Information Technology Centre

Whistleblower Protection

General information

The most important points of the Whistleblower Protection Directive in the EU:

  • Introduced to ensure the protection of whistleblowers.
  • Implemented in Germany through the Whistleblower Protection Act
  • Aims to uncover breaches of EU law.
  • Covers areas such as corruption, money laundering, tax evasion and environmental pollution.
  • Creates a harmonised approach across the EU.
  • Protection for whistleblowers acting in good faith.
  • Protection against reprisals such as dismissal, disciplinary action or claims for damages.
  • Secure channel provided for reporting offences.
  • Important for strengthening the rule of law and combating corruption.
  • Promotes transparency, integrity and responsible behaviour in the EU.

Feedback request and licence notice

These publications are licensed without images under a Creative Commons Attribution-ShareAlike 4.0 International Licence.

I am happy to receive suggestions for improvements, typos found or even a thank you.

You can find my contact information on this page or send an e-mail directly to rz-stabsstelle-it-recht@uni-wuerzburg.de.

Sample documents and FAQ

Bavarian state universities are currently required to set up an internal reporting centre.

Who is obliged?

State universities with at least 50 employees

What must be done?

  • Set up reporting channels
  • Establish procedures for dealing with reports
  • Appoint the ombudsperson
  • Provide information on the whistleblower system

Responsible person

...

Contact details of the data protection officer

...

Purposes

Better enforcement of Union law and policy and national law through information on infringements

Legal bases

Art. 6 para. 1 lit. c GDPR, Art. 9 para. 2 j GDPR, § 10 Whistleblower Protection Act

Categories of personal data

Data number | Name of the data
1 | Content of the notification
2 | Documentation of the message
3 | Verbatim record of the (remote) verbal report
4 | Content record of the (remote) verbal report
5 | Audio recording of the report or meeting
6 | Perceptions at a meeting
7 | Account data
8 | Usage data and logging of changes

 

Categories of data subjects

No. for data categories | Category of data subjects
1-8 | Ombudsmen
1-8 | Whistleblowers
1-5 | Employees and employers
1-5 | Other persons mentioned in the notification

 

Categories of internal recipients

No. for data categories | Category of recipient
1-8 | Ombudsmen
1-5 | Parties to be involved in the follow-up

 

Categories of external recipients

No. for data categories | Recipient | Reason for disclosure | Storage location
1-5, 7, 8 | ... | Order processing (maintenance) | ...

 

Transfers of personal data to a third country or to an international organisation

Not currently envisaged

Time limits envisaged for the erasure of the various categories of data

No. for data categories | Deletion period
1-4 | Three years after completion of the procedure
5 | After preparation and approval of the protocol
6 | When the memory fades, the confidentiality requirement takes the place of deletion
7 | When the necessity no longer applies
8 | When the necessity no longer applies

 

The right to archive remains unaffected by the deletion periods.

Technical and organisational measures

Provided for by law

  • Process safeguarding through consent for audio recordings, submission of minutes and digital meetings

Suggestions

  • Possibility of anonymous reports
  • Multi-eyes principle
  • Authorisation management
  • Multi-factor login

Data protection impact assessment

...

Opinion of the data protection officer

...

Responsible person

...

Contact details of the data protection officer

...

Purposes

Better enforcement of Union law and policy and national law through information on infringements

Legal bases

Art. 6 para. 1 lit. c GDPR, Art. 9 para. 2 j GDPR, § 10 Whistleblower Protection Act

Categories of personal data and origin

Data number | Name of the data | Origin
1 | Contents of the message | Informant
2 | Documentation of the report | Created by the ombudsperson
3 | Verbatim record of the (remote) verbal report | Created by the ombudsperson
4 | Content protocol for the (remote) oral report | Created by the ombudsperson
5 | Audio recording of the report or meeting | Created by the ombudsperson
6 | Perceptions during a meeting | Created by the ombudsperson
7 | Account data | Created by responsible person
8 | Usage data and logging of changes | Through use of the system

 

Categories of data subjects

No. for data categories | Category of data subjects
1-8 | Ombudsmen
1-8 | Whistleblowers
1-5 | Employees and employers
1-5 | Other persons mentioned in the notification

 

Categories of internal recipients

No. for data categories | Category of recipient
1-8 | Ombudsmen
1-5 | Parties to be involved in the follow-up

 

Categories of external recipients

No. for data categories | Recipient | Reason for disclosure | Storage location
1-5, 7, 8 | ... | Order processing (maintenance) | ...

 

Transfers of personal data to a third country or to an international organisation

Not currently envisaged

Time limits envisaged for the erasure of the various categories of data

No. for data categories | Deletion period
1-4 | Three years after completion of the procedure
5 | After preparation and approval of the protocol
6 | When the memory fades, the confidentiality requirement takes the place of deletion
7 | When the necessity no longer applies
8 | When the necessity no longer applies

 

The right to archive remains unaffected by the deletion periods.

