Privacy

Data protection information Art. 13, 14 GDPR for the processing of reports in accordance with the Whistleblower Protection Act (HinSchG) 

(as of 09.01.2024)
 

1. Name and contact details of the person responsible

Medizinischer Dienst Rheinland-Pfalz
- Board of Directors -
Albiger Strasse 19d
55232 Alzey
Germany
Phone: +49 6731 486-0
E-mail: post@md-rlp.de

Details of the reporting office of the person responsible
Medizinischer Dienst Rheinland-Pfalz
- Reporting office -
Albiger Strasse 19 d
55232 Alzey
Germany
Phone: +49 6731 486-0
Link to the external reporting system: https://md-rlp.advowhistle.de/en
 

2. Contact details of the data protection officer

Data protection officer
- Medical Service Rhineland-Palatinate -
Albiger Strasse 19d,
55232 Alzey
Germany
Phone: +49 6731 486-0
E-mail: datenschutzbeauftragter@md-rlp.de
 

3. Purpose of processing and legal basis

The reporting office processes personal data of 

  • the reporting person
  • persons who are the subject of a report, and
  • other persons named in a report.


Pursuant to Section 10 HinSchG, reporting offices are authorised to process personal data insofar as this is necessary to fulfil their tasks set out in Sections 13 and 24 HinSchG. By way of derogation from Article 9 (1) of Regulation (EU) 2016/679, the processing of special categories of personal data by a reporting office is permitted if this is necessary for the fulfilment of its tasks. In this case, the reporting office must take specific and appropriate measures to protect the interests of the data subject; Section 22 (2) sentence 2 of the Federal Data Protection Act and Section 19 (2) sentence 4 of the Rhineland-Palatinate State Data Protection Act shall apply accordingly.
 
Your personal data will also be processed on the basis of Art. 6 para. 1 sentence 1 lit. c), 9 para. 2 lit. g) GDPR in conjunction with Art. 10 HinSchG. § Section 10 HinSchG, unless the report was submitted anonymously.
The principles of processing personal data (Section 5 GDPR) are complied with.

4. Categories of personal data processed 

In accordance with Section 13 HinSchG, the internal reporting offices operate reporting channels in accordance with Section 16 HinSchG, conduct the procedure in accordance with Section 17 HinSchG and take follow-up measures in accordance with Section 18 HinSchG. The personal data processed in this context is based on the content of the report.
 
To fulfil the above-mentioned purposes, we process the following data categories, for example:

Data category
Basic master data of reporting persons, unless they are anonymous
Details on data category

  • Surname, first name 
  • Contact details (phone, e-mail) 

 
Data category
Personal data about data subjects in the context of notification.
Details on data category

  • Surname, first name 
  • Contact details (phone, e-mail) 
  • Factual data (e.g. potential offences, facts)  

 
Source of the data
Your above-mentioned data originates either 
a) directly from you, if you are the person providing the information, or 
b) indirectly through the content of the report, if you are a person named elsewhere (e.g. accused, witness, injured party).
 
or it is

c) data collected in the course of further research.
 

5. recipients or categories of recipients of the personal data

Internal recipients:
All personal data in the context of this processing is generally processed by the Reporting Centre Officers in accordance with Section 8 (1) sentence 2 HinSchG and only by those bodies that are relevant for taking follow-up measures and for supporting activities.

External recipients:
As a rule, your personal data will not be disclosed without your express consent. In certain cases, however, your personal data may have to be disclosed due to legal regulations or third-party claims for information. In particular, if you intentionally or grossly negligently report incorrect information about offences, your identity is not protected (see Section 9 (1) HinSchG)
 
In addition, your identity may be disclosed under the conditions of Section 9 (2) HinSchG, e.g. in criminal proceedings at the request of law enforcement authorities. In certain cases, your personal data may also have to be disclosed to the data subject as part of a request for information (Art. 15 GDPR) or to fulfil information obligations (Art. 13, 14 GDPR), provided that this does not conflict with the protection of your rights and freedoms, for example (see Sections 11 (1) No. 3, 12 (2) No. 3 LDSG Rhineland-Palatinate).

6. Access to personal data by third parties

Only persons who are responsible for receiving reports or for taking follow-up measures and the persons who support them in the fulfilment of these tasks have access to the information. This is ensured, among other things, by the fact that the personal data is recorded/processed exclusively in a digital whistleblowing system that is operated separately. The provider of the digital whistleblowing system has a TÜV-certified information security management system in accordance with DIN EN ISO/IEC 27001:2017. In this respect, use by third parties can be ruled out. 
 

7. Duration of the storage of personal data

In accordance with Section 11 (5) HinSchG, the documentation must be deleted three years after completion of the procedure. The documentation may be stored for longer in order to fulfil the requirements of this Act or other legal provisions as long as this is necessary and proportionate.
 

8. Rights of data subjects

You have the following rights in connection with the processing of your personal data:

Right to information in accordance with Art. 15 GDPR
In accordance with Art. 15 GDPR, you can request information about your personal data free of charge.

Right to rectification in accordance with Art. 16 GDPR
If you are of the opinion that the data stored about you is incorrect or incomplete, you can request the immediate correction or completion of this data at any time in accordance with Art. 16 GDPR.

Right to erasure in accordance with Art. 17 GDPR
Under the conditions of Art. 17 para. 1 GDPR, you can request the deletion of your personal data stored by us.

Right to restriction of processing in accordance with Art. 18 GDPR
Under the conditions of Art. 18 GDPR, you can request the restriction of the processing of your personal data.

Right to object
Under the conditions of Article 21 GDPR, you can object to data processing

Exercising your rights
Data subjects may consult the Data Protection Officer on all matters relating to the processing of their personal data and the exercise of their rights under this Regulation (Art. 38 para. 4 GDPR).
To exercise your rights, please contact the data protection officer.

9. Right to lodge a complaint

In the event of complaints under data protection law (pursuant to Art. 77 GDPR), you can contact the competent supervisory authority:

The State Commissioner for Data Protection and Freedom of Information Rheinland-Pfalz (Rhineland-Palatinate)
Hintere Bleiche 34, 55116 Mainz, Germany
Phone: +49 (0) 6131 208-2449
Fax: +49 (0) 6131 208-2497
Website: https://www.datenschutz.rlp.de/
E-mail: poststelle@datenschutz.rlp.de