EBZ Group Whistleblower System

The responsible body in terms of the GDPR (General Data Protection Regulation) and other national data protection laws and data protection regulations is:
EBZ SE
Bleicherstraße 7
88212 Ravensburg
Germany

Authorized representatives: Thomas Bausch (CEO), Alexander Schmeh (COO), Markus Müller (CFO)
Phone: +49 751 886 0; e-mail: info(at)ebz-group.com

Data Protection Officer of the EBZ Group
Bleicherstraße 7
88212 Ravensburg
Germany
E-mail: Datenschutz(at)ebz-group.com

EBZ SE
Legal Department
Phone: +49 751 886 140 3
E-mail: hinweisgeber(at)ebz-group.com

External Reporting Center of the Federal Government at the German Federal Office of Justice
Federal Office of Justice
External Reporting Center of the Federal Government
53094 Bonn
Germany

Phone: +49 228 99 410-6644
E-mail: hinweisgeberstelle(at)bfj.bund.de
Link: Externe Meldestelle des Bundes beim Bundesamt für Justiz

1. Description and scope
The internal reporting office provides you with an option for contacting us and submitting indications of possible breaches of compliance and legal infringements. We use information provided by you in this context for the purpose of reviewing and documenting the report and for internal and external investigations (including disclosure to external lawyers, auditors or other professionals sworn to secrecy under professional law) and, where appropriate, disclosure to government agencies.
The following data protection information applies if you reveal your identity to the reporting office. Only data that you have voluntarily and actively communicated to us is processed in this respect. There is no obligation to reveal your name or contact details. We can assure all whistleblowers that processing of their communications will be confidential.
However, not providing us with contact details may prevent us from informing you about the course of the investigation and, potentially, it may not be possible to ensure an adequate appraisal of the circumstances.

2. Legal basis
The legal basis for processing is Article 6 Paragraph 1 Clause 1 (c) GDPR in conjunction with Sections 10 et seq. of the German Whistleblower Protection Act (§§ 10 ff. HinSchG). Its purpose is to meet a legal obligation to which the responsible body is subject. 
The legal basis for processing of data and the disclosure of your identity is the existence of a declaration of consent on the part of the whistleblower pursuant to Article 6 Paragraph 1 Clause 1 (a) GDPR, Article 9 Paragraph 2 (a) GDPR and Sections 9 Paragraph 3, 11 Paragraph 2 and 16 Paragraph 3 of the German Whistleblower Protection Act (§§ 9 Abs. 3, 11 Abs. 2, 16 Abs. 3 HinSchG).

3. Purpose of processing
Processing of personal data serves compliance with the German Whistleblower Protection Act (HinSchG). We shall use information disclosed by you in the context of our internal whistleblower system for the purpose of reviewing and documenting the disclosure and for internal and external investigations. Information may be disclosed to responsible government agencies pursuant to Section 9 Paragraph 1 and 2 of the German Whistleblower Protection Act (§ 9 Abs. 1 und 2 HinSchG).

4. Duration of storage
Documentation is deleted three years after conclusion of the proceedings. Documentation can be stored for a longer period to meet the requirements of the German Whistleblower Protection Act (HinSchG) or other legislation, provided this is necessary and proportionate. You are entitled to revoke your declaration of consent under data protection regulations at any time. You can communicate your revocation by e-mail or post to those responsible. Following elimination of the purpose or the revocation or retraction of your consent, the data provided by you shall be processed to comply with statutory storage obligations or the protection of our legitimate interests. Moreover, we can also store any instances of consent which are revoked for up to three years for the protection of our legitimate interests and, also, to prove that consent which was formerly given existed after it is revoked. You may object to this storage if your interests outweigh our legitimate interests.

5. Access
Data in our internal whistleblower system can only be accessed by the authorized representative of our legal counsel. During the course of investigations within the EBZ Group, individuals and/or bodies may, where applicable, obtain information about your personal data if they need this to meet legal obligations or for the aforementioned purposes. These include in particular the board, management, the works council, the personnel department, the data protection officer and the information security officer. If an additional legal obligation or requirement exists pursuant to Article 6 Paragraph 1 Clause 1 (c), (f) GDPR, the disclosure of personal data to public bodies such as the police, the public prosecutor’s office, courts or supervisory authorities or, indeed, to external lawyers and auditors may be considered. Any disclosure occurs, where possible, without revealing personal information.

As an affected person, you have a variety of rights under the GDPR which arise in particular from Article 15 to 21 GDPR:

1.    Right to information, Article 15 GDPR
2.    Right to rectification, Article 16 GDPR
3.    Right to erasure, Article 17
4.    Right to restriction of processing, Article 18
5.    Right to data portability, Article 20 GDPR
6.    Right to object, Article 21
7.    Right to withdraw consent, Article 7
8.    Right to complain to a supervisory authority

The supervisory authority responsible for you is: The State Authority for Data Protection and Freedom of Information for the German State of Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany.