Whistleblower System
Whistleblower System of Energieanlagen Greifswald GmbH
General Information
The following information provides a simple overview of what happens to your personal data when you use our whistleblower system. We ensure compliance with laws and regulations through an appropriate compliance organization, legally secure processes, and other measures for the prevention and response to possible rule violations. To achieve this, we have introduced a reporting system. Our employees (including applicants and interns), shareholders, as well as employees of contractors, subcontractors, and suppliers can use the whistleblower system to report information about possible violations of legal requirements or internal regulations ("report") and contribute to their clarification and prosecution.
1. Controller
Responsible for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR) is:
Energieanlagen Greifswald GmbH
Eckhardsberg 5
17498 Greifswald
2. Hosting
This website is hosted by an external service provider (host). The personal data collected on this website is stored on the servers of the host. This includes the data you enter into the system; other data (log files such as IP address, location, used browser, etc.) is not collected. The use of the host is for the fulfillment of legal requirements (Art. 6 Para. 1 lit. c GDPR) and in the interest of a secure, fast, and efficient provision of our whistleblower system by a professional provider (Art. 6 Para. 1 lit. f GDPR). Our host will process your data only to the extent necessary to fulfill its obligations and will follow our instructions regarding this data. We have concluded a contract for order processing with our host to ensure the data protection-compliant processing.
3. Type and Scope of Data Processing
When you submit reports through the whistleblower system, your information from the form, including the contact details provided by you, will be stored for processing the request and for follow-up questions if necessary. To submit a report, you must enter at least a brief description of the incident; all other information is voluntary. After receiving a report, we are obligated to review it and, if necessary, initiate follow-up measures. In the course of this process, we may, under certain circumstances and in compliance with legal requirements, process additional data to clarify the incident.
4. Purpose and Legal Basis
Your data will be processed for the following purposes, based on the following legal bases:
- Implementation of the employment relationship (§ 26 Para. 1 Sentence 1 BDSG): Data processing in the context of investigative measures may be necessary for the implementation and termination of the employment relationship with employees. This applies, for example, to investigative measures to uncover breaches of employment contract obligations that do not constitute a criminal offense.
- Investigation of criminal offenses (§ 26 Para. 1 Sentence 2 BDSG): If investigative measures serve to uncover possible criminal offenses in the context of employment relationships, these can be justified according to § 26 Para. 1 Sentence 2 BDSG. We will base the corresponding data processing on § 26 Para. 1 Sentence 2 BDSG only if documented factual evidence gives rise to suspicion of a criminal offense in the employment relationship and the interests of the data subject do not prevail.
- Implementation of legal requirements (Art. 6 Para. 1 lit. c GDPR): We are subject to certain laws that obligate us to accept and process reports of compliance violations.
- Legitimate interests (Art. 6 Para. 1 lit. f GDPR): We have an interest in improving our compliance management and in clarifying received reports.
5. Storage Duration
We will store your data until the clarification of the respective incident. Legal provisions, especially retention periods, remain unaffected.
6. Disclosure of Data
We will only disclose your data if there is a legal basis for this. In the course of the clarification process and for initiating follow-up measures, the data may be forwarded to the following recipients:
- Internal company departments: To clarify the report and initiate follow-up measures, the report may be passed on to an impartial entity within our company while adhering to legal provisions, especially confidentiality.
- Courts, authorities, public bodies & service providers: We may disclose your data to public authorities if we are obligated to do so, for example, in the context of criminal investigations. In the course of clarifying reports, we may additionally pass on the data to external service providers (law firms, data protection officers, etc.) while adhering to legal requirements.
7. Data Subject Rights
Revocation of Your Consent to Data Processing
Many data processing operations are only possible with your express consent. You can revoke previously given consent at any time. The legality of the data processing carried out before the revocation remains unaffected.
Right to Object to Data Collection in Special Cases (Art. 21 GDPR)
If data processing is carried out on the basis of Art. 6 Para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data for reasons that arise from your particular situation, including profiling based on these provisions. The respective legal basis on which a processing is based can be found in this data protection declaration. If you object, we will no longer process your personal data affected unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms or the processing serves to assert, exercise, or defend legal claims (objection under Art. 21 Para. 1 GDPR).
Right to Lodge a Complaint with the Supervisory Authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, their place of work, or the place of the alleged violation. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies.
Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done to the extent technically feasible.
Information, Deletion, and Correction
Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipient, and the purpose of data processing at any time, as well as a right to correction or deletion of this data. For this purpose and for further questions about personal data, you can contact us at any time using the address provided in the legal notice.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data. To do this, you can contact us at any time using the address provided in the legal notice. The right to restrict processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the check, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data is unlawful, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it for the exercise, defense, or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection under Art. 21 Para. 1 GDPR, a balance must be struck between your interests and ours. As long as it is not clear whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data may only be processed – apart from its storage – with your consent or for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a member state.
Profiling
Automated decision-making, including profiling, does not take place.
Submit a Report:
Please note the following:
- Unfounded allegations may be considered false suspicion under § 164 of the German Criminal Code (StGB). Depending on the context, false accusations can be prosecuted and punished as defamation under § 186 StGB or as slander under § 187 StGB.
- Make only sincere reports. Unfounded or denunciatory reports, as well as case descriptions from which no specific violations or grievances are recognizable, will not be processed.
- Describe the case in detail but limit yourself to the essentials.
- Avoid personal references (e.g., names of those involved) in the case description if possible.
- If you provide information about yourself in the email (such as your name, contact details), this is voluntary. For the most effective processing of the report, it may be helpful if you provide us with your data (name and/or contact details). However, your personal data will not be disclosed at any time unless you have explicitly given us your consent. The ombudsman is obliged to maintain confidentiality and preserve your confidentiality during the processing of your reports.
- Even if you are personally and possibly emotionally affected in the specific case, please remain polite when describing the case and report the circumstances as objectively and factually as possible.
- Only report cases that are relevant to the employment relationship and/or specifically concern the company. Please do not report cases from areas such as customer service/customer complaints, product complaints, or private matters. Also, not reportable are personal opinions, suggestions for optimizing individual organizational or procedural issues, private conflicts within the team, general criticism of colleagues, supervisors, or company management. Please contact your superiors and/or request a confidential personnel discussion for these matters.
- The whistleblower system/the ombudsman does not act as a mediator and does not intervene in internal company or company policy processes. Reports received through the whistleblower system are anonymized and forwarded to the appropriate entities and responsible parties within the company.
Please send your report to:
compliance@eag-mv.de