Information pursuant to Articles 13 and 14 of the GDPR for the whistleblower protection system
With this data protection information, we inform you about the processing of personal data when using the whistleblower system. Information on data processing when providing your data via the Enpal website, as well as for contract initiation and execution as a customer of the Enpal B.V. and the use of the Enpal app, can be found at Information on data protection of the Enpal B.V.
Personal data is information relating to an identified or identifiable person. This includes, in particular, information that allows conclusions to be drawn about your identity, such as your name, telephone number, address or email address. However, certain identifiers such as your IP address or the device ID of the terminal you are using also constitute personal data.
The contact person and so-called controller for the processing of your personal data when visiting this website and using the whistleblower protection system within the meaning of the General Data Protection Regulation (GDPR) is
Enpal B.V.
Bödikerstraße 25
10245 Berlin
Email: info@enpal.de
Telephone: +49 30 30 8080 52
If you have any questions about data protection in connection with visiting this website and using the whistleblower protection system, you can also contact our data protection officer at any time. They can be reached at the postal address and the email address below.
You can contact our data protection officer at:
Enpal B.V. Data Protection Officer
Bödikerstr. 25, 10245 Berlin
Email: datenschutz@enpal.de
Enpal B.V. ("Enpal" or "we") uses web-based software, a cloud solution hosted in Germany, which assists in the detection of operational malpractice. The introduction of such a system enables criminal, illegal, morally reprehensible or unfair actions to be detected and prevented at an early stage. This helps to avert incalculable material and immaterial damage as well as damage to reputation.
1. Purpose of data processing
Enpal processes the personal data of the whistleblower, unless the report was submitted anonymously, as well as the personal data of the accused person(s), such as name and other communication and content data, solely for the purpose of receiving and investigating reports of criminal, illegal, morally reprehensible or unfair actions in a secure and confidential manner.
2. Categories of data processing within the whistleblower system
The following information is processed when using the whistleblower system:
· Information about the whistleblower (unless they wish to remain anonymous) and the accused, such as
o First and last name
o Position/title
o Contact details
o Other personal data relating to the employment relationship, if needed
· Personal information identified in the investigation team's reports (see section 4), including details of the allegations made and supporting evidence;
· Date and time of calls (when the tip-off was received via the telephone hotline);
· Any other information identified in the investigation findings and in the follow-up proceedings subsequent to the report, e.g. information about criminal behaviour or data about illegal or improper behaviour, insofar as this has been reported.
3. Legal basis for data processing
The collection of the personal data of the whistleblower in the case of a non-anonymous report is based on consent to processing through the transmission of the data, Art. 6(1)(a) GDPR.
The collection, processing and disclosure of personal data of the persons named in the report serves to safeguard the legitimate interests of Enpal, Art. 6 (1) (f) GDPR. It is in Enpal's legitimate interest to effectively and confidentially uncover, process, remedy and sanction violations of the law and serious breaches of duty by employees throughout the organisation and to avert associated damages and liability risks for Enpal (Sections 30, 130 OWiG).
Directive (EU) 2019/1937 ("EU Whistleblower Directive") and the Whistleblower Protection Act also require the establishment of a whistleblower system to give employees and third parties the opportunity to report legal violations within the company in an appropriate manner.
The transfer of personal data to other recipients in the case of non-anonymous reports may be necessary due to a legal obligation, Art. 6(1)(c) GDPR.
4. Recipients of the data and transfer to third countries
All personal data collected via the web-based software will only be made available to those persons who have a legitimate need to process this data due to their function.
DILICOman GbR, Stuttgarter Str. 37, 74211 Leingarten, is responsible for the initial processing of incoming reports.
If the report is received via the telephone hotline, it is recorded in the reporting system while maintaining the anonymity of the reporter. Hotline employees are bound to secrecy (see below).
At Enpal, only authorised employees from the following departments have access to the data (investigation team):
· Legal & Compliance;
· HR (case-related).
In some cases, the company is obliged to disclose the data to authorities (such as those with legal or regulatory jurisdiction over the employer, law enforcement agencies and judicial bodies) or external advisors (such as auditors, accountants and lawyers).
If the whistleblower has provided his/her name or other personal data (non-anonymous report), the identity will not be disclosed – as far as legally possible – and it will also be ensured that no conclusions can be drawn about the identity of the whistleblower, § 8 HinSchG.
If personal data is processed by external service providers, it is always done on the basis of data processing agreements in accordance with Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR and that all persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality. The whistleblower system is operated on our behalf by DILICOman GbR, Stuttgarter Str. 37, 74211 Leingarten.
No personal data is transferred to third countries (outside the EU/EEA).
5. Duration of processing, deletion of data
Personal data will be stored in the respective procedure for as long as is necessary for clarification and final assessment, or as long as there is a legitimate interest on the part of Enpal or a legal requirement. After that, the data will be deleted in accordance with legal requirements. The duration of storage depends in particular on the seriousness of the suspicion and the reported possible breach of duty.
