Data protection information - Whistleblowing
Purpose and Legal Basis
Our whistleblower system is intended for all those who act in good faith and have a reasonable suspicion that the mdw or its associated bodies and employees have violated relevant EU law.
The mdw collects and processes sensitive and personal data about individuals who are suspected of having violated relevant (EU) norms, as well as about other individuals mentioned in the corresponding reports.
Violations of relevant (EU) law can be reported anonymously through our whistleblower system. Therefore, individuals reporting suspected violations are not obliged to provide personal information. However, it cannot be ruled out that, during the examination of the report, mdw may obtain information that allows conclusions to be drawn about the identity of the person making the report, such as name, date of birth, address, contact details, or professional data. In addition, non-anonymous reporting is possible by providing one's own name and contact details.
The data transmitted via the whistleblower system is processed on behalf of mdw by external providers of the whistleblower system in use. These providers are contractually bound by a so-called data processing agreement and do not access the contents of the reports.
Initially, the reports are processed by the internal employees responsible for the whistleblower system. If necessary, additional individuals will be involved insofar as this is required for the examination and clarification of suspected violations of legal regulations, legal provisions, and/or the company's own policies. The group of people who have access to incoming reports is strictly obliged to maintain the confidentiality of the report and its contents.
Furthermore, the recipient may be obliged to report or disclose certain facts to authorities such as the tax office or the public prosecutor's office, as well as to disclose certain information to administrative authorities, courts, or the public prosecutor's office. The disclosure of data is based on Art. 6 Para. 1(c) of the GDPR in conjunction with the corresponding special regulations, especially Sec. 7 of the HSchG.
After the closure of the case files, all relevant personal data will be stored for five years. Personal data that are not needed for the processing of a report will be immediately deleted.
As a subject of the data processing, you have rights under Art. 15-21 of the GDPR, vis-à-vis the mdw, of access, rectification, erasure, restriction of processing, and transfer of data. To exercise these rights or for other data protection concerns, please contact our Data Protection Officer at email@example.com.
Please note that under Sec. 8 Para. 9 of the HSchG, these rights are not applicable insofar as necessary to protect the identity of a whistleblower, persons referred to in Sec. 2 Para. 3(1, 2) or Para. 1(4). This limitation ensures the objectives outlined in Sec. 1 Para. 2(1) of the HSchG can be met, primarily in preventing any hindrance, circumvention, or delay in the reporting process or in any follow-up measures. This applies, in particular, for the duration of an administrative or judicial proceeding or an investigation procedure under the Code of Criminal Procedure (StPO).
If you believe that the processing of your personal data by us violates applicable data protection law or your data protection claims have been violated in another way, you can file a complaint with the responsible supervisory authority (in Austria: the data protection authority, firstname.lastname@example.org).
Data protection officer at Anton-von-Webern-Platz 1, 1030 Vienna, by email at email@example.com, or by phone at 01 71155 6046