The data controller as described within this data privacy information, is Bundesdruckerei GmbH, Kommandantenstraße 18, 10969 Berlin, Germany, which decides on and designs the external appearance of Maurer Electronics GmbH. The data protection officer at Bundesdruckerei GmbH can be reached at the above address “c/o Data Protection Officer” as well as by e-mail at: datenschutz@bdr.de.

2.1 Categories of Data, Purpose of Processing and Legal Basis

While using Bundesdruckerei websites, applications or online tools (“Online Offering”), we regularly process the following personal data: 

Personal data such as 

• Contact data, such as first name and surname, e-mail address, telephone number, which you enter yourself voluntarily as part of a Bundesdruckerei online service, such as when registering, contacting us, participating in surveys, etc. 

• Information provided as part of a support request 

• Information that is automatically sent to us by your web browser or terminal device, such as your IP address, device type, browser type, previously visited websites, subpages visited or the date and time of the respective visitor request. 

Our basic purposes for processing your personal data are as follows: 

• To enable you to use the services and functions of the Online Offerings 

• To establish your identity and enable user authentication 

• To process your request 

The processing of personal data is necessary to achieve the stated purposes. More details in this regard are provided later on in the data protection information. Extensive information is provided on the individual processing series and the legal basis for processing your personal data.  

2.2 Use of Cookies

When you visit our website, we collect data during an ongoing connection via your Internet browser and by using session cookies, which are necessary for technical reasons. These session cookies make it possible for us to provide the various websites of the Bundesdruckerei Group. They expire at the end of the session. 

Most browsers are set to accept cookies automatically. However, you can deactivate the storage of cookies or set your browser to notify you as soon as cookies are sent. Through the use of cookies, the following information flows to the entity that sets the cookie (we in this case): 

• Date and time the website was accessed 

• Web browser and operating system used 

• Complete IP address of the requesting computer 

• Volume of data transferred 

The legal basis for storing information in the end user’s terminal equipment is Section 25 (2) No. 2 TTDSG. The use of session cookies is absolutely crucial for us as the provider of the Bundesdruckerei Group websites (telemedia service) to be able to render this expressly requested telemedia service. 

2.3 Processing of Log Files

Each time this website is accessed and each time a file is retrieved, data about this process is temporarily processed in a log file. The following specific data is stored: 

• Date and time the website was accessed 

• Web browser and operating system used 

• Complete IP address of the requesting computer 

• Volume of data transferred 

In the event of an attack (e.g., a DDoS attack) on the communication technology, this data will be analysed and, if necessary, used to initiate legal and criminal prosecution. These log files are deleted after seven days at the latest. The legal basis for processing your personal data is Art. 6 (1) (f) GDPR. Our legitimate interest is the clarification of security-related incidents. 

In order to reach our potential future colleagues in the best possible way, we operate a company page on the business network LinkedIn. The following data protection information therefore applies for the processing of personal data within the LinkedIn portal. 

When you visit, follow or explore our LinkedIn company page, LinkedIn processes personal data about this interaction, which enables us to evaluate user behavior using statistics. This involves the “Page Insights” function. For these statistical analyses, LinkedIn primarily processes data that you have made available to the platform via information within your profile. In addition, LinkedIn processes information about how you interact with our LinkedIn company page, such as whether you are a follower of our LinkedIn company page. When we organise “polls”, i.e., activate topic-related surveys on our company website, we see evaluations of the voting behaviour. 

LinkedIn does not provide us with any personal data via Page Insights. We only have access to summarised Page Insights that do not allow any conclusions to be drawn about individual members. 

Personal data from Page Insights is processed by LinkedIn and us as joint controllers. Analysis of the actions on our LinkedIn company page supports the constant efforts to align our public relations work with the needs of users. The legal basis for processing this data is Article 6 (1) (f) GDPR. 

We have entered into a joint controllership agreement with LinkedIn that sets out the allocation of data protection obligations between us and LinkedIn. Click here to review the agreement. Under data protection law, the company is the sole party responsible for the processing of personal data within the LinkedIn platform. Further information on the processing of personal data by LinkedIn can be found here. Please note that LinkedIn processes personal data in the USA or other third countries. LinkedIn only transfers personal data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR. 

Ensuring compliance with legal regulations and internal rules, such as our Code of Conduct, and also with our Code of Conduct for Business Partners is a top priority for the Bundesdruckerei Group. This applies to our own business unit as well as to our supply chains. 

