It is important to us that you are aware which personal data is collected when you use our offers and services and how we use this data afterwards.
Insofar as DEKRA processes personal data, this takes place for the respective purposes set out in this privacy statement.
The controller within the meaning of the GDPR for BKMS® Incident Reporting (hereinafter “whistleblowing system”) is DEKRA SE, Handwerkstrasse 15, 70565 Stuttgart, Germany (hereinafter “DEKRA”, “we” or “us”).
Email address of the responsible department: email@example.com
Processed data categories
Use of the whistleblowing system is voluntary. We collect the following personal data when you submit a report using the whistleblowing system:
- communication data (e.g. name if you reveal your identity),
- your employment status at DEKRA (if you choose to reveal your identity) and
- the names and other personal data of persons whom you list in your report, if applicable.
Processing purposes and legal basis
The whistleblowing system is a communication channel for the secure and confidential receipt, processing and management of reports of potential violations (see Article 2 of Directive (EU) 2019/1937).
The processing of personal data within the framework of the whistleblowing system is based on the legitimate interest of DEKRA in discovering and preventing abuses and thereby averting damage to DEKRA, its employees and customers. The legal basis for this processing of personal data is Article 6 (1) (f) GDPR.
Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and BKMS® Incident Reporting, a cookie is stored on your computer that only contains the session ID (session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a secured postbox within the whistleblowing system with an individually chosen pseudonym/user name and password. This allows you to send reports to the DEKRA employee responsible in each case, either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular email communication.
Passing on to third parties
While processing a report, it may be necessary to share reports with additional DEKRA employees or employees of other DEKRA group companies, e.g. if the reports refer to incidents in DEKRA subsidiaries. Your information will only be made available to those employees who definitely require the information to process your report.
Your personal data will only be transmitted by us to other controllers if this is necessary to fulfil a legal obligation.
In addition, data may be shared with other competent parties (e.g. supervisory authorities or data subjects in the case of reporting processes) insofar as we are obligated to do so on the basis of statutory provisions or enforceable decisions by public authorities or courts.
Transmission of data to third countries
Insofar as this is necessary within the framework of the processing, personal data may also be transmitted to DEKRA group companies or authorities based in countries outside the European Union or the European Economic Area with different regulations about the protection of personal data. We always ensure that the applicable data protection regulations are complied with when sharing reports.
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the compliance organisation of DEKRA and are always handled confidentially. The employees of the DEKRA compliance organisation evaluate the matter and perform any further investigation required by the specific case.
All persons who receive access to the data are obligated to maintain confidentiality.
DEKRA takes technical and organisational security measures to protect the data you provide to DEKRA against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. This also applies where external services are used. The effectiveness of our security measures is reviewed and the measures are improved on an ongoing basis in line with technological developments. Communication between your computer and BKMS® Incident Reporting for data protection reporting and for data subject enquiries takes place over an encrypted connection (SSL).
Service provider (general)
The whistleblowing system is operated by a specialised company, Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin, Germany, on behalf of DEKRA.
Personal data and information entered into the whistleblowing system is stored in a database operated by Business Keeper GmbH in a high-security data centre. Only DEKRA employees can see the data. Business Keeper GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data is stored encrypted with multiple levels of password protection according to a system of permissions so that access is restricted to a very small selection of expressly authorised persons at DEKRA.
Rights of the data subjects
Pursuant to European data protection legislation, you and the persons named in the report have a right of access, rectification, erasure and restriction of processing and a right to object to the processing of your personal data. If the right to object to the processing of the personal data is exercised, the necessity of the stored data for the examination of a report will be evaluated immediately. Data that is no longer needed will be deleted at once. You also have the right to lodge a complaint with the supervisory authority.
Right of access
You have the right, on request and at any time, to receive access to the personal data concerning you which we process, within the scope of Article 15 GDPR.
Right to the rectification of incorrect data
You have the right to ask us to rectify the personal data concerning you without undue delay insofar as it is incorrect (Article 16 GDPR). To do so, please contact the controller for which details are provided above.
Right to erasure
You have the right to have the personal data concerning you erased without undue delay (“right to be forgotten”) where a legal reason pursuant to Article 17 GDPR applies. This is deemed to apply, for example, where personal data is no longer required for the purposes for which it was originally processed; where you have withdrawn your consent and there is no other legal basis for processing; or where the data subject raises an objection to the processing (and there are no overriding reasons for processing, which does not apply to objections to direct marketing). To assert your rights set out above, please contact the controller.
Right to restriction of processing
You have the right to the restriction of processing if one of the prerequisites applies, in accordance with Article 18 GDPR. According to this, a restriction of processing may in particular be required if the processing is unlawful and the data subject rejects the erasure of personal data and instead requires the restriction of the use of the personal data, or if the data subject raises an objection to the processing pursuant to Article 21 (1) GDPR, for the period for which it has not yet been established whether our legitimate reasons outweigh yours. To assert your rights set out above, please contact the controller.
Right to data portability
You have the right to data portability pursuant to Article 20 GDPR. According to this, you have the right to receive the personal data with which you have provided us in a structured, commonly used and machine-readable format and to have this data transmitted to another controller, for example another service provider. The prerequisite for this is that the processing is based on consent or on a contract and takes place in an automated manner. To assert your rights set out above, please contact the controller.
Right to object
Pursuant to Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) (e) or (f) GDPR, for example. We will then stop the processing of your personal data, unless we can prove compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms or if the processing serves the assertion, exercise or defence of legal claims. To assert your rights set out above, please contact the controller. No additional costs above and beyond the transmission costs according to the basic tariff are incurred for asserting your right to object.
Complaint to the supervisory authority
You have the right to lodge a complaint with the responsible data protection authority (e.g. the Baden-Württemberg State Commissioner for Data Protection and Information Security).
Duration of storage; retention periods
Your personal data is retained for as long as necessary to clarify the situation and perform a final assessment or for as long as a legitimate interest exists on the part of the company or retention is required by law. After the report processing is concluded, the data will be erased in accordance with statutory requirements.
If you wish to contact us, you can reach us at the address provided in the “Controller” section.
DEKRA has appointed a group data protection officer. Inquiries regarding data protection at DEKRA can be sent to firstname.lastname@example.org.
Version: June 2022