Annex A

Responsibilities of the Joint Controllers

Overview of responsibilities for the CoLT Whistleblower System

| General | Processing activity 1 | Processing activity 2 |
| --- | --- | --- |
| Description of the processing activity | Receiving reports in the whistleblower system; | further processing of reports in the whistleblower system including any investigations and follow-up actions; |
| Possible nature of the data | Name of the person submitting the report and their position; names of other people associated with the report and their functions; other personal data as part of the report; | Name of the person submitting the report and their position; names of other people associated with the report and their functions; other personal data as part of the report; |
| Purposes of processing | Provision of an internal reporting channel in accordance with the HinweisgeberInnenschutzgesetz (HSchG) and for other serious compliance matters; | Initiating investigations into substantiated reports; setting of remedial measures; |
| Means of processing | Email inbox including Microsoft Outlook application; telephone hotline; Microsoft Word application; | Email inbox including Microsoft Outlook application; telephone hotline; Microsoft Word application; |
| Lawfulness of processing | Art 6 para 1 lit c GDPR; Art 6 para 1 lit f GDPR; | Art 6 para 1 lit c GDPR; Art 6 para 1 lit f GDPR; |
| Joint controllership | A) FACC AG, B) FACC Operations GmbH; C) CoLT Prüf und Test GmbH; | A) FACC AG, B) FACC Operations GmbH; C) CoLT Prüf und Test GmbH; |

| Who is responsible for which data protection obligations? | Processing activity 1 | Processing activity 2 |
| --- | --- | --- |
| Art 13 Information to be provided where personal data are collected | A | A |
| Art 14 Information to be provided where personal data have not been obtained from the data subject | A | A |
| Art 15 Processing requests for information | A | A |
| Art 16 Processing rectification requests | A | A |
| Art 17/18/19 Processing of erasure requests or restriction of processing and notification in connection with rectification, erasure, restriction | A | A |
| Art 20 Processing of requests for handover or transmission | A | A |
| Art 21 Processing of objections | A | A |
| Art 22 Automated individual decision-making and profiling | A | A |
| Art 7 para 3 Processing of withdrawals | A | A |
| Art 24 para 1 in conjunction with Art 32 Determination/documentation/review and updating of technical and organizational measures after risk assessment and, if necessary, PIA (Art 35) and consultation with a supervisory authority/provision of the necessary information (Art 36 para 3) | A | A |
| Art 28 Involvement of processors or sub-processors and their review | A | A |
| Art 30 Maintaining the record of processing activities | A | A |
| Art 33, 34 Process for reportable data breaches | A | A |
| Art 35 Data protection impact assessment | A | A |