vhistle – Portal für Hinweisgeber

Data Privacy

In the following we provide information in accordance with the legal requirements of data protection law (in particular according to the Federal Data Protection Act ‘BDSG’ and the European General Data Protection Regulation 'GDPR') about the type, scope, and purpose of the processing of personal data by our company. This data protection policy also applies to our websites and social media profiles. Furthermore, this privacy policy also applies to our whistleblower protection system. With regard to the definition of terms such as "personal data" or "processing", we refer to Art. 4 GDPR.

Name and contact details of the person responsible (hereinafter referred to as "controller") within the meaning of Art. 4 para. 7 GDPR is:
vhistle Schmitz Püschel Rechtsanwaltsgesellschaft bR
Neusser Strasse
9950670 Cologne
email: mail@verte.law

Data Protection Officer
Dirk Petri
Neusser Strasse
9950670 Cologne
email: dsb@verte.law

Types of data, purposes of processing, and categories of data subjects
Below we provide information about the type, scope, and purpose of the collection, processing, and use of personal data.

1. Types of data we process
Inventory data (name, address, etc.), contact data (telephone number, e-mail, fax, etc.), payment data (bank details, account data, payment history, etc.), contract data (subject matter of the contract, term, etc.), content data (text input, videos, photos, etc.).
If you choose to submit a confidential whistleblower report in our whistleblower protection system, your first and last name as well as your email-address, if you prióvide them, will be collected when you submit the tip. In addition, data is processed when the whistleblower submits a tip in the whistleblower portal. Within the whistleblowing (whistlenlowing text), the processing pf special categories of personal data within the meaning of Art. 9 GDPR cannot be excluded.

2. Purposes of processing pursuant to Article 13 (1) (c) GDPR
Processing of contracts, evidence purposes / preservation of evidence, contact in the event of legal complaints by third parties, fulfillment of legal retention obligations, support commercial use of the website, customer service and customer care, process contact requests, provide websites with functions and content, and uninterrupted, secure operation of our website.
With regard to the whistleblower protection system, the information provided is used for the purpose of verifying and documenting the tips.

3. Categories of data subjects pursuant to Article 13 (1) (e) GDPR
Visitors/users of the website, customers, suppliers, interested parties, applicants, employees.
The data subjects are collectively referred to as "users". With regard to the whistleblower protection system: employees of the principal, business partners of the principal, customers of the principal, whistleblowers, persons affected by the information.

Legal basis for the processing of personal data
Below we provide information about the legal basis of the processing of personal data:
If we have obtained your consent for the processing of personal data, Art. 6 para. 1 sentence 1 lit. a) GDPR is the legal basis.
If the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures taken at your request, Art. 6 para. 1 sentence 1 lit. b) GDPR is the legal basis.
If the processing is necessary to fulfill a legal obligation to which we are subject (e.g. statutory retention obligations), Art. 6 para. 1 sentence 1 lit. c) GDPR is the legal basis.
A legal obligation to set up and operate a whistleblower system also follows from §§ 12 et seq. HinSchG.If processing is necessary to protect the vital interests of the data subject or of another natural person, the legal basis is Article 6 (1) sentence 1 lit. d) GDPR.If processing is necessary to safeguard our interests or those of a third party (f.e., in the detection and prevention of malpractive and the associated averting of damage and liability risks for our client) and if your interests or fundamental rights and freedoms do not prevail in this respect, Art. 6 para. 1 sentence 1 lit. f) GDPR is the legal basis.
Finally, data processing may be based on section 26 (1) BDSG insofar as it serves to uncover criminal offences in the employment relationship.

Disclosure of personal data to third parties and processors
In principle, we do not pass on any data to third parties without your consent. If this is the case, the transfer takes place due to the aforementioned legal bases, e.g., when passing on data to online payment providers for the fulfilment of a contract, or because of a court order or a legal obligation to surrender the data for the purpose of criminal prosecution, or to avert danger or to enforce intellectual property rights.
After data received through the whistelblower protection system has been passed on to our client, it is also used there for the purpose pf reviewing and documenting the reports, for internal investigations (including passing on to external lawyers, auditors or other professionals bound by professional secrecy as well as to affected Group companies) and, if necessary, for passing on to government agenncies (such as the police, public prosecutor´s office or courts). All whistleblowers are assured of confidential processing.
We also use processors (external service providers, e.g., for web hosting of our websites and databases) to process your data. If data is passed on to the processors within the framework of an agreement on order processing, this is always done in accordance with Article 28 GDPR. We carefully select our processors, check them regularly and have been granted the right to issue instructions with regard to the data. In addition, the processors must have taken appropriate technical and organizational measures and comply with the data protection regulations in accordance with the BDSG and GDPR.

