Reports under the Whistleblower Protection Act
We have set up an internal reporting office in accordance with the German Whistleblower Protection Act, so-called Hinweisgeberschutzgesetz, hereinafter HinSchG. Whistleblowers can contact this office if they have obtained information about violations in connection with their professional activities or or in advance of such activities and wish to report them.
Why a whistleblower protection law?
The Whistleblower Protection Act (HinSchG) is the German implementation of the so-called EU Whistleblower Directive.
The aim of the law
is to protect persons who have obtained information about violations in the course of their professional activities and report them.
For this reason, the HinSchG prohibits any reprisals against whistleblowers.
The essence of the law
is the establishment of reporting offices in companies to which whistleblowers can turn if they have obtained information about violations in connection with their professional activities or in advance of such activities and wish to report them.
Who is protected?
Protected is any person,
- who gives a notice,
- has reasonable grounds at the time of the report to believe the reported violation to be true, and
- the reported violation is covered by the scope of the HinSchG (see "What can be reported as a violation").
How are whistleblowers protected?
The HinSchG wants to encourage whistleblowers to draw attention to abuses in companies and public authorities. Therefore, whistleblowers enjoy extensive protection against reprisals, they can claim damages if necessary and enjoy liability privileges.
The central element is the prohibition of reprisals anchored in the HinSchG: Companies must note that all reprisals, including the threat and attempt of reprisals, are prohibited. In particular, suspension, dismissal, downgrading or denial of promotion, coercion, intimidation, mobbing, but also non-extension of fixed-term employment contracts, damage to reputation, negative performance appraisals, etc. are prohibited.
Who can submit whistleblower reports?
The scope of persons is broad and includes all persons who have obtained information about violations in connection with their professional activities and report them, i.e. in particular:
- Employees, including employees who have already left the company, job applicants, interns, temporary workers, but also.
- self-employed persons providing services, freelancers, contractors, subcontractors, suppliers and their employees.
In addition, persons who support the person making the report as well as persons who do not make the report themselves but are the subject of the report or otherwise affected by the report are also protected.
What can be reported as a violation?
Not every report of a violation of law (violation) is covered by the HinSchG.
The prerequisite is always that the violations must relate to the employer/company or another body with whom or which the reporting person was or is in professional contact.
In other respects, however, the scope of protection regulated under Section 2 HinSchG is very broad. Persons providing information enjoy the protection of the HinSchG if they report violations of the following regulations:
- Violations of penal regulations, this includes any penal criminal regulations under German law.
- Violations punishable by a fine (i.e. administrative offenses), but here there is the restriction that the violated norm serves to protect life, limb or health or to protect the rights of employees or their representative bodies. This includes in particular violations of
- Work-and Healthprotection in relation to employment or professional contact
- the Minimum Wage Law (Mindestlohngesetz) or
- the German Personnel Leasing Act (Arbeitnehmerüberlassungsgesetz).
- Violations of certain national or European legal provisions, in particular those relating to environmental protection, money laundering, product safety, data protection, and the protection of privacy and confidentiality in electronic communications.
The whistleblower system may not be used for false accusations; reporting knowingly false information is prohibited.
What is considered a violation?
Violations are acts or omissions in the context of a professional, entrepreneurial or official activity that are unlawful and can be reported as a violation (see "What can be reported as a violation?"). This may also include abusive acts or omissions.
What is information about violations?
Information about violations is reasonable suspicion or knowledge of actual or potential violations,
- that is or has been disclosed to the employing entity where the whistleblower works, or
- at another entity with which the whistleblower is or has been in contact as a result of the whistleblower's his employment,
- have already been committed or are very likely to be committed.
This includes information about attempts to conceal such violations.
How you can report clues?
Here, there is a right to choose between internal and external reporting. However, according to the HinSchG, internal reporting is to be preferred.
Therefore, the HinSchG obliges the employer or the company to set up an internal reporting office and to create incentives for whistleblowers to first contact the respective internal reporting office before reporting to an external reporting office.
All reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports and the persons supporting them in fulfilling these tasks have access to the incoming reports.
How is the internal reporting system at ]init[ designed?
]init[ sees the establishment of the internal reporting system as a useful early warning system that enables us to review and respond to the information, promote compliance and optimize our value culture.
Although there is no legal obligation, we also offer the option of anonymous communication between whistleblowers and the reporting office to reduce inhibition thresholds and support our understanding of compliance in our internal reporting channel.
]init[ takes the handling of whistleblower reports very seriously, processes every submitted whistleblower notice and initiates investigations where possible and necessary.
An important pillar of the whistleblower system is the principle of fair trial. It guarantees the greatest possible protection for whistleblowers, those affected and employees who help to clarify the reported misconduct.
No discrimination against whistleblowers or anyone who contributes to investigations will be tolerated. The presumption of innocence applies to the individuals involved until the violation is proven.
