Data Privacy Declaration

The Ombudslawyers of Rechtsanwälte Elke Schaefer acknowledge the great importance of data protection and compliance with data protection regulations. In the interest of transparency under the data protection laws, the following data protection declaration intends to explain the "vertrauenssachen.de" Whistleblowing System and to inform the whistleblowers, when using this system, about how we deal with incoming reports and about the type, scope and purpose of the collection and use of data. As the body responsible for data protection, the Ombudslawyers recognize the following data protection declaration as a binding part of the anonymous Whistleblower System:

1. Legal Basics

This declaration is based on the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) in their current version, in particular Art. 6 Para. 1 lit. f GDPR, Art. 88 GDPR in conjunction with § 26 BDSG. Any regulations deviating from the law shall be null and void; the remaining objectives and/or regulations remain unaffected.

2. Purpose of the Whistleblower System

The Whistleblower System serves to receive and clear up serious suspicions about violations of rules set by the respective client of the whistleblower system, in particular about criminal acts that may endanger its company assets. Reports outside this scope will not be pursued further and will be deleted.

The purpose and goal of the Whistleblower System is to process the whistleblower's data while maintaining his anonymity. The anonymous Whistleblower System collects data on the type of use. These include the frequency of access, the number of reports, the number of dialogues and the number of concerns raised. The Whistleblower System cannot utilize any statistical data that would allow conclusions to be drawn about an individual user. The Whistleblower System represents an internet-based alternative to the usual communication channels to the Ombudsmen and/or the client’s company-internal points of contact and therefore does not request any personal data from the whistleblower. No personal data of the whistleblower is intended to be provided to the Whistleblower System.

3. Whistleblower

Employees and third parties (e.g. customers, business partners, suppliers, employees of affiliated companies) of the companies and institutions supported by the Ombudslawyers can report information and concerns through the Whistleblower System.

4. Setting up a Mailbox

Depending on the system, the whistleblower is given the option of using a user name and password for a virtual mailbox. The creation of such a mailbox implies the consent of the whistleblower to deposit the entered data in the database of the whistleblower system.

To set up a virtual mailbox, a user name can be chosen and a password must be selected. The user name is only visible to the users of the mailbox. The password is made unrecognizable by a hash function in the web application and database.

When communicating via mailbox, it is ensured that the account of a whistleblower in the dialogue cannot be identified.

5. Guarantee of Confidentiality and Anonymity

User behavior is recorded anonymously by the Whistleblower System.

a) IP Acquisition

The IP address of the whistleblower is not stored for processing a message within the application.

To ensure the availability, confidentiality and integrity of the server and the applications and interfaces connected to the server, accesses are logged on the server to record potential security breaches. Accesses that cannot be associated with a compliance violation are deleted after one calendar month at the latest according to maintenance intervals.

b) Logging

Notes are clearly marked by an identification number (ID). This ID is not intended to identify the whistleblower, but to distinguish several whistleblowers from each other.

6. Storage of Personal Data of the Whistleblower

The provision of personal data is not requested in the whistleblower system. The personal data voluntarily disclosed through the dialogue with the Ombudslawyer can be viewed by whistleblowers at any time using a virtual mailbox. Further information about the personal data stored in the whistleblower system is not technically possible. All data entered by the whistleblower will be individually encrypted and stored in a database. Neither administrators, website operators nor other persons have the possibility to access the content of the personal data stored by the whistleblower.

7. Transmission of Personal Data

The personal data voluntarily provided during a dialogue can only be viewed by the Ombudslawyer and the whistleblower himself. Even if the whistleblower has disclosed his identity to the Ombudslawyer, the anonymity of the whistleblower is always preserved. Any transfer and processing of the data to an employee in the company affected by the report, insofar as this is necessary for clarification, requires the prior consent of the whistleblower. We would like to point out that in the event of such consent, the recipient may be obliged in accordance with Art. 14 GDPR to inform the person affected by the report of the identity of the whistleblower one month after it becomes known, but at the latest if this information would not jeopardize an effective investigation of the allegation or the collection of the necessary evidence. If a whistleblower gives his consent to the disclosure of his identity, he may revoke this consent in accordance with Art. 7 para. 2 GDPR up to one month after notification.

