Data privacy statement regarding the KAMPER Whistleblowing System

The processing of personal data in connection with the establishment and use of the KAMPER Whistleblowing System is based on the legal authorisations/obligations pursuant to Section 8 Austrian Whistleblower Protection Act in conjunction with Art. 6 para. 1 letter c and/or letter e, Art 9 para. 2 letter g and Art 10 General Data Protection Regulation, GDPR.

Persons whose personal data is processed:
1. Whistleblowers
2. Persons affected by whistleblowing
3. Persons who support whistleblowers
4. Persons who may be affected by negative consequences resulting from whistleblowing (e.g. retaliatory measures)

The processing of personal data within the framework of the KAMPER Whistleblowing System is subject to the following conditions: It must be in the public interest to prevent or penalise violations of the law and, for this purpose, to provide information and verify its validity. The processing of personal data shall further be limited to data that is required to ascertain and penalise a violation of the law.

The following personal data may be processed or disclosed to authorities and third parties when the KAMPER Whistleblowing System is used:

• Name and contact details (address, e-mail address, phone number)
• Relationship to our company
• Information on the facts reported
• Other information resulting from the whistleblowing report
• Log data resulting from the processing of the case

Personal data on acts or omissions that are punishable by courts or administrative authorities, in particular also on the suspicion of criminal offences committed, as well as on criminal convictions or preventive measures may also be processed as a matter of principle pursuant to Art. 10 GDPR.

• must be limited to cases of absolute necessity, and
• must be documented in writing.

Personal data as defined in Art. 10 GDPR may only be kept to the extent that is absolutely necessary once the decision on the criminal offence in a procedure in which this data was processed has become final; this data must be stored without processing if possible.

Storage period

Personal data that is not required for the processing of a whistleblowing report may not be collected or will be deleted immediately if it was collected unintentionally.
Personal data that is required to process a whistleblowing report must be stored by a controller for five years from the last time it was processed or transmitted, and for as long as is necessary to conduct administrative or judicial proceedings that have already been initiated, or investigative proceedings under the Code of Criminal Procedure. Personal data must be deleted as soon as the retention obligation no longer applies.
In addition, log data on processing operations carried out in the course of handling a case must be retained from the last time they were processed or transmitted until three years after the afore-mentioned retention obligation no longer applies.

For as long as is necessary and to the extent necessary to protect whistleblowers and persons supporting them or persons who may fear retaliation, for example, and persons affected or involved by follow-up measures, the following data subject rights will not be applied to persons affected by a report, in particular for the duration of administrative or judicial proceedings, or investigative proceedings under the Code of Criminal Procedure. This pertains to the following rights:

• Right to information (Section 43 Austrian Data Protection Act, Art. 13 and 14 GDPR)
• Right to access (Section 1 para. 3 number 1 and Section 44 Austrian Data Protection Act, Art. 15 GDPR)
• Right to rectification (Section 1 para. 3 number 2 and Section 45 Austrian Data Protection Act, Art. 16 GDPR)
• Right to erasure (Section 1 para. 3 number 2 and Section 45 Austrian Data Protection Act, Art. 17 GDPR)
• Right to restriction of processing (Section 45 Austrian Data Protection Act, Art. 18 GDPR)
• Right to object (Art. 21 GDPR)
• Right to communication of a personal data breach to the data subject (Section 56 Austrian Data Protection Act and Art. 34 GDPR).

KAMPER Handwerk+Bau GmbH, Gewerbepark 1, 8434 Tillmitsch, Austria, office@kamper.at, is the controller of the data pursuant to Art. 4 number 7 GDPR.