Data processing Information

In the following, we inform you about the collection and processing of personal data in connection with a report under the Whistleblower Protection Act (HinSchG)

Data protection controller within the meaning of Art. 4 No. 7 GDPR

Technical University of NurembergUlmenstraße 52i90443 Nuremberg

Contact details of the official data protection officer of the Technical University of Nuremberg

insidas GmbH & Co. KG vertreten durch Kilian Bauer
Wallerstraße 284032 Altdorf
dataprotection@utn.de

Purposes of data processing

The purpose of data processing is to improve the enforcement of Union law and policies and national law by providing information on breaches.

Legal bases

Art. 6 (1) (c) GDPR, Art. 9 (2) (g) GDPR, § 10 HinSchG

Categories of personal data and origin

Number	Name of data	Origin
1	Name and/or other identifying data of the whistleblower	whistleblower
2	Contact details (usually e-mail address) of the whistleblower	whistleblower
3	Name and/or other identifying data of persons who are the subject of a report or who are otherwise named in a report	whistleblower
4	Contents of the report (including any subsequent additions)	whistleblower
5	Documentation of the notification and the procedure according to § 17 HinSchG	created by Ombudsperson
6	Verbatim transcript of the (remote) oral report	created by Ombudsperson
7	Minutes of the contents of the (remote) oral report	created by Ombudsperson
8	Audio recording of the message or meeting	whistleblower / created by ombudsperson
9	Perceptions at a meeting	Ombudsperson
10	Account data	created by Meldestelle / Technische Universität Nürnberg
11	Usage data and logging of changes	by using the system

Categories of data subjects

Data Category (No.)	Category of affected persons
1, 2, 4-11	whistleblower
4-11	Ombudsmen (employees of the reporting office)
3-8	Persons who are the subject of a report and other persons named in a report

Categories of recipients

The identity of the whistleblower is initially only known to the ombudspersons, i.e. employees of the reporting office in the IT Law Unit of the University of Würzburg. The identity of the whistleblower will only be passed on to the Technical University of Nuremberg if this is necessary for any follow-up measures and if the whistleblower has previously consented in text form. If other persons are named in the report, their identity will only be passed on to the Technical University of Nuremberg if they have given their consent or if this is necessary for the follow-up measures. Otherwise, the report will be anonymized and abstracted and forwarded to the Technical University of Nuremberg so that confidentiality is maintained. However, the protection of confidentiality does not apply without exception. On the one hand, whistleblowers who report incorrect information intentionally or through gross negligence are not protected. On the other hand, in certain cases provided for by law, information on the identity of whistleblowers may be passed on to competent authorities, such as law enforcement and fine authorities. For further details, please refer to the following tabular overview.

Data Category (No.)	Receiver	Reason for disclosure
1-11	The Ombudsperson	Operation of the reporting office, including receipt of reports and conduct of proceedings pursuant to Section 17 of the Whistleblowing Act
1-8, 10,11	IT Law Unit of the University of Würzburg; Sub-processor: LegalInnovate Technologies GmbH, An der Niers 6, 47608 Geldern and its sub-processors	Operation of the whistleblower platform
1	Competent bodies according to § 9 para. 2 and 3 HinSchG (law enforcement authorities, fine authorities, bodies responsible for taking follow-up measures inside and outside the Technical University of Nuremberg, etc.)	Occasions pursuant to Section 9 (2) and (3) HinSchG (criminal prosecution, fine proceedings, internal and external follow-up measures, etc.); in this case, the identity of the whistleblower is only disclosed below the requirements of § 9 (1) to (3) HinSchG
3	Competent bodies according to § 9 para. 4 HinSchG (law enforcement authorities, fine authorities, bodies responsible for taking follow-up measures inside and outside the Technical University of Nuremberg, etc.)	Occasions according to § 9 para. 4 HinSchG (criminal prosecution, fine proceedings, Nuremberg University of Technology internal and external follow-up measures, etc.); in this case, the identity of the whistleblower is only passed on below the requirements of § 9 (4) HinSchG
4-7	Competent bodies according to § 9 HinSchG (law enforcement authorities, fine authorities, bodies responsible for taking follow-up measures inside and outside the Technical University of Nuremberg, etc.)	Reasons according to § 9 para. 2-4 HinSchG (criminal prosecution, fine proceedings, internal and external follow-up measures, etc.)

Transfer of personal data to a third country

There are currently no plans to transfer data to recipients in third countries.

Envisaged deadlines for the deletion of the different categories of data

Data Category (No.)	Deletion period
1-7	The data will be deleted three years after the conclusion of the procedure. The data may be retained for a longer period of time in order to comply with the requirements of the HinSchG or other legal provisions, as long as this is necessary and proportionate.
8	The data will be deleted after the protocol has been prepared and released. The protocol is usually prepared within one month.
9	The data is "deleted" when the memory fades, and the confidentiality requirement takes the place of deletion.
10, 11	The data will be deleted when the necessity no longer exists.