8. Personal Data of the Person Affected

The processing of personal data of the person affected by the notice does not require consent in cases of Art. 6 para. 1 letter f GDPR and § 26 para. 1 sentence 2 BDSG. In the event that personal data is stored, the person concerned will be informed about the processing and use of this data as soon as there is no danger to the clarification of the facts of the case at hand. In this case, the person affected by the notice also has a right to information about the personal data stored about him. The identity of the whistleblower is generally excluded from this right of information, subject to the above provisions.

9. Deletion and Modification

Whistleblowers and affected persons have the right to have incorrect data corrected, amended, blocked or deleted, provided that the legal requirements are met. Messages sent to the Ombudslawyer can only be deleted by him. The statutory periods of deletion apply. If whistleblowers have transmitted personal data in the course of the dialogue, this data will be kept for as long as it is necessary to clarify and conclusively assess the reported facts. After completion of the processing of the report raised, this data will be deleted in accordance with the legal requirements.

In order to maintain the integrity of the data, regular backups are made of the application and the database. The retention period of a backup is a maximum of one calendar month. Older backups and all corresponding copies are automatically deleted.

10. Cookies

Our internet pages use cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser.

By continuing to use this website, you agree to our cookie policy.

Technically necessary cookies

Essential cookies enable basic functions and are necessary for the proper functioning of the website. Therefore, you cannot disable them. This type of cookies is used exclusively by the website operator (first-party cookie) and all information stored in the cookies is sent only to this website.

Login cookies

Provider: Owner of the website
Purpose: Checks whether a user is logged in and whether access is authorized
Cookie Name: JSESSIONID, HASH_JSESSIONID
Cookie duration: 1 day

Data protection information

- Elke Schaefer Rechtsanwälte -

In accordance with Article 13 of the EU General Data Protection Regulation (GDPR), we hereby inform you about the protection of personal data of persons who submit information about possible violations to the whistleblower office or the complaints office. These are the whistleblower office of the companies of the Stadtwerkeverbund (“Whistleblower System”) and the complaints procedure under the Supply Chain Due Diligence Act (LkSG) (“LkSG complaints procedure”).

1. Data controller responsible for data processing

The respective company of the Stadtwerkeverbund (“Verbundunternehmen”) and the external legal ombudswoman are jointly responsible for the processing of personal data within the framework of the Whistleblower System and the LkSG complaints procedure. On the Stadtwerkeverbund side, the following companies are responsible in individual cases - depending on which company is affected:

Stadtwerke Potsdam GmbH
Steinstraße 104-106, Haus 14
14480 Potsdam
datenschutz@swp-potsdam.de
– hereinafter SWP GmbH –

Energie und Wasser Potsdam GmbH
Steinstraße 101
14480 Potsdam
datenschutz@ewp-potsdam.de
– hereinafter EWP GmbH –

Stadtentsorgung Potsdam GmbH
Drewitzer Straße 47
14478 Potsdam
datenschutz@step-potsdam.de
– hereinafter STEP GmbH –

ViP Verkehrsbetriebe Potsdam GmbH
Fritz-Zubeil-Straße 96
14482 Potsdam
datenschutz@vip-potsdam.de
– hereinafter ViP GmbH –

Bäderlandschaft Potsdam GmbH
Steinstraße 104-106, Haus 14
14480 Potsdam
datenschutz@blp-potsdam.de
– hereinafter BLP GmbH –

Netzgesellschaft Potsdam GmbH
Großbeerenstraße 231, Haus 2
14480 Potsdam
datenschutz@ngp-potsdam.de
– hereinafter NGP GmbH –

Stadtbeleuchtung Potsdam GmbH
Steinstraße 101
14480 Potsdam
datenschutz@sbp-potsdam.de
– hereinafter SB GmbH –

Kommunale Fuhrparkservice Potsdam GmbH
Steinstraße 104-106, Haus 8
14480 Potsdam
datenschutz@kfp-potsdam.de
– hereinafter KFP GmbH –

Each with its data protection officer

Dr. Martin Schmidt
Comfield Unternehmensberatung GmbH & Co. KG
Uhlandstraße 162
10719 Berlin
personally reachable at martin.schmidt@comfield.eu

The respective Verbundunternehmen is jointly responsible with

Rechtsanwältin Dr. Kathrin J. Niewiarra
Rechtsanwälte Elke Schäfer
Philippistrasse 11
14059 Berlin
stadtwerkepotsdam@ombudskanzlei.de

- hereinafter referred to as the “Ombuds Office”

Information on joint responsibility can be found in section 8.

