Data Protection Compliance Whistleblower System

Introduction

We look forward to hearing from you soon. wenglor sensoric GmbH (hereafter referred to as “wenglor”, "we” or “us”) places great importance on the security of users’ data and compliance with data protection regulations. In the following, we would like to inform you about the processing of your personal data as part of the compliance report.

Responsible Body and Data Protection Officer

Responsible body:
wenglor sensoric GmbH, wenglor Str. 3, 88069 Tettnang / Germany
Tel.: +49 (0)7542 5399 0
E-mail: info@wenglor.com

External Data Protection Officer:
DDSK GmbH
Tel.: +49 (0)7542 949 21 -0
E-mail: gdpr@wenglor.com

Terms

The technical terms used in this data protection declaration are to be understood as legally defined in Art. 4 GDPR.

Information on Data Processing for Reports of Compliance Violations

We offer the option of contacting our ombudsman for the purpose of reporting compliance violations. On receipt of a compliance report, we process the data of the reporting person to the extent necessary to process the report. If facts are presented that relate to an identified or identifiable person in our company, we process the data about the person affected by this information to the extent that it was communicated to us by the reporting person.

You can find out more about the further processing of your personal data by our ombudsman here.

Details on the processing of your data on our website can be found in the separate data protection notices that we provide to you as part of the notification.

Information we collect about you as a reporting person:

Data categories: name, contact details (e.g. your address, e-mail address, telephone or fax number), factual data that may relate to you (the data you provide may vary depending on the individual case and the report made)
Purposes of processing: processing the report of a compliance violation based on and in accordance with our legal or operational obligations, in particular based on European and national whistleblower laws contact to obtain further information about the violations you have reported evaluation of your information in connection with the specified violations
Legal basis: legitimate interest in compliance with internal regulations and ethical principles (Art. 6 para. 1 lit. f) GDPR), fulfillment of legal obligation (Art. 6 para. 1 lit. c) GDPR in conjunction with Directive (EU) 2019/1937)

Information we collect about you as a data subject:

Categories of affected persons: Person affected by a report
Data categories: name, contact details, if necessary further characteristics for exact identification of the relevant person in the company
Content of the report: details of the relevant violation of internal, national or European legal requirements, if these allow conclusions to be drawn about a natural person
Purposes of processing: processing the report of compliance violations based on and in accordance with our legal and internal obligations, in particular on the basis of the corresponding national and European laws; contacting to clarify the facts of the case in order to obtain further information about the violations reported in connection with you; analysis of the facts of the case and comparison with past reports
Legal basis: legitimate interest in compliance with internal regulations and ethical principles (Art. 6 para. 1 lit. f) GDPR), fulfillment of legal obligation (Art. 6 para. 1 lit. c) GDPR in conjunction with Directive (EU) 2019/1937)

Recipient of the Data

Within the EU

Within our company, the internal offices or organizational units that need your data to achieve the above-mentioned purposes, in particular the investigation of reported compliance violations, will receive your data. In addition, all findings and reports relating to compliance reports are combined within our group of companies to enable us to check for specific patterns across countries. Only information that does not enable a person to be identified is used for this purpose. We store all reports in our global database, which is also used to pass the data on to official databases.

We will only pass on data in such a way that it is not possible to directly identify you (pseudonymised). There is no transfer of data beyond the cases outlined above.

We use a specialist service provider as an ombudsman to record and process reports of compliance violations in accordance with legal and internal requirements. Your data is subject to the same security standards there as with us. The data may only be used within the framework of the contractual agreement, to the extent absolutely necessary and for the purposes specified by us.

Outside the EU

We transfer data to countries outside the EEA, so-called third countries. This is done on the basis of the above-mentioned purposes (e.g. transmission within the Group). The transfer takes place in order to fulfill our contractual and legal obligations or on the basis of a previously granted consent of the data subject. Data is also transmitted in compliance with the applicable data protection laws, in particular taking into account Art. 44 ff. GDPR, e.g. on the basis of adequacy decisions issued by the European Commission or other suitable guarantees (e.g. standard data protection clauses, etc.).

