Horst Brandstätter Group - Compliance

Data Protection information

Whistleblower portal

Transparency and information obligations according to DSGVO (General Data Protection Regulation)

Applies to whistleblowers, as well as other persons involved in the facts of the case within the framework of the whistleblower system.

With this document we inform you about the processing of your personal data by the participating companies of the Horst Brandstätter Group and the rights you are entitled to under data protection law.

1. responsible party/data protection

The responsible entity for data processing is the respective participating company to which the notification refers.

Contact Data Privacy:

2. categories/origin of data

If you make a report via our whistleblower system, the personal data you provide will be processed in order to handle your report and, if necessary, take further action. In principle, you have the option of making anonymous reports. The personal data processed depends on the content of your report.

We may process your personal data in the event that you are an accused person or other person involved in the matter in order to check the report made via the whistleblower system and to investigate the alleged compliance and legal violations. The data that is processed depends on the specific report in each case and also on what information, for example, a whistleblower has provided about you. For example, the following data may be processed:

  • Contact data (e.g. private address, mobile, landline number, e-mail address, if applicable)
  • Master data (surname, first name, name affixes, date of birth)
  • Photos/video recordings
  • Time recording data
  • Special types of personal data e.g. health data

3. purposes and legal bases of data processing

When processing your personal data, the provisions of the DS-GVO (in Germany additionally the BDSG and all other legal provisions, such as BetrVG, ArbZG, etc.) are always complied with.

If you are a reporting person, your data will be processed on the basis of your voluntary information and within the framework of the statutory provisions, Art. 6 para. 1 sentence 1 lit. a, lit. c GDPR (in Germany additionally in conjunction with §10 HinSchG and §8 LkSG) and, in the event that you are employed by us, in accordance with Art. 88 GDPR (in Germany additionally in conjunction with § 26 para. 2 BDSG). If we provide the whistleblower system without being legally obliged to do so, your data will be processed on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR.

In addition, we process your personal data as a data subject if this is necessary to protect the legitimate interests of the company or a third party (Art. 6 para. 1 lit. f, lit. c DS-GVO (in Germany also in conjunction with § 130 OwiG, §10 HinSchG and §8 LkSG). We have a legitimate interest in processing the personal data for the prevention and detection of violations and grievances that are reported via the whistleblower portal of our company. In addition, your personal data is processed insofar as this is necessary for the fulfillment of legal obligations.

4. storage period of the data

As soon as your data is no longer required for the above-mentioned purposes and no further storage obligations exist, it will be deleted.

5. recipients of the data/categories of recipients

In our company, we ensure that only those persons receive your data who need it to process the whistleblower's report submitted via the whistleblowing system.

The internal registration office is run by atarax. Further information on the processing of your data can be found at

In certain cases, service providers (e.g. IT service providers) support us in fulfilling our tasks. The necessary data protection contracts have been concluded with all service providers.

Depending on the focus of responsibility of the report and for the effective initiation of follow-up measures, the personal data may be passed on to our relevant specialist departments.

Furthermore, in cases prescribed by law, we are obliged to transmit certain information to bodies such as: Investigating authorities.

6. third country transfer/intent to transfer

Data is only transferred to third countries (outside the European Union or the European Economic Area) if this is absolutely necessary for processing the notification, is required by law or you have given us your consent.

Otherwise, we do not transfer your personal data to any service provider or group company outside the European Economic Area.

7. rights of the data subjects

The rights for you as a data subject are standardized in Art. 15 - 22 EU-DS-GVO.

This includes:

  • The right to information (Art. 15 EU-DS-GVO)
  • The right to rectification (Art. 16 EU-DS-GVO)
  • The right to erasure (Art. 17 EU-DS-GVO)
  • The right to restriction of processing (Art. 18 EU-DS-GVO)
  • The right to object to processing (Art. 21 EU-DS-GVO)
  • The right to data portability (Art. 20 EU-DS-GVO)

Insofar as you have voluntarily provided data as the reporting person, you can revoke the consent for any data processing at any time with a view to the future.

To revoke the consent and assert the other rights, please contact: The same applies if you have questions about data processing in our company or would like to revoke a granted consent. In addition, you can lodge a complaint against data processing with a data protection supervisory authority.

If we process your data to protect legitimate interests, you may object to this processing at any time on grounds relating to your particular situation.

We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

8. automated individual case decisions

We do not use purely automated processing to bring about a decision.

9. data processing on this website

You can find more information about the processing of your data at https://www.horst-brandstaette...