All whistleblower notices submitted will be treated with absolute confidentiality.
The internal reporting office is staffed by independent contact persons who are not subject to directives.
To make our internal reporting system as simple and trustworthy as possible for whistleblowers, we have commissioned an external and independent law firm to receive and pre-screen reports.
Message via the hotline
You can reach the whistleblower hotline at +49 30 23 59 87 057.
Message via e-mail
Notifications can be sent by e-mail to the following e-mail address, which will be received directly by the aforementioned external law firm: meldung.init@meldemanagement.de.
How is your personal data protected?
Without your consent, your identity will not be disclosed to the persons authorized to process whistleblower reports. However, depending on the information provided, it may not be possible to rule out the possibility of drawing conclusions about the whistleblower.
We process personal data as part of the whistleblower system solely for the purpose of investigating the reported incident, ending any breach and preventing similar incidents in the future.
The legal basis for the data processing is the fulfillment of a legal obligation (Art 6 para 1 lit. c DSGVO), as we are legally obliged to operate a whistleblower system. In addition, data processing is necessary to protect our legitimate interests (Art 6 para 1 lit. f DSGVO), as we have a great interest in the early detection, clarification and prevention of breaches of the law and misconduct.
In the case of your consent, the processing of your personal data is based on Art 6 para 1 lit. a DSGVO.
As a matter of principle, ]init[ AG ensures that your personal data is only accessible to a limited number of authorized persons who need to know this data in order to process the reports and investigate the reported violations. Any person who gains access to the data is bound to confidentiality.
In some circumstances, there may be a legal obligation to disclose information about you to other entities (e.g., government agencies or courts).
Further data protection information on our whistleblower system can be found at the bottom of this page.
How do you reach the external reporting office?
In addition to the option of submitting reports to our own reporting office, whistleblowers under the HinSchG also have the option of contacting external reporting offices.
Further information on these options is available on the website of the Federal Office of Justice:
Data protection information on the whistleblower system of ]init[ AG
Here you can find out how we handle your personal data when you use our whistleblower system.
I Receiving whistleblowing reports via the external hotline
In order to make our internal reporting system as simple and trustworthy as possible for whistleblowers, we have commissioned the external and independent law firm orka Partnerschaft mit beschränkter Berufshaftung (mbB) - hereinafter referred to as orka - with the receipt and preliminary review of reports.
orka carries out the receipt and preliminary review of the reports under its own responsibility and not as part of commissioned processing. In this respect, the following data protection information from orka applies:
Reports on compliance issues (“whistleblowing reports”) can be made to the law firm orka by
- using a whistleblowing hotline which can be contacted at the following telephone number: +49 30 23 59 87 057 or
- writing an e-mail to the following e-mail address:
- meldung.init@meldemanagement.de or
- on the occasion of a personal meeting (location/ time to be arranged)
- all means of communication referred to as “hotline” in the following.
This hotline can be used to report information on violations of regulations within the scope of the Whistleblower Protection Act (cf. sections 2, 3 HinSchG) as well as - in addition - information on all administrative offenses and other compliance violations relating to ]init[ AG.
Whistleblowing-reports are passed on to ]init[ AG by orka. Whistleblowers can make use of the hotline without being obliged to provide their name or other personal information that could identify them to the persons authorised by ]init[ AG to process whistleblower reports. In the following, we provide information on data processing within the framework of the hotline:
1. Responsible Body (Controller)
Responsible for data processing is:
orka Partnerschaft mbB
Kaistraße 6, 40221 Düsseldorf
Telefon: +49 211 60035-0
Website: www.orka.law
orka does not act as a processor of ]init[ AG.
2. Data Protection Officer
You can reach the data protection officer of orka as follows:
E-Mail: datenschutzbeauftragter@orka.law
3. Purpose and Scope of Data Processing
As part of the hotline, orka processes data provided by whistleblowers solely for the purpose of receiving, legally assessing, documenting and transmitting the information to the unit of ]init[ AG responsible for processing the report (in the following: “designated unit”). The data processing by orka is carried out in relation to the legal obligation and in order to protect the legitimate interest if ]init[ AG to provide the opportunity to report possible criminal offenses, administrative offenses and other compliance violations by means of the hotlines (Art. 6 para. 1 lit. f GDPR). Insofar as the data processing is performed on the basis of this legitimate interest, data subjects generally have the right to object to the processing of their personal data (Art. 21 GDPR).
The identity of whistleblowers is treated confidentially. The identity will only be disclosed if the whistleblowers consent thereto. This also applies to the telephone number or e-mail address, if these are provided to us. However, it cannot be excluded that the identity of the whistleblowers may be inferred from the information provided. Under certain circumstances, there may also exist legal obligations to pass on information about the identity of the whistleblower to other bodies (e.g. authorities/ courts). Beyond that, personal data is only disclosed to technical service providers as contract processors.
orka stores data, in general, only for the duration of the processing of a report. Afterwards, all data will be completely erased, insofar as there are no legal retention obligations.
