BIOTRONIK is legally obliged to set up a whistleblowing system. We fulfil this obligation with our whistleblowing system "iWhistle". Employees, customers, business partners or other whistleblowers can use iWhistle to report suspected violations of laws and internal rules to the internal reporting office. The internal reporting office is managed by employees of BIOTRONIK's Compliance Department, as the employees are independent and have the appropriate expertise. The whistleblower system is part of our Compliance Management System.
Who is responsible for data processing?
The person responsible for processing your personal data is
BIOTRONIK Corporate Services SE, Corporate Legal Compliance, Sieversufer 7-9, DE-12359 Berlin, [firstname.lastname@example.org]
If you have specific questions about data protection at BIOTRONIK, you can contact our data protection officer. You can send an email to email@example.com.
What data is processed?
The use of iWhistle is on a voluntary basis. When a report is submitted, the following personal data may be processed:
- Whistleblower: name (if you disclose your identity), contact details (if you provide them).
- Persons affected by incidents: first and last name, information about incidents and suspected violations of the law and rules.
- Witnesses and/or third parties named in the report (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details.
When you use iWhistle, server-side IP anonymisation and data encryption are applied. There is therefore no IP tracking and no cookies are set. The use of iWhistle is completely anonymous, so that no conclusions can be drawn about the reporting person.
For what purpose and on what legal basis do we process your data?
The above-mentioned data is processed for the purpose of uncovering and preventing serious wrongdoing, and of avoiding and warding off particularly drastic or existence-threatening legal consequences and damages both for our organisation (criminal prosecution, claims for damages, damage to our image, supervisory measures) and for our employees. The legal basis for the processing is a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR to comply with the requirements under the EU Whistleblower Directive of 23.10.2019 (EU 2019/1937) as well as the national implementing laws in this regard.
Who receives my data?
Recipients of your report are selected employees of the Compliance Department. As part of the audits, investigations and remedial measures to be taken, it may be necessary to pass on information on a reported incident to appropriate specialist departments of the company, external advisors (e.g. legal advisors) or to the competent authorities. iWhistle is operated by the specialised software service provider iComply GmbH, Große Langgasse 1a, DE-55116 Mainz, as a processor on our behalf.
What data protection rights do you have?
You have the right to request information free of charge about the personal data stored about you, its origin and recipient and the purpose of the data processing. If we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds arising from your particular situation (right of objection). In addition, you have the right to correct incorrect personal data, the right to delete personal data, the right to restrict the processing of personal data, and the right to data portability (if the data was collected and processed on the basis of your consent). You can contact us at any time about this and other questions on the subject of personal data. Finally, you have the option of lodging a complaint with the supervisory authority if you believe that the processing of your data violates data protection law or your data protection rights have otherwise been violated in any way.
How long will personal data be stored?
Personal data is stored for as long as clarification and final assessment require or as required by law. Afterwards, this data will be deleted in accordance with the legal requirements. If a report proves to be unfounded, the report and the personal data it contains will be deleted immediately. The information and reports are regularly deleted after 6 months. For documentation purposes, a final assessment is also stored.