PRIVACY POLICY – WHISTLEBLOWING SYSTEM
(Updated: 12.12.2023)

PURPOSE OF THIS PRIVACY POLICY:

This Privacy Policy describes which personal data is collected when you use our whistleblowing system SecuReveal (“whistleblowing system”) and how we process this data as the responsible party.

This data protection declaration is addressed to every user of the whistleblower system as well as to potential suspects, witnesses or other third parties named in reports (each “Data subject”).

We process personal data in accordance with the EU General Data Protection Regulation (“GDPR”) and the applicable national data protection laws. Unless otherwise defined in this Privacy Policy, the terms used herein have the same meaning as in the GDPR. 

RESPONSIBILITY 

QMD Services GmbH 
Zelinkagasse 10/3 
1010 Vienna, Austria 

WHAT PERSONAL DATA WE COLLECT AND FOR WHAT PURPOSES WE USE IT 

We process personal data in order to provide you with information about the whistleblower system and to enable the submission and processing of submissions via the whistleblower system. 

The following statements are intended to inform you about how we process personal data about you via the whistleblower system and for what lawful purposes we may use it.  

Website security 

When you visit the whistleblower system via our website, your browser automatically transmits your IP address and other information about the system you are using (such as the browser you are using and the browser version). The processing of this data is necessary in order to make our website available to you correctly on your respective device. The firewall of our processor checks this connection data through automatically generated log files in order to recognise and prevent harmful attacks on our system.  

Legal basis: Article 6 (1) (f) GDPR – legitimate interest in maintaining the functionality, stability and security of our website. 

Receiving reports via the whistleblower system 

The whistleblower system is designed to guarantee whistleblowers the highest possible level of data protection. The whistleblower system can be used anonymously without providing personal data, so that the anonymity of the whistleblower can be fully preserved when submitting a report.  

Data is transmitted exclusively using SSL encryption in order to guarantee the security of the data provided by the whistleblower. We do not use any tracking tools or third-party cookies on the website.   

The whistleblower system uses special encryption methods to ensure that only the respective whistleblower and our responsible compliance officers have access to the report provided. The data contained in the report is therefore only forwarded within our company to the relevant compliance officer; it is not forwarded to third parties in any other way (with the exception of any forwarding to the competent authorities or courts as well as auditors for further investigation of the facts on which the report is based). In particular, there is no possibility of access to data within the report by our processors.  

Depending on the data you provide to us, we process the following personal data:  

  • Identification data of the whistleblower and the accused person (e.g. name, personnel number) 
  • (Private) contact information of the person providing the information (e.g. address, e-mail address, telephone number) 
  • Function in the company 
  • Details of the reported issue 
  • Communication with the compliance officers 
  • Information on follow-up measures (e.g. investigations) 
  • Secondary technical data (IP address of access to the whistleblower system) 

Legal basis: Article 6 (1) (c) GDPR – fulfilment of a legal obligation, namely the provision of an internal whistleblower system pursuant to Section 8 in conjunction with Section 11 of the Whistleblower Protection Act (“HSchG”).

You can also submit reports via our whistleblower system without disclosing your identity. In this case, you will remain anonymous. 

Cookies 

This website also uses cookies. These are small text files that are stored on your device when you visit our website and store certain information about you. 

We only use technically necessary cookies on this website, which are necessary to ensure the proper functionality of the website and the whistleblower system. The use of technically necessary cookies is possible without your consent. However, you can deactivate these cookies at any time via your browser settings. 

Legal basis: Article 6 (1) (f) GDPR – legitimate interest in the proper provision of the website and the whistleblowing system. 

The following technically necessary cookies are set on the website: 

Cookie name | Purpose | Storage duration
PHPSESSID | This cookie is necessary to manage your running session. | Session

RECIPIENTS OF YOUR PERSONAL DATA 

We may disclose your personal data to the following recipients for the above-mentioned purposes: 

  • For the technical hosting of the whistleblowing system: RBS Responsible Business Solutions GmbH based in Vienna (no content data of the report is transmitted, only secondary technical data) and the technical sub-processors A1 Telekom Austria AG and Wolf Rechtsanwälte GmbH & Co KG. 
  • If a disclosure is required (i) by law or regulation or (ii) for the purpose of asserting, exercising or defending legal claims, we may also disclose personal data to competent authorities, such as supervisory, regulatory or criminal authorities, courts or other third parties who advise us in this context (e.g. lawyers, forensic experts or auditors).   

Your data will only be processed within the EEA and will therefore not be transferred to a third country.  

HOW LONG WE STORE YOUR DATA FOR 

Log files (see point 3.3 above) are generally stored for a period of three (3) months. Beyond this period, log files are only stored for the purpose of investigating irregularities or security incidents in our systems. For the storage period of cookies, see point 3.4 above. 

In general, we only store your personal data for as long as is necessary to fulfil the purpose for which it was collected. Once a report has been investigated, any personal data contained therein will be deleted within 6 months of the end of the investigation, unless investigations lead to disciplinary, legal or regulatory action.  

Secondary technical data (IP address of access to the whistleblower system) is processed exclusively in the processor’s firewall and deleted after 24 hours.  

YOUR RIGHTS AS A DATA SUBJECT

As a data subject, you have the following rights in particular under the legally defined conditions in accordance with Art. 15 – 21 GDPR with regard to your personal data: 

  • to check whether and which personal data we have stored about you and to receive copies of this data (right of access by the data subject) 
  • to request the rectification, completion or deletion of your personal data that is incorrect or is not processed in accordance with the law (right to rectification and erasure) 
  • to request us to restrict the processing of your personal data (right to restriction of processing) 
  • under certain circumstances, to object to the processing of your personal data or to withdraw consent previously given for processing (right to object) 
  • to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format and to transfer this data to another controller (right to data portability) 

We do not process your personal data for the purpose of making decisions based solely on automated processing, including profiling, which produces legal effects concerning you (Art. 22 GDPR). 

To exercise any of the above rights, please send an email to Datenschutz(at)qmdservices.com. You also have the right to file a complaint with the competent supervisory authority if you believe that we have violated your data protection rights or have not adequately implemented your data subject rights. For Austria: Austrian Data Protection Authority, Barichgasse 40-42, A-1030 Vienna, www.dsb.gv.at 

UPDATES TO THIS PRIVACY POLICY 

We may update this Privacy Policy to reflect legal, technical or business changes. When we update this Privacy Policy, we will take reasonable steps to notify you of the changes made. The date of the “last update” can be found at the beginning of this privacy policy. 

OUR CONTACT DETAILS 

If you have any questions or other concerns regarding the processing of your personal data by us, please contact Datenschutz(at)qmdservices.com. 

Our business address is:

QMD Services GmbH 
Zelinkagasse 10/3 
1010 Vienna, Austria