+++ New: Flexibly BUY or RENT your Enpal solar solution. +++
Information pursuant to Articles 13 and 14 of the GDPR for the whistleblower protection system
With this data protection information, we inform youabout the processing of personal data when using the whistleblower system. Informationon data processing when providing your data via the Enpal website, as well asfor contract initiation and execution as a customer of the Enpal B.V. and theuse of the Enpal app, can be found at Information on data protection of the Enpal B.V.
Personal data is information relating to an identifiedor identifiable person. This includes, in particular, information that allowsconclusions to be drawn about your identity, such as your name, telephonenumber, address or email address. However, certain identifiers such as your IPaddress or the device ID of the terminal you are using also constitute personaldata.
The contact person and so-called controller for the processing of your personal data when visiting this website and using the whistle blower protection system within the meaning of the General Data Protection Regulation (GDPR) is
Enpal B.V.
Bödikerstraße 25
10245 Berlin
Email:info@enpal.de
Telephone: +49 30 30 8080 52
If you have any questions about data protection inconnection with visiting this website and using the whistleblower protectionsystem, you can also contact our data protection officer at any time. They canbe reached at the postal address and the email address below.
Youcan contact our data protection officer at:
Enpal B.V. Data Protection Officer
Bödikerstr. 25, 10245 Berlin
Email: datenschutz@enpal.de
Enpal B.V. ("Enpal" or "we") usesweb-based software, a cloud solution hosted in Germany, which assists in the detection of operational malpractice. The introduction of such a system enables criminal, illegal, morally reprehensible or unfair actions to be detected and prevented at an early stage. This helps to avert incalculable material and immaterial damage as well as damage to reputation.
1. Purpose of data processing
Enpal processes the personal data of the whistle blower, unless the report was submitted anonymously, as well as the personal data of the accused person(s), such as name and other communication and content data, solely for the purpose of receiving and investigating reports of criminal, illegal, morally reprehensible or unfair actions in a secure and confidential manner.
2. Categoriesof data processing within the whistleblower system
Thefollowing information is processed when using the whistleblower system:
· Information about thewhistleblower (unless they wish to remain anonymous) and the accused, such as
o Firstand last name
o Position/title
o Contactdetails
o Otherpersonal data relating to the employment relationship, if needed
· Personal information identified inthe investigation team's reports (see section 4), including details of theallegations made and supporting evidence;
· Date and time of calls (when thetip-off was received via the telephone hotline);
· Any other information identifiedin the investigation findings and in the follow-up proceedings subsequent tothe report, e.g. information about criminal behaviour or data about illegal orimproper behaviour, insofar as this has been reported.
3. Legalbasis for data processing
Thecollection of the personal data of the whistleblower in the case of anon-anonymous report is based on consent to processing through the transmissionof the data, Art. 6(1)(a) GDPR.
The collection, processing and disclosure of personaldata of the persons named in the report serves to safeguard the legitimateinterests of Enpal, Art. 6 (1) (f) GDPR. It is in Enpal's legitimate interestto effectively and confidentially uncover, process, remedy and sanctionviolations of the law and serious breaches of duty by employees throughout theorganisation and to avert associated damages and liability risks for Enpal (Sections30, 130 OWiG).
Directive (EU) 2019/1937 ("EU WhistleblowerDirective") and the Whistleblower Protection Act also require theestablishment of a whistleblower system to give employees and third parties theopportunity to report legal violations within the company in an appropriatemanner.
The transfer of personal data to other recipients in the case of non-anonymousreports may be necessary due to a legal obligation, Art. 6(1)(c) GDPR.
4. Recipientsof the data and transfer to third countries
All personal data collected via the web-based softwarewill only be made available to those persons who have a legitimate need toprocess this data due to their function.
DILICOmanGbR, Stuttgarter Str. 37, 74211 Leingarten, is responsible for the initialprocessing of incoming reports.
If the report is received via the telephone hotline,it is recorded in the reporting system while maintaining the anonymity of thereporter. Hotline employees are bound to secrecy (see below).
AtEnpal, only authorised employees from the following departments have access tothe data (investigation team):
· Legal & Compliance;
· HR (case-related).
In some cases, the company is obliged to disclose thedata to authorities (such as those with legal or regulatory jurisdiction overthe employer, law enforcement agencies and judicial bodies) or externaladvisors (such as auditors, accountants and lawyers).
If the whistleblower has provided his/her name orother personal data (non-anonymous report), the identity will not be disclosed– as far as legally possible – and it will also be ensured that no conclusionscan be drawn about the identity of the whistleblower, § 8 HinSchG.
If personal data is processed by external serviceproviders, it is always done on the basis of data processing agreements inaccordance with Art. 28 GDPR. In these cases, we ensure that the processing ofpersonal data is carried out in accordance with the provisions of the GDPR andthat all persons authorised to process personal data have committed themselvesto confidentiality or are subject to an appropriate legal duty ofconfidentiality. The whistleblower system is operated on our behalf byDILICOman GbR, Stuttgarter Str. 37, 74211 Leingarten.
Nopersonal data is transferred to third countries (outside the EU/EEA).
5. Durationof processing, deletion of data
Personal data will be stored in the respectiveprocedure for as long as is necessary for clarification and final assessment,or as long as there is a legitimate interest on the part of Enpal or a legalrequirement. After that, the data will be deleted in accordance with legalrequirements. The duration of storage depends in particular on the seriousnessof the suspicion and the reported possible breach of duty.
6. Technicalinformation on the use of the whistleblower system
Communication between your computer and thewhistleblower system takes place via an encrypted connection (SSL). Yourcomputer's IP address is not stored while you are using the whistleblowersystem. To maintain the connection between your computer and the whistleblowersystem, a cookie is stored on your computer, which only contains the sessionID. The cookie only remains valid until the end of your session and becomesinvalid when you close your browser.
