Data protection

1. General 

The law firm for business and medical criminal law (hereinafter: law firm or ombuds office) offers you the opportunity to report compliance violations via a virtual mailbox as well as by telephone. Compliance violations are violations of legal requirements or of internal regulations of the Hessing Group.
 
You can use the virtual mailbox to report specific indications of corruption, violations of accounting and reporting regulations, theft, fraud, falsification of documents, embezzlement, cartels, unfair competition, betrayal of business or trade secrets, conflicts of interest and other criminal or irregular conduct.
 
The information you report will be evaluated by the firm's staff. It may result in the initiation of internal or official investigation procedures and other adverse consequences for the persons concerned. Therefore, you should only provide us with information that you believe, to the best of your knowledge, to be accurate. If you knowingly provide false or misleading information, you may be subject to consequences. Knowingly disseminating false information is punishable by law.
 
The law firm is the responsible entity for tips reported to the ombuds office. The address of the responsible entity is:
Kanzlei für Wirtschafts- & Medizinstrafrecht
RA Prof. Dr. Jur. Hendrik Schneider
Taunusstraße 7
65183 Wiesbaden
 

2. Technical requirements 

The technical requirements for the operation of the whistleblower system are provided by the independent operator Vispato GmbH (Hansaallee 299, 40549 Düsseldorf, Germany). The processing of the content of the whistleblowing is carried out exclusively by the law firm.
 
The tips entered via the whistleblower system (virtual mailbox) cannot be assigned to any natural person. This ensures the anonymity of the whistleblower. The processing and use of the data takes place exclusively in the Federal Republic of Germany. The whistleblower system is hosted in the certified (ISO 27001) data center of DATEV eG. 
 
Only the predefined contact persons of the law firm have access to the tips. No data is processed from the whistleblowers that can be assigned to a natural person. The law firm has no access to the IP addresses of the whistleblowers or other personally identifiable information. 
 
As long as you do not enter any personal data, the whistleblower system automatically protects your anonymity by means of a certified procedure (end-to-end encryption), which is secured by comprehensive technical and organizational measures. 
 

3. Processing of your tip

Insofar as this is technically possible, if, for example, the virtual mailbox is used, the whistleblower will receive a confirmation of receipt via the virtual mailbox within seven days of receipt of the report.
 
Upon receipt of a report by the ombuds office, the ombuds office will conduct an initial review of the information, in particular to determine whether there is evidence to corroborate or refute the information provided. 
 
If the ombuds office is of the opinion that further investigations should be carried out, it documents this and forwards the necessary information to the "Legal and Compliance" department of the Hessing Group. The latter then carries out the internal investigations. 
 
Personal data may also be collected as part of a report. Personal data within the meaning of Article 4 No. 1 of the German Data Protection Regulation (DS-GVO) is all information by which you can be identified as a person. The collection of personal data in the context of the use of the whistleblower system only takes place through the receipt of the information provided by you. 
 
The processing of the data by the law firm as well as the disclosure of the data to the extent required in the individual case is carried out for the purpose of fulfilling the obligation as an ombudsman law firm by the Hessing Group of Companies and, if applicable, in the interest of the third party to whose (possible) damage the report relates. The processing is in the legitimate interest of the law firm and is therefore lawful pursuant to Art. 6 (1) f DS-GVO, unless the interests or fundamental rights and freedoms of the data subject prevail in the individual case. 
 
The whistleblower system offers the possibility to provide information completely anonymously. If you do not make use of this option, your data may be passed on to the Hessing Group of Companies if necessary (e.g. as part of follow-up measures, cf. section 4.1 of the Guideline on the Establishment and Operation of a Whistleblowing System in the Hessing Foundation Group of Companies). 
 
You may object to the processing of your data in the form of disclosure to the Hessing group of companies. You can exercise this right of objection at any time. 
 

4. Access by Governmental Authorities

The law firm may be legally obligated to provide information on compliance violations to certain government agencies, in particular government investigative agencies or courts. In the event of a duty to provide information or to surrender information or in the event of seizures, we cannot withhold the information you have provided.
 

5. Informing the data subjects 

If personal data of a third party are collected or processed as a result of a report, this person has, in principle, rights of access or information vis-à-vis the law firm. This information also includes the origin of the data. However, if a third party has an overriding legitimate interest in confidentiality, information need not be disclosed, Section 29 (1) BDSG. Whistleblowers are to be protected by anonymity from direct and indirect reprisals, so that in principle there is an overriding legitimate interest in keeping the identity of the whistleblower confidential. 
 
We would like to point out that only those whistleblowers who have not made malicious or abusive reports are to be comprehensively protected. This is the case if you intentionally and knowingly report false or misleading information at the time of the report. If such a report is made to the detriment of a third party and the third party asserts claims for information or notification in this context, the law firm is obliged to release the information.
 

6. Retention of personal data

The personal data you have provided – if any – will be retained for as long as is necessary for the clarification of the compliance notice and its final processing, including the elimination of any deficiencies identified and the handling of any related legal proceedings. Your personal data will also be retained thereafter if this is required by legal, regulatory or contractual retention obligations or permitted by law. Your personal data will be deleted as soon as the purpose for which it was collected and stored no longer applies.
 
You have the right to request information at any time about the personal data stored, the processing purposes, the category of data and recipients, the storage period, the origin of the data if it was not collected in the office. Furthermore, they may have the right to have this data corrected or deleted. 
 

7. Consent and voluntariness

If you do not want the law firm to collect, process and use personal data - as far as you have indicated - from you as described, you may submit your notification anonymously. The provision of your personal data is voluntary, as is the use of the whistleblower system.
 

By using this whistleblower system, you consent to the collection, processing and use of your personal data, to the extent provided by you, as described above.