Data transfer to third countries
The adoption of the European General Data Protection Regulation (GDPR) has created a uniform basis for data protection in Europe. Your data will therefore be processed primarily by companies to which the GDPR applies. Should the processing take place by third-party services outside the European Union or the European Economic Area, these must meet the special requirements of Art. 44 et seq. GDPR. This means that the processing is carried out on the basis of special guarantees, such as the determination by the EU Commission of a level of data protection corresponding to the EU or the observance of officially recognized special contractual obligations, the so-called "standard contractual clauses". Insofar as we obtain your express consent to the transfer of data to the USA due to the ineffectiveness of the so-called "Privacy Shield" pursuant to Art. 49 para. 1 sentence 1 lit. a) GDPR, we point out the risk of secret access by US authorities and the use of the data for surveillance purposes, possibly without legal remedies for EU citizens.

Deletion of data and storage period
Unless expressly stated in this data protection declaration, your personal data will be deleted or blocked as soon as the consent given for processing is revoked by you or the purpose for storage no longer applies or the data is no longer required for the purpose, unless their further storage is necessary for evidence purposes or this conflicts with statutory retention obligations. This includes, for example, commercial retention obligations for business letters pursuant to Section 257 (1) HGB (6 years) and tax retention obligations pursuant to Section 147 (1) AO of receipts (10 years). The duration of storage depends in particular on the severity of the suspicion and the reported possible breach of duty. When the prescribed retention period expires, your data will be blocked or deleted, unless the storage is still necessary for the conclusion or fulfilment of the contract.
Existence of automated decision-makingWe do not use automated decision-making or profiling.
Provision of our website and creation of log filesIf you only use our website for informational purposes (i.e., no registration or other transmission of information), we only collect the personal data that your browser transmitted to our server. If you wish to view our website, we collect the following data:

• IP address;
• User's Internet service provider;
• Date and time of retrieval;
• Browser type;
• Language and browser version;
• Content of the retrieval;
• Time zone;
• Access status/HTTP-Status code;
• Amount of data;
• Websites from which the request comes;
• Operating system.

This data is not stored together with other personal data from you.
This data serves the purpose of user-friendly, functional, and secure delivery of our website to you with functions and content, as well as their optimization and statistical evaluation.
The legal basis for this is our legitimate interest in data processing, which also lies in the above purposes, in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR.For security reasons, we store this data in server log files for a storage period of 180 days. After expiration of this period, the data is automatically deleted, unless we need to store them for evidence purposes in the event of attacks on the server infrastructure or other infringements.

Cookies
We use so-called cookies when you visit our website. Cookies are small text files that your Internet browser stores and stores on your computer. When you visit our website again, these cookies provide information to automatically recognize you. Cookies also include the so-called "user IDs", where user information is stored by means of pseudonymised profiles. When you visit our website, we inform you by means of a reference to our data protection declaration about the use of cookies for the aforementioned purposes and how you can object to them or prevent their storage ("opt-out").

1. A distinction is made between the following types of cookies:
• Necessary, essential cookies: Essential cookies are cookies that are absolutely necessary for the operation of the website in order to store certain functions of the website such as logins, shopping cart or user input, e.g. regarding the language of the website.
• Session cookies: Session cookies are required to recognize multiple uses of an offer by the same user (e.g., if you have logged in to determine your login status). When you visit our site again, these cookies provide information to automatically recognize you. The information obtained in this way serves to optimize our offers and to provide you with easier access to our site. When you close the browser or log out, the session cookies are deleted.
• Persistent cookies: These cookies remain stored even after closing the browser. They are used to store the login, range measurement and for marketing purposes. These are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.
• Cookies from third-party providers (especially from advertisers): You can configure your browser settings according to your wishes and, for example, refuse to accept third-party cookies or all cookies. However, we would like to point out at this point that you may not be able to use all the functions of this website. Read more about these cookies in the respective privacy statements of the third-party providers.