2. Subject matter and purpose of data processing

The personal data that you provide as a whistleblower will be processed exclusively for the purpose of processing and investigating reports within the framework of the Whistleblower System or the LkSG complaints procedure of the Stadtwerkeverbund.

In the case of the Ombuds Office, this includes checking whether the reports justify the initial suspicion of a legal or regulatory violation that is covered by the Stadtwerkeverbund's Whistleblower System. The result of the examination is documented. If the report falls within the scope of application of the Whistleblower Protection Act (HinSchG) pursuant to Sections 1 and 2 HinSchG, the Ombuds Office will observe the confidentiality requirement pursuant to Section 8 HinSchG and the documentation requirements pursuant to Section 11 HinSchG when processing the report. In all other cases, the Stadtwerkeverbund's internal regulations for handling reports in the Whistleblower System apply.

Personal data collected via the whistleblowing system may relate to the whistleblower, provided that the whistleblower discloses his / her identity when submitting the whistleblowing report, as well as to persons who are the subject of a whistleblowing report (“Data Subjects”) or other third parties such as witnesses or persons who have relevant information about the whistleblowing alert submitted.

The subject of the processing is personal data mentioned in the notice or resulting from the notice. Depending on the content of the notice, this may also include special categories of personal data in accordance with Article 9 (1) GDPR.

3. Legal basis for the processing

The Ombuds Office processes personal data within the framework of the Whistleblower System exclusively for the purpose of fulfilling its tasks as ombudspersons/lawyers of trust and/or reporting channel within the meaning of Section 16 HinSchG and the assignment as an internal reporting office in accordance with § 13 HinSchG. Personal data is processed based on Article 6(1)(1)(c) GDPR in conjunction with Section 10(1), 13(1) HinSchG if the information provided falls within its scope of application (see Section 3 HinSchG), or Article 6(1)(1)(c) GDPR in conjunction with Section 8 LkSG if the information provided falls within the scope of application of the LkSG. In cases where the information provided falls outside the scope of the HinSchG or the LkSG and deals with concerns, for example breaches of internal regulations, the personal data is processed on the basis of Article 6 (1) sentence 1 letter f) GDPR.

The Ombuds Office has a legitimate interest in the examination, evaluation and documentation of incoming reports based on its position as ombudsperson/lawyer of trust or as an internal reporting office for the Verbundunternehmen. As an internal reporting office, there is a legitimate interest in fully implementing the follow-up measures provided for by law in accordance with Section 18 HinSchG. Furthermore, the Ombuds Office has a legitimate interest in removing obviously irrelevant information from a whistleblowing report. We also have a legitimate interest in the processing of personal data in connection with the operation of the electronic whistleblowing system and communication with whistleblowers.
The Ombuds Office also has a legitimate interest in forwarding the potential violations reported by whistleblowers to our contact at the Verbundunternehmen, provided that the whistleblower has consented to the forwarding. In this case, SWP GmbH is the recipient of the personal data in accordance with Article 13(1)(e) GDPR. The investigation results may also be passed on to a competent authority for further investigation.

4. Recipients of personal data

Normally, personal data for the above-mentioned purposes is only processed by the Ombuds Office, which forwards the information (anonymously if necessary) to the Compliance department of SWP GmbH. Within SWP GmbH, the data may be forwarded within the framework of a strict need-to-know principle to those departments that can make a meaningful contribution to clarifying the facts of the case or are responsible for taking follow-up measures.

However, it may be necessary to pass the data on to third parties for clarification purposes, for example to other companies of the Stadtwerkeverbund, for example if the information relates to a matter at another group company. The data may also be passed on to external consultants such as lawyers or investigating authorities. SWP GmbH will always ensure that the disclosure is permissible in accordance with legal requirements.

At the Ombuds Office, reports are only processed by fully qualified German lawyers who are subject to professional confidentiality. Disclosure to third parties will only take place if this is necessary to fulfill legal obligations or with the consent of the reporting or affected persons.

