Whistleblower System

Legal information on the use of the internal whistleblowing system

The youknow GmbH (in the following “youknow”) has implemented a whistleblower system to detect and prevent violations of applicable law as well as company policies based on the EU Directive 2019/1937 on the protection of persons who report a violation of Union law.

As a matter of principle, reporting via the whistleblower system should only be the last of all possible communication channels. Priority should always be given to the direct route to the manager or the HR department, or for business partners and external whistleblowers, to the contact person in the company or the management. If this is not possible for valid reasons, the reporting system is another option for reporting violations or misconduct.

This reporting system is available to employees, customers, suppliers and business partners. Reports can be made by mail or e-mail:

By mail: youknow GmbH, St.-Martin-Str. 57, 81669 Munich, Germany

Privacy notice for the whistleblower system

Data protection is a matter of trust. Your trust is a core value for the youknow GmbH ("youknow" and/or "we" and/or "us"). This privacy policy is based on the EU General Data Protection Regulation ("GDPR") – even if the GDPR does not apply. This ensures a high level of protection for individuals whose personal data youknow processes in accordance with the Whistleblower Protection Act. This privacy policy therefore applies to you as a whistleblower and your personal data. We may change this privacy policy at any time. For your use of the whistleblower system the version in effect at the time of your report will apply.

1. About us

youknow is the controller of your personal data in accordance with this privacy policy. If you have any questions in connection with the processing of your personal data, you can contact youknow or the data protection officer. The contact details can be found in the general privacy policy at https://you-know.de/en/data-protection/.

2. Personal data processed by us

In principle, the whistleblower system can be used – to the extent permitted by law – without providing your personal data. However, you can voluntarily disclose your personal data as part of a whistleblowing procedure. This applies in particular to information about your identity, such as your first and last name and e-mail address. In principle, we do not request or process any special categories of personal data (so-called sensitive data or particularly sensitive personal data), such as information about your ancestry or ethnic origin, your religious and/or ideological beliefs, your membership in trade unions or your sexual orientation. However, you may voluntarily disclose such special categories of personal data when contacting us. Your statement may also contain personal data of third parties to which you refer. The data subjects will be given the opportunity to comment on this information. In this case, we will inform the data subjects about the declaration. In doing so, however, we will ensure confidentiality, as the data subject will not receive any information about your identity – to the extent permitted by law. Your information will therefore be used while maintaining your anonymity.

3. Purpose and legal basis of processing

You can contact us via the whistleblower system to report compliance or legal violations. We process your personal data to review your report via the whistleblower system and to investigate suspected compliance or legal violations. In this context, we may have questions for you. For this purpose, we will communicate with you exclusively via the whistleblower system – unless you have expressly consented to other forms of communication. The confidentiality of the information you provide is our highest priority and is therefore guaranteed. Your personal data will be processed in accordance with and on the basis of your consent when making a report via the whistleblowing system (Article 6 (1) (a) GDPR). Furthermore, we process your personal data to the extent necessary to comply with our legal obligations. This relates in particular to the reporting of matters relevant under criminal law, competition law and employment law (Article 6 (1) (c) GDPR). Your personal data will also be processed if this is necessary to safeguard the legitimate interests of youknow or a third party (Article 6 (1) (f) GDPR). If you provide us with special categories of personal data (e.g. sensitive data), we process them on the basis of your consent (Article 9 (2) (a) GDPR). We intend to use your personal data only for the purposes stated above. Otherwise, we will obtain your prior consent.

4. Technical execution and security of your data

youknow takes appropriate technical and organizational measures to ensure data protection and confidentiality and continuously adapts them to the advancing technical development.

5. Disclosure of personal data

The stored data can only be processed by specially authorized persons within youknow. All persons authorized to review data expressly undertake to maintain confidentiality. In order to fulfill the above purpose, it may be necessary for us to share your personal data with external entities inside and outside the European Union, such as law firms or law enforcement or competition authorities. If we share your personal data within the company or externally, internal data protection regulations and/or corresponding contractual agreements ensure a consistent level of data protection.

6. Duration of storage

We store personal data as long as this is necessary for the processing of your message or as long as we have a legitimate interest in storing your personal data. Storage may also take place in order to comply with legal obligations, such as storage obligations, if this is provided for under European or national laws. All personal data will then be deleted, blocked or anonymized.

7. Your rights

If you have provided us with your personal data, you have the right to information, rectification and erasure with regard to this personal data. You may also restrict the processing or request that it be transferred to another controller. Furthermore, you are entitled at any time to refuse the processing of your personal data for reasons related to your particular situation. You are entitled to revoke your consent at any time. If you revoke your consent, this will not affect the lawfulness of the processing carried out until then on the basis of the consent. You exercise these rights by notifying the youknow data protection team. If you exercise your right to rectification, erasure or restriction of your personal data, we are obliged to inform all recipients to whom we have disclosed your personal data about this rectification, erasure or restriction of processing, unless this is impracticable or involves an unreasonable effort. Finally, if you consider that the processing of your personal data infringes the GDPR, you are entitled, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the member state or federal state of your residence, workplace or the alleged infringement.

Version: 16.11.2023