	Archive law remains unaffected by the deletion periods.

Your rights under the General Data Protection Regulation (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

Information: You can request information as to whether and, if so, which personal data we process about you and receive further information related to the processing (Art. 15 GDPR). Please note that this right to information may be limited or excluded in certain cases (cf. in particular Art. 10 BayDSG).

Rectification: If incorrect personal data is processed, you have the right to rectification (Art. 16 GDPR).

Deletion / restriction of processing: If the legal requirements are met, you can request the deletion of your personal data or the restriction of its processing (Art. 17 and 18 GDPR). However, the right to erasure pursuant to Art. 17 (1) and (2) GDPR does not exist, among other things, if the processing of personal data is necessary for the performance of a task that is in the public interest or is carried out in the exercise of official authority (Art. 17 (3) (b) GDPR) or if there are statutory retention obligations.

Objection: For reasons arising from your particular situation, you can also object to the processing of personal data concerning you by us at any time (Art. 21 GDPR).

If you make use of your rights, we will check whether the legal requirements for this are met. Further limitations, modifications and, where applicable, exclusions of the aforementioned rights may result from the General Data Protection Regulation or national legislation.

Complaint: You have the right to complain to a supervisory authority within the meaning of Art. 51 GDPR about the processing of your personal data. The competent supervisory authority for the Technical University of Nuremberg is the Bavarian State Commissioner for Data Protection, which can be reached at P.O. Box 22 12 19, 80502 Munich or https://www.datenschutz-bayern.de/service/complaint.html. In addition to the right to lodge a complaint, you can lodge a legal remedy in court.

No obligation to provide the data

You are not obliged to provide your data. However, if you do not provide the required data, you will not be able to submit a report or the report cannot be processed.

Legal guarantees

Section 4 of the Whistleblowing Act creates, among other things, legal protection for whistleblowers and other protected persons by prohibiting reprisals and liability for damages. The confidentiality of the identity of data subjects is protected by §§ 8, 9 HinSchG.

External reporting channels

In addition to internal reporting, there is also the option of external reporting channels-

External Federal Reporting Office at the Federal Office of Justice

An overview of additional external reporting offices can be found on the website of the Federal Ministry of Jusitiz.

We would also like to draw your attention to the following established whistleblowing systems – both national and EU-level. Further information on the relevant notification procedures of institutions, bodies, offices and agencies of the European Union can be found here:

Institutions of the European Union:

Bodies of the European Union:

Other bodies of the European Union:

Federal Financial Supervisory Authority

to the whistleblower office of the Federal Financial Supervisory Authority (BaFin)

Bundeskartellamt

to the website of the Bundeskartellamt

Please note that the internal reporting office can regularly provide better information about the deterioration and take targeted follow-up measures.

Terms

The use of the solution is subject to the manufacturer's terms and conditions on the one hand, and on the other hand to the University's Terms of Use for Information Processing Systems and the Terms of Use for the University Network.

Statement on the accessibility of the DPMS whistleblowing system

We make every effort to make our whistleblowing system accessible in accordance with the Bayerische Digitalverordnung (BayDiV).

This accessibility statement applies to the whistleblower system.

Status of compliance with the requirements

Due to the following exceptions, the solution is partially compatible with § 9 BayDiV.

Non-accessible content

The content listed below is not accessible for the following reasons:

Disproportionate burden

Which content is not accessible is still being tested.

Preparation of this Accessibility Statement

This statement was prepared as of July 2, 2023 by means of a self-assessment.

The statement was last reviewed in June 2023.

Feedback and contact details

If there are any deficiencies in terms of compliance with accessibility requirements, please contact us at it-recht@digitalverbund.bayern

Responsible for accessibility and processing of messages received under the feedback mechanism is:

Office of IT Law of the Bavarian State Universities and Colleges

c/o Rechenzentrum Universität WürzburgHubland Süd97074 WürzburgPhone.: +49 931 31-84217Threema: https://www.rz.uni-wuerzburg.de/dienste/it-recht/threema-kontakt/

Enforcement

As part of an enforcement procedure, you have the option of submitting an online request to the enforcement body for an audit of compliance with accessibility requirements.

Contact details of the enforcement body

State Office for Digitalization, Broadband and SurveyingIT Service Center of the Free State of BavariaEnforcement and Monitoring Office for Barrier-Free Information TechnologySt.-Martin-Straße 4781541 Munich

E-Mail: bitv@bayern.de
Internet: www.ldbv.bayern.de/digitalisierung/bitv.html

Login