DATA PRIVACY REGULATIONS FOR THE WHISTLEBLOWER SYSTEM

1. Responsible party and data privacy officer

The responsible party is Carthago Reisemobilbau GmbH, Carthago-Ring 1, 88326 Aulendorf, Germany, +49 (0)7525 92000.

Data privacy officer: Christoph Boser
Carthago Ring 1, 88326 Aulendorf, Germany
Phone: +49 7525 9200 3000
E-Mail: datenschutz@carthago.com
 
If you have any questions concerning data privacy, you can contact our data privacy officer at any time by e-mail.
E-mail datenschutz@carthago.com.
 

2. Purpose of our internal whistleblower system

We provide an internal whistleblower system so that we can receive, process and manage reports of potential abuses, contraventions of the law and other misconduct within the company in a secure and confidential manner.
 

3. Whistleblowers

Our internal whistleblower system is available to employees, former employees of our company and third parties (e.g. customers, business partners, suppliers and employees of affiliated companies).
 

4. Types of tip

  • In the event of an anonymous tip, our whistleblower system records and process none of the respective whistleblower’s personal information.
  • In the event of a confidential tip, only the external operator of our CONFDNT whistleblower system has the whistleblower’s contact details, but these are not disclosed to us. In the event of a confidential tip, we have the possibility of communicating directly with the whistleblower in order to be able to confirm receipt of the respective tip, ask questions about the facts and inform the whistleblower about the measures which have been taken, for example. However, we do not receive any information about the identity of the whistleblower. The external operator of our CONFDNT whistleblower system acts as an "anonymization layer" between us and the whistleblower.
  • In the event of a transparent tip, the contact person who is responsible for processing tips within our company has access to the data concerning the identity of the whistleblower, and can communicate directly with the whistleblower. According to the EU Whistleblower Directive, we are obliged to keep the identity of the whistleblower confidential, i.e. only the employee(s) who process the respective tip may know the identity of the whistleblower, otherwise no-one else within the company.

 

5. Processed personal information

If a tip is provided via the whistleblower system, we process the following personal information:

  • Name and contact details of the whistleblower, provided that these are specified in the event of a transparent tip, and in the event of a confidential tip, the external operator of our whistleblower system CONFDNT will not pass on the personal information of the whistleblower to us, and in the event of an anonymous tip, none of the whistleblower's personal information whatsoever will be processed.
  • The IP address of the whistleblower is not stored for processing a tip within the application. In order to maintain the availability, confidentiality and integrity of the server and the applications and interfaces connected to the server, access to the server is logged so that potential security breaches can be detected and dealt with. Accesses which cannot be linked to any security breach will be deleted after no more than one calendar month for maintenance interval-related reasons.
  • The company affiliation and function will be processed if they are specified within the scope of a tip.
  • The personal information of persons who are mentioned in a tip will be processed in order to investigate or deal with a tip.

The communication between the whistleblower's computer and the whistleblower system takes place via an encrypted connection (SSL). In order to maintain the connection between the computer and the whistleblower system, a cookie is stored on the computer which only contains the session ID (so-called null cookie). The cookie is only valid until the end of the respective session, and is deleted when the browser is closed.
 

6. Confidential handling of tips and disclosure

Incoming tips are received and processed by a small number of authorized employees. These employees are expressly obliged to treat all tips confidentially at all times. These responsible employees check the tip and carry out further case-related clarification of the facts if necessary. As part of the clarification of the facts and, if necessary, the subsequent initiation of measures, it may be necessary to pass on information to other company employees. This takes place exclusively within the scope of that which is necessary for clarification and the initiation of measures, and we always ensure that the relevant data protection regulations are observed when information is passed. In certain cases, there is an obligation under data protection law to inform the accused person about the allegations which have been made against them. This is required by law in cases whereby it is objectively certain that the passing of information to the accused cannot (or can no longer) affect the specific clarification of the tip. As far as it is legally possible, the identity of the whistleblower will not be disclosed, and it will be ensured that no conclusions can be drawn about the identity of the whistleblower. If false information is knowingly posted with the aim of discrediting a person (denunciation), the confidentiality of the identity of the whistleblower cannot be guaranteed. If an appropriate legal obligation or data protection requirement for clarifying the tip exists, criminal prosecution authorities, antitrust authorities, other administrative authorities, courts and law firms and auditing firms commissioned by us also come into question as other categories of recipient.
 

7. Setting up an account

Whistleblowers set up an account for their tip. The account can be accessed via a QR code and/or via an individual link. The account can be used for communication between the employees in the company who are responsible for processing the tip and the whistleblower. No additional personal data is collected when the account is created and used. The use of the whistleblower system can be recorded anonymously, whereby no conclusions can be drawn about individual users. Individual tips are uniquely identified with an identification number. Under no circumstances is the identification number used to identify the whistleblower, but only to logically separate different tips and whistleblowers from each another. The personal information provided in the whistleblower system can be viewed by the whistleblower in the account at any time. The whistleblower system does not store any personal information other than the personal information specified in the account. All of the data that is entered by the whistleblower is individually encrypted and stored in a database.
 

8. Legal bases

The processing of personal information as part of the whistleblower system is based on the fulfilment of legal obligations and our overriding legitimate interest in uncovering and preventing abuses and the associated averting of damage and liability risks for the company. Accordingly, the legal basis is Art. 6 para. 1 lit. c) and lit. f) GDPR (General Data Protection Regulations) in conjunction with sections 30, 130 OWiG (Law on Regulatory Offences).
If a tip concerns one of our employees, the processing also serves to prevent and uncover criminal offences or other legal violations in connection with the employment relationship. The legal basis in this case is section 26 para. 1 GDPR.
 

9. Retention and Deletion

Personal information will be retained for as long as is necessary to clarify and conclusively evaluate a tip, or for as long as there is a legitimate interest of the company or is required by law.
This information will then be deleted in accordance with the legal requirements. The duration for which the information is stored particularly depends on the severity of the suspicion and the alleged breach of duty which has been reported.
The data that is collected is always deleted within two months of the completion of the internal investigation.
If criminal, disciplinary or civil court proceedings occur as a result of misconduct within the meaning of this policy or abuse of the whistleblower system, the storage period may be extended until the final conclusion of the respective proceedings.
Personal information that is obviously not relevant for the processing of a specific tip will not be collected or will be deleted immediately if it was collected unintentionally.
 

10. Service provider

Our whistleblower system is provided by service provider Compliance.One GmbH in Germany on the basis of an order processing agreement in accordance with Article 28 GDPR.
 

11. Your rights as an affected person

You have the following rights as an affected person, provided that the legal requirements are fulfilled:

  • >Right to information, Art. 15 GDPR
  • Right to correction, Art. 16 GDPR
  • Right to deletion, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right of objection, Art. 21 GDPR

If the data processing is based on a balancing of legitimate interests, you have the right to object to this processing of the information. Legitimate reasons for this must exist that arise from your particular situation.
You also have the right to complain to the data privacy supervisory authorities about the data processing.
 

12. Changes to this data privacy information

We reserve the right to adapt this data privacy information from time to time so that it always corresponds to the current legal requirements and/or in order to reflect changes to the data processing accordingly. The new data privacy information will then apply when you start to use the system again.