5. Transfer to third countries

No transfer of data to third countries outside the EU is planned.

6. Duration of storage

Article 6(1)(c) GDPR in conjunction with Section 50(1) of the German Federal Lawyers' Act (BRAO) applies to the Ombuds Office and the files of all cases must be kept for six years.

The following applies to the Verbundunternehmen:
In the case of reports that fall within the scope of the Whistleblower System and also within the scope of the HinSchG, the documentation of the report is retained for three years after the conclusion of the procedure in accordance with Section 11(5) sentence 1 HinSchG and then deleted. Pursuant to Section 11 (5) sentence 2 HinSchG, it may be retained for longer to fulfill requirements under the HinSchG or other legal provisions, as long as this is necessary and proportionate.

Information that falls within the scope of the Whistleblower System but not within the scope of the HinSchG will be retained for as long as is necessary for the clarification and final assessment of the information and compliance with the legal requirements. As soon as the data is no longer required, it will be deleted immediately.

Information that is outside the scope of the Whistleblower System is either deleted immediately after the whistleblower has been informed accordingly or forwarded to other responsible departments with the consent of the whistleblower and then deleted.

The retention period for personal data in the further documentation of internal investigations depends on the outcome of the investigation.

If, after completion of the investigation, it is established or cannot be ruled out with certainty that a violation has occurred, the personal data will only be deleted after the expiry of relevant limitation periods under criminal or civil law.

If it is determined after completion of the investigation that no violation has occurred, the personal data will be deleted immediately or, if necessary, only kept for as long as it may be required for measures of redress and then deleted.

Irrespective of this, information relating to matters within the scope of the LkSG and the associated further documentation of internal investigations will be retained for at least seven years in accordance with Section 10 (1) sentence 2 LkSG. The data is then deleted or, if a violation is established after the investigation has been completed or this cannot be ruled out with certainty, only deleted after the relevant limitation periods under criminal or civil law have expired.

7. Your rights as a whistleblower

You have the following rights in connection with the processing of your personal data:

  • the right to information from the respective controller about the personal data concerning you under the conditions of Article 15 GDPR. This right may be restricted, among other things, to protect the identity of the referring persons and - if necessary - to protect the confidentiality of the internal investigation in accordance with the provisions of the GDPR or the Federal Data Protection Act (BDSG).

  • You have the right to rectification of inaccurate data in accordance with Article 16 GDPR.

  • In accordance with Article 17 GDPR, you have the right to have your data deleted if there is no legal reason for further storage.

  • In accordance with Article 18 GDPR, you have the right to request that the processing of your data be restricted. This means that your data will continue to be stored but may only be processed under restricted conditions (e.g. with your consent or to enforce legal claims).

  • In accordance with Article 20 GDPR, you have the right to data portability in relation to all data that you have provided to us. This means that we will provide you with this data in a structured, commonly used and machine-readable format.

  • In accordance with Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR.

To exercise your rights, please contact the data protection mailboxes of your Verbundunternehmen mentioned under Section 1 or the Ombuds Office at stadtwerkepotsdam@ombudskanzlei.de.

You have the right to raise a complaint with the data protection officer or a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR or other laws (Article 77 GDPR). The right to raise a complaint may be exercised in particular with a supervisory authority in the Member State of the data subject's habitual residence or place of the alleged infringement.

8. Information on joint responsibility pursuant to Article 26(2) GDPR

The Verbundunternehmen and the Ombuds Office operate a so-called internal reporting office in accordance with the HinSchG and for receiving complaints in accordance with the LkSG in order to receive, evaluate and clarify information on possible misconduct. For this purpose, the parties jointly determine the purposes and means of processing personal data and are therefore jointly responsible for the protection of the personal data of the persons concerned. In order to regulate the joint responsibility, the parties have concluded an agreement in accordance with Article 26 (1) GDPR. The aim of this agreement is to determine in a transparent manner which of the contracting parties fulfills which obligations under the GDPR, in particular with regard to the exercise of the rights of the data subjects pursuant to Articles 12 to 23 GDPR and how the information obligations pursuant to Articles 13 and 14 GDPR are fulfilled.