Data Privacy Information

1. General information
The following notes provide a simple overview of what happens to your personal data when you visit our website. Personal data is all data with which you can be personally identified. Detailed information on the subject of data protection can be found in our data protection declaration listed under this text.

Data collection on our website

Who is responsible for data collection on this website?
The data processing on this website is carried out by the website operator. You can find their contact details in the imprint of this website.

How do we collect your data?
On the one hand, your data is collected when you communicate it to us. This can, for example, be data that you enter in a contact form.

Other data is automatically recorded by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of the page view). This data is collected automatically as soon as you enter our website.

What do we use your data for?
Part of the data is collected to ensure that the website is provided without errors. Other data can be used to analyze your user behavior.

What rights do you have regarding your data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction, blocking or deletion of this data. You can contact us at any time at the address given in the imprint if you have any further questions on the subject of data protection. You also have the right to lodge a complaint with the competent supervisory authority.

You also have the right, under certain circumstances, to request that the processing of your personal data be restricted. Details can be found in the data protection declaration under "Right to restriction of processing".

Analysis tools and third-party tools
When you visit our website, your surfing behavior can be statistically evaluated. This is mainly done with cookies and so-called analysis programs. The analysis of your surfing behavior is usually anonymous; surfing behavior cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. You will find detailed information on this in the following data protection declaration.

You can object to this analysis. We will inform you about the possibilities of objection in this data protection declaration.


2. General information and mandatory information

data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this data protection declaration.

If you use this website, various personal data will be collected. Personal data is data with which you can be personally identified. This data protection declaration explains what data we collect and what we use it for. It also explains how and for what purpose this happens.

We would like to point out that data transmission on the Internet (e.g. when communicating by e-mail) can have security gaps. A complete protection of the data against access by third parties is not possible.

Note on the responsible body

The responsible body for data processing on this website is:

bbcom secure Deutschland gmbh
Kanalstraße 2/1
88250 Weingarten
phone: 0049 (0) 7531 584 799 0
E-Mail: info@bbcomsecure.de

The responsible body is the natural or legal person who, alone or together with others, decides on the purposes and means of processing personal data (e.g. names, e-mail addresses, etc.).

Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke consent that you have already given at any time. An informal message by e-mail to us is sufficient. The legality of the data processing that took place up until the revocation remains unaffected by the revocation.

Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)
If the data is processed on the basis of Article 6 Paragraph 1 Letter e or f GDPR, you have the right at any time to object to the processing of your personal data for reasons that arise from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this data protection declaration. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims ( Objection according to Art. 21 Para. 1 GDPR).

If your personal data is processed in order to operate direct advertising, you have the right to object at any time to the processing of personal data concerning you submit data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object, your personal data will then no longer be used for direct advertising purposes (objection according to Art. 21 Para. 2 GDPR).

Right of appeal to the competent supervisory authority
In the event of violations of the GDPR, those affected have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged violation. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

A list of the data protection officers (without any claim to completeness or correctness) and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another person responsible, this will only be done to the extent that it is technically feasible.

SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses an SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.

Information, blocking, deletion and correction
Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if necessary, a right to correction, blocking or deletion of this data at any time. You can contact us at any time at the address given in the imprint if you have any further questions on the subject of personal data.

Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time at the address given in the imprint. The right to restriction of processing exists in the following cases:
• If you dispute the accuracy of your personal data stored by us, we usually need time to check this. For the duration of the examination, you have the right to request that the processing of your personal data be restricted.
• If the processing of your personal data happened/is happening unlawfully, you can request the restriction of data processing instead of deletion.
• If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to demand that the processing of your personal data be restricted instead of being deleted.
• If you have a contradiction according to Art. 21 Para. 1 DSGVO, a balance must be made between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to demand that the processing of your personal data be restricted.

If you have restricted the processing of your personal data, this data - apart from its storage - may only be used with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State are processed.

Widerspruch gegen Werbe-E-Mails
We hereby object to the use of contact data published as part of the imprint obligation for sending unsolicited advertising and information material. The site operators expressly reserve the right to take legal action in the event of unsolicited advertising being sent, such as spam e-mails.


