Joint data protection statement of Quirin Privatbank AG and YPOG Partnerschaft von Rechtsanwälten und Steuerberater mbB Schnittker + PartnerWith this data protection statement, we, (“client”), consisting of
- Quirin Privatbank
- quirion AG,
1. Purpose of the whistleblowing systemThe whistleblowing system YStle is an internal reporting channel in the sense of the European Whistleblowing Directive and the German Whistleblower Protection Act. Its purpose is to give the client’s employees, business partners and customers, as well as other persons, who are in contact with the client in the course of their professional activites, the opportunity to report facts that have come to their attention that indicate serious wrongdoing within this company. For this purpose, your data will be processed if you provide us with them. However, you can also remain anonymous when making a report - just as you can when communicating further with us. We recommend this for the reason stated under 2.
2. Data processingWe only collect and process personal data that you disclose with your report and in subsequent messages. Your IP address is not accessible to us. Cookies are not set. Concerned are therefor your personal data (if you do not submit an anonymous report) and personal data of third parties, if they are disclosed in the context of your report.
The personal data you disclose will be processed for the purpose of evaluating your report and the possible subsequent case handling by the client, YPOG and case handlers commissioned by the client and expressly obliged to maintain confidentiality.
a. Your personal dataWe recommend that you submit your report anonymously.
Important notes in this context:If you disclose your identity to us despite our recommendation, we will treat your data as strictly confidential. However, it cannot be ruled out that third parties concerned by your report must be informed in accordance with Art. 14 GDPR about the source of the data concerning them. It is therefore possible that data subjects will be informed of your identity. If applicable, this information must be provided within one month of the notification, as provided by law as a rule, but at the latest if it no longer seriously affects the clarification of the facts or necessary actions. You should take this into account when deciding whether to disclose your identity.
In case of disclosure of your own personal data, your own consent pursuant to Art. 6 I a GDPR forms the legal basis for our processing. You can revoke this consent pursuant to Art. 7 GDPR, but this is ineffective insofar as the data was disclosed with your consent and the aforementioned information of affected third parties has already taken place.
We also cannot rule out the possibility that your data may have to be disclosed to a public authority or court within the framework of the applicable laws.
b. Personal data of third partiesPlease limit the input of personal data of third parties to what is absolutely necessary for the evaluation and processing of your report.
The legal basis for the processing the personal data of third parties, which is essential for the evaluation of your report and the possible subsequent case handling, is provided by the legitimate interest of the client to be able to investigate and correct possible internal grievances (Art. 6 I 1 f GDPR).
3. Communication with youYour report and any subsequent communication with you are stored in encrypted form in the IT system and are not accessible to unauthorized persons. The only key to protected communication consists of a password assigned by you and a case ID generated by the system after your report and communicated to you. You are requested to log in with your password and the case ID assigned to your report at intervals that are not too long in order to take note of messages from our case handlers and to be able to answer questions. Files (text files, PDFs and photos) can be uploaded to the platform. They are also stored with encrypted content.
The client and YPOG have password-protected access to communicate with you.
For necessary internal investigations of the facts, external case handlers commissioned by the client and expressly obliged to maintain confidentiality will, if necessary, be informed about the content of the report and the subsequent communication with the respective whistleblowers.
4. Data security and data transmissionWe ensure the security of the data we collect and process by taking technical and organizational measures to ensure this protection. Only the client, YPOG or, if applicable, case handlers designated by the client have access to the content of the reports. This can be an external law firm or a case handler in the company concerned who is expressly obliged to maintain confidentiality and is investigating free from conflicts of interest. The content of your reports is immediately encrypted and stored on the platform in this way. Any subsequent communication with you will also be encrypted. Decryption only takes place when you log in with your case ID + password or when a case handler of the client or YPOG logs in.
The IT supervisor of the platform and the host do not have access to the contents of the report or the communication with you at any time. The servers on which the reports are stored are located in the Federal Republic of Germany. The processing of personal data by the IT administrator and the host is carried out on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for commissioned processing in accordance with Art. 28 GDPR.
The data contained in the notification and further communication will not be transferred outside the EU/EEA at any time.
5. Deletion of your dataIf you have transmitted your personal data to us in the dialog, this data will be stored for as long as is necessary for the clarification and final assessment of the reported facts. After the processing of the reported information has been completed, this data will be deleted in accordance with the legal requirements.
6. Our distribution of rolesTogether we form the client’s internal reporting office, whereby your report will first be received and processed by YPOG. If necessary, YPOG will also take over further communication with you. Within the scope of the internal reporting office, we will jointly analyze the content of the report and take any necessary follow-up measures.
The client and YPOG will fulfill your rights and the information obligations towards you. If members of the client are affected by the report, their rights and the information obligations towards them will be fulfilled by the client.
7. Your rights as a data subject of the processing of your personal dataYou have the following rights under applicable data protection laws:
- Right to information about your personal data stored by us
- Right to erasure and restriction of processing of your personal data
- Right to rectify your personal data
- Right to data portability
- Right to complain to a supervisory authority
- You can revoke your consent to the collection, processing and use of your personal data at any time with effect for the future.
Berliner Beauftragte für Datenschutz und Informationsfreiheit (Alt-Moabit 59-61, 10555 Berlin)
8. Responsible for data protectionResponsible for data protection are jointly
Quirin Privatbank AG and
YPOG Partnerschaft von Rechtsanwälten
und Steuerberatern mbB Schnittker + Partner
Neuer Wall 80
and – if the report concers the following company –
9. Right of appealIf you consider that the processing of personal data concerning you violates the GDPR, the BDSG or the Whistleblower Protection Act, you have the right to lodge a complaint at a competent data protection supervisory authority.