Data protection whistleblower system

PDF-Download: Data protection whistleblower system

Data protection information in accordance with Art. 13 GDPR on reporting breaches of law and regulations to the whistleblower system

The following data protection information explains the whistleblower system and informs you about the use of the system and about personal data processed in this context.

Employees at the European locations of Plansee HPM and GTP as well as Plansee Group Service GmbH, Matmatch GmbH and Plansee Holding AG (hereinafter referred to as "companies" or “company”) or external persons may report indications of legal or regulatory breaches that are not insignificant and which occur in a company. Suspected cases may also be reported if they occur outside of the companies if the suspected case could have an impact on a company.

There are several ways available for whistleblowers to report suspicious cases. Suspicious cases may be brought to the attention of the whistleblower's manager within the departments. The manager forwards the information to the relevant offices. However, a whistleblower may also report directly to the following offices within companies:

The Compliance Committee of the relevant divisional parent company or lead company is responsible for receiving reports within a company division. This is where reports may be notified directly.

Information relating to Plansee Group Service GmbH must be reported to the Compliance Committee of Plansee Group Service GmbH.

If the information concerns Plansee Holding AG or Matmatch GmbH, the responsible body for receiving reports will be the Compliance Committee of Plansee Holding AG.

However, there is also an option to report suspicious cases via an external legal ombudsman's office. The external legal ombudsman's office protects the identity of whistleblowers who do not wish to reveal their identity. Whistleblowers will receive an acknowledgement of receipt within 7 days and feedback relating to the content of their report within 3 months.

Further processing of information is carried out by the Compliance Committee in accordance with the general principles for handling suspicious cases.

Responsible for receiving reports at the external legal ombudsman's office is:

FS-PP Berlin Rechtsanwaltsgesellschaft mbH
Potsdamer Platz 8
10117 Berlin

The following are appointed as ombudspersons:
Lawyer Dr. Rainer Frank,
Lawyer Dr. Leonie Lo Re.

A. Definitions

Since both the whistleblower and the person to whom a notice refers are data subjects in accordance with Article 4 (1) of the GDPR, the following terminological distinction is made in this data protection information for the sake of clarity:

Whistleblower: The person who provides a report.

Data subject: The person to whom a reference refers, as well as other persons named in the report.

B. Purposes of data processing

The whistleblower system serves to receive and address cases of suspicion concerning serious breaches of laws and regulations. In this way, criminal acts carried out within the company and from the company should be identified and prevented. The system for reporting suspicious cases is also an instrument for guarding against corruption.

The purpose of establishing an external legal ombudsman's office is to allow employees and external parties to report suspicious cases in a safe and confidential way.

The purpose of establishing an external ombudsman's office is to receive, process and manage or, if necessary, forward information about legal and regulatory violations inside and outside the organisation of companies with effects on the companies in a secure and confidential manner.

The companies also want to protect the rights of their employees, external persons as well as persons to whom a whistleblower refers within the framework of the whistleblower system and to limit the collection of personal data to the minimum necessary.

For this reason there must be no disclosure of sensitive information, such as racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership as well as data relating to the state of health or sexual life of the whistleblower and the data subject, which is not absolutely necessary for the reported facts and the grounds for suspicion.

C. Legal basis for data processing

The processing of the whistleblower's personal data in the context of whistleblowing is based on consent from the whistleblower in accordance with Art. 6 (1) sentence 1 lit. a) GDPR. This takes place through the voluntary transfer of information to the ombudsman's office or the Compliance Committee.

1. Legal basis of data processing by the companies

Processing of personal data by the Compliance Committee is carried out in accordance with Art. 6 (1) sentence 1 lit. f) GDPR based on a legitimate interest of the companies in identifying, preventing and combating unlawful conduct within the companies and from the companies.

2. Legal basis for data processing by the external ombudsman

The processing of personal data in the context of conveying reports to the external legal ombudsman is carried out in accordance with Art. 6 (1) S. 1 lit. f) GDPR based on a legitimate interest of the ombudsman in the fulfilment of the contract as ombudsman with Plansee Group Service GmbH for the detection and prevention of breaches of law and regulations.

For other purposes, personal data collected in the context of a report are not processed by the companies and the ombudsman's office.

No automated decision-making including profiling according to Art. 22 (1) and (4) GDPR takes place.

D. Categories of processed data

Depending on whether the whistleblower reports the information to the external legal ombudsman or direct to the Compliance Committee, the following personal data relating to the whistleblower is collected:

1. In the case of a report to the external legal ombudsman's office:

By telephone or letter: It is possible to convey reports anonymously; apart from that, only the personal data that is conveyed (e.g. name, contact option) is collected.

Please note: For anonymous reports by telephone, the call number transfer must be disabled; otherwise the number of the connection used will appear in the telephone system.

By e-mail or fax: e-mail address or fax number, are automatically collected for technical reasons. When sending a report by fax, please note that the fax number can also be used to establish a personal reference. When a report is sent by e-mail, the company e-mail account should not be used if the report is to be conveyed anonymously. Apart from this, only the personal data conveyed (e.g. name, further contact options) will be collected.

Via the FS-PP BKMS® system: please obtain information direct from the input screen there about the data protection information that applies in this respect.

2. In the case of a report, directly or indirectly (via the respective manager) to the Compliance Committee:

By telephone or e-mail: Name, e-mail address, position/function within the company or from an external whistleblower, and if applicable the telephone number, which is already collected for technical reasons when contact is made.

