Privacy policy for the MHH whistleblower system

The protection of your data is a top priority for us. In the following, we would like to inform you about the collection, processing and use of personal data within the framework of the whistleblower system if you submit a report via the contact form, by e-mail, telephone call, letter or by appearing in person at the MHH. Personal data is any information relating to an identified or identifiable natural person. Please read this data protection information very carefully before submitting a report.

I. Purpose and legal basis of processing

The purpose of data processing is communication with persons providing information in accordance with Section 17 HinSchG, the documentation of information received in accordance with Section 11 HinSchG and the implementation of follow-up measures in accordance with Section 18 HinSchG.

The whistleblower system is used to receive and process reports of violations of the law or internal regulations against MHH in a secure and confidential manner.

The processing of all personal data contained in the report is based on Art. 6 para. 1 lit. c and Art. 9 para. 2 lit. g GDPR in conjunction with Section 10 HinSchG, unless the notice was submitted anonymously. Furthermore, the processing of personal data which are general inquiries is based on Art. 6 para. 1 lit. a GDPR.

The lawfulness of the data processing is based on Art. 6 para. 1 lit. a) EU GDPR or Art. 6 para. 1 lit. f) EU GDPR. In accordance with our legitimate interest pursuant to Art. 6 para. 1 lit. f) EU GDPR, we anonymize personal data under certain circumstances. In this case, the data does not contain any information or identifiers relating to specific persons.

If files (images and documents) are sent via this form, this constitutes consent to the processing of this data. This also applies to transmitted special categories of personal data, such as health data. In accordance with Art. 9 para. 2 lit. b) GDPR, MHH processes these exclusively for the clarification of the underlying facts of the notification.

The company's legitimate interest in clarifying and sanctioning misconduct follows from the company's legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR.

II. Duration of storage of personal data

Your personal data will be stored and processed on the server of the MHH data center in accordance with data protection regulations, in particular the GDPR. Employees of the MIT of the MHH and the Legal department - Compliance division have access to the data.

Any personal data provided will be used to clarify the underlying facts of the report.

After collection, your data will be stored by the MHH Department MIT, the Administrative Unit Legal - Compliance and, if applicable, other departments, insofar as their cooperation is required for the respective processing of the report, for as long as this is necessary for the respective task fulfillment, taking into account the statutory retention periods in relation to the specific data categories. All personal data will be treated according to the so-called "need-to-know" principle and anonymized or deleted as soon as possible, but at the latest after three years in accordance with Section 11 (5) HinSchG, after processing has been completed. If criminal, service or labor law proceedings arise from the information, the storage period may be extended if necessary.

III. Forwarding of the data

The personal data is stored and processed on the server of the MHH data center in accordance with data protection regulations, in particular the GDPR. Employees of the ZIMt, Administrative Unit Legal - Compliance have access to the data. Any personal data provided will be used to clarify the underlying facts of the report.

The personal data will only be passed on within MHH to those areas and persons who need this data to fulfill the legal obligations or to implement the legitimate interest of MHH. Personal data may be passed on to the responsible public prosecutor's office in the event of criminal offenses. They will not be passed on to third countries.

IV. Risks of data processing and security measures

The confidentiality of personal data in notices is ensured by suitable security measures (e.g. central security concepts, the underlying IT infrastructure, authorization concepts).

V. Legal rights as a data subject

You have the following legal rights in connection with the processing of your personal data:

  • In accordance with Art. 15 EU GDPR, you have the legal right to request information about the data stored by us.
  • In accordance with Art. 16 EU GDPR, you have the right to have incorrect data corrected.
  • In accordance with Art. 17 EU GDPR, you have the right to have your data deleted, provided there is no legal reason for further storage.
  • In accordance with Art. 18 EU GDPR, you have the legal right to request that the processing of your data be restricted. This means that your data will still be stored, but may only be processed under limited conditions (e.g. with your consent or to assert legal claims).
  • In accordance with Art. 20 EU GDPR, you have the legal right to data portability with regard to all data that you have provided to us. This means that we will provide you with this data in a structured, commonly used and machine-readable format.

You can also withdraw your consent at any time. In this context, please note the information under "Purpose of the whistleblower system and data processing". You also have the right to lodge a complaint with a competent supervisory authority, e.g.

State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hannover
www.lfd.niedersachsen.de

To exercise these rights, please send an email to compliance@mh-hannover.de.
You have the legal right to lodge a complaint with the Data Protection Officer or a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR or other laws (Art. 77 GDPR).

VI. Contact person

The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is Hannover Medical School, Carl-Neuberg-Str. 1, 30625 Hannover, e-mail: pressestelle@mh-hannover.de (see our legal notice). You can contact our Data Protection Officer at Data Protection@mh-hannover.de or at our postal address with the addition "The Data Protection Officer, OE 0007".