3. Contact person for data protection issues

bbcom secure Deutschland gmbh
Kanalstraße 2/1
88250 Weingarten
E-Mail: datenschutz@bbcomsecure.de


4. Data collection on our website

Server-Log-files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
• Browser type and browser version
• operating system used
• Referrer URL
• Host name of the accessing computer
• Time of server request
• IP address

This data is not merged with other data sources.

This data is collected on the basis of Article 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of his website - the server log files must be recorded for this purpose.

contact form
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We do not pass on this data without your consent.

The data entered in the contact form is therefore processed exclusively on the basis of your consent (Article 6 (1) (a) GDPR). You can revoke this consent at any time. An informal message by e-mail to us is sufficient. The legality of the data processing operations carried out up to the revocation remains unaffected by the revocation.

The data you enter in the contact form will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular retention periods - stay untouched.

Inquiry by e-mail, telephone or fax
If you contact us by e-mail, telephone or fax, your inquiry including all resulting personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.

This data is processed on the basis of Article 6 (1) (b) GDPR if your request is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 Para. 1 lit. a GDPR) and / or on our legitimate interests (Art. 6 Para. 1 lit. f GDPR), since we have a legitimate interest in the effective processing of inquiries addressed to us.

The data you send us via contact requests will remain with us until you request deletion, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular statutory retention periods - remain unaffected.

hgp Hinweisgeberportal-Mittelstand
bbcom secure, February 2023

bbcom secure is the owner and operator of the website www.zettelgeberportal-mittelstand.de. We take over the internal reporting office prescribed by the Whistleblower Protection Act (HinSchG) for employers. Whistleblowers can report incorrect behavior securely and, if desired, anonymously and receive protective measures in accordance with the HinSchG.

We would like to inform you below about the processing of your personal data on the SME whistleblower portal and about the data protection claims and rights to which you are entitled in accordance with Article 12 ff. of the General Data Protection Regulation (GDPR).

1. General Information

On the website www.tippgeberportal-mittelstand.de we provide both employers and whistleblowers with comprehensive information on the Whistleblower Protection Act, the process of proceedings regarding a submitted tip and the services provided within the framework of taking over an internal reporting office.

If an employer commissions us to take over the internal reporting office, we will set up an individual reporting portal for them in the form of a subdomain with the name "berufegeber.tippgeberportal-mittelstand.de". Other reporting channels offered are telephone and personal acceptance by a trusted person.

Below we answer the questions that are particularly important to you regarding the processing of personal data.

2. Persons responsible and their contact details

Responsible for the processing of personal data in the context of assuming the function of an internal reporting office i. s.d. §§ 12, 13 HinSchG and § 14 para. 1 sentence 1 HinSchG is bbcom secure Deutschland gmbh (see a). This applies until reports have been handed over to the employer (see b). Should the employer bbcom secure carry out follow-up measures in the form of an investigation i. s.d. § 18 Paragraph 1 HinSchG, bbcom secure processes the personal data on its own responsibility. This also applies until the results reports are handed over to the employer (see b). The employer is responsible for the processing of personal data after the handover of information or result reports.

a) bbcom secure Deutschland GmbH, Kanalstr. 2, 88250 Weingarten; phone: +49 7531 5847990, E-Mail: info@bbcomsecure.de
b) Employers who have their internal reporting office carried out by bbcom secure, see the imprint of the employer's website

3. Your one-stop shop for rights, questions and asserting your rights

The parties have agreed that they consent in particular to exercising the rights of the data subject pursuant to Art. 15-21 GDPR and the fulfillment of the information obligations according to Art. 13 and 14 GDPR to the person responsible (see point 2 b). Those responsible are available to answer any questions you may have regarding the processing of your personal data as part of this data processing.

4. What data is processed and from what sources does this data come?

We process personal data that we receive in connection with the use of the whistleblower portal-Mittelstand and that we receive from telephone and personal conversations or as part of communication as a whistleblower point.

