Data Protection Notice
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (GDPR) as well as current national data privacy regulations. Please read this data protection notice carefully before submitting a report.
Purpose of the whistleblower system and legal basis
The whistleblower system (BKMS® System) shall serve the purpose of securely and confidentially receiving, processing and managing reports regarding specific criminal offenses as well as violations of the law, serious breaches of internal regulations and corruption. The processing of personal data in the BKMS® System is based on our legitimate interest in detecting and preventing misconduct and thus avoiding damage to the Fraunhofer-Gesellschaft, its employees and customers. Art. 6 (1) (f) GDPR shall serve as a legal basis for this data processing.
Further processing of the data can be based on other legal bases.
Responsible entity, contracted processor
The entity responsible for the protection of data in the whistleblower system shall be Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e. V., Hansastrasse 27 c, 80686 München, Germany.
The whistleblower system shall be operated by EQS Group AG, Karlstrasse 47, 80333 München, Germany, a company specialized in these systems. The Fraunhofer-Gesellschaft has concluded a commissioned processing agreement with EQS in accordance with Art. 28 GDPR, which ensures that EQS may only process personal data on the instructions of the Fraunhofer-Gesellschaft and in compliance with data protection law.
The Fraunhofer-Gesellschaft has appointed a data protection officer. You can contact this officer at firstname.lastname@example.org.
Type of personal data collected
Use of the whistleblower system is voluntary. If you submit a report via the whistleblower system, we will collect the following personal data and information:
- your name, should you choose to reveal your identity,
- whether you are employed by the Fraunhofer-Gesellschaft, and
- names of persons and other personal data of persons that you name in your report, if applicable.
Confidential handling of reports
Only a few expressly authorized and specifically trained employees in the compliance department at the Fraunhofer-Gesellschaft shall receive incoming reports, and they are bound to always handle them confidentially. These employees shall evaluate the report and carry out further investigations as required for the specific case, if applicable.
When processing a report or carrying out special investigations, it may become necessary to share reports with additional employees of the Fraunhofer-Gesellschaft or employees of other organizational groups, e.g., if the reports refer to incidents in subsidiaries. The latter may be based in countries outside the European Union or the European Economic Area with different regulations concerning the protection of personal data. We shall always make sure that the applicable data privacy regulations are complied with when sharing reports.
Personal data and information entered into the whistleblower system shall be stored in a database operated by EQS in a high-security data center. EQS and other third parties shall not have access to these data. This shall be ensured in a certified procedure that requires extensive technical and organizational measures.
All data shall be stored in encrypted form with multiple levels of password protection so that access is restricted to only a few expressly authorized employees at the Fraunhofer-Gesellschaft.
Every employee who is granted access to the data shall be bound to maintain confidentiality.
Information on the accused person
As a basic principle, we shall be bound by law to inform the accused persons that we have received a report concerning them, unless this threatens further investigations into the report. In doing so, your identity as a whistleblower shall not be revealed, as far as this is legally possible.
Rights of data subjects
According to European data protection law, you and the persons named in the report have the right to inquiry, rectification, erasure, restriction of processing and the right to object to processing of personal data concerning them. If the right of objection is claimed, we shall immediately examine to what extent the stored data is still necessary for the processing of a report. Any data that is no longer required shall be deleted immediately. In addition, you shall have the right to lodge a complaint with a supervisory authority.
Information on your right to object pursuant to article 21 GDPR
At any time, you shall have the right to object to the processing of your personal data pursuant to article 6 (1) point (e) GDPR (data processing conducted in the public interest) and article 6 (1) point (f) GDPR (data processing for the purposes of legitimate interests) on grounds relating to your particular situation. This also applies to profiling as described in the provisions of article 4 (4) GDPR.
If you file an objection, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defense of legal claims.
Where you object to processing of data for direct marketing purposes, we shall no longer process your personal data for such purposes. In this case, it is not necessary to specify a particular situation. This shall also apply to profiling to the extent that it is related to such direct marketing.
If you would like to make use of your right to withdraw your consent, simply send an email to email@example.com.
Personal data will be retained for as long as is necessary for the clarification and final assessment of the report, or if there is a legitimate interest on the part of the company, or if this is required by law. After the processing of the information has been completed, this data shall be deleted in accordance with the legal requirements.
Use of the whistleblower portal
Communication between your computer and the reporting system takes place via an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblower portal. In order to maintain the connection between your computer and the BKMS® System, a cookie will be stored on your computer that merely contains the session ID (a so-called session cookie). This cookie will only be valid until the end of your session and will expire when you close your browser.
You have the option of setting up a mailbox within the whistleblower system that is secured with an individually chosen username and password. This will allow you to send reports to the responsible employee at the Fraunhofer-Gesellschaft either with your name or in an anonymous, secure manner. This system only stores data inside the whistleblower system, which makes it particularly secure. It is not ordinary email communication.
Note on sending attachments
When submitting a report or sending supplemental information, you can send attachments to the responsible employee at the Fraunhofer-Gesellschaft. If you wish to submit an anonymous report, please take note of the following security advice: Files can contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Last updated: February 08, 2023