Privacy Policy
With this privacy policy, we would like to inform you about the processing of your personal data when submitting reports via the whistleblower system to the internal reporting office. The whistleblower system is primarily used to receive reports of violations in accordance with the German Whistleblower Protection Act of May 31, 2023 ("HinSchG"). It goes without saying that the requirements of the European General Data Protection Regulation (GDPR) and the applicable national data protection regulations are observed.
This privacy policy was last updated on December 17, 2023.
This privacy policy was last updated on December 17, 2023.
Note: For reasons of better readability, the simultaneous use of the language forms for male, female and diverse (m/f/d) is dispensed with in this privacy policy. All personal designations apply equally to all genders.
Table of contents
1. controllers and data protection officers
2. Data processing operations
3.Data subjects
4. Type of personal data collected
5. Purposes and legal basis
6. Storage period and deletion of data
7. Confidentiality
8. Recipients of data
9. Data transfer
10. Joint responsibility
11. Your rights.
12. No automated decision-making or profiling.
13. Security standards.
14. Changes to the privacy policy.
1. Controllers and data protection officers
For the processing operations in connection with the whistleblower system and the internal reporting office, the
1. controllers and data protection officers
2. Data processing operations
3.Data subjects
4. Type of personal data collected
5. Purposes and legal basis
6. Storage period and deletion of data
7. Confidentiality
8. Recipients of data
9. Data transfer
10. Joint responsibility
11. Your rights.
12. No automated decision-making or profiling.
13. Security standards.
14. Changes to the privacy policy.
1. Controllers and data protection officers
For the processing operations in connection with the whistleblower system and the internal reporting office, the
- HANS IM GLÜCK Franchise GmbH
- Birken Burger Essen GmbH
- Birken Burger Gastro GmbH
- Hans im Glück Gastro GmbH
- Hans im Glück Franchise Austria GmbH
- Hans im Glück Restaurant GmbH
- Hans im Glück Köln Gastronomiebetriebs GmbH
- Hans im Tal GmbH
- Hans im Glück payment system GmbH
- HIG Gastro (AT) GmbH formerly Hans im Tirol
- Happy Burger Mainz GmbH
Address and contact information for all: Weihenstephaner Str. 6, 81673 Munich, phone: +49 89 125094 400, email: info@hansimglueck-franchise.de, and the participating Franchisees (name and address can be found in the list on the platform of the reporting system)
- hereinafter also referred to as "HANS IM GLÜCK Group" and individually also referred to as "Employers" -
- hereinafter also referred to as "HANS IM GLÜCK Group" and individually also referred to as "Employers" -
and the
L|A Business Services GmbH & Co. KG
Brienner Straße 29
80333 Munich
E-Mail: hgs@lutzabel.com Telephone number: +49 89 544147-0
- hereinafter also referred to as "LUTZ | ABEL" -
Brienner Straße 29
80333 Munich
E-Mail: hgs@lutzabel.com Telephone number: +49 89 544147-0
- hereinafter also referred to as "LUTZ | ABEL" -
have jointly determined the purposes and means of the processing operations described in more detail below. In this respect, they are joint controllers in accordance with Art. 4 No. 7, 26 GDPR.
You can reach the data protection officer of the HANS IM GLÜCK Group at: datenschutz@hansimglueck-franchise.de.
You can reach the data protection officer of LUTZ | ABEL at: datenschutz@lutzabel.com.
2. Data processing operations
Data processing in the course of operating the whistleblower system and the internal reporting office can be divided into three areas.
2.1 Area 1: Operation of the Vispato whistleblower system (reporting channel)
The Employers have set up a software-based reporting channel (as defined in Section 16 HinSchG) through which reports can be submitted to LUTZ | ABEL (internal reporting office). The HANS IM GLÜCK Group uses the digital whistleblower system of the German service provider Vispato GmbH, Hansaallee 299, 40549 Düsseldorf ("Vispato") as a reporting channel. The system can be accessed via the Internet. For security reasons, it is end-to-end encrypted so that none of the Employers can view the entries in the whistleblower system. The system also allows anonymous reports.
