Privacy

CrefoSupply is our complaints system in accordance with the German Supply Chain Due Diligence Act (LkSG). Employees, customers, business partners or other whistleblowers can use CrefoSupply to report suspected violations of laws and internal rules to the internal reporting centre. CrefoSupply is part of our compliance management system.
  
Who is responsible for data processing?
Creditreform Compliance Services GmbH
Hammfelddamm 13 
41460 Neuss 
Germany 
Tel: +49 2131 109-1089 
Fax: +49 2131 109-81089 
E-Mail: info@creditreform-compliance.de
For questions about data protection: datenschutz@creditreform-compliance.de

What data is processed?
The use of CrefoSupply is voluntary. The following personal data is processed in the case of notifications:
  
a) Whistleblower: Name (if you disclose your identity), contact details (if you provide them) 
b) Persons affected by incidents: First name and surname, information about incidents and suspected violations of laws and regulations 
c) Witnesses and/or third parties named in the whistleblowing alert (e.g. customers, suppliers, colleagues or business partners): First name and surname, contact details
  
What do we process your data for and on what legal basis?
The above-mentioned data is processed for the purpose of detecting and preventing serious misconduct and avoiding and defending against particularly drastic or existence-threatening legal consequences and damage both for our organisation (criminal prosecution, claims for damages, reputational damage, supervisory measures) and for our employees and other stakeholders. The legal basis for the processing is a legal obligation (pursuant to Art. 6 para. 1 lit. c GDPR) to comply with the requirements of the LkSG (pursuant to Section 8 LkSG). In addition, the processing is based on the overriding legitimate interest of our organisation (pursuant to Art. 6 para. 1 lit. f GDPR), which is to achieve the above-mentioned purposes. The data input is exclusively voluntary on the part of the complainant and the data is processed exclusively for processing the enquiry in question. In this respect, the interests of the data subjects coincide with our interests.
 
Who receives my data?
The platform is operated and administered by Creditreform Compliance Services GmbH (hereinafter referred to as CCS), which provides the Compliance Office on behalf of the Grieshaber Verwaltungsgesellschaft mbH. CCS processes compliance data in order to review the reported incidents, initiate and conduct investigations and, where necessary, take remedial action. As part of the checks, investigations and remedial action to be taken, it may be necessary to pass on information about a reported incident to employees of other departments or to the management of CCS, other Creditreform companies, external advisors (e.g. legal advisors) or the competent authorities. We may also be obliged to report a reported incident to the competent authorities and the persons concerned.

CrefoSupply is operated on our behalf by the specialised software service provider iComply GmbH, Große Langgasse 1a, DE-55116 Mainz. iComply GmbH is contractually obliged to maintain strict confidentiality and to comply with all data protection requirements. The data centre operator has no access to data of any kind; it is used exclusively to store the application and the data stored in it.
  
What data security measures does CrefoSupply have in place?
Personal data and information entered in CrefoSupply is stored in a database operated by iComply GmbH in an ISO/IEC 27001-certified data centre in Germany. Access to the data is only possible for CCS. iComply GmbH and other third parties have no access to the data. This is guaranteed by comprehensive technical and organisational measures in a certified process. All data is encrypted and stored with multi-level password protection, so that access is restricted to a very narrow circle of expressly authorised persons. Communication between your end device and CrefoSupply takes place via an encrypted connection. The IP address of your end device is not stored during use.
          
What data protection rights are you entitled to?
You have the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right of access and the right to erasure.

Right to object in accordance with Art. 21 GDPR: You can object to the processing of your data at any time, provided that it is processed on the basis of a balancing of interests (Art. 6 para. 1 lit. f GDPR). In this case, we will no longer process your data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.

In addition, you have the right to lodge a complaint with a data protection supervisory authority of your choice (Art. 77 GDPR in conjunction with Section 19 BDSG). 

You can contact us at any time if you have further questions on the subject of data protection or the processing of personal data. Please use the contact details given above. 

How long will the personal data be stored?
Personal data will be stored for as long as required for clarification and final assessment or for as long as the company has a legitimate interest or is required by law. This data is then deleted in accordance with legal requirements. If a report proves to be unfounded, the report and the personal data it contains will be deleted immediately.