Privacy policy for the whistleblower system
Compliance with data protection regulations is a high priority at MÜNCHENSTIFT. We would therefore like to inform you below about the collection of your personal data in connection with the whistleblower system AdvoWhistle in accordance with Art. 13 of the General Data Protection Regulation (GDPR).
1. Controller
The controller responsible for the data processing is named in the imprint.
2. Purposes of data processing
MÜNCHENSTIFT accepts information according to the German Whistleblower Protection Act (HinSchG) and complaints according to the German Corporate Due Diligence Obligations in Supply Chains Act (LkSG) via the whistleblower system AdvoWhistle.
The purpose of this system is to comply with the legal obligations of the HinSchG and the LkSG and to report incidents in a secure and confidential manner that could have significant consequences for MÜNCHENSTIFT and/or its employees (such as possible criminal consequences, payment of large fines and/or damage to its image). This applies in particular to violations of antitrust laws, corruption, property and financial crimes, violations of data protection laws, and violations of human and environmental rights.
If you choose to make a report, you may do so anonymously without providing your personal information.
If you choose not to make an anonymous report, the following personal information may be collected if you provide it:
- Last name, first name
- Your contact information
- The fact that you have made a report (anonymously, if applicable) through the whistleblower system.
The following personal data may be processed about persons affected by incidents, witnesses or persons named in the report:
- First and last name, information about incidents and
- Suspected violations of laws and regulations.
3. Legal bases of data processing
If you submit an anonymous report, we will not be able to associate the report with you personally. The following information is then no longer relevant to you. If you provide us with your own personal data as a whistleblower, we will process this data in accordance with Art. 6 para. 1 p. 1 lit. f) GDPR in our legitimate interest to fulfill our legal obligations according to § 10 HinSchG and § 8 LkSG.
We also process the personal data of third parties that you provide in the context of your report in order to protect our legitimate interests in following up on reports about compliance violations pursuant to Art. 6 para. 1 p. 1 lit. f) GDPR.
4. Storage period
We will delete all reports and data after a period of three years from the date of receipt. This does not apply if deletion conflicts with other legal obligations.
5. Confidentiality of your data and recipients
Your information will be kept confidential. Your data will only be transmitted in encrypted form. Only a very small number of specially authorized employees have access to the whistleblowing system.
Within the scope of technical operations, iComply GmbH processes personal data on behalf of MÜNCHENSTIFT strictly in accordance with instructions.
| Data processing company | Purpose | Adequate data protection level |
| iComply GmbH | Hosting and technical operations | Processing only within EU/EEA |
Your identity, if you have voluntarily provided it to us, will not be disclosed to other parties unless we are required to do so by law. We will only disclose other personal information to third parties (e.g., law enforcement agencies) if permitted by applicable data protection laws.
6. Data subject rights
As a data subject, you have the right to information about the personal data that concerns you, as well as to the correction or deletion of incorrect data, provided that one of the reasons cited in Art. 17 GDPR is constituted, such as the data are no longer required for the purposes pursued.
You also hold the right to restrict processing if any of the preconditions set out in Art. 18 GDPR apply and, in cases of Art. 20 GDPR, the right to data transfer.
If data are collected on the basis of Art. 6 para. 1 p. 1 lit. f) GDPR, the data subject has the right to object to the processing at any time for reasons relating to their particular situation. In this case, we shall no longer process your personal data unless we can demonstrate compelling reasons for processing that override the interests, rights and freedoms of the data subject, or unless processing serves the assertion, exercise or defence of legal claims.
Any data subject has the right to complain to the supervisory authority if they consider that the processing of their personal data breaches data protection regulations. The responsible supervisory authority is:
Bayerische Landesamt für Datenschutzaufsicht
Home address: Promenade 18, 91522 Ansbach
Postal address: Postfach 13 49, 91504 Ansbach
+49 981 531300
poststelle@lda.bayern.de
7. Our data protection officer
You also have the right to contact our data protection officer at any time, who is bound to secrecy regarding your request. The contact details of our data protection officer can be found on the privacy policy page.
We will be happy to provide you with more detailed information on request.
Version: January 2024