The reporting channel via Vispato is secured by a data processing constellation. The respective Employers are responsible under data protection law for the operation of the reporting channel as far as their employees and reports concerning them are addressed.
2.2 Area 2: Receipt and evaluation of reports (internal reporting office)
The respective Employers have appointed LUTZ | ABEL to operate the internal reporting office (in accordance with Sections 12, 13 HinSchG). In this context, LUTZ | ABEL reviews the incoming reports, checks the responsibility and forwards the reports for further processing and evaluation. Only officers and attorneys who have previously been bound to confidentiality are granted access to the reports.
LUTZ | ABEL is responsible for this area of data processing.
2.3 Area 3: Provision of information to the Employer and further action
After LUTZ | ABEL, as the internal reporting office, has completed processing the report, it forwards the information from the report to the respective Employer so that appropriate measures can be taken. The confidentiality of the whistleblower is maintained in accordance with statutory requirements (see more below).
You can reach the data protection officer of the HANS IM GLÜCK Group at: datenschutz@hansimglueck-franchise.de.
You can reach the data protection officer of LUTZ | ABEL at: datenschutz@lutzabel.com.
2. Data processing operations
Data processing in the course of operating the whistleblower system and the internal reporting office can be divided into three areas.
2.1 Area 1: Operation of the Vispato whistleblower system (reporting channel)
The Employers have set up a software-based reporting channel (as defined in Section 16 HinSchG) through which reports can be submitted to LUTZ | ABEL (internal reporting office). The HANS IM GLÜCK Group uses the digital whistleblower system of the German service provider Vispato GmbH, Hansaallee 299, 40549 Düsseldorf ("Vispato") as a reporting channel. The system can be accessed via the Internet. For security reasons, it is end-to-end encrypted so that none of the Employers can view the entries in the whistleblower system. The system also allows anonymous reports.
The reporting channel via Vispato is secured by a data processing constellation. The respective Employers are responsible under data protection law for the operation of the reporting channel as far as their employees and reports concerning them are addressed.
2.2 Area 2: Receipt and evaluation of reports (internal reporting office)
The respective Employers have appointed LUTZ | ABEL to operate the internal reporting office (in accordance with Sections 12, 13 HinSchG). In this context, LUTZ | ABEL reviews the incoming reports, checks the responsibility and forwards the reports for further processing and evaluation. Only officers and attorneys who have previously been bound to confidentiality are granted access to the reports.
LUTZ | ABEL is responsible for this area of data processing.
2.3 Area 3: Provision of information to the Employer and further action
After LUTZ | ABEL, as the internal reporting office, has completed processing the report, it forwards the information from the report to the respective Employer so that appropriate measures can be taken. The confidentiality of the whistleblower is maintained in accordance with statutory requirements (see more below).
The respective Employer is responsible for this area of data processing.
The respective Employer then decides whether to discontinue the procedure or what kind of further measures to take. The respective Employer is the sole controller under data protection law in accordance with Art. 4 No. 7 GDPR for the data processing that occurs in this context. The rights of data subjects (see more on this below in Section 11) can only be claimes against the respective Employer for the associated data processing.
2.4 Area 4: Anonymous statistics
LUTZ | ABEL will provide HANS IM GLÜCK Franchise GmbH with anonymized statistics on the reports received at regular intervals. These reports will not contain any personal data, but only the categories of reported violations pursuant to Section 3 Subsection 2 HinSchG and the time of the report. Furthermore, reports will not be assigned to individual franchise companies. The anonymization is the responsibility of LUTZ | ABEL. Due to the lack of personal reference, the forwarding of anonymous statistics does not constitute any processing of personal data in accordance with Art. 4 No. 2 GDPR.