2. Data categories:
user data, cookie, user ID (especially the pages visited, device information, access times and IP addresses).

3. Purposes of processing:
The information obtained in this way serves the purpose of technically and economically optimising our web offers and enabling you to access our website more easily and securely.

4. Legal basis:
If we process your personal data with the help of cookies on the basis of your consent ("opt-in"), then Art. 6 para. 1 sentence 1 lit. a) GDPR is the legal basis. Otherwise, we have a legitimate interest in the effective functionality, improvement and economic operation of the website, so that in this case Art. 6 para. 1 sentence 1 lit. f) GDPR is the legal basis. The legal basis is also Art. 6 para. 1 sentence 1 lit. b) GDPR if the cookies are set to initiate contracts, e.g. when placing orders.

5. Storage period/deletion:
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.Cookies are otherwise stored on your computer and transmitted from there to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

Here you will find information on how to delete cookies by browser:
Chrome: https://support.google.com/chrome/answer/95647
Safari: https://support.apple.com/de-at/guide/safari/sfri11471/mac
Firefox: https://support.mozilla.org/de/kb/cookies-und-website-daten-in-firefox-loschenInternet
Explorer: https://support.microsoft.com/de-at/help/17442/windows-internet-explorer-delete-manage-cookies
Microsoft Edge: https://support.microsoft.com/de-at/help/4027947/windows-delete-cookies

6. Objection and "opt-out":
You can generally prevent the storage of cookies on your hard drive, regardless of consent or legal permission, by selecting "do not accept cookies" in your browser settings. However, this may result in a functional restriction of our offers. You can object to the use of third-party cookies for advertising purposes via a so-called "opt-out" via this American Website (https://optout.aboutads.info) or this European Website (http://www.youronlinechoices.com/de/praferenzmanagement/).

Processing of contracts
We process inventory data (e.g. company, title/academic degree, names and addresses as well as contact details of users, e-mail), contract data (e.g. services used, names of contact persons) and payment data (e.g. bank details, payment history) for the purpose of fulfilling our contractual obligations (knowledge of who is the contractual partner; Justification, content and execution of the contract; Checking for plausibility of the data) and services (e.g. contacting customer service) in accordance with Art. 6 para. 1 sentence 1 lit b) GDPR. The entries marked as mandatory in online forms are required for the conclusion of the contract.
In principle, this data will not be passed on to third parties, unless it is necessary to pursue our claims (e.g. transfer to a lawyer for collection) or to fulfil the contract (e.g. transfer of data to payment providers) or there is a legal obligation to do so pursuant to Art. 6 para. 1 sentence 1 lit. c) GDPR.
We may also process the data you provide to inform you about other interesting products from our portfolio or to send you e-mails with technical information.
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. This is the case for the inventory and contract data if the data is no longer required for the execution of the contract and no claims can be asserted from the contract because they are statute-barred (warranty: two years / standard limitation period: three years). Due to commercial and tax regulations, we are obliged to store your address, payment and order data for a period of ten years. However, upon termination of the contract after three years, we will restrict processing, i.e. Your data will only be used to comply with legal obligations. Information in the user account remains until it is deleted.

Contact via contact form / email / fax / post
When contacting us via contact form, fax, post or email, your details will be processed for the purpose of processing the contact request.
The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. a) GDPR if you have given your consent.
The legal basis for the processing of data transmitted in the course of a contact request or e-mail, letter or fax is Art. 6 para. 1 sentence 1 lit. f) GDPR. The controller has a legitimate interest in processing and storing the data in order to be able to answer user inquiries, to preserve evidence for liability reasons and, if necessary, to be able to comply with its statutory retention obligations for business letters. If the contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR.We may store your details and contact request in our customer relationship management system ("CRM System") or a similar system.
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input screen of the contact form and those sent by e-mail, this is the case when the respective conversation with you has ended. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been conclusively clarified. We store inquiries from users who have an account or contract with us until two years after termination of the contract. In the case of statutory archiving obligations, the deletion takes place after their expiry: End of commercial law (6 years) and tax law (10 years) retention obligation.
You have the option at any time to revoke your consent to the processing of personal data in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. If you contact us by email, you can object to the storage of personal data at any time.