Recipient overview

The following recipients receive your data as part of the data processing described here:
Receiver: DDSK GmbH, Dr. Klein-Str. 29, 88069 Tettnang, Germany
Third-country transfer: No transfer to a third country takes place.

Receiver: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Third-country transfer: There is no adequacy decision for the transmission. The transfer is based on Art. 46 GDPR. Services used are provided by Microsoft, a US provider. The personal data is therefore also processed in a third country. We have concluded a data processing agreement with the provider of the services that meets the requirements of Art. 28 GDPR. The transfer of data to a third country only takes place if the special conditions of Art. 44 et seqq. GDPR are met. The present transfer of data to the USA takes place on the basis of the standard data protection clauses and the amended contractual conditions in accordance with Schrems II judgment. Specifically, Microsoft has made the following provisions in the new contractual clauses:

• the right to compensation for the data subject whose data has been unlawfully processed and who has suffered material or immaterial damage as a result;
• informing the data subject if Microsoft has been legally obliged by a government order to release data to US security authorities;
• Microsoft’s obligation to take legal action and the US courts.

Duration of Storage

We retain the information provided to us in connection with reporting compliance violations for as long as required to fulfill our obligation under national or European laws and regulations to which we are subject. In all other cases, we delete the personal data after the purpose has been fulfilled. In the event of reports of compliance violations, we delete the data 1 year after the case has been processed at the end of the relevant year.
This storage period does not affect data that we process about you on the basis of existing contractual relationships or other circumstances for which we have permission.

Automated Decision-Making

We do not use automated decision-making or profiling, in accordance with Art. 22 GDPR.

Legal Basis

Relevant legal bases arise primarily from the GDPR. These are supplemented by national laws of the Member States and may be applicable together with or in addition to GDPR.

Consent: Art. 6 para. 1 lit. a) GDPR serves as the legal basis for processing activities where we have obtained consent for a specific processing purpose.
Fulfillment of contract: Art. 6 para. 1 lit. b) GDPR serves as the legal basis for processing that is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures that take place at the request of the data subject.
Legal obligation: Art. 6 para. 1 lit. c) GDPR serves as the legal basis for processing that is required to fulfill a legal obligation.
Vital interests: Art. 6 para. 1 lit. d) GDPR serves as a legal basis if the processing is necessary to protect the vital interests of the data subject or another natural person.
Public interest: Art. 6 para. 1 lit. e) GDPR serves as the legal basis for processing that is necessary for the performance of a task in the public interest or in the exercise of official authority assigned to the responsible party.
Legitimate interest: Art. 6 para. 1 lit. f) GDPR serves as the legal basis for processing that is necessary for the protection of the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh the interests or fundamental freedoms of the data subject, in particular if the data subject is a child.

Rights of the Data Subject

Right of access: Data subjects have the following rights in accordance with Art. 15 GDPR, you have the right to request confirmation as to whether we process data relating to you. You can obtain information about this data as well as the data described in Art. 15 para. 1 GDPR and request a copy of your data.
Right to rectification: Data subjects have the following rights in accordance with Art. 16 GDPR, you have the right to request rectification or completion of the data relating to you and processed by us.
Right to erasure: Data subjects have the right pursuant to Art. 17 GDPR, to demand the immediate erasure of the data relating to them. Alternatively, in accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of your data.
Right to data portability: According to Art. 20 GDPR, you have the right to request the provision of the data provided to us by you and to request that it be transferred to another responsible body.
Right to lodge a complaint: Data subjects also have the right to lodge a complaint with the supervisory authority responsible for them in accordance with Art. 77 GDPR.
Right to object: If personal data is processed on the basis of legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f) GDPR, data subjects have the right, in accordance with Art. 21 GDPR, to object to the processing of your personal data if there are reasons for this arising from your particular situation or if the objection is directed against direct advertising. In the latter case, data subjects have a general right to object, which we implement without specifying a special situation.