7. Useof Friendly Captcha
The whistleblower system website uses the"Friendly Captcha" service (www.friendlycaptcha.com).
This service is provided by Friendly Captcha GmbH, AmAnger 3-5, 82237 Wörthsee, Germany. Friendly Captcha is a new, privacy-friendlyprotection solution that makes it more difficult for automated programmes andscripts (known as "bots") to use our website.
To this end, we have integrated a program code fromFriendly Captcha into our application before a report is sent, so that thevisitor's end device can establish a connection to the Friendly Captcha serversin order to receive a calculation task from Friendly Captcha. The visitor'sdevice solves the calculation task, which uses certain system resources, andsends the calculation result to our web server. The web server contacts theFriendly Captcha server via an interface and receives a response indicating whetherthe calculation task was solved correctly by the device. Depending on theresult, we can apply security rules to requests via our website and, forexample, process or reject them.
The data is used exclusively for the protectionagainst spam and bots described above. Friendly Captcha does not set or readany cookies on the visitor's device. IP addresses are only stored in hashed(one-way encrypted) form and do not allow us or Friendly Captcha to identifyany individual. If personal data is stored, this data is deleted within 30days.
The legal basis for processing is our legitimateinterest in protecting our website from misuse by bots, including spamprotection and protection against attacks (e.g. mass requests), Art. 6(1)(f)GDPR.
Further information on data protection when usingFriendly Captcha can be found at https://friendlycaptcha.com/legal/privacy-end-users/.
You are entitled to the rights of data subjects setout in Art. 7(3) and Art. 15–21 GDPR at any time, provided that the respectivelegal requirements are met:
1. Right to withdraw your consent(Art. 7(3) GDPR)
If you have given your consent as the legal basis forthe processing of your data, for example in accordance with Art. 6 para. 1sentence 1 lit. a or Art. 9 para. 2 lit. a GDPR, you can revoke this consent atany time in accordance with Art. 7 para. 3 GDPR. If you do so, we will stopprocessing your data, but the lawfulness of the processing remains unaffecteduntil the withdrawal.
2. Rightto information about the processing of your personal data (Article 15 GDPR)
In accordance with Art. 15 GDPR, you have the right torequest information from us at any time about all data we store about you. Thisincludes, in particular, information about
· the purposes for which we processyour data,
· the categories of data we processfrom you,
· the specific recipients or, ifthese are not known, the categories of recipients to whom we transfer yourdata,
· the period for which we store yourdata or, if this cannot be determined, the criteria under which we store yourdata, and
· where applicable, the origin ofthe data if we did not collect it from you.
The restrictions under Sections 34 and 35 of theFederal Data Protection Act must be taken into account with regard to the rightto information.
3. Rightto rectification of your personal data stored by us that is inaccurate (Art. 16GDPR)
If your data processed by us is incorrect orincomplete, you can request that we correct or complete this data at any timein accordance with Art. 16 GDPR.
4. Rightto erasure (Art. 17 GDPR)
If the original legal basis for data processing nolonger applies, or if you have revoked your consent or objected to processing,or if we are not permitted to continue processing your data for any of theother reasons specified in Art. 17(1) GDPR, you may request that we erase yourpersonal data in accordance with Art. 17 GDPR.
You do not have this right if the processing isnecessary for the exercise of freedom of expression and information or for theprotection of public interests, if there is a legal obligation to do so, or ifit is necessary for the assertion, exercise or defence of legal claims.
The restrictions under Sections 34 and 35 of theFederal Data Protection Act must be taken into account with regard to the rightto erasure.
5. Rightto restriction of processing (Art. 18 GDPR)
In accordance with Art. 18 GDPR, you may also requestthe restriction of processing. You have this right if you dispute the accuracyof the data, if the processing is unlawful, if we no longer need the data forthe specified purposes, or if you have objected to the processing and, in thelatter two cases, we are not permitted to continue processing the data forother lawful purposes.
6. Rightto object to processing (Art. 21 GDPR)
If we process your data on the basis of legitimateinterests, you have the right to object to the processing of your data at anytime for reasons arising out of your particular situation. If you object todata processing for direct marketing purposes, you have a general right toobject, which we will implement even without you giving reasons.
If you wish to exercise your right to object, simplysend an informal message to datenschutz@enpal.de.
7. Rightto data portability (Art. 20 GDPR)
In addition, pursuant to Art. 20 GDPR, you may requestthat we transfer your data to you or another controller in a structured,commonly used and machine-readable format.
8. Otherrights
In addition, you have the right to lodge a complaintwith the data protection supervisory authority in accordance with Art. 77 GDPRin conjunction with § 19 BDSG. You can exercise this right, for example, with asupervisory authority in the Member State of your place of residence, yourplace of work or the place of the alleged infringement. In Berlin, where we arebased, the competent supervisory authority is: Berlin Commissioner for DataProtection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
Your requests to assert data protection rights and ourresponses to them will be stored for documentation purposes for a period of upto three years and, in individual cases, for longer if there is reason toassert, exercise or defend legal claims. The legal basis is Art. 6 (1) lit. fGDPR, based on our interest in defending ourselves against any civil law claimsunder Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling ouraccountability obligation under Art. 5 (2) GDPR.
In the context of the operation of the Enpal websiteor the initiation and execution of contracts, there is no automateddecision-making or profiling within the meaning of Art. 22 GDPR that has legaleffect on you or significantly affects you in a similar way.
We occasionally update this data protectioninformation, for example when we modify our website or when legal or regulatoryrequirements change.