It is important to us for risks to be identified at an early stage and violations avoided as far as possible. We want to initiate appropriate countermeasures in good time and avoid possible damages for those affected, including customers, employees, business partners and our group of companies. 

That is why we have set up an independent, impartial and confidential whistleblowing system that allows internal and external whistleblowers to also report anonymously. 

With the help of the transparent Complaints Procedure, we create the greatest possible protection for those affected, the whistleblowers and the employees who are involved in clarifying the reported facts. All actual and alleged violations of legal requirements, the Code of Conduct and the Code of Conduct for Business Partners can be reported under the Complaints Procedure. Likewise, the subject of a report may involve human-rights or environmental risks or breaches of duty along the entire supply chain of our Group companies and in our own business area. 

Rapid, standardised processes plus confidential and professional processing of tips by internal experts form the foundation of this system, which is based on the principle of fair proceedings. 

Discrimination or punishment of whistleblowers and persons entrusted with the handling of complaints and tips will not be tolerated. 

The aformentioned Complaints Procedure is applicable to Bundesdruckerei Group GmbH and the group companies Bundesdruckerei GmbH, Maurer Electronics GmbH, genua GmbH, D-Trust GmbH, Maurer Electronics Split d.o.o, iNCO Sp. z o.o. and Xecuro GmbH (together referred to as the “Bundesdruckerei Group”). 

a) Purpose and Legal Basis of Data Processing 

The purpose of processing personal data is the management of the whistleblower system, including the detection of serious violations or potential violations of applicable law or other serious matters. 

The processing of personal data is necessary for fulfilling legal obligations to which we are subject; see Art. 6 (1) (1) (c) GDPR. This is the law for better protection of whistleblowers (Whistleblower Protection Act – Hinweisgeberschutzgesetz, HinSchG). 

The processing serves to safeguard the legitimate interest in the detection of serious violations or potential violations of applicable law or other serious matters pursuant to Art. 6 (1) (1) (f) GDPR. 

As far as the processing of special categories of personal data is concerned, processing on the basis of the Whistleblower Protection Act is necessary for reasons of substantial public interest, see Art. 9 (2) (g) GDPR. Special categories of personal data are processed pursuant to Art. 9 (2) (f) GDPR in conjunction with Art. 6 (1) (1) (f) GDPR for the establishment, exercise or defence of legal claims. 

Data subjects are persons who are the subject of the notification. They may be employees, contractual partners or other persons who are professionally associated with us. In addition, we process personal data about whistleblowers even if the contact information or other information transmitted or communicated by them exposes their identity. Whistleblowers must therefore be aware that we may process personal data about them in connection with the processing of the reported case. 

b) Categories of Personal Data 

The report can be made anonymously. In this case, no personal data of the whistleblower will be processed. 

The categories of personal data processed will depend on the information reported. If the whistleblower reports personal data about another person, including that of the person or persons being reported on, this personal data will also be processed. The following categories of personal data may be processed: 

General personal data (name, address, e-mail address, telephone number, position, etc.) 

Personal data relating to criminal convictions or suspicion of such 

Special categories of personal data (information revealing racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership, data concerning health and data concerning a person’s sex life or sexual orientation) 

We advise the whistleblower only to report information that is of specific relevance to the reported case and, in particular, not to report sensitive information unless it is of central importance for the processing of the reported case. 

c) Obligation to Provide Personal Data 

There is no obligation to provide the personal data listed under section b), as it is also possible to report anonymously. However, it may not be possible for us to process the report without being provided with personal data. 

d) Recipients of Personal Data 

The reports are documented as a process in the WhistleB System at Bundesdruckerei GmbH. Following an assessment, the processes are passed on internally to the relevant departments, and any necessary follow-up measures are initiated. If a report concerns one of the Group companies of the Bundesdruckerei Group, these processes will be forwarded to the responsible persons of the respective Group company and evaluated internally by the responsible person, and any necessary follow-up measures will be initiated. Personal data is only passed on for a specific purpose and in accordance with the principle of data minimisation; in other words, only the personal data that is absolutely necessary to process the notification is passed on. 

We disclose personal data about the whistleblower to authorities if this is necessary to deal with serious offences or serious matters or to ensure the right of defending the data subjects. In other cases, personal data about the whistleblower will only be passed on with the consent of the whistleblower. Personal data about persons other than the whistleblower will only be passed on in the context of following up a reported case or to deal with serious offences or serious matters. 

