breach of the aforementioned legal regulations, secunet Security Networks AG is threatened with fines or imprisonment, penalties, claims for damages or damage to its reputation. In order to counteract these, secunet Security Networks AG has taken suitable measures to ensure compliance with statutory regulations and internal rules within the company. One of these measures is the Whistleblower system/complaints procedure.
The Whistleblower system is used to receive and process information about violations of the law or internal regulations against secunet Security Networks AG in a secure and confidential manner. The purpose of data processing within the scope of the complaints procedure is the acceptance and clarification of serious suspected cases of violations of human rights and environmental due diligence obligations.
secunet Security Networks AG processes your data within the framework of the applicable laws, in particular for the following specific compliance and clarification purposes:
- review of the plausibility of tips
- if necessary, communication with the Whistleblower, e.g. in the event of further questions regarding the facts reported
- investigation of misconduct e.g. acts of fraud, corruption offences, cartel violations, tax offences, money laundering and other violations of the secunet Code of Conduct
- clarification of serious suspected cases of violations of human rights and environmental due diligence obligations
- implementation of legal obligations, e.g. §§ 30, 130 OWiG, §§ 93, 111 AktG (German Stock Corporation Act)
- prevention of future misconduct
- legal proceedings
- examination of relevance for other Group Companies
- implementation of duties of cooperation
- documentation of Whistleblower procedures
If the Compliance Office intends to further process the personal data for a purpose other than that for which the personal data were collected, it shall provide the data subject with information about that other purpose and any other relevant information in accordance with Art. 13(2) GDPR prior to the disclosure.
On what legal basis do we process your data?
The processing of personal data within the framework of the Whistleblower system is carried out on the basis of the legal provisions applicable to secunet (Art. 6 para. 1 lit. c GDPR), in particular Section 8 of the LkSG and Directive 2019/1937 of the EU or the Whistleblower Protection Act.
The processing of personal data within the framework of the Whistleblower system is based on secunet's legitimate interests in the detection and prevention of wrongdoing and the associated prevention of damage and liability risks for secunet Security Networks AG (Art. 6 para. 1 lit. f GDPR) in conjunction with Sections 30, 130 of the German Administrative Offences Act (OWiG) and Sections 93, 111 of the German Stock Corporation Act (AktG).
If a tip-off or complaint received relates to an employee of secunet Security Networks AG, the processing also serves to prevent criminal offences and other breaches of the law in connection with the employment relationship (Section 26 (1) BDSG).
Personal data of the Whistleblower will only be processed with his/her consent (Art. 6 para. 1 lit. a GDPR), which is given by the fact that the Whistleblower can also submit the information anonymously.
To whom will we transfer your data?
If you submit a report via secunet's Whistleblower system, your data will be forwarded directly to the Compliance Office for the purpose of processing and checking the report.
The Compliance Office examines the reported facts and, if necessary, carries out further clarification of the facts; the data is always treated confidentially. In the event that false information is knowingly provided with the aim of discrediting a person, the confidentiality of the data is always guaranteed; if necessary, the data will be disclosed to the competent authorities/agencies.
In certain cases secunet Security Networks AG has a legal obligation to inform the accused person of the accusations made against him or her. This is required by law if it is objectively determined that the provision of information to the accused person can no longer impair the concrete clarification of the information.
Your identity as a Whistleblower will not be disclosed - as far as legally possible - and it will also be ensured that no conclusions can be drawn about your identity (Art. 14 para. 3 lit. a GDPR).
If necessary to clarify the facts of the case, personal data may be transmitted to individually selected persons of secunet Security Networks AG or - if also affected by the facts of the case - to subsidiaries of secunet to the extent required. Any person who gains access to the personal data is obliged to maintain confidentiality. In the event of a corresponding legal obligation or in justified cases, data may be transmitted to law enforcement agencies, cartel authorities, other administrative authorities, courts and commissioned law firms and auditing companies.
How long do we store your data?
secunet Security Networks AG uses technical and organisational measures (TOMs) to protect the personal data to be managed through use of the Whistleblower system/complaints procedure from unauthorised access, disclosure, misuse, manipulation, loss and destruction during its collection, processing and use. Our security measures are continuously improved and adapted according to the state of the art.
Personal data is stored for as long as it is required for clarification and final assessment, for a justified interest of secunet or for a legal requirement. The duration of storage depends in particular on the criticality of the reported breach of duty in individual cases. Your data will be deleted in accordance with legal requirements as soon as it is no longer required to achieve the purpose of data processing, secunet has no legitimate interest in storing it or the legally prescribed storage period has expired.
To what extent are automated individual decision-making or profiling measures taken?
No automated decision-making including profiling pursuant to Art. 22 GDPR takes place within the framework of the Whistleblower System.
Third country transfers
Personal data is processed within the EEA and the EU. Should the Compliance Office intend to transfer the personal data to third countries, e.g. to clarify the facts or due to a legal obligation, this intention will be communicated to the data subject at the time of collection. The BKMS server is located in a high-security data centre in Germany, so that a transfer of data to a third country can be excluded.
What data protection rights do you have?
In the context of the processing of your personal data, you are also entitled to certain rights under the EU GDPR:
- the right to information according to Art. 15 GDPR - whether and which of your data is processed,
- the right to have inaccurate or incomplete data corrected in accordance with Art. 16 GDPR,
- the right to erasure of data under the conditions specified in detail in Art. 17 GDPR,
- the right to restriction of processing to specific purposes under the conditions set out in Art. 18 of the GDPR,
- the right to data portability under the conditions listed in Art. 20 GDPR,
- the right to withdraw consent at any time. Your revocation does not affect the lawfulness of the processing of the data processed until then on the basis of your consent,
- the right to object to certain data agreements referred to in Article 21 of the GDPR,
- the right to lodge a complaint with a supervisory authority pursuant to Art. 77 of the GDPR if you are of the opinion that the processing of your data violates the GDPR.
You can send this objection by e-mail or by post informally to the contact details listed under "Who is responsible for processing your data?".
Amendment of the data protection declaration
We reserve the right to change the data protection declaration in order to adapt it to changed legal situations or in the event of changes to the services and data processing.
secunet Security Networks AG