Data Privacy Statement
Dated: 27 July 2023
Introduction
This data privacy statement explains what data we collect about you when you use DEHNspeakup, what we need this data for and with whom we share this data. It also includes your rights in relation to your data and who to contact for further information or enquiries.
The terms "DEHN", "we", "us" and "our" used below refer to
DEHN SE
Hans-Dehn-Straße 1
92318 Neumarkt
DEHN operates a whistleblower system, "DEHNspeakup", managed by Deloitte.
DEHN processes personal data as part of DEHNspeakup.
Controller within the meaning of the GDPR
The controller within the meaning of Art. 4, Para. 7 of the EU General Data Protection Regulation (GDPR) for the processing of your personal data in connection with DEHN is
DEHN SE
Hans-Dehn-Straße 1
92318 Neumarkt
Phone: +49 9181 906-0
Email: info@dehn.de
DEHNspeakup is operated on behalf of DEHN by Deloitte GmbH Wirtschaftsprüfungsgesellschaft, Rosenheimer Platz 4, 81669 Munich, Germany.
Data protection officer
The data protection officer of the controller is:
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
Telephone: +49 941 2986930
Fax: +49 941 29869316
Email: anfragen@projekt29.de
Website: www.projekt29.de
Any data subject can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.
Scope, nature and purpose of processing
DEHNspeakup is a system for the secure and confidential receipt and processing of information about (possible) breaches of the law or internal regulations against DEHN.
Reporting of information is voluntary.
Legal basis for the processing
DEHN is legally obliged to operate a whistleblower system in accordance with §12, Para. 1 of the German Whistleblower Protection Act (HinSchG) and §8, Para. 1 of the German Supply Chain Duty of Care Act (LkSG) in conjunction with Art. 6, Para. 1, lit. c of the GDPR.
For information not covered by the Whistleblower Protection Act or the Supply Chain Duty of Care Act, DEHN relies on the legitimate interest in uncovering wrongdoing and the associated prevention of damage and liability risks (Art. 6, Para. 1, lit. f of the GDPR). If the persons providing the information or the persons who are the subject of the information are DEHN employees, §26, Para. 1, sentence 2 German Federal Data Protection Act (BDSG) will also apply.
If a report requires the processing of special categories of personal data, such as health data pursuant to Art. 9, Para. 1 of the GDPR, this processing is based on Art. 9, Para. 2, lit. a (consent) or lit. f (assertion, exercise or defence of legal claims) of the GDPR or, in the case of a report under the Whistleblower Protection Act, based on §10 of the HinSchG.
The disclosure of the identity of the whistleblower in a report under the Whistleblower Protection Act is governed by §9, Paras. 1 to 3 of the HinSchG. Disclosure of the identity of persons who are the subject of the report is governed by §9, Para. 4 of the HinSchG.
Data categories
In this context, we process in particular the following categories of personal data:
For all reports:
- Names of the people involved
- Names of all witnesses (if available)
- Date, time and location of the incident(s)
- Details of possible evidence
- Frequency of the incident
- Information about the incident
- Information regarding whether the incident has already been reported to the company and to whom
- Relationship of the whistleblower to the organisation
- Information contained in the attachments to the report (optional)
In the case of confidential reports submitted, the following data can also be shared voluntarily:
- Name
- Department
- Email address
- Contact number
- Other information
Duration of data retention
Personal data will be kept for as long as clarification and final assessment require it or there is a legitimate interest on the part of DEHN or this is required by law. Afterwards, this data is deleted in accordance with legal requirements. The duration of retention depends in particular on the severity of the suspicion and the reported possible breach of duty.
In the event of a report under the German Whistleblower Protection Act, documentation on a process under §11, Para. 5 of the act will be deleted three years after the conclusion of the process.
Categories of recipients of data and transfer to EU countries
In connection with DEHNspeakup, personal data, as specified below, may also be transmitted to third parties. In this respect, data may be transferred to other European countries.
To other Deloitte member firms for the purpose of collaborating in the provision of our services.
To the extent necessary to provide the service, i.e. in the case of procurement abroad or if the expertise of a foreign colleague is required, Deloitte cooperates on behalf of DEHN with other companies from the global Deloitte network. If such a transfer is made to a network company outside the EU/European Economic Area, an adequate level of data protection is ensured through the use of standard contractual clauses of the EU Commission within the meaning of Art. 46, Para. 2, lit. c) of the GDPR. You can view the EU's standard contractual clauses at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:DE:PDF.
To authorities, courts or other bodies
In connection with the processing of reports, it may also be necessary to transmit information, work results and documents to authorities, courts or other public or private bodies (also abroad in the case of procurement from another country). The same applies to cases in which DEHN is subject to a legal, official or judicial order to hand over/disclose personal data.
To Deloitte internal service providers as well as external IT service providers
As a contractor of DEHN, Deloitte in individual cases uses other German or foreign Deloitte network companies as IT service providers within the network in the course of its activities. These companies provide services for the operation, maintenance and care of the IT systems and applications used by the Deloitte network companies. These companies are used with access rights to personal data only if this has been agreed in the order agreements with our customers or is legally permissible in individual cases without consent.
If there is access by a network company outside the European Economic Area, an adequate level of data protection is ensured through the use of standard contractual clauses of the EU Commission within the meaning of Art. 46, Para. 2, lit. c) of the GDPR.
Right to lodge a complaint with a data protection supervisory authority
You can exercise various rights in connection with your personal data. In particular, you have the right
- to information, Art. 15 of the GDPR:
You can request information from DEHN at any time as to whether your personal data is being processed or stored at DEHN, how it is being processed and which specific data this entails.
- to rectification, Art. 16 of the GDPR:
You may request an update of your personal data processed by DEHN or, if you believe that it is inaccurate or incomplete, a correction of such data.
- to erasure ("right to be forgotten") Art. 17 of the GDPR or to restriction of processing, Art. 18 of the GDPR:
You may request the deletion of your personal data processed by DEHN or a restriction of the way in which DEHN processes this data, insofar as this does not conflict with legal obligations.
- to data portability, Art. 20 of the GDPR:
You may obtain a copy of the personal data relating to you that you have provided to us in a structured, commonly used and machine-readable format for the purpose of transferring it to another party (where the processing is based on consent or a contract).
- to objection, Art. 21 of the GDPR:
You can object to the processing of your personal data by DEHN. Objection does not incur any costs other than the transmission costs according to the basic rates.
You may revoke your consent to the processing of your personal data at any time without giving reasons at anfrage@projekt29.de (if such processing is based on consent). Please note that the consent you revoke does not affect the lawfulness of any processing performed in the past and only applies henceforth.
Please contact anfrage@projekt29.de to exercise your rights.
- to complain to a data protection supervisory authority
In addition to the data subject rights outlined above, you also have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.
The supervisory authority of the German federal state in which DEHN has its registered office is responsible.