Personal: Name, position/function within the company or from external whistleblowers, other contact details to be agreed if necessary.

3. Processing of personal data of data subjects

The personal data collected on data subjects will be that which is provided by the whistleblower. As a rule, this will be at least the following data: Name, function in the company, action that prompted the report.

E. Recipient of data

I. In a case of whistleblowing within the companies

All information provided by the whistleblower will be reviewed and subjected to an initial assessment by the aforementioned relevant office. If the whistleblower provides a report to a manager, the information will be forwarded by the manager to the Compliance Committee for evaluation of the report. If an examination of the content of the reported case of suspicion necessitates it, the information will be forwarded by the Compliance Committee to the relevant departments and evaluated there before a final decision is made concerning measures to be taken.

1. Transfer to the data subject

In accordance with Art. 14 (5) (d) of the GDPR, in deviation from Art. 14 (1)-(4) of the GDPR, the data subject will not be informed if information would be disclosed which, by its nature, makes the achievement of the purposes of processing impossible or is seriously detrimental to it. The data subject will be informed in accordance with Article 14 (1)-(4) of the GDPR at the latest when the investigation of the suspected case is completed.

II. Reports via FS-PP Berlin

All information conveyed by the whistleblower will be received by the ombudspersons in confidence and the content will be examined with regard to a breach of law or rules. The whistleblower will receive an acknowledgement of receipt from FS-PP Berlin no later than 7 days after receipt of the information.

As a matter of principle, the ombudspersons' examination takes place in two steps. In an initial examination, the submitted material is checked to see whether the report even relates to a relevant issue. Only if this is the case will the material be subsequently examined in detail in respect of an initial suspicion based on facts. The whistleblower will receive feedback on the course of the proceedings no later than 3 months after receipt of the information.

1. Conveyance to the companies

In the absence of authorization from the whistleblower documented by FS-PP, no disclosure will be made to the Compliance Committee of the companies. Depending on the whistleblower's authorization, the information will be forwarded with or without the identity of the whistleblower.

The companies have irrevocably waived their rights to information from the lawyer's contract with FS-PP Berlin in respect of data relating to the identity or identifiability of whistleblowers unless in the individual case, in the opinion of FS-PP Berlin, there is an urgent fact-based case of suspicion that the whistleblowers have intentionally made a false accusation.

2. Conveyance to data subjects

In accordance with Art. 14 (5) (d) GDPR in conjunction with Section 29 BDSG (Federal Data Protection Act) (legal professional privilege), in deviation from Art. 14 (1)-(4) GDPR, the data subject will not be notified if information would be disclosed which, by its nature, needs to be kept secret, in particular on account of overriding legitimate interests of a third party. This includes, in particular, maintaining the confidentiality of the whistleblower's identity.

F. Source of the data

Whistleblowers (e.g. employees, business partners, suppliers, customers, other external parties, etc.) or documents provided by whistleblowers.

G. Storage period

I. Company

If the investigation of the suspected case does not indicate any violation of law or duty, the data will be erased immediately after completion of the investigation.

If the facts submitted give rise to a suspicion of a breach of law or duty but do not yet substantiate it, the data will be erased 2 months after conclusion of the investigation.

If the report gives rise to a suspicion of a breach of law or duty and a legal dispute takes place subsequently, the data will be retained in accordance with Article 17 (3) (3) GDPR for as long as is necessary for the assertion, exercise or defence of legal claims.

II. FS-PP Berlin

Personal data associated with reports given will be retained for 6 years in accordance with § 50 BRAO (Federal Lawyer Ordnance).

In the case of notifications not conveyed to one of the companies the period begins at the end of the calendar year in which the notification was received; in the case of notifications conveyed the period starts at the end of the calendar year in which the process was completed in the companies.

H. Rights of data subjects and whistleblowers

1. Right of objection

If processing is carried out to safeguard legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR), you will have the right to object to the processing of your personal data at any time for reasons arising from your particular situation in accordance with Art. 21 GDPR. Please note: if there are overriding legitimate grounds for processing in accordance with Art. 17 (1) (c) GDPR, your objection cannot be complied with.

If you wish to exercise your right to object, just send an e-mail to dataprotection(at) or datenschutzbeauftragter(at)

2. Other rights

You also have

the right, in accordance with Art. 7 (3) GDPR, to revoke your consent to the processing of data at any time. This means that from the time of the revocation, the data processing based on this consent may no longer continue. To do so, just send an e-mail to dataprotection(at) and datenschutzbeauftragter(at)

  • in accordance with Art. 15 GDPR the right to receive information about your personal data processed by us, unless the exception of Art. 23 (1) lit. d) and lit. i) GDPR in conjunction with Section 29 (1) sentence 2 BDSG applies;
  • the right in accordance with Art. 16 GDPR to have inaccurate or incomplete data concerning you rectified without delay;
  • the right to have your personal data erased in accordance with Art. 17 GDPR;
  • the right to restriction of the processing of your personal data in accordance with Art. 18 GDPR;
  • the right to data portability in accordance with Art. 20 GDPR. This means you have the right to receive the personal data relating to you in a structured, commonly used and machine-readable format or to demand that we transfer it to another data controller;
  • in accordance with Art. 77 GDPR, in the case of complaints relating to data protection law you may contact a regulatory authority, in particular the regulatory authority in the member state of your place of residence, your place of work or the alleged place of the infringement.