In the following, we inform you about the collection, processing, and use of personal data as part of our complaints procedure, i.e., if you submit a complaint or report a potential grievance or violation via one of our reporting channels or if you are a witness or accused of such a grievance. This privacy policy does not apply to reports to the external reporting office at the German Federal Office of Justice, whose data processing we are not responsible for.
Please read this privacy policy carefully before submitting a complaint or report.
I. Information on the controller:
For complaints or reports sent to the internal reporting office via compliance-meldung@esolutions.de and for reports focussing on “data protection” sent to datenschutzbeauftragter@esolutions.de, e.solutions GmbH, Despagstr. 4a, 85055 Ingolstadt, Germany, is the controller within the meaning of the GDPR, i.e., the body that determines the handling of data.
e.solutions GmbH has appointed a data protection officer who you can contact directly if you have any questions about data protection:
Dr. Carlo Piltz
PL Services GmbH
Südwestkorso 3
12161 Berlin, Germany
Tel: + 49 30 814 53 50 00
Fax: + 49 30 814 53 50 09
Mail: datenschutzbeauftragter@esolutions.de
Web: www.piltz.legal
If you send a complaint or report to our ombudsperson's office by e-mail to compliance-meldung@ombudsstelle.net, it will be sent to a separate, independently responsible controller: the law firm Dr. Etzel Seifert Bär Rechtsanwälte PartmbB, Campestraße 10, 90419 Nürnberg, Germany. The privacy policy of the ombudsperson's office can be found at the following URL: https://esb-compliance.de/datenschutz/ (in German). If the ombudsperson's office informs e.solutions GmbH of the report, e.solutions GmbH alone will be responsible for the processing of personal data contained therein from the time of receipt of the information.
II. Information on the scope and purpose of personal data processing
We have implemented the complaints procedure to enable notifications of (suspected) violations of the law, potential grievances within the company or along the supply chain, or serious violations of internal rules. The complaints procedure is therefore an important part of safeguarding our corporate values. It serves to detect and prevent grievances and to avert the associated damage and liability risks.
In the event of reports or complaints to the above-mentioned internal reporting office and to the data protection officer, the following personal data are collected and processed if you provide them to us or the ombudsperson's office in the individual case. Generally, these are the following details and any documents and evidence sent to us:
We use the data from your report, while maintaining confidentiality within the framework of the legal regulations, to examine the report, i.e., to clarify the facts and to eventually be able to implement remedial measures, sanctions, or preventive measures if necessary.
III. Legal basis for personal data processing
Your use of the reporting system is voluntary; the legal basis for data processing is Art. 6 (1) (c) GDPR (for compliance with a legal obligation) and Art. 6 (1) (f) GDPR (for the purposes of the legitimate interests pursued by the controller or by a third party). In addition, we are obliged under the German Whistleblower Protection Act (Hinweisgeberschutzgesetz, “HinSchG”), the German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz, “LkSG”), and the German Federal Lawyers' Act (Bundesrechts¬anwaltsordnung, “BRAO”) to carry out a number of activities, including the storage of information, and these activities also require the processing of personal data.
The legal basis for data processing to fulfil obligations under the HinSchG is Art. 6(1)(c) GDPR in conjunction with Sections 8, 11 Subsections 1 and 5, 12 Subsection 1 HinSchG, or in conjunction with Section 10 Sentence 1 HinSchG, and Sections 13 – 18 HinSchG. If we process special categories of personal data within the scope of application of the HinSchG for the fulfilment of obligations under this law, the legal basis is Art. 6(1)(c) GDPR in conjunction with Art. 9(2)(b) and (g) GDPR in conjunction with Section 10 Sentence 2 HinSchG.
The legal basis for data processing when we fulfil obligations under the LkSG is Art. 6 (1) (c) GDPR in conjunction with Sections 5, 6, 8, and 10 LkSG.
In addition, we process personal data on the basis of our legitimate interests in the assertion, exercise, and defence of legal claims or the detection and prevention of grievances and the associated prevention of material and non-material damage and liability risks on the basis of Art. 6 (1) (f) GDPR. If also special categories of personal data are processed, the additional legal basis is Art. 9 (2) (f) GDPR.
The processing of personal data of persons mentioned in a report or complaint (e.g., accused and witnesses) is also carried out to safeguard our legitimate interests in detecting and remedying violations of the law and breaches of duty within the company. The legal basis is Art. 6 (1) (c), (f) GDPR and Section 10 HinSchG.
If you give us your separate consent to process your data, the legal basis is Art. 6 (1) (a) GDPR.
IV. Nature and duration of processing
It is not possible to determine in general terms exactly how long each category of data is stored, as this requires a case-by-case assessment. Your personal data are mainly processed internally and securely according to the state of the art. They will be stored as long as required for the clarification and final assessment and as long as there is a legitimate interest of the company or a legal requirement. Afterwards, these data will be deleted in accordance with the legal requirements.
The duration of storage of your personal data is determined in particular by legal obligations to retain data. The criterion for determining the storage period is the necessity of continued storage in order to be able to fulfil the purposes specified above. This is at least as long as it takes to process your report or complaint. As the employees working at our internal reporting office are admitted as in-house lawyers, they are subject to the statutory retention periods under Section 50 Subsection 1 BRAO. Once the processing of a reported potential violation has been completed, we therefore store the data associated with the report for 6 years in accordance with Section 50 Subsection 1 BRAO. If data provided to us are obviously not relevant for the processing of a report, we will delete such data as soon as we become aware of their irrelevance.
V. Recipients and sources of the data
The recipients of some data on whistleblowers include – insofar as disclosure is legally required – the accused and witnesses named by the whistleblowers. We may also pass on data on whistleblowers, accused, and witnesses to legal advisors or make data available to an investigating authority or court. For the internal processing of reports, we use supporting systems whose providers are also recipients of the data.
If you are an accused or witness, the source of your personal data is primarily the whistleblower. If a whistleblower contacts the ombudsperson's office, the source of the data on the whistleblower, accused, and witnesses is the ombudsperson's office.
VI. Your rights with regard to your personal data
Pursuant to Art. 15 GDPR, you have the right to obtain confirmation as to whether or not personal data concerning you are processed and the right to obtain access to these personal data and further information. Pursuant to Art. 16 GDPR, you also have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed Moreover, you have the right to obtain the erasure of personal data concerning you without undue delay where one of the grounds stated in Art. 17 (1) GDPR applies. You also have the right to request restriction of processing if one of the grounds stated in Art. 18 (1) GDPR applies, and pursuant to Art. 20 GDPR you have a right to data portability.
Finally, pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR or national requirements of the member states. The competent supervisory authority for e.solutions GmbH is: Bayerisches Landesamt für Datenschutzaufsicht, Promenade 27 (Schloss), 91522 Ansbach, Germany.
Pursuant to Art. 21 GDPR, you have a right to object to processing if the processing takes place based on Art. 6 (1) (f) GDPR. If you exercise your right to object, the controller will no longer process your personal data unless compelling legitimate grounds for the processing apply on the part of the controller which override your interests, rights, and freedoms of the data subject or the processing serves for the establishment, exercise, or defence of legal claims.
If processing of your personal data is based on consent, you have the right to withdraw your con-sent at any time with effect for the future pursuant to Art. 7 (3) GDPR. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Please note, however, that in this case processing of the relevant data will no longer be possible in the future.