Transparency and information obligations for whistleblowers and other persons involved in the matter as part of the whistleblower system
in accordance with the General Data Protection Regulation (GDPR)
This document informs you about the processing of your personal data by Zeller+Gmelin GmbH & Co. KG and all participating companies and the rights to which you are entitled under data protection law.
Responsible body/data protection
The entity responsible for data processing is the participating company to which the notification relates.
Contact Data protection
datenschutz@zeller-gmelin.de
Categories/origin of the data
If you make a report via our whistleblower system, the personal data you provide will be processed in order to process your report and, if necessary, take further action. In principle, you have the option of making anonymous reports. Which personal data is processed accordingly depends on the content of your message.
We may process your personal data in the event that you are an accused person or other person involved in the matter in order to check the report made via the whistleblower system and to investigate the suspected compliance and legal violations. Which data is processed in this context depends on the specific report in each individual case and also on what information, for example, a reporting person has provided about you. For example, the following data may be processed:
- Contact details (e.g. private address, mobile or landline number, e-mail address)
- Master data (surname, first name, name affixes, date of birth)
- Photos/video recordings
- Time recording data
- Special types of personal data:
- Health data
Purposes and legal bases of data processing
When processing your personal data, the provisions of the GDPR, the BDSG and all other legal provisions (such as the BetrVG, ArbZG, etc.) are always complied with.
If you are a reporting person, your data will be processed on the basis of your voluntary information and within the framework of the statutory provisions under the Whistleblower Protection Act, Art. 6 para. 1 p. 1 lit. a, lit. c DS-GVO in conjunction with § 10 HinSchG and, if you are employed by us, in accordance with Art. 88 DS-GVO in conjunction with § 26 para. 2 BDSG. If we provide the whistleblower system without being legally obliged to do so, your data will be processed on the basis of Art. 6 para. 1 p. 1 lit. f GDPR.
In addition, we process your personal data as a data subject if this is necessary to protect the legitimate interests of the company or a third party (Art. 6 para. 1 lit. f, lit. c GDPR in conjunction with § 10 HinSchG or § 130 OWiG). We have a legitimate interest in the processing of personal data for the prevention and detection of violations and grievances that are reported via the whistleblower system. In addition, your personal data will be processed if this is necessary to fulfill legal obligations.
Storage duration of the data
As soon as your data is no longer required for the above-mentioned purposes and there are no further retention obligations, it will be deleted.
Recipients of the data/categories of recipients
In our company, we ensure that only those persons receive your data who need it to process the report submitted via the whistleblower system.
The internal reporting office is taken over by atarax. Further information on the processing of your data can be found at https://www.atarax.de/de/datenschutz.
Furthermore, in certain cases, service providers (e.g. IT service providers) support us in the fulfillment of our tasks. The necessary data protection contracts were concluded with all service providers.
Depending on the focus of responsibility of the report and for the effective initiation of follow-up measures, the personal data may be passed on to our relevant specialist departments.
Furthermore, in cases prescribed by law, we are obliged to transmit certain information to bodies, such as: Investigating authorities.
Third country transfer/intention to transfer to a third country
Data will only be transferred to third countries (outside the European Union or the European Economic Area) if this is absolutely necessary for processing the report, is required by law or if you have given us your consent to do so.
We do not (currently) transfer your personal data to any service providers or group companies outside the European Economic Area.
Rights of the data subjects
The rights for you as a data subject are standardized in Art. 15 – 22 GDPR.
This includes:
- The right to information (Art. 15 GDPR)
- The right to rectification (Art. 16 GDPR)
- The right to erasure (Art. 17 GDPR)
- The right to restriction of processing (Art. 18 GDPR)
- The right to object to processing (Art. 21 GDPR)
- The right to data portability (Art. 20 GDPR)
If you have voluntarily provided data as the reporting person, you can revoke your consent for any data processing at any time with effect for the future. To withdraw your consent and assert your other rights, please contact: compliance@atarax.de. The same applies if you have any questions about data processing in our company. You can also lodge a complaint against the data processing with a data protection supervisory authority.
If we process your data to protect legitimate interests, you can object to this processing at any time on grounds relating to your particular situation.
We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims.
Automated decisions in individual cases
We do not use purely automated processing to reach a decision.
Commercial Management
Alexandra Scaglione