Data Protection

Data processing within the internal whistleblowing system ("Whistleblowing")
You have the option of using our internal whistleblowing system. You should not enter any personal data about yourself. Communication takes place solely via the whistleblower system, using a password that you assign yourself. Depending on the content of your contribution, however, your report may contain personal data of third parties. Personal data that is clearly irrelevant to a report will not be collected or will be deleted immediately if it was collected unintentionally.
Unless you voluntarily provide personal information, you will remain anonymous to us.

Data processing on the website
When you visit our websites, the following usage data is temporarily collected on the web server of the whistleblower system: 
  • Requested element
  • Accessed URL
  • Date and time of the request
  • Protocol used
  • Time zone difference from Greenwich Mean Time (GMT)
  • HTTP status code
The IP address is immediately shortened to ensure an anonymous visit to the website. The data is stored in accordance with the time limits specified below.

A technically necessary session cookie is set for the language settings and information about a login; it is deleted after the session.

In order to protect your data from unwanted access as comprehensively as possible, we take technical and organisational measures. We use an encryption procedure on our site. Your data is transferred from your computer to our server and vice versa via the Internet using TLS encryption. You can recognise this by the fact that the lock symbol is closed in the status bar of your browser and the address line begins with https://.

Purpose of the processing
The whistleblower system gives the employees of the company, as well as third parties, the opportunity to report grievances without themselves becoming visible. This concerns in particular the following issues in the company:
  • crimes or misconduct;
  • serious and flagrant violations of applicable law and/or international agreements;
  • serious threats or endangerment of the public interest of which the whistleblower has personal knowledge;
  • breach of any code of conduct of the company; and
  • threats to the health of employees.

Legal bases for the processing
The processing of the data serves the fulfilment of a legal obligation (Art. 6 para. 1 p. 1 c) GDPR) that follows from the so-called Whistleblower Directive (Directive (EU) 2019/1937 on the protection of persons who report infringements of Union law) and from the national laws of the EU member states based on it; for Germany, from § 10 Whistleblower Protection Act.
The data processing is also carried out in the legitimate interest of the company to be informed about illegal and reportable events and to be able to clarify these internally (Art. 6 para. 1 p. 1 f) GDPR).
Data identifying the whistleblower will only be passed on by the internal reporting office for the purpose of conducting internal investigations on the basis of your consent and insofar as the passing on is necessary for follow-up measures (§ 9 (3) Whistleblower Protection Act).

Storage periods
The notifications are checked and answered within the legally determined deadlines. 
Personal data that is obviously not relevant to, or unsubstantiated in relation to, the allegations or the processing of a specific report is not processed further and is kept only for the purpose of complying with the storage periods.
Pursuant to § 11 (5) of the Whistleblower Protection Act, all receipts must be stored for up to 3 years after the conclusion of the proceedings. Documentation may be kept longer to meet requirements under the Whistleblower Protection Act or other legislation as long as this is necessary and proportionate.

Recipient of the data
The data collected is forwarded by the persons responsible for processing reports within the company and made available to third parties (lawyers, experts, auditors) for analysis and investigation purposes. If necessary, authorities and courts may also be involved.

Transfer of data to countries outside the European Union
The data collected may be made available to recipients outside the European Union on a case-by-case basis to the extent that this is strictly necessary to process the notifications received, in particular to determine the materiality of the infringements. Prior to the transfer of personal data, all measures necessary to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined shall be taken.

You have certain rights in accordance with the applicable data protection regulations - in particular the GDPR and the corresponding regulations in the applicable law of a Member State of the European Union. You can assert these rights against Schindhelm: 

You can request information about the personal data stored about you in accordance with Art. 15 GDPR.
You can request the correction of incorrect personal data in accordance with Art. 16 GDPR.
You may request erasure pursuant to Article 17 GDPR or restriction of the processing of your personal data pursuant to Article 18 GDPR and you may request to receive your personal data provided by you in a structured, commonly used and machine-readable format pursuant to Article 20 GDPR.

If you have given us your consent, you also have the right to revoke this consent at any time with effect for the future.

You also have the option of contacting the competent supervisory authority in the event of complaints about the handling of your personal data.