The reporting platform is provided by the processor, WhistleB Whistleblowing Centre AB, Stockholm, Sweden. Further information on WhistleB, Whistleblowing Centre AB can be found in the Terms of Use. 

e) Storage Duration 

Personal data that proves to be irrelevant for the processing of a reported case, along with reports that we consider to be unfounded, is immediately categorised as “irrelevant”, and any personal reference (unless it is already an anonymous report) is removed. In order to guarantee compliance with the legally required documentation obligation or statutory deletion period from Sec. 11 (1), (5) HinSchG, this report will then be archived at first (without personal reference) but not yet deleted. Archived cases are used exclusively to fulfil documentation obligations and can therefore no longer be called up for processing. 

Reports and personal data collected in the course of processing a report form the basis for further processing and are anonymised as soon as possible. However, if the need for follow-up measures within the meaning of Sec. 3 (8) and Sec. 18 HinSchG arises, it is possible that the anonymisation policy will need to be deviated from due to an official order or in order to secure legal claims. In this case, pseudonymisation is generally striven for unless something else has been specified (e.g., by a court order). The documentation will be deleted three years after completion of the procedure. The documentation may be kept for longer in order to fulfil the requirements of this Act or other legislation, as long as this is necessary and proportionate. 

Our employees use their own upload and download portal for the secure exchange of documents. With the aid of your e-mail address, we can assign authorisations and provide you with documents in a secure way. 

a) Web Interface (WebUI)  

The UDP offers you the option of transmitting large and/or sensitive data via the web interface described below without having to install special software. Your documents remain encrypted throughout the entire transmission process and are therefore protected from being accessed by unauthorised persons. 

b) SecuPass 

SecuPass encryption developed by FTAPI enables end-to-end encrypted transmission of any files. In addition to maximum possible security, the special feature of SecuPass is that these transfers can take place between any persons (or endpoints) without them having to create and install complex keys or certificates. With UDP, this process works fully automatically and is also as simple as sending an e-mail. 

c) SubmitBox Link 

SubmitBox Link offers you the option of transmitting large and/or sensitive data via a simple website without having to install special software or remember access data. It is only necessary to provide you with the link (SubmitBox link) of the desired Bundesdruckerei employee. For example, this link can look as follows: https://udp.bundesdruckerei.de/submit/MMustermann. 

For more information, see the user manual at https://udp.bundesdruckerei.de/bdr/UDP_Anwenderdokumentation.pdf. 

We will take all necessary technical and organisational security measures to protect your personal data from loss and misuse. To this end, your data will be stored in a secure operating environment that is not accessible to the public. 

The websites may contain links to external websites. The respective operators of these external websites are liable for them. Bundesdruckerei GmbH is not responsible for the content or the data protection provisions of external websites. 

Bundesdruckerei GmbH may transfer personal data to other Bundesdruckerei Group companies for the aforementioned purposes if this is necessary to fulfil these purposes. 

Personal data will also be disclosed to courts, regulatory authorities or law firms to the extent legally permissible and necessary to comply with applicable law or to assert, exercise or defend legal claims. 

In the event of collaboration with service providers (“processors”), such as service providers for IT maintenance services, they will only act on our instructions and are contractually obliged to comply with the applicable data protection requirements. Bundesdruckerei GmbH remains responsible for data processing. 

Unless an explicit storage period is specified at the time of collection (e.g., as part of a declaration of consent), personal data will be deleted as soon as it is no longer required for the purposes for which it was collected – unless legal storage obligations (e.g., storage obligations under commercial and tax law) prevent its deletion. 

Under applicable data protection law, you have the following basic rights as a data subject: 

You have the right to 

• request confirmation as to whether personal data about you is being processed and to receive information about the personal data processed along with further information (cf. Art. 15 GDPR); 

• request the correction of inaccurate personal data (cf. Art. 16 GDPR); 

• request the deletion of personal data (cf. Art. 17 GDPR); 

• request that the processing of personal data be restricted (cf. Art. 18 GDPR); 

• receive personal data that you have provided in a structured, common and machine-readable format or to request that the personal data be transferred to a third party (cf. Art. 20 GDPR); 

• object to data processing based on Art. 6 (1) (f) GDPR or for the purpose of direct advertising (cf. Art. 21 GDPR); 

• revoke your consent with future effect at any time. Revocation will only apply for the future and will not affect the lawfulness of the processing of personal data until the revocation. 

In accordance with Art. 77 GDPR, you also have the right to lodge a complaint with the data protection supervisory authority.