Privacy
1 Purpose of data processing
1.1 In accordance with our obligation under the Whistleblower Protection Act (HinSchG), we have set up a digital internal reporting office. The internal reporting office is part of our compliance management system and is managed by employees of the VascoMed compliance department, as the employees are independent and have the appropriate expertise.
1.2 Employees, customers, business partners or other whistleblowers can report suspected violations of laws and internal rules securely and confidentially. This is intended to promote the detection and prevention of significant breaches of regulations and avert considerable risks and damage.
2 Responsibility
2.1 The controller for the processing of your personal data is (hereinafter also referred to as the organisation):
VascoMed GmbH, Hertzallee 1, 79589 Binzen, Germany, e-mail: info@vascomed.com
2.2 As part of the processing of reports and follow-up measures to be taken, it may be necessary to provide information on a reported incident to legal advisors or competent authorities.
2.3 If you have any questions about data protection, please contact our data protection officer at datenschutz@vascomed.com.
3 Technical Infrastructure
3.1 The internal reporting office is operated with the whistleblowing software iWhistle of the technical service provider iComply GmbH, Große Langgasse 1A, 55116 Mainz, Germany.
3.2 Personal data and information entered into the whistleblower system will be stored in a database operated by the technical service provider in an ISO/IEC 27001 certified data centre. Access to the data is only possible for expressly authorised processors. End-to-end encryption of all data, multi-level password protection, technical and organisational measures and regular certification ensure that technical service providers, the data centre operator and other third parties have no access to the data.
4 Legal basis
4.1 The legal basis for the processing of information that falls within the scope of the Whistleblower Protection Act is the legal obligation pursuant to Art. 6 para. 1 c) GDPR in conjunction with Section 10 of the Whistleblower Protection Act (HinSchG).
4.2 The legal basis for the processing of tips relating to breaches of internal rules is the overriding legitimate interest in the detection and prevention of material breaches of rules and the associated prevention of risks and damage pursuant to Art. 6 para. 1 f) GDPR.
5 Use of the reporting portal
5.1 The use of iWhistle is on a voluntary basis. When submitting a tip-off, iWhistle collects the following personal data and information:
- person providing the tip-off: name (if you disclose your identity), contact details (if you provide them).
- incident-affected persons: first name and surname, information about incidents and suspected violations of the law and rules.
- witnesses and/or third parties named in the notice (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details.
5.2 File attachments may be sent when submitting reports and sending supplements. If anonymity is to be maintained, hidden personal data must be removed before sending. If this is not possible, only the text from these files can be copied into the digital report form, or printouts of these files can be sent to the postal address of the persons responsible.
6 Confidentiality
Incoming reports are received by a small group of expressly authorised persons and are always treated confidentially. The persons in charge examine the facts and, if necessary, carry out a further case-related clarification of the facts. Any person who has access to the data is obliged to maintain confidentiality.
7 Rights of data subjects
7.1 Persons whose personal data are processed (data subjects) have the right to receive, upon request and free of charge, information about the personal data stored about them, their origin and recipients and the purpose of the data processing. If we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds arising from your particular situation (right of objection).
7.2 In addition, data subjects have the right to have inaccurate personal data corrected, the right to have personal data deleted, the right to restrict the processing of personal data, and the right to data portability.
7.3 Data subjects also have the right to complain to a supervisory authority. Data subjects may contact the supervisory authority of their usual place of residence or workplace for this purpose.
8 Retention period of data
The documentation of reports and the personal data contained therein are generally deleted three years after the conclusion of the procedure. The documentation may be kept longer in individual cases in order to fulfil the requirements under the Whistleblower Protection Act (HinSchG) or other legal provisions, as long as this is necessary and proportionate. A final assessment is also stored for documentation purposes.