Privacy Notice for the whistleblower system
In compliance with Article 13 of the General Data Protection Regulation (hereinafter referred to as “GDPR”), this notice outlines how imc information multimedia communication AG (hereinafter referred to as “imc”) processes personal data within its whistleblower reporting system. Furthermore, it also encompasses associated data protection laws, the rights and claims.
imc employs a web-based cloud solution, hosted in Germany, aimed at detecting and addressing corporate misconduct. The implementation of this system plays a crucial role in early detection and prevention of criminal, illegal, unethical, or unfair actions, thus averting potential financial and non-financial damages, including reputational harm.
The data controller, as defined under Article 4(7) of the GDPR, is imc information multimedia communication AG. In line with the legal requirements of the Whistleblower Protection Act, imc AG has implemented a central reporting system for the entire imc Group.
Information on the Controller can be found below:
imc information multimedia communication AG
Scheer Tower, Uni-Campus Nord
3.1 For what purposes do we process the data?
imc processes the personal data of the reporting person, unless the report was submitted anonymously, as well as the personal data of the accused person(s), such as name and other communication and content data, for the purpose of investigating the reports in order to prevent violations of applicable law or company policies, detect and/or take follow-up action (such as measures to verify the validity of the allegations made in the report and, where appropriate, to address the reported violation, including through internal investigations, inquiries, prosecutions, measures to (re)recover funds or close the case).
3.2 On what legal basis do we process the data?
The collection of the reporting person's personal data in the case of a non-anonymous report is based on consent to the processing through the transmission of the data (implied consent) (Art. 6 para. 1 sentence 1 lit. a GDPR).
The collection, processing and disclosure of personal data of the persons named in the notification serves to safeguard the legitimate interests of the above-mentioned Controller (Art. 6 para. 1 sentence 1 lit. f GDPR). It is a legitimate interest of the company to detect, process, remedy and sanction violations of the law and serious breaches of duty by employees effectively and with a high degree of confidentiality and to avert associated damage and liability risks for companies (Sections 30, 130 Federal Act on Regulatory Offences). Directive (EU) 2019/1937 ("EU Whistleblower Directive") and the Whistleblower Protection Act in Germany also require the establishment of a reporting system in order to give employees and third parties the opportunity to report legal violations in the company in a protected manner.
The disclosure of personal data in the case of non-anonymous reporting to other recipients (Art. 4 No. 7 GDPR) may be necessary due to a legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).
The processing of personal data of employees (for Controllers within the scope of the Federal Data Protection Act - BDSG) is carried out on the basis of Section 26 (1) sentence 2 BDSG. According to this, personal data of employees within the meaning of Section 26 (8) BDSG may be processed to uncover criminal offenses if there are factual indications to be documented that justify the suspicion that the person concerned has committed a criminal offense in the employment relationship, the processing is necessary for detection and the employee's legitimate interest in the exclusion of processing does not outweigh this, in particular the type and extent are not disproportionate with regard to the reason.
3.3 What categories of data are processed?
Generally, we process personal data that we receive directly as part of a report. This may include:
- Information about the reporting person (unless he/she wishes to remain anonymous) and the accused person(s), such as
First and last name
Other personal data relating to the employment relationship, if applicable
- Personal information, such as data subjects identified in a report as a person alleged to have engaged in misconduct and identified in the investigation, including details of the allegations made and supporting evidence.
- Any other information identified in the investigation results and in any further proceedings, e.g. information on criminal conduct or data on unlawful or improper conduct, insofar as this has been reported.
- Information about violations that may also allow conclusions to be drawn about a natural person.
Personal data collected via the web-based software is only made accessible to those persons who have a legitimate need to process this data due to their function. If the report is received via the telephone hotline, the report will be recorded in the reporting system while preserving the anonymity of the reporting person.
We have commissioned two neutral Compliance Ombudspersons to receive and qualify a report.
They operate our internal reporting office with the aid of a web-based application provided by Gesellschaft für Datenschutz, situated at Holzweg 9, 38302 Wolfenbüttel.
Depending on the focus of responsibility of the report and for the effective initiation of follow-up measures, the personal data required as part of the report may be passed on to the responsible internal specialist departments.
In some cases, the Controller is obliged to disclose the data to authorities (such as those with legal or regulatory jurisdiction over the employer, law enforcement authorities and legal bodies) or external advisors (such as auditors, accountants, lawyers).
If the reporting person has provided their own name or other personal data (non-anonymous reporting), their identity will not be disclosed - as far as legally possible - and it will also be ensured that no conclusions can be drawn about the identity of the reporting person.
If personal data is processed by external service providers, this is always done based on order processing contracts in accordance with Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR and that all persons authorized to process personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality.
Within the framework of the respective regulations (in particular Art. 15-21 GDPR), you have various rights with regard to the processing of your personal data:
- Right to information,
- Right to rectification,
- Right to erasure,
- Right to restriction of processing
- Right to data portability.
- Right not to be subject to an exclusively automated individual decision.
- Right to lodge a complaint with a competent data protection supervisory authority.
The right to information and the right to erasure are subject to legal restrictions. If we process your data to protect legitimate interests, you can object to this processing if your particular situation gives rise to reasons that speak against data processing.
In accordance with Art. 7 GDPR, you have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Further information on the right to object can be found below.
The personal data will be stored in the respective procedure for as long as required for the clarification and final assessment, a legitimate interest of the company or a legal requirement exists. This data is then deleted in accordance with legal requirements. The duration of storage depends in particular on the severity of the suspicion and any reported breaches of duty.
Personal data in connection with reports will be deleted immediately by the Compliance Ombudspersons if they are deemed to be manifestly unfounded.
Pursuant to Art. 21 GDPR, you have the right to object to the processing of your personal data on grounds relating to your particular situation. Your personal data will then no longer be processed unless the Controller demonstrates compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
The objection can be made informally and should, if possible, be addressed to the above-mentioned Controller or its internal reporting office.
The provision of data via a notification is neither contractually required nor necessary for the conclusion of a contract. Depending on the individual case, there may be legal obligations to provide us with a report. However, it is necessary to process the data in order to process and investigate the report appropriately.
We reserve the right to update this data protection notice if necessary.