

Data protection information when reporting a tip-off via our whistleblower system


1. General

Compliance with laws and internal regulations is a top priority for us. Pühl takes the protection of personal data very seriously. This Privacy Policy explains what personal data we collect from you when you use the reporting system that we provide in accordance with the Whistleblower Protection Act. We ensure compliance with the applicable data protection regulations through technical and organizational measures. The technical data protection terms used in this data protection notice have the meaning assigned to them in the General Data Protection Regulation (GDPR). Please read this data protection notice carefully before submitting a notification.


2. Name and contact details of the controller

The controller responsible for processing your personal data as part of the whistleblower system is:


Pühl GmbH & Co KG

Herscheider Str. 33





3. Contact details of the data protection officer

The appointed data protection officer is:

DataCo GmbH

Dachauer Str. 65

80335 Munich

Phone: +49 (0) 89 7400 458 40

E-mail: datenschutz@dataguard.de



4. Type and category of personal data

The whistleblower system is used on a voluntary basis. In principle, the reporting system can be used without providing personal data. However, you can voluntarily disclose personal data as part of the reporting process, in particular information on


  • Case number
  • Your first name and surname (if you disclose your identity)
  • country of residence
  • whether you are employed by us
  • (business and/or private) address, telephone number or e-mail address
  • if applicable, names of persons and other personal data of the persons you name in your report.


In principle, we do not request or process any special categories of personal data, e.g. information on racial and/or ethnic origin, religious and/or philosophical beliefs, trade union membership or sexual orientation. However, you are free to provide this information in the free text fields of the registration form.


5. Purposes of processing

The whistleblower system is used to receive, process and manage reports of compliance violations in a secure and confidential manner and to fulfill legal obligations to process reports. In this context, processing is carried out for the following purposes

  • Initial inclusion of a report in the whistleblower system
  • Translation of the report into other languages (if required for processing)
  • Checking the validity and relevance of a report
  • Feedback to the whistleblower (e.g. confirmation of receipt, follow-up measures, conclusion of the procedure)
  • Conducting internal investigations to clarify grievances and violations, including updating and supplementing the data stored in the whistleblower system
  • Informing the accused, witnesses and other parties involved in the proceedings of their involvement in the proceedings, giving them the opportunity to comment and fulfilling their duty to provide information
  • Involvement of external third parties to support internal investigations (e.g. law firms, forensic experts or other experts)
  • Information to public bodies, investigative and supervisory authorities (if required based on the results of the investigation)
  • Implementation and review of internal follow-up and remedial measures in the event of grievances and violations (in particular defense and minimization of damage, prevention of further violations and consequences as well as repressive and disciplinary sanctions)


6. Legal bases of the processing

The processing of personal data as part of the whistleblower system is based on our company’s legitimate interest in the detection and prevention of wrongdoing and violations to verify the legality of internal processes and to safeguