The responsible party for the data processing is the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH.
Friedrich-Ebert-Allee 32 + 36, 53113 Bonn
Dag-Hammarskjöld-Weg 1–5, 65760 Eschborn
Contact data of the data protection officer
Information on processing of collected data
The Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH is a public-benefit federal enterprise for international cooperation. We work as a federal enterprise under private law. Our aim is to achieve the development-policy objective of improving the living conditions of people worldwide and conserving the natural resources on which livelihoods depend.
The whistleblowing system is operated by a specialized company, Business Keeper AG, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH.
Personal data and information entered into the whistleblowing system are stored in a database of a high security data center operated by Business Keeper AG. Only authorised persons at GIZ can access the data. Business Keeper AG and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organizational measures. All data are stored encrypted with multiple levels of password protection.
Type of personal data collected
Use of the whistleblowing system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information:
- your name, if you choose to reveal your identity,
- whether you are employed at GIZ, and
- the names and other personal data of persons whom you list in your report, if applicable.
Purpose and legal foundation of the data processing
The whistleblowing system (BKMS® Incident Reporting) serves for securely and confidentially receiving, processing and managing reports concerning violations of the compliance rules of GIZ. The processing of personal data within the framework of the BKMS® Incident Reporting is based on the legitimate interest of our company in discovering and preventing abuses and thereby averting damage to GIZ, its employees and customers. The legal foundation for this processing of personal data is Article 6(1)(f) EU-GDPR.
Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the compliance organization and are always handled in confidence. All persons who receive access to the data are obligated to maintain confidentiality.
When processing reports, we will always ensure that the applicable data protection regulations are complied with.
Information about the accused
We are obligated in some circumstances to inform accused parties of any reports received against them as soon as the disclosure of this information no longer jeopardizes the investigation. Your identity as a whistleblower will not be disclosed unless we are legally bound to do so.
Rights of the data subject
Pursuant to European data protection legislation, you and the persons named in the report have a right of access, rectification, erasure, restriction of processing and objection to processing of your personal data. If the right to object to the processing of the personal data is invoked, the necessity of the stored data for the examination of a report will be evaluated immediately. Data that are no longer needed will be deleted at once. If you would like to make use of your right to object, please contact firstname.lastname@example.org.
You also have the right to lodge a complaint with the competent data protection authority. The competent authority is the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
Retention period of personal data
Personal data are retained for as long as necessary to clarify the situation and issue a final assessment of the report or until existing contractual and/or legal obligations are met, unless overriding statutory retention periods prevent erasure of the data. The same applies if you have revoked your consent.