Privacy

CrefoSupply is our complaints system in accordance with the LkSG. Employees, customers, business partners or other whistleblowers can use CrefoSupply to report suspected violations of laws and internal rules to the internal reporting office. CrefoSupply is part of our compliance management system.

Who is responsible for data processing?
The person responsible for processing your personal data is:
Creditreform Compliance Services GmbH
Hammfelddamm 13
41460 Neuss
Germany
Tel: +49 2131 109-1089
Fax: +49 2131 109-81089
E-mail: info@creditreform-compliance.de

What data is processed?
The use of CrefoSupply is on a voluntary basis. In the case of tips, the following personal data is processed:
a) Whistleblower: name (if you disclose your identity), contact details (if you provide them)
b) Persons affected by incidents: first name and surname, information about incidents and suspected violations of the law and regulations
c) Witnesses and/or third parties named in the notice (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details

For what and on what legal basis do we process your data?
The above-mentioned data is processed for the purpose of detecting and preventing serious wrongdoing and avoiding and defending against particularly drastic or existence-threatening legal consequences and damages both for our organization (criminal prosecution, claims for damages, damage to our image, supervisory measures) and for our employees. The legal basis for the processing is a legal obligation (pursuant to Art. 6 para 1 lit b DSGVO) to comply with the requirements under the EU Whistleblower Directive of 23.10.2019 (EU 2019/1937) and the national implementing laws in this regard. In addition, the processing is based on the overriding legitimate interest of our organization (pursuant to Art. 6 para 1 lit f DSGVO), which is to achieve the above purposes.

Who receives my data?
The platform is operated and administered by Creditreform Compliance Services GmbH (hereinafter CCS), which provides the Compliance Office on behalf of Creditreform Compliance Services. CCS processes compliance data in order to review reported incidents, initiate and conduct investigations, and take remedial action where necessary. As part of the reviews, investigations, and remedial actions to be taken, it may be necessary to share information about a reported incident with employees of other departments or with the management of Creditreform Compliance Services, other Creditreform companies, external advisors (e.g., legal counsel), or the relevant authorities. We may also be required to report a reported incident to the relevant authorities and to the affected individuals.
CrefoSupply is operated by the specialized software service provider iComply GmbH, Große Langgasse 1a, DE-55116 Mainz, on our behalf. iComply GmbH is contractually obligated to maintain strict confidentiality and to comply with all data protection requirements. The data center operator has no access to data of any kind; it serves exclusively to store the application and the data stored in it.

What data security measures does CrefoSupply have?
Personal data and information entered into CrefoSupply are stored in a database operated by iComply GmbH in an ISO/IEC 27001 certified data center in Germany. Only CCS can inspect the data. iComply GmbH and other third parties have no access to the data. This is guaranteed in a certified procedure by comprehensive technical and organizational measures. All data is encrypted and stored with multi-level password protection, so that access is limited to a very narrow circle of explicitly authorized persons. Communication between your end device and CrefoSupply takes place via an encrypted connection. The IP address of your end device is not stored during use.

What data protection rights do you have?
You have the right, upon request and free of charge, to receive information about the personal data stored about you, its origin and recipient, as well as the purpose of data processing.
If we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds arising from your particular situation (right of objection). In addition, you have the right to correct incorrect personal data, the right to delete personal data, the right to restrict the processing of personal data, and the right to data portability. For these matters, as well as other questions on the subject of personal data, you can contact us at any time at datenschutz@creditreform-compliance.de. Finally, you have the option of lodging a complaint with the supervisory authority if you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been violated in any way.

How long is the personal data stored?
Personal data is stored for as long as required for clarification and final assessment, or if there is a legitimate interest of the company or this is required by law. Afterwards, this data will be deleted in accordance with the legal requirements. If a tip proves to be unfounded, the tip together with the personal data it contains will be deleted immediately.