Data Protection Notice
The Fraunhofer-Gesellschaft takes data protection and confidentiality very seriously and adheres to the provisions of the EU General Data Protection Regulation (GDPR) as well as to applicable national data protection rules. Please read this data protection notice carefully before submitting a report.
Purpose of the Fraunhofer reporting system and legal basis
The Fraunhofer reporting system (BKMS® system) is used to securely and confidentially receive, process and manage reports on certain criminal offenses as well as on violations of the law, major breaches of internal regulations and corruption. The BKMS® system processes personal data to comply with the obligations imposed by the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG) and to allow Fraunhofer to pursue its legitimate interest in the detection and prevention of wrongdoing and thus in averting damage to the Fraunhofer-Gesellschaft, its employees and customers. The legal basis for this processing of personal data is set forth in section 10 HinSchG as well as article 6 (1) (f) GDPR and article 6 (1) (c) GDPR in conjunction with section 8 of the German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz, LkSG).
Further processing of data may be based on other legal grounds.
Controller and processor
The controller that is responsible for data protection in the Fraunhofer reporting system is the Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e. V., Hansastrasse 27 c, 80686 Munich, Germany.
The Fraunhofer reporting system is operated by a company specialized in this field: EQS Group GmbH, Karlstrasse 47, 80333 Munich, Germany. The Fraunhofer-Gesellschaft has concluded a data processing agreement with EQS Group GmbH pursuant to article 28 GDPR, which ensures that EQS Group GmbH may only process personal data on the instructions of the Fraunhofer-Gesellschaft and in accordance with data protection law.
The Fraunhofer-Gesellschaft has appointed a data protection officer. You can reach the data protection officer at datenschutz@zv.fraunhofer.de.
Type of personal data collected
The Fraunhofer reporting system is used on a voluntary basis. When you use the Fraunhofer reporting system to submit a report, we collect the following personal data and information:
- your name, if you disclose your identity,
- whether you are employed by the Fraunhofer-Gesellschaft, and
- if applicable, names and other personal data of the persons you name in your report.
Confidential treatment of reports
Incoming reports are received by a small group of expressly authorized and specially trained employees in the Fraunhofer compliance team (reporting office) and are always treated confidentially. These employees examine the report and, if necessary, conduct further case-related investigations.
In the scope of processing a report or a special investigation, information may be required to be passed on to external parties as well as to selected internal decision-makers and other employees of the Fraunhofer-Gesellschaft or to employees from other locations, e.g., if the information relates to an incident at a representative office. The latter may also be based in countries outside the European Union or the European Economic Area, which may have different regulations on the protection of personal data. We always ensure that relevant data protection regulations are complied with when passing on information.
Personal data and information entered into the Fraunhofer reporting system are stored in a database operated by EQS Group GmbH in a high-security data center. EQS Group GmbH and other third parties do not have access to that data. Comprehensive technical and organizational measures ensure this as part of the certified process.
All data is encrypted and stored with multi-level password protection and requires specific authorizations so that access is restricted to a very narrow group of expressly authorized persons at the Fraunhofer-Gesellschaft.
Every person who has access to the data is obliged to maintain confidentiality.
Information on the person(s) accused and named in the report
We are legally obliged to inform the person(s) named in a report that we have received a report or personal data about them, provided that informing them does not (or no longer) jeopardize investigations. To the extent permitted by law, your identity as the whistleblower will not be disclosed.
Rights of data subjects
Under European data protection law, you and the person(s) named in the report may exercise the right of access, rectification, erasure, restriction and, pursuant to article 21 GDPR, of objection in relation to the processing of personal data. If the right to object is exercised, we will immediately check the extent to which the stored data is still required for processing a report. Any data that is no longer required will be deleted immediately. You also have the right to lodge a complaint with a supervisory authority.
Information on your right to object pursuant to article 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data according to article 6 (1) (e) GDPR (data processing in the public interest) and article 6 (1) (f) GDPR (data processing based on a balance of interests).
If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defense of legal claims.
If you would like to assert your right to object, simply send an email to datenschutz@zv.fraunhofer.de.
Storage period
Personal data will be retained for as long as is necessary to investigate and conclusively assess the report or for as long as the Fraunhofer-Gesellschaft has a legitimate interest in retaining it or is required to do so by law. After the report has been processed, the data is deleted in accordance with legal requirements.
Using the whistleblower portal
Your computer and the Fraunhofer reporting system communicate via an encrypted connection (SSL). Your computer’s IP address is not stored while you are using the whistleblower portal. To remember you during your session, the BKMS® system stores a cookie on your computer that only contains the session ID (a so-called session cookie). The cookie is only valid until the end of your session and expires when you close your browser.
You can set up a protected mailbox in the Fraunhofer reporting system with a pseudonym/username and password of your choice. This will allow you to securely send reports to the responsible employee of the Fraunhofer-Gesellschaft by name or anonymously. The data is stored exclusively in the Fraunhofer reporting system, which adds an additional layer of security; the system does not work like ordinary email communication.
Sending attachments
You can also include attachments when submitting a report or providing additional information. If you would like to submit your report anonymously, please bear in mind that files may contain hidden personal data that might jeopardize your anonymity. Make sure to remove this data before submitting your report. If you are unable to remove this data or are unsure how to do so, please copy the text from your attachment and add it to your report text.
You can also send a printed version anonymously to the following address, quoting the reference number you will receive at the end of the reporting process:
Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e. V.
C33 Compliance
Hinweisgeber-Meldestelle
-Vertraulich-
Hansastrasse 27 c
80686 Munich
Germany
Last updated: December 11, 2024