Rights of data subjects

With regard to the processing of your personal data, you as a data subject have the following rights in accordance with Art. 15 et seq. GDPR, provided that your request is not abusive, manifestly unfounded or excessive:

  • You can request information as to whether we process your personal data. If this is the case, you have a right to information about this personal data and to further information related to the processing (Art. 15 GDPR). Please note that this right to information may be restricted or excluded in certain cases (see in particular Art. 10 BayDSG).
  • In the event that personal data concerning you is not (or no longer) accurate or is incomplete, you may request that this data be rectified and, if necessary, completed (Art. 16 GDPR).
  • If the legal requirements are met, you can request the erasure of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure pursuant to Art. 17 (1) and (2) GDPR does not apply if, among other things, the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 17 (3) (b) GDPR).
  • For reasons arising from your particular situation, you can also object to the processing of your personal data by us at any time (Art. 21 GDPR). If the legal requirements are met, we will then no longer process your personal data.
  • If you have consented to the processing or a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data portability (Art. 20 GDPR).
  • If there is an international transfer of personal data without the basis of an adequacy decision by the EU Commission, you have the right to receive a copy of the contractual guarantees from us on request.
  • If the processing is based on consent, you have the right to withdraw your consent at any time. The revocation only takes effect for the future; this means that the revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.
  • You have the right to complain to a supervisory authority within the meaning of Art. 51 GDPR about the processing of your personal data. The competent supervisory authority for Bavarian public bodies is the Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich. In addition to the right to lodge a complaint, you can also seek a judicial remedy.

Obligation to provide data

Under the obligation to set up internal reporting centres in accordance with Section 12 HinSchG, we may process personal data as part of the reporting and follow-up measures.

Legal guarantees

Section 4 HinSchG provides, among other things, statutory protection for whistleblowers and other protected persons by prohibiting reprisals and liability for damages.

Declaration on the accessibility of the DPMS whistleblowing system

We endeavour to make our whistleblowing system accessible in accordance with the Bavarian Digital Ordinance (BayDiV).

This accessibility statement applies to the whistleblowing system.

Status of compatibility with the requirements

The solution is partially compatible with § 9 BayDiV due to the following exceptions.

Non-accessible content

The content listed below is not accessible for the following reasons:

  • Disproportionate burden

Which content is not accessible is currently still being tested.

Creation of this declaration on accessibility

This declaration was created on 2 July 2023 by means of a self-assessment.

The statement was last reviewed in June 2024.

Feedback and contact details

You can report any shortcomings in terms of compliance with accessibility requirements to us at ...

The party responsible for accessibility and for processing notifications received through the feedback mechanism is

...

Enforcement procedure

As part of an enforcement procedure, you have the option of submitting an online request to the Enforcement Body to check compliance with accessibility requirements.

Contact details of the enforcement body

State Office for Digitisation, Broadband and Surveying
IT Service Centre of the Free State of Bavaria
Enforcement and Monitoring Body for Accessible Information Technology
St.-Martin-Straße 47
81541 Munich

E-mail: bitv@bayern.de
Internet: www.ldbv.bayern.de/digitalisierung/bitv.html

Further information

...

"Ombudsperson" is used here as a term for the person who carries out the tasks of the internal reporting office under the HinSchG.

According to § 15 HinSchG, the ombudsperson must be

  • independent,
  • free from conflicts of interest and
  • knowledgeable.

According to recital 56 of Directive (EU) 2019/1937, on which the HinSchG is based, the following persons should be considered for smaller organisations (probably refers to companies with up to 250 employees):

  • Head of the compliance or HR department
  • Integrity officer
  • Legal or data protection officer,
  • Chief Financial Officer
  • Audit manager
  • Members of the Executive Board.

The aforementioned persons do not always appear to fulfil the legal requirements. In addition, specialised law such as Art. 38 para. 6 GDPR must also be observed.

From the point of view of the staff unit, the following would be particularly suitable:

  • Person without management responsibilities from the legal department
  • Data protection officer, if there is a deputy
  • Internal audit
  • Existing ombudspersons

The German legislator refers to consent in the following constellations:

  • Section 9 Exceptions to the confidentiality requirement
  • Section 11 Audio recordings or transcripts (verbatim record) of a report or meeting
  • Section 16 Video and audio transmission at a meeting

Section 9 (3) HinSchG refers to Section 26 (2) BDSG and its special requirements for consent under data protection law in employee data protection.

The Directive itself does not refer to consent but only to authorisation.

  • Art. 16 Confidentiality requirement
  • Art. 18 Audio recordings or transcripts (verbatim records) of the report and the meeting

With regard to the right to one's own words and image, consent is in any case required under civil law and criminal law.

However, since the directive does not explicitly mention consent with regard to ensuring data processing, consent cannot be assumed under data protection law. Nevertheless, the respective sub-process must be secured by asking for consent, and the data subjects should choose this path voluntarily.

Further information on this topic can also be found in the article "Type and scope of the data processing obligations of internal reporting centres in accordance with the Whistleblower Protection Act", DSB 01/2024, p. 12 - 14.