If whistleblowers wish to be informed by orka about the respective processing status, they must provide contact data (e-mail address and/or telephone number). orka processes this data exclusively in connection with contacting the whistleblower for the purpose of informing him/her of the processing status on the basis of the whistleblower's consent (Art. 6 para. 1 lit. a GDPR). The consent given can be revoked at any time with effect for the future. The lawfulness of data processing carried out until the consent is revoked remains unaffected. In this context, orka stores data for the duration until the whistleblower has been informed about the processing status, unless the whistleblower has previously revoked his/her consent. In addition, orka only stores the declaration of consent as such for the purpose of evidence.
If whistleblowers wish orka to forward their contact data to the designated unit so that this unit can inform the whistleblower about the respective processing status, they must provide contact data (e-mail address and/or telephone number). orka processes this data exclusively for the purpose of forwarding it to the designated unit on the basis of the whistleblower's consent (Art. 6 para. 1 lit. a GDPR). Consent given can be revoked at any time with effect for the future. The lawfulness of data processing carried out until consent is revoked remains unaffected. In this context, orka stores data until the completion of the transmission of contact data and receiving of an acknowledgement of receipt by the designated unit, unless consent has been revoked by the whistleblower beforehand. In addition, orka only stores the declaration of consent as such for the purpose of evidence.
4. Data Subject Rights
Data subjects generally have a right of access to information about data processing, rectification or erasure or to restriction of data processing or a right of objection as well as a right to data portability. Data subjects also have the right to lodge a complaint with a data protection supervisory authority.
II Processing of reports and investigation of reported violations by ]init[ AG
Further verification of the reports submitted by orka to ]init[ as well as internal investigations are carried out by the internal reporting office established at ]init[ AG.
1. Responsible entity
Responsible for data processing is
]init[ AG für digitale Kommunikation
Köpenicker Str. 9
10997 Berlin
Tel.: +49 30 97006 200
Fax: + 49 30 97006 135
www.init.de
2. Data Protection Officer
You can reach the data protection officer of ]init[ AG as follows: datenschutz@init.de.
We attach great importance to the protection of your personal data and collect, process and use your personal data exclusively in accordance with the principles described below and in compliance with the statutory data protection provisions.
3. Purpose of data processing
The purpose of the whistleblower system and the associated data processing is to receive and process information about (suspected) breaches of the law or serious internal breaches of rules in a secure and confidential manner, insofar as this information relates to ]init[ AG. In addition, the whistleblower system serves to prevent criminal offenses or other violations of the law in connection with an employment relationship or professional contact with ]init[ AG.
4. Legal basis
The legal basis for data processing is the fulfillment of a legal obligation (Art 6 para 1 lit. c GDPR), as we are obliged to operate a whistleblower system under the Whistleblower Protection Act (HinSchG). In addition, data processing is necessary to protect our legitimate interests (Art 6 para 1 lit. f GDPR), as we have a great interest in the early detection, clarification and prevention of violations of the law and misconduct.
In case of your consent, the processing of your personal data is based on Art. 6 para 1 lit. a GDPR.
5. Categories of personal data
The following data is processed as part of the whistleblower system:
- Information about the accused/participant (e.g. surname, first name, title, contact details, position and employment details),
- Details of the (alleged) breach of conduct and the relevant facts,
- If you submit your report anonymously, no personal data about you will be collected. However, depending on the information provided, conclusions about your person possibly cannot be ruled out,
- In the case of non-anonymous reports, personal data such as name, contact details and, if applicable, personal information on the circumstances communicated with your report will be processed.
6. Recipients or categories of recipients of the personal data
As a matter of principle, ]init[ AG ensures that your personal data is only accessible to a limited number of authorized persons who need to know this data in order to process the reports and investigate the reported violations.
The processing of the notice is therefore only carried out with those persons whose area of responsibility is affected by the notification and with whom it can be assumed that a clarification of the case can succeed.
Any person who gains access to the data is obligated to maintain confidentiality.
Personal data will only be transferred to recipients outside our company if we are legally entitled or obliged to do so. Under these conditions, external recipients of personal data may be, for example, authorities, courts, consultants, experts or legal representatives.
7. Duration of data storage
Personal data will be retained for the period of time necessary to investigate and make a final assessment of the whistleblower notice. After completion of the investigation, the documentation of a whistleblower report and all information related to it will be stored for a period of three (3) years from the date of completion. In the event of the initiation of judicial/official regulatory proceedings, data can be stored until the end of the proceedings or the expiration of appeal periods.
8. Automated decision making
In the context of the whistleblower system, no automated decision-making pursuant to Art. 22 GDPR takes place.
More information
Further information on data protection at ]init[ AG can be found here.