Joint data protection statement of Securepoint GmbH

With this data protection statement, we, Securepoint GmbH (hereinafter Securepoint), would like to inform you, as a user of our internal whistleblowing system „easyline“, what data we collect in the course of a report, for what purposes this data is processed, how your data is protected and to what extent it is transferred, what rights you have with regard to this data, as well as useful contact details. Personal data are collected and processed in accordance with applicable law, namely the General Data Protection Regulation (GDPR)), the current Federal Data Protection Act (BDSG) and the Whistleblower Protection Act (HinSchG).

1. Responsible for data protection

Responsible for data protection is

Securepoint GmbH
Bleckeder Landstraße 28
21337 Lüneburg

Phone: 04131/2401-0
E-Mail: info@securepoint.de

(hereinafter Securepoint, "we", "us")

2. Contact details of the data protection officer

The data protection officer of the Securepoint GmbH can be contacted using the following contact details:

Securepoint GmbH
Data protection officer
Bleckeder Landstraße 28
21337 Lüneburg

E-Mail: datenschutz@securepoint.de

3. Type and scope of data processing for this reporting platform

3.1 Which of your data is processed

If you do not use this reporting platform anonymously, we will process the personal personal data that you disclose to us. In detail, this may be the following data be:
  • Your voluntary information
    • First name
    • Last name
    • E-mail address
    • File attachments
  • If you provide us with further personal information in your message or with the file attachments, we will also process these.
The aforementioned data is only processed to the extent that it is actually collected and is necessary for the purpose described under 3.2.

Your IP address is neither accessible to us, the internal reporting office nor the operator of this operator of this reporting platform. In addition, cookies are not set when you visit this reporting platform are not set.

3.2 Purpose of data processing

The personal data you disclose will be processed for the purpose of evaluating your report and the possible subsequent case handling by Securepoint and, if applicable, internal or external case handlers commissioned by Securepoint and especially bound to secrecy.

Background: The easyline whistleblowing system is an internal reporting channel in the sense of the European Whistleblowing Directive and the German Whistleblower Protection Act. Its purpose is to give our employees, business partners and customers, as well as other persons, who are in contact with Securepoint in the course of their professional activites, the opportunity to report facts that have come to their attention that indicate serious wrongdoing within this company.

3.3 How your data is processed

Your report and any subsequent communication with you are stored in encrypted form in the IT system and are not accessible to unauthorized persons. The sole key for protected communication consists of a case ID and password, which are generated by the system and communicated to you after your report. Decryption only takes place when you log in with your case ID and password or when a case handler from our site. You are requested to log in with your password and the case ID assigned to your report at intervals that are not too long in order to take note of messages from our case handlers and to be able to answer questions. Files (text files, PDFs and photos) can be uploaded to the platform. They are also stored with encrypted content.

For necessary internal investigations of the facts, external case handlers who have been commissioned by us and are under a special obligation to maintain confidentiality will be informed of the content of the report and the subsequent communication with the respective whistleblowers, if applicable.

3.4 Legal basis of data processing

The legal basis for the processing the personal data is Art. 6 para. 1 lit. c DSGVO in conjunction with § 10 HinSchG. Should it become apparent during the processing of your report that it is outside the scope of application of § 10 HinSchG, the legal basis for the processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest then lies in the appropriate processing of your report.

3.5 How long your data is stored

If you have transmitted your personal data to us in the dialog, this data will be stored for as long as is necessary for the clarification and final assessment of the reported facts. After the processing of the reported information has been completed, this data will be deleted in accordance with the legal requirements.

3.6 Who receives your data

Only the case handler desiganted by us has access to the content of the reports. The IT administrator of the platform, the host and we do not have access to the content of the report or the communication between you and the external case handler at any time.

The servers on which the messages are stored are located in the Federal Republic of Germany. The processing of personal data by IT supervisors, host and external case handlers is carried out on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for order processing in accordance with Art. 28 GDPR, which include corresponding confidentiality obligations.

The data contained in the notification and further communication will at no time be transferred outside the EU/EEA at any time.

Important information

If you disclose your identity to us despite our recommendation, we will treat your data as strictly confidential. However, it cannot be ruled out that third parties concerned by your report must be informed in accordance with Art. 14 GDPR about the source of the data concerning them. It is therefore possible that data subjects will be informed of your identity. If applicable, this information must be provided within one month of the notification, as provided by law as a rule, but at the latest if it no longer seriously affects the clarification of the facts or necessary actions. You should take this into account when deciding whether to disclose your identity.

4. Your rights as a data subject of the processing of your personal data

You have the following rights in terms of Art. 13 et seq. GDPR:
  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7 para. 3 GDPR)

Your data will not be subject to decisions based solely on automated processing, including profiling automated processing - including profiling - (Art. 22 GDPR).

Of course, you can assert your rights with us by sending us an informal message by e-mail to datenschutz@securepoint.de or to our postal address.

You also have the right to lodge a complaint with a supervisory authority at any time in accordance with Art. 77 GDPR.

5. Changes to the privacy policy

Advances in technology, legal requirements or changes to processes may have an impact on this privacy policy, affect this privacy policy, among other things. We therefore reserve the right to change this privacy policy at any time with effect for the future. The respective current version of this privacy policy can be found on this website. Please visit regularly to inform yourself about the applicable provisions.

Status: 07.11.2023