Anlage A
Zuständigkeit der gemeinsam Verantwortlichen
| General | Processing activity 1 | Processing activity 2 |
|---|---|---|
| Description of the processing activity | Receiving reports in the whistleblower system; | further processing of reports in the whistleblower system including any investigations and follow-up actions; |
| Possible nature of the data | Name of the person submitting the report and their position; names of other people associated with the report and their functions; other personal data as part of the report; | Name of the person submitting the report and their position; names of other people associated with the report and their functions; other personal data as part of the report; |
| Purposes of processing | Provision of an internal reporting channel in accordance with the HinweisgeberInnenschutzgesetz (HSchG) and for other serious compliance matters; | Initiating investigations into substantiated reports; setting of remedial measures; |
| Means of processing | Email inbox including Microsoft Outlook application; telephone hotline; Microsoft Word application; | Email inbox including Microsoft Outlook application; telephone hotline; Microsoft Word application; |
| Lawfulness of processing | Art 6 para 1 lit c GDPR; Art. 6 para 1 lit f GDPR; | Art 6 para 1 lit c GDPR; Art. 6 para 1 lit f GDPR; |
| Joint controllership | ||
|---|---|---|
| A) FACC AG, B) FACC Operations GmbH; C) CoLT Prüf und Test GmbH; | A) FACC AG, B) FACC Operations GmbH; C) CoLT Prüf und Test GmbH; |
| Who is responsible for which data protection obligations? | ||
|---|---|---|
| Art 13 Information to be provided where personal data are collected | A | A |
| Art 14 Information to be provided where personal data have not been obtained from the data subject | A | A |
| Art 15 Processing requests for information | A | A |
| Art 16 Processing rectification requests | A | A |
| Art 17/18/19 Processing of erasure requests or restriction of processing and notification in connection with rectification, erasure, restriction | A | A |
| Art 20 Processing of requests for handover or transmission | A | A |
| Art 21 Processing of objections | A | A |
| Art 22 Automated individual decision-making, & profiling | A | A |
| Art 7 Abs 3 Processing of withdrawals | A | A |
| Art 24 Abs 1 in conjunction with Art 32 Determination/documentation/review and updating of technical and organizational measures after risk assessment and, if necessary, PIA (Art 35) and consultation with a supervisory authority/provision of the necessary information (Art 36 para 3) | A | A |
| Art 28 Involvement of processors or sub-processors and their review | A | A |
| Art 30 Maintaining the record of processing activities | A | A |
| Art 33, 34 Process for reportable data breaches | A | A |
| Art 35 Data protection impact assessment | A | A |