Whistleblower System ST Gebäudetechnik GmbH
The following notes provide a simple overview of what happens to your personal data when you use our whistleblower system. We ensure compliance with law and regulations through an appropriate compliance organization, legally secure processes, and other measures to prevent and respond to potential violations. For this purpose, we have introduced a reporting system. Our employees (including applicants and interns), shareholders, as well as employees of contractors, subcontractors, and suppliers can use the whistleblower system to report possible violations of legal requirements or internal regulations ("report") and thus contribute to their investigation and enforcement.
Responsible for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR) is
ST Gebäudetechnik GmbH
Horstweg 53 a
We have appointed a data protection officer for our company, who can be reached at.
Wir haben für unser Unternehmen einen Datenschutzbeauftragten bestellt, erreichbar unter
Waldfeuchter Str. 266
Telefon: +49 2452 – 99 33 11
This website is hosted by an external service provider (host). The personal data collected on this website are stored on the host's servers. These include the data you have entered into the system; other data (log files such as IP address, location, browser used, etc.) are not collected.
The use of the host is to comply with legal requirements (Art. 6 para. 1 lit. c GDPR) and in the interest of a secure, fast, and efficient provision of our whistleblower system by a professional provider (Art. 6 para. 1 lit. f GDPR).
Our host will process your data only to the extent necessary to fulfill its performance obligations and to follow our instructions with respect to such data.
We use the following host:
Conclusion of a contract for order processing
To ensure data protection compliant processing, we have concluded a contract for order processing with our host.
3. Type and extent of data processing
When you send us reports via the whistleblower system, your details from the form, including the contact information you have provided there, will be stored by us for the purpose of processing the request and in the event of follow-up questions. To submit a report, you must enter at least a brief description of the incident; all other information is voluntary. Upon receipt of a report, we are obligated to review it and, if necessary, initiate follow-up measures. In the course of this process, we may, while observing legal requirements, process additional data to investigate the incident.
4. Purpose and legal basis
Your data is processed for the following purposes, on the basis of the following legal grounds:
- Implementation of the employment relationship (§ 26 para. 1 sentence 1 BDSG): Data processing in the context of investigative measures may be necessary, among other things, for the implementation and termination of the employment relationship with employees. This applies, for example, to investigative measures to uncover breaches of employment contract obligations that do not constitute a criminal offense.
- Investigation of criminal offenses (§ 26 para. 1 sentence 2 BDSG): If investigative measures serve to uncover possible criminal offenses in the context of employment relationships, they may be justified according to § 26 para. 1 sentence 2 BDSG. However, we will only base the relevant data processing on § 26 para. 1 sentence 2 BDSG if documented actual indications justify the suspicion of a crime within the employment relationship and the interests of the affected person do not prevail.
- Implementation of legal requirements (Art. 6 para. 1 lit. c GDPR): We are subject to certain laws that obligate us to accept and process reports of compliance violations.
- Legitimate interests (Art. 6 para. 1 lit. f GDPR): We have an interest in improving our compliance management, as well as in investigating received reports.
5. Storage duration
We store your data until the respective incident is resolved. Legal requirements – particularly retention periods – remain unaffected.
6. Data transfer
We will transfer your data only if there is a legal basis for doing so. In the course of the investigative process and to initiate follow-up measures, data may be transferred to the following recipients:
- External ombudspersons: If you submit your report to an external ombudsperson, we need to exchange information with them to initiate the investigative process and possible follow-up measures. The ombudspersons will anonymize the identity of the whistleblower when passing on a report; personal data of the whistleblower will only be passed on with their consent.
- Departments within the company: To investigate the report and initiate follow-up measures, the report may be passed on to an impartial entity within our company while observing legal requirements – particularly while maintaining confidentiality. Should we require the consent of the works council or other representative bodies in the course of the investigative process, we will pass the report on to them.
- Courts, authorities, public bodies & service providers: We may transfer your data to public bodies if we are obliged to do so, for example in the context of criminal investigations. In the course of investigating reports, we may also transfer data to external service providers (law firms, data protection officers, etc.) in compliance with legal requirements.
7. Rights of affected persons
Revocation of your consent to data processing
Many data processing operations are only possible with your explicit consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to object to data collection in special cases (Art. 21 GDPR)
Right to file a complaint with the competent supervisory authority
In the event of violations of the GDPR, affected parties have a right to file a complaint with a supervisory authority, particularly in the member state of their habitual residence, their place of work, or the place of the alleged violation. The right to complain is without prejudice to other administrative or judicial remedies.
Right to data portability
You have the right to receive the data that we process automatically on the basis of your consent or in fulfillment of a contract, handed over to yourself or a third party in a standard, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent it is technically feasible.
Right of access, erasure, and rectification
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of the data processing and, if applicable, a right to rectification or erasure of this data. For this and other questions on the subject of personal data, you can always contact us at the address given in the legal notice.
Right to restrict processing
You have the right to request the restriction of the processing of your personal data. For this purpose, you can contact us at any time at the address given in the legal notice. The right to restrict processing exists in the following cases:
- If you dispute the accuracy of your personal data stored with us, we usually need time to investigate. For the duration of the investigation, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you may request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it to exercise, defend, or assert legal claims, you have the right to request restriction of the processing of your personal data instead of erasure.
- If you have lodged an objection pursuant to Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, these data may – apart from being stored – only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.
An automated decision making process, including profiling, does not take place.