Contact by phone
When contacting us by telephone, your telephone number will be processed to process the contact request and its processing and temporarily stored or displayed in the RAM / cache of the telephone device / display. The storage takes place for liability and security reasons, to be able to prove the call and for economic reasons, to enable a callback. In the case of unauthorized advertising calls, we block the phone numbers. The legal basis for the processing of the telephone number is Art. 6 para. 1 sentence 1 lit. f) GDPR. If the contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b) GDPR. The device cache stores the calls for days and successively overwrites or deletes old data, when the device is disposed of, all data is deleted and the memory is destroyed if necessary. Blocked telephone numbers are checked annually for the necessity of blocking. You can prevent the phone number from being displayed by calling with the phone number suppressed.

Presence on social media
We maintain profiles or fan pages on social media. When you use and access our profile in the respective network, the respective data protection notices and terms of use of the respective network apply.

Data categories and description of data processing: usage data, contact data, content data, inventory data. Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of the usage behavior and the resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the usage profiles independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them). For a detailed description of the respective forms of processing and the possibilities of objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks. Also in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, you can contact us.

Purpose of processing
communication with users connected and registered on social networks; Information and promotion of our products, offers and services; Presentation and image cultivation; Evaluation and analysis of the users and contents of our presence in the social media.

Legal basis: The legal basis for the processing of personal data is our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. If you have given us or the person responsible for the social network your consent to the processing of your personal data, the legal basis is Art. 6 para. 1 sentence 1 lit. a) in conjunction with Art. 7 GDPR.Data transfer/recipient category: Social network.
The data protection information, information options and opt-out options of the respective networks / service providers can be found here:
• Twitter – Service provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - Privacy Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization
• LinkedIn – Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy Policy: https://www.linkedin.com/legal/privacy-policy, Cookie Policy and Opt-Out: https://www.linkedin.com/legal/cookie-policy.

Rights of the data subject

Objection or revocation against the processing of your data
Insofar as the processing is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a), Art. 7 GDPR, you have the right to revoke your consent at any time. This does not affect the legality of the processing carried out on the basis of the consent until revocation.
Insofar as we base the processing of your personal data on the balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR, you and the persons named in the tip may object to the processing. This is the case if, in particular, the processing is not necessary for the performance of a contract with you, which is described by us in the following description of the functions. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either discontinue or adapt the data processing or show you our compelling reasons worthy of protection, on the basis of which we will continue the processing.

You can object to the processing of your personal data for advertising and data analysis purposes at any time. You can exercise your right of objection free of charge. You can inform us about your objection to advertising under the following contact details:

vhistle Schmitz Püschel Rechtsanwaltsgesellschaft bR
Neusser Strasse
9950670 Cologne
email: mail@verte.law

Right of access to information
You and the persons named in the tip have a right to information about your personal data stored by us in accordance with Article 15 GDPR. This includes in particular information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the origin of your data, if it was not collected directly from you.

Right to rectification
You and the persons named in the tip have the right to have incorrect data corrected or correct data supplemented, in accordance with Article 16 GDPR.

Right to erasure
You have the right to erasure of your data stored by us in accordance with Article 17 GDPR, unless statutory or contractual retention periods or other legal obligations or rights for further storage conflict with this.

Right to restriction
You and the persons named in the tip have the right to request a restriction in the processing of personal data if one of the conditions in Art. 18 (1) a) to d) GDPR is met.

Right to data transfer
You and the persons mentioned in the tip have a right to data transfer pursuant to Article 20 GDPR, which means that you can
receive the personal data we have stored about you in a structured, commonly used, and machine-readable format or request transmission to another controller.

Right to lodge a complaint
You and the persons mentioned in the tip have the right to lodge a complaint with a regulatory authority. As a rule, you can apply to the regulatory authority for this purpose in the member state of your residence, place of work, or place of the alleged infringement.

Data security
In order to protect all personal data transmitted to us, and to ensure that the data protection regulations are complied with by us as well as our external service providers, we have taken appropriate technical and organizational security measures. Therefore, among other things, all data between your browser and our server is transmitted encrypted via a secure SSL connection.

Google ads an conversion measurement
We use the online marketing method "Google Ads" to place ads in the Google advertising network (e.g., in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in the ads (so-called "conversion"). We also measure the conversion of the ads. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page marked with a so-called "conversion tracking tag". However, we ourselves do not receive any information that can be used to identify users. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Further information: Types of processing as well as data processed: https://privacy.google.com/businesses/adsservices; Data processing conditions between data controllers and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms.