In this data protection notice, we explain what personal data we collect from you when you use the whistleblower channel (whistleblower software) and how we process it. We take appropriate technical and organizational measures to ensure compliance with the applicable data protection regulations.
1. Who is responsible for data processing and who can be contacted?
The Compliance Management of Bayerische Versorgungskammer, the latter represented by the Executive Board, Denninger Str. 37, 81925 Munich, Germany, is responsible for the collection and processing of your personal data.
E-Mail: compliance@versorgungskammer.de
Phone: +49 (0)89 9235 9281
You can reach our data protection officers at
Bayerische Versorgungskammer
Data Protection Officer
81921 Munich, Germany
E-Mail: datenschutz@versorgungskammer.de
Phone: +49 (0)89 9235 9292
2. What sources and data do we use?
If you contact us to report violations in connection with fraud, money laundering, insider trading, conflicts of interest, corruption, sponsorship and advertising, confidentiality, violations of the Code of Conduct of the Bayerische Versorgungskammer or other significant violations of laws or guidelines or a suspicion thereof via the whistleblower channel, we may process the following personal data:
- your surname and first name, professional position, place of employment and your professional contact details (unless the report is made anonymously) and/or the corresponding data of the employees affected by your report
- the fact that you have used our whistleblower channel for reporting purposes
- the reported behavior of the employees concerned
- personal data requiring special protection, such as health data, insofar as these are entered in the whistleblower channel as part of the reports or in subsequent investigation proceedings
- company documents such as performance records, travel expense reports, logbooks, invoices and similar documents, which may also contain personal data, insofar as they are required to clarify the reported situation
- information about behavior concerning the use of company communication systems such as metadata, log data or the contents of company e-mails, insofar as they are required to clarify the reported situation
3. For what purpose do we process your data (purpose of processing) and on what legal basis?
The purpose of the whistleblower channel is to receive and process reports from our employees and external people regarding the conduct of employees that is unlawful or contrary to the aim or purpose of legal provisions in a secure and confidential manner. The whistleblower channel serves to implement the legal obligations arising from the Whistleblower Protection Act (HinSchG), among others.
We process the personal data referred to in section 1 for the following purposes in particular:
- checking whether the information provided appears plausible and suggests a violation of laws or other legally binding requirements or breaches of duty under the employment contract
- if necessary, further clarification of the reported situation in regard to any violations of laws or other legally binding requirements or breaches of duty under employment contracts
- if necessary, further clarification for the purpose of exonerating wrongly suspected employees
- if necessary, for the prevention of imminent economic and other disadvantages and for the assertion and/or enforcement of the rights of Bayerische Versorgungskammer and the pension schemes it administers, and
- where applicable, the fulfillment of any obligations to cooperate on the part of Bayerische Versorgungskammer and the pension schemes it manages in the context of investigations by law enforcement or other authorities.
The legal basis for the processing of your personal data is Art. 6 para. 1 lit. c General Data Protection Regulation (GDPR) in conjunction with Sections 16 et seq. HinSchG. Insofar as particularly sensitive personal data pursuant to Art. 9 para. 1 GDPR is entered in the whistleblower portal as part of the reports or in subsequent investigation proceedings, we process this on the legal basis of Sections 16 et seq. HinSchG in conjunction with Art. 9 para. 2 lit. g GDPR.
As part of the report you have submitted, it may be necessary to pass on your personal data to other internal departments in order to initiate follow-up measures. In accordance with Section 9 (3) HinSchG in conjunction with Art. 6 para. 1 lit. a GDPR, however, this requires your permission. If you do not give your permission, you will not suffer any disadvantages. This is because your permission in this matter is voluntary and can be freely revoked at any time in the future.
4. Technical implementation for the security of your data
Communication on the whistleblower channel takes place via an encrypted connection. Your IP address and your current location will not be stored at any time during use. After submitting a report, you will receive login data to a mailbox so that you can continue to communicate with us securely.
The data you provide will be stored in a specially secured database of our service provider Whistleblower Software by Formalize in the European Union. All data stored in the database is encrypted according to the current state of the art. The data can only be accessed by the Compliance Management department. Neither Whistleblower Software by Formalize nor other third parties are able to decrypt this data and make it readable.
5. Who receives your data?
Personal data from the whistleblower channel is primarily processed by Compliance Management as part of a report or the clarification of the reported compliance violation. The processing includes the hearing of witnesses and/or managers. Other recipients may include:
- Human resources (HR) department, if it is also or solely affected by the reported facts or is responsible for further processing
- Law enforcement authorities or courts if the reported violation gives rise to suspicion of criminal acts
All individuals authorized to inspect the data are expressly obliged to maintain confidentiality.
In principle, we are obliged under data protection law to inform the individual(s) named in your report of the allegations made against them. The only exception is where it is objectively clear that informing this/these individual(s) could still impair the clarification of the reported facts. If you have not submitted your report anonymously, we will not disclose your identity as a whistleblower, as long as that is legally permitted (e.g. in accordance with Art. 14 para. 5 GDPR), and we will also ensure that no other conclusions can be drawn about your identity. Please note that in the event of a knowingly false report with the intention of discrediting another person, we may be obliged to disclose your identity to that person.
6. Will your data be transferred to a third country or an international organization?
Personal data is not transferred to so-called third countries (outside the EU and the EEA, i.e. outside the scope of the GDPR).
7. How long will your data be stored?
The personal data from the whistleblower channel will generally be deleted within three years after completion of the respective investigation (Section 11 (5) HinSchG), unless they need to be processed for other purposes, e.g. to fulfill retention obligations or to exercise, assert or defend legal claims.
The data is stored at Amazon Web Services Inc. (AWS) in the data center in Frankfurt, Main (Germany) and may also be stored by third parties if it is passed on to them.
8. What data protection rights do you have?
If your personal data is processed, you have the right to obtain information about the personal data stored about you (Art. 15 GDPR). If incorrect personal data is processed, you have the right to rectification (Art. 16 GDPR). If the legal requirements are met, you can request the erasure or restriction of processing and object to processing (Art. 17, 18 and 21 GDPR). If you make use of your above-mentioned rights, we will check whether the legal requirements for this are met.
You also have the right to lodge a complaint with the Bavarian State Commissioner for Data Protection. The responsible supervisory authority for monitoring compliance with data protection regulations by the Compliance Management of the Bayerische Versorgungskammer is the Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich, Germany, phone +49 (0)89 212672 0, poststelle@Datenschutz-Bayern.de
9. Do you have an obligation to provide data?
Use of the whistleblower channel is purely voluntary. There is no obligation to use the whistleblower channel or to disclose your identity.