We process the following categories of personal data:
- Name whistleblower
- E-mail address whistleblower
- File attachments via upload function
- Information about people who are affected by the respective notice (name / function in the company)
- Information about eyewitnesses
- Login data for portal use and password
- other personal data provided to us in the notice

Persons affected by data processing can be:
- Whistleblower
- Persons accused in the note
- other persons named by the whistleblower
- Persons who are involved in an investigation into the tip i. s.d. § 18 paragraph 1 HinSchG can be contacted

5. What do we process your data for - purpose of processing - and what is the legal basis for this?

If we have received personal data from you, then we will only process it for the purposes for which we received it or collected it. These purposes include in particular:
• the organization and implementation of a registration office i. s.d. §§ 12, 13 HinSchG and § 14 paragraph 1 sentence 1 HinSchG. this includes
• the operation of reporting channels according to § 16 HinSchG
• Conducting the procedure according to § 17 HinSchG
• the taking of follow-up measures according to § 18 HinSchG by those responsible as well as
• the required documentation according to § 11 HinSchG of the respective process by those responsible.

Data processing for other purposes can only be considered if the necessary legal requirements in accordance with Art. 6 Para. 4 GDPR are in place. In this case, we will of course observe any information obligations under Art. 13 Para. 3 GDPR and Art. 14 Para. 4 GDPR.

6. Legal basis of processing
We process your personal data in compliance with the applicable statutory data protection requirements. The legal basis for the processing of personal data is Section 10 HinSchG and – insofar as there are no specific legal provisions – Article 6 (1) (c) GDPR. In the event that we also process information on behalf of the person responsible for 2 b that goes beyond the requirements of the HinSchG, such as reports on conflicts of interest or compliance violations, this is done in the legitimate interest of the client (2a) i. s.d. Article 6 paragraph 1 lit f GDPR.

7. Who receives your data?
Within the individual companies, only those departments have access to the personal data that they need for the purposes of data processing and to fulfill legal obligations. The persons responsible also have some of the aforementioned processes and services carried out by carefully selected and data protection-compliant service providers who are based in Germany.

Your data will not be transmitted to third parties as part of the use of the Mittelstand whistleblower portal, except to bodies that are required by law under the Whistleblower Protection Act.

8. Will your data be transferred to a third country or international organizations?
The data transfer of your data to a third country or international organizations is not planned.

9. Place of Data Processing
We process your personal data exclusively in data centers in the European Union.

10. How long do we store your data?
We process your personal data as long as this is necessary for the respective purpose. Insofar as there are legal storage obligations, the relevant personal data will be stored for the duration of the storage obligation in order to fulfill the following purposes:
a) Fulfillment of the statutory storage obligations according to HinSchG: According to this, the storage and documentation periods are specified for at least 3 years after the end of the procedure.
b) After the storage obligation has expired, it is checked whether there is a further need for processing. If there is no longer a need or a legitimate interest on the part of the employer (see 2b), the data will be deleted.

11. What are your rights?
According to the Federal Data Protection Act, you have
• a right to information under Article 15 GDPR
• the right to correction under Article 16 GDPR
• the right to erasure under Article 17 GDPR
• the right to restriction of processing under Article 18 GDPR
• and the Right to data portability from Art. 20 GDPR.

The restrictions according to §§ 34 and 35 BDSG-new apply to the right to information and the right to deletion. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG) in the federal state in which the respective person responsible is established.

A list of the data protection officers and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html You can revoke your consent to the processing of personal data at any time with effect on revoke the future to us. The lawfulness of the data processing carried out up to the revocation remains unaffected by the revocation.

12. Right to Object

Your right to object according to Art. 21 GDPR

Individual right of objection

If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In the case of a request for information that is not made in writing or without sufficient means of identification, we ask for your understanding that we may then request evidence from you that proves that you are the person you claim to be. The request for information can be made in any form and should be addressed to the contact details of the person responsible.

13. Are you obliged to provide data?
As part of the processing via the Mittelstand whistleblower portal, you only have to provide the personal data that you are legally obliged to collect. Without this data (at least the company concerned must be specified), we will generally not be able to process the notification.

14. Data security and data protection, communication by e-mail
Your personal data is protected by technical and organizational measures during collection, storage and processing so that it is not accessible to third parties. In the case of unencrypted communication by e-mail, we cannot guarantee complete data security on the transmission path to our IT systems, so we recommend encrypted communication or the postal service for information with a high need for confidentiality.

hgp Hinweisgeberportal-Mittelstand
bbcom secure Deutschland gmbh, August 2023