Information pursuant to Art. 13 of the General Data Protection Regulation (GDPR)
on the processing of personal data in the context of the whistleblower system
In the following, we inform you about the processing of personal data by Wera Werkzeuge GmbH (hereinafter "Wera") in the context of the whistleblower system as well as about the associated data protection regulations, claims and rights. Wera uses web-based software (cloud solution hosted in Germany) which supports the detection of operational malpractices. By implementing such a system, criminal, illegal, morally reprehensible or unfair actions can be detected and prevented at an early stage. As a result, incalculable material and immaterial damages as well as reputational damage can be averted.
1. Purpose of data processing
Wera processes the personal data of the whistleblower, unless the whistleblower has submitted the information anonymously, as well as the personal data of the accused person(s), such as name and other communication and content data, solely for the purpose of receiving and following up on notices regarding criminal, illegal, morally reprehensible or unfair acts in a secure and confidential manner.
2. Categories of data processing within the whistleblower system
• Information about the whistleblower (unless the whistleblower wishes to remain anonymous) and the accused, such as:
o first and last name
o contact details
o other personal data related to the employment relationship, if applicable.
• Personal information identified in the reconnaissance team reports (see paragraph 4), including details about the allegations made and the supporting evidence.
• Date and time of calls (in case the notice was received via the telephone hotline).
• Any other information identified in the investigation findings and in the follow-up process to the report, e.g., information about criminal conduct or data about unlawful or improper conduct, if reported.
3. Legal basis of the data processing
The collection of the personal data of the whistleblower in the case of non-anonymous whistleblowing is based on consent to the processing by the transmission of the data (implied consent) (Art. 6 para. 1 sentence 1 lit. a GDPR).
The collection, processing and disclosure of personal data of the persons named in the notification serves the legitimate interests of Wera (Art. 6 para. 1 p. 1 lit. f GDPR). It is a legitimate interest of Wera to detect, process, stop and sanction violations of the law and serious breaches of duty by employees effectively and with a high degree of confidentiality and to avert associated damage and liability risks for Wera (Sections 30, 130 regulatory offences act).
Directive (EU) 2019/1937 ("EU Whistleblower Directive") and the Whistleblower Protection Act also require the establishment of a whistleblower system to give employees and third parties the opportunity to provide protected information about legal violations in the company in a suitable manner.
The disclosure of personal data to other recipients in the case of non-anonymous reporting may be necessary due to a legal obligation (Art. 6 para. 1 p. 1 letter c GDPR).
4. Recipients of the data and third country transfer (EU/EEA foreign countries)
All personal data collected by Wera will only be made available to those persons who have a legitimate need to process this data due to their function. Wera's Compliance Department is tasked with the initial processing of incoming notices. If the notice is received via the telephone hotline, the notice is recorded in the whistleblower system while preserving the anonymity of the whistleblower. The hotline employees are bound to secrecy (see below).
In some cases, Wera is required to disclose the data to authorities (such as those having legal or regulatory jurisdiction over the employer, law enforcement agencies and legal bodies) or external advisors (such as auditors, accountants, lawyers). If the whistleblower has provided his or her name or other personal data (non-anonymous whistleblowing), the identity will not be disclosed - to the extent legally possible - and it will also be ensured that no conclusions can be drawn about the identity as a whistleblower. If personal data is processed by external service providers, this is generally done on the basis of order processing contracts in accordance with Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR and that all persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality. The whistleblower system platform as well as the hotline is operated on our behalf by LegalTegrity GmbH, Platz der Einheit 2, 60327 Frankfurt/Main. A transfer of personal data to third countries (EU/EEA foreign countries) does not take place.
5. Duration of processing, deletion of data
The personal data will be retained in the respective proceedings for as long as is necessary for the clarification and final assessment, for a legitimate interest of Wera or for a legal requirement. Afterwards, this data will be deleted in accordance with the legal requirements. The duration of storage depends in particular on the severity of the suspicion and the reported possible breach of duty.
6. Technical information on the use of the whistleblowing system
Communication between your computer and the whistleblower system takes place via an encrypted connection (SSL). The IP address of your computer is not stored during the use of the whistleblowing system. To maintain the connection between your computer and the whistleblower system, a cookie is stored on your computer, which only contains the session ID. The cookie is only valid until the end of your session and becomes invalid when you close your browser.
7. Data subject rights according to the GDPR
You have the following rights in connection with the processing of personal data concerning you:
• According to Art. 7 GDPR, you have the right to revoke your consent to data processing at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
• Pursuant to Art. 14 of the GDPR, if your data is collected without your knowledge (for example, because you are involved in the whistleblowing procedure as an accused person), you have the right to be informed about the storage, the nature of the data, the purpose of the processing and the identity of the controller and, if applicable, the whistleblower (unless the whistleblowing was done anonymously). However, if there would be a substantial risk that such information would jeopardize Wera's ability to effectively investigate the allegation or gather the necessary evidence, this information may be postponed pursuant to Art. 14 (5) sentence 1 lit. b GDPR for as long as such risk exists. The information must then be provided as soon as the reason for the postponement has ceased to exist.
• Pursuant to Art. 15 of the GDPR, you have the right to request information regarding the personal data concerning you that is processed by Wera.
• Pursuant to Art. 16 of the GDPR, you have the right to request the immediate correction or completion of incorrect or incomplete data stored by us.
• Pursuant to Art. 17 GDPR, you have the right to request the erasure of personal data concerning you that is stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation to which Wera is subject, for the performance of a task carried out in the public interest, or for the establishment, exercise or defense of legal claims.
• Pursuant to Art. 18 GDPR, you may request the restriction of the processing of your personal data if you contest the accuracy of such data or if the processing of such data is unlawful.
• Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common and machine-readable format, and to transmit this data to another controller without hindrance or to have it transmitted by us.
• Pursuant to Art. 21 GDPR, you have the right to object to the processing of your personal data on grounds relating to your particular situation. Your data will then no longer be processed unless Wera can demonstrate compelling grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defense of legal claims.
• Pursuant to Art. 77 GDPR in conjunction with section 17 German Federal Data Protection Act (BDSG), you have the right to lodge a complaint against Wera with the competent supervisory authority.
8. Responsible party in the sense of data protection law
Responsible for the processing of the above personal data and your related requests and inquiries is:
Wera Werkzeuge GmbH
Korzerter Str. 21-25
Tel.: +49 202 4045-0
If you have any questions concerning data protection, please contact our compliance team at compliance(at)wera.de