Information on the processing of personal data when using a whistleblowing system
In accordance with Article 13 of the General Data Protection Regulation (GDPR), the following declaration gives all the necessary information on the processing of personal data concerning you by medac GmbH when using a whistleblowing system insofar as you voluntarily provide personal data when submitting a report. The whistleblowing system we use enables an anonymous report to be submitted without any personal data being processed.
1. Controller within the meaning of Article 4 (7) GDPR
Medac Gesellschaft für klinische Spezialpräparate m.b.H. (medac GmbH)
Theaterstrasse 6
22880 Wedel
2. Data protection officer
medac GmbH
Data protection officer
Theaterstrasse 6
22880 Wedel
Telephone +49 (0)4103 - 8006-0
mail@planit.lega
3. Categories of personal data
Use of the whistleblowing system takes place on a voluntary basis. When you submit a report via the whistleblowing system, your name and any other personal data that you may provide when describing the case are only processed if you voluntarily disclose them when submitting your report.
You must set up a secured postbox when submitting a report. A user name and password must be set up in order to do so. To remain anonymous, you can use a pseudonym as your user name. If you use your name or your email address as your user name, either your name or your email address is processed.
Information concerning the device you are using is processed when using the whistleblowing system. To prevent any attribution to you personally, we recommend using a personal device and not a device provided by medac GmbH, because a device provided by medac GmbH could in theory be attributed to you personally.
If you would like to submit a report anonymously and are including any attachments, please note that files may contain hidden personal data so that conclusions about your identity could be drawn. Please delete this information before sending. If you are unable to delete this data or are unsure of how to do so, copy the text of your attachment into your report text or send the printed document to medac GmbH anonymously, citing the reference number received at the end of the reporting process.
4. Legal basis and purposes
If you voluntarily provide personal data when submitting a report, we will process your data on the basis of a legal duty in accordance with point (b) of Article 6 (1) GDPR in conjunction with the Whistleblower Protection Act (Hinweisgeberschutzgesetz).
The whistleblowing system enables the secure, confidential receipt, processing and management of reports of violations. These violations can primarily concern the following business areas:
- Accounting, auditing and internal financial controls (e.g. irregularities in bookkeeping, invoicing and accounts auditing, financial malpractice within the context of internal controls)
- Corporate integrity (e.g. bribery, corruption and fraud, gifts and hospitality, document falsification, conflicts of interest, competition and antitrust law, confidentiality and data protection breaches)
- Environment, health and safety (e.g. violations of environmental regulations, labour regulations and health and safety regulations, including bodily injuries)
- Human Resource Management, diversity and respect in the workplace (e.g. discrimination, (sexual) assault and harassment, violations of human rights, other malpractice or inappropriate behaviour)
- Misuse/misappropriation of assets or services (e.g. unauthorised use of company resources or equipment for non-business reasons, theft of company property, working time fraud)
- Other (other violations of regulations, laws and policies)
5. Recipients/data transfer to third countries
When violations are reported, the Compliance department and the department responsible for the type of violation reported receive the personal data for further internal processing, insofar as personal data has been provided voluntarily when submitting the report. While processing a report or conducting a special investigation, it may be necessary to share reports with other employees of medac GmbH or employees of other group companies, e.g. if the reports refer to incidents in subsidiaries. Where this involves sharing information with branches or subsidiaries which are based outside the European Union or the European Economic Area, data may be transferred to these countries accordingly. Otherwise, your data is not routinely transferred to third countries outside the European Union and the European Economic Area.
As part of data processing, your personal data are processed with the supplier of the solution that is being used, EQS Group AG, Bayreuther Str. 35, 10789 Berlin, which carries out the technical operation of the whistleblowing system for medac. For such cases, medac GmbH has concluded contractual agreements concerning the protection of your personal data. Such agreements have also been concluded with EQS Group AG.
Ultimately, medac GmbH is in principle legally obliged to inform the accused persons that it has received a report about them provided that this information does not jeopardise the investigation of the incident. Your identity as a whistleblower will not be disclosed unless we are legally bound to do so.
6. Retention period
Your personal data is stored for as long as necessary to examine and perform a conclusive assessment of the report or for as long as required pursuant to a statutory retention obligation, after which time it is erased in accordance with the provisions of data protection law.
7. Your rights as a data subject
As a data subject, you have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, if this is the case, the right of access to this personal data (Article 15 GDPR), as well as the right to rectification of inaccurate data concerning you (Article 16 GDPR), the right to erasure (Article 17 GDPR) and the right to restriction of processing (blocking) of your data (Article 18 GDPR). Whether and in which cases these rights are granted is subject to the legally defined conditions.
In the case of processing on the basis of point (e) or (f) of Article 6 (1) GDPR, you also have the right to object to the processing (Article 21 GDPR). We will then only continue to process your personal data if there are compelling reasons for this and your own interests do not override these.
Insofar as you have supplied data, you have the right to data portability (Article 20 GDPR). Whether and to what extent these rights are granted in specific cases and under which conditions they apply is provided for by law in the specified regulations. You also have the right to lodge a complaint with the competent supervisory authority (Article 77 GDPR). If you have any questions or complaints regarding data protection, we recommend that you contact our data protection officer first.
8. Automated decision-making/profiling
Processing is not used for automated decision-making as defined in Article 22 GDPR.