6. Technical information on the use of the whistleblower system
Communication between your computer and the whistleblower system takes place via an encrypted connection (SSL). Your computer's IP address is not stored while you are using the whistleblower system. To maintain the connection between your computer and the whistleblower system, a cookie is stored on your computer, which only contains the session ID. The cookie only remains valid until the end of your session and becomes invalid when you close your browser.
7. Use of Friendly Captcha
The whistleblower system website uses the "Friendly Captcha" service (www.friendlycaptcha.com).
This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany. Friendly Captcha is a new, privacy-friendly protection solution that makes it more difficult for automated programmes and scripts (known as "bots") to use our website.
To this end, we have integrated a program code from Friendly Captcha into our application before a report is sent, so that the visitor's end device can establish a connection to the Friendly Captcha servers in order to receive a calculation task from Friendly Captcha. The visitor's device solves the calculation task, which uses certain system resources, and sends the calculation result to our web server. The web server contacts the Friendly Captcha server via an interface and receives a response indicating whether the calculation task was solved correctly by the device. Depending on the result, we can apply security rules to requests via our website and, for example, process or reject them.
The data is used exclusively for the protection against spam and bots described above. Friendly Captcha does not set or read any cookies on the visitor's device. IP addresses are only stored in hashed (one-way encrypted) form and do not allow us or Friendly Captcha to identify any individual. If personal data is stored, this data is deleted within 30 days.
The legal basis for processing is our legitimate interest in protecting our website from misuse by bots, including spam protection and protection against attacks (e.g. mass requests), Art. 6(1)(f) GDPR.
Further information on data protection when using Friendly Captcha can be found at https://friendlycaptcha.com/legal/privacy-end-users/.
You are entitled to the rights of data subjects set out in Art. 7(3) and Art. 15–21 GDPR at any time, provided that the respective legal requirements are met:
1. Right to withdraw your consent (Art. 7(3) GDPR)
If you have given your consent as the legal basis for the processing of your data, for example in accordance with Art. 6 para. 1 sentence 1 lit. a or Art. 9 para. 2 lit. a GDPR, you can revoke this consent at any time in accordance with Art. 7 para. 3 GDPR. If you do so, we will stop processing your data, but the lawfulness of the processing remains unaffected until the withdrawal.
2. Right to information about the processing of your personal data (Article 15 GDPR)
In accordance with Art. 15 GDPR, you have the right to request information from us at any time about all data we store about you. This includes, in particular, information about
· the purposes for which we process your data,
· the categories of data we process from you,
· the specific recipients or, if these are not known, the categories of recipients to whom we transfer your data,
· the period for which we store your data or, if this cannot be determined, the criteria under which we store your data, and
· where applicable, the origin of the data if we did not collect it from you.
The restrictions under Sections 34 and 35 of the Federal Data Protection Act must be taken into account with regard to the right to information.
3. Right to rectification of your personal data stored by us that is inaccurate (Art. 16 GDPR)
If your data processed by us is incorrect or incomplete, you can request that we correct or complete this data at any time in accordance with Art. 16 GDPR.
4. Right to erasure (Art. 17 GDPR)
If the original legal basis for data processing no longer applies, or if you have revoked your consent or objected to processing, or if we are not permitted to continue processing your data for any of the other reasons specified in Art. 17(1) GDPR, you may request that we erase your personal data in accordance with Art. 17 GDPR.
You do not have this right if the processing is necessary for the exercise of freedom of expression and information or for the protection of public interests, if there is a legal obligation to do so, or if it is necessary for the assertion, exercise or defence of legal claims.
The restrictions under Sections 34 and 35 of the Federal Data Protection Act must be taken into account with regard to the right to erasure.
5. Right to restriction of processing (Art. 18 GDPR)
In accordance with Art. 18 GDPR, you may also request the restriction of processing. You have this right if you dispute the accuracy of the data, if the processing is unlawful, if we no longer need the data for the specified purposes, or if you have objected to the processing and, in the latter two cases, we are not permitted to continue processing the data for other lawful purposes.
6. Right to object to processing (Art. 21 GDPR)
If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising out of your particular situation. If you object to data processing for direct marketing purposes, you have a general right to object, which we will implement even without you giving reasons.
If you wish to exercise your right to object, simply send an informal message to datenschutz@enpal.de.
7. Right to data portability (Art. 20 GDPR)
In addition, pursuant to Art. 20 GDPR, you may request that we transfer your data to you or another controller in a structured, commonly used and machine-readable format.
8. Other rights
In addition, you have the right to lodge a complaint with the data protection supervisory authority in accordance with Art. 77 GDPR in conjunction with § 19 BDSG. You can exercise this right, for example, with a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement. In Berlin, where we are based, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
Your requests to assert data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for longer if there is reason to assert, exercise or defend legal claims. The legal basis is Art. 6 (1) lit. f GDPR, based on our interest in defending ourselves against any civil law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligation under Art. 5 (2) GDPR.
In the context of the operation of the Enpal website or the initiation and execution of contracts, there is no automated decision-making or profiling within the meaning of Art. 22 GDPR that has legal effect on you or significantly affects you in a similar way.
We occasionally update this data protection information, for example when we modify our website or when legal or regulatory requirements change.