LUTZ | ABEL will provide HANS IM GLÜCK Franchise GmbH with anonymized statistics on the reports received at regular intervals. These reports will not contain any personal data, but only the categories of reported violations pursuant to Section 3 Subsection 2 HinSchG and the time of the report. Furthermore, reports will not be assigned to individual franchise companies. The anonymization is the responsibility of LUTZ | ABEL. Due to the lack of personal reference, the forwarding of anonymous statistics does not constitute any processing of personal data in accordance with Art. 4 No. 2 GDPR.
3. Data subjects
The following categories of data subjects may be subject to the processing of personal data:
The following categories of data subjects may be subject to the processing of personal data:
- Persons providing information
- Persons named in the report or subsequent communication
If you make your report anonymously, no personal data about you will be processed. In particular, your report will not be linked to the IP address of the end device used to make the report.
4. Type of personal data collected
4.1 The following applies to processing areas 1-2:
You are not obliged to provide data. The provision of information is voluntary. If you submit a report, the following applies:
4. Type of personal data collected
4.1 The following applies to processing areas 1-2:
You are not obliged to provide data. The provision of information is voluntary. If you submit a report, the following applies:
The following personal data may be processed:
- The name of the whistleblower, if he/she discloses his/her identity when reporting.
- The employment status of the whistleblower and other personal circumstances relating to him/her (such as the email address), if he/she discloses these in the report.
- If applicable, the names of persons and other personal data of the persons named in the report.
- The other content of the report, insofar as it is personally identifiable.
- Under certain circumstances, voice recordings and other media such as photographs, provided you make them available via the whistleblower portal.
If you submit the report stating your name and other personal details (e.g. your email address), this data will be encrypted in the whistleblower system and stored for processing the report and for further communication with you. However, the respective Employer has no access to this data due to the end-to-end encryption of the whistleblower system. Only LUTZ | ABEL has access as internal reporting office bound to confidentiality. With regard to the transfer of data, please note the further information in this privacy policy.
4.2 The following applies to processing area 3:
If whistleblowers disclose personal data about themselves as part of the report, LUTZ | ABEL will remove clearly identifying references to the whistleblowers before the information from the report is forwarded to the respective Employer. This is to ensure the greatest possible confidentiality to the whistleblower. Please note, however, that it cannot be ruled out with absolute certainty that in individual cases the content of a report may indirectly allow conclusions to be drawn about a possible circle of whistleblowers.
4.2 The following applies to processing area 3:
If whistleblowers disclose personal data about themselves as part of the report, LUTZ | ABEL will remove clearly identifying references to the whistleblowers before the information from the report is forwarded to the respective Employer. This is to ensure the greatest possible confidentiality to the whistleblower. Please note, however, that it cannot be ruled out with absolute certainty that in individual cases the content of a report may indirectly allow conclusions to be drawn about a possible circle of whistleblowers.
The reports may also contain the following personal data and information:
- Names of persons and other personal data of the persons to whom the report relates.
- The other content of the report, insofar as it is personally identifiable.
5. Purposes and legal basis
The purpose of data processing is primarily to fulfill the obligations arising from the HinSchG. This includes in particular
The purpose of data processing is primarily to fulfill the obligations arising from the HinSchG. This includes in particular
- the provision of a reporting channel for internal reports in accordance with Section 16 HinSchG,
- examining and processing reports as part of the procedure under Section 17 HinSchG, which may also include providing feedback on the follow-up measures planned and/or taken by reason of the report,
- the initiation of follow-up measures in accordance with Section 18 HinSchG and
- the documentation of the report and the procedure according to Section 11 HinSchG.
The legal basis for the associated data processing is Art. 6 para. 1 lit. c GDPR in conjunction with Section 10 HinSchG.
After LUTZ | ABEL, as the internal reporting office, has submitted the report on a report in accordance with processing area 3 to an Employer, the Employer decides whether to discontinue the procedure or what kind of further measures to take. The respective Employer is solely responsible under data protection law in accordance with Art. 4 No. 7 GDPR for the data processing that occurs in this context. The Employer will provide separate information on the purposes and legal bases of this processing.
The following applies to processing area 4: In processing area 4, data is processed to anonymize the data for the purpose of compiling statistics for the HANS IM GLÜCK parent company. In particular, the parent company can use the statistics to review and improve the appropriateness of its own compliance structures. It is questioned whether a legal basis is required at all for the anonymization of data. Assuming that a legal basis is required, in the case of anonymization in the present case, this legal basis is Art. 6 para. 1 lit. f GDPR in conjunction with Art. 6 para. 4 GDPR. There is then a change of purpose, whereby the requirements of Art. 6 para. 4 GDPR are met. The legitimate interest lies in the provision of anonymized statistics to improve group compliance.
6. Storage period and deletion of data
Personal data is only stored for as long as is necessary to achieve the purpose and fulfill statutory retention obligations.
Reports that are subject to the HinSchG must be documented (Section 11 HinSchG). The documentation is generally deleted three years after completion of the procedure. Exceptionally, longer storage is permitted in order to fulfill the other requirements under the HinSchG or other legal provisions, as long as this is necessary and proportionate.
Personal data is only stored for as long as is necessary to achieve the purpose and fulfill statutory retention obligations.
Reports that are subject to the HinSchG must be documented (Section 11 HinSchG). The documentation is generally deleted three years after completion of the procedure. Exceptionally, longer storage is permitted in order to fulfill the other requirements under the HinSchG or other legal provisions, as long as this is necessary and proportionate.
If the data is forwarded to law firms for legal processing, the statutory retention periods for lawyers also apply in particular. Accordingly, reference files and the data contained therein are subject to the six-year retention period under Section 50 Subsection 1 sentence 2 of the German Federal Lawyers' Act (BRAO), if applicable in conjunction with Section 50 Subsection 4 BRAO.
7. Confidentiality
The internal reporting office observes the confidentiality requirements pursuant to Section 8 HinSchG. In particular, the confidentiality of the identity of the whistleblower is maintained in accordance with the legal requirements. Reference is made to the exception to the confidentiality requirement in Section 9 HinSchG.
The internal reporting office observes the confidentiality requirements pursuant to Section 8 HinSchG. In particular, the confidentiality of the identity of the whistleblower is maintained in accordance with the legal requirements. Reference is made to the exception to the confidentiality requirement in Section 9 HinSchG.
8. Recipients of data
Vispato GmbH, Hansaallee 299, 40549 Düsseldorf, Germany, is involved as a processor in providing and operating the whistleblower system.
Vispato GmbH, Hansaallee 299, 40549 Düsseldorf, Germany, is involved as a processor in providing and operating the whistleblower system.
In addition, personal data may be transmitted to the following recipients or categories of recipients:
- Third parties, in particular legal advisors, in connection with taking follow-up measures in accordance with Section 18 HinSchG and other further measures,
- Public authorities such as public prosecutors' offices, courts or authorities, insofar as legal obligations exist,
- Other external processors in accordance with Art. 28 GDPR. The strict applicable national and European data protection regulations are observed. The service providers are subject to instructions and are subject to strict contractual restrictions with regard to the processing of personal data. Accordingly, processing is only permitted to the extent necessary for the performance of the services or to comply with legal requirements. The rights and obligations of the service providers with regard to personal data are defined in advance.
9. Data transfer
Personal data will not be transferred to non-European third countries.
10 Joint responsibility
10.1 In order to guarantee your rights and to comply with the requirements of the GDPR, an agreement has been concluded with LUTZ | ABEL which sets out rules on the processing of your personal data (agreement on joint responsibility in accordance with Art. 26 GDPR). The data subject must be provided with the essential contents of this agreement in accordance with Art. 26 para. 2 sentence 2 GDPR. You will already find important information on this in this privacy policy (in particular under Sections 1 and 2). The following also applies:
Personal data will not be transferred to non-European third countries.
10 Joint responsibility
10.1 In order to guarantee your rights and to comply with the requirements of the GDPR, an agreement has been concluded with LUTZ | ABEL which sets out rules on the processing of your personal data (agreement on joint responsibility in accordance with Art. 26 GDPR). The data subject must be provided with the essential contents of this agreement in accordance with Art. 26 para. 2 sentence 2 GDPR. You will already find important information on this in this privacy policy (in particular under Sections 1 and 2). The following also applies:
10.2 Both the respective Employer and LUTZ | ABEL shall take technical and organizational measures to adequately secure the data against misuse and loss in accordance with the requirements of the relevant data protection provisions of the GDPR.
10.3 Both the respective Employer and LUTZ | ABEL are obliged to implement the information obligations under Art. 12-14 GDPR and Art. 26 para. 2 sentence 2 GDPR vis-à-vis the data subjects, insofar as the respective party is responsible for the processing step(s) (see Section 2 of this privacy policy).
10.4 The data subjects may exercise their rights pursuant to Art. 15-21 GDPR against both the respective Employer and LUTZ | ABEL. The parties shall inform each other about corresponding applications and their processing and shall support each other.
10.5 Both the respective Employer and LUTZ | ABEL shall be equally obliged to inform the supervisory authority and those affected by a personal data breach in accordance with Art. 33 GDPR and Art. 34 GDPR.
11. Your rights
Insofar as your personal data is processed, you are a "data subject" pursuant to the GDPR. As a data subject, you have the following rights:
Insofar as your personal data is processed, you are a "data subject" pursuant to the GDPR. As a data subject, you have the following rights:
The right,
- to receive information about the data processing and to receive a copy of the processed data (right of access, Art. 15 GDPR)
- to request the rectification of inaccurate data or the completion of incomplete data (right to rectification, Art. 16 GDPR),
- to demand the immediate erasure of personal data (right to erasure, Art. 17 GDPR),
- to demand the restriction of data processing (right to restriction of processing, Art. 18 GDPR),
- and to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller (right to data portability, Art. 20 GDPR),
- the right to withdraw consent to data processing (right to withdraw consent, Art. 7 GDPR).
- Right of objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on lit. (f) of Article 6 para. 1 GDPR (Article 21 para. 1GDPR). The consequence of the objection is that the personal data concerning you may no longer be processed unless compelling legitimate grounds for the processing can be demonstrated which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. You can inform either the respective Employer or LUTZ | ABEL of your objection using the contact details given in Section 1 above.
- If you believe that one of the parties involved in the processing violates the GDPR by processing personal data concerning you, you have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.
Please note that some data subject rights may not exist or are restricted in certain cases due to regulations such as Section 29 BDSG (in conjunction with the HinSchG).
12. No automated decision-making or profiling
Automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR does not take place.
13. Security standards
Appropriate physical, technical and administrative security standards are implemented to protect your personal data from loss, misuse, alteration, or destruction in the course of data processing. All service providers are contractually obliged to maintain the confidentiality of personal data. In addition, they may not use the data for purposes that have not been approved in advance.
14. Changes to the privacy policy
This privacy policy may be updated from time to time to ensure that it always complies with current legal requirements or to reflect changes in data processing. You can see whether anything has changed since your last visit from the date at the beginning of this privacy policy.
Automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR does not take place.
13. Security standards
Appropriate physical, technical and administrative security standards are implemented to protect your personal data from loss, misuse, alteration, or destruction in the course of data processing. All service providers are contractually obliged to maintain the confidentiality of personal data. In addition, they may not use the data for purposes that have not been approved in advance.
14. Changes to the privacy policy
This privacy policy may be updated from time to time to ensure that it always complies with current legal requirements or to reflect changes in data processing. You can see whether anything has changed since your last visit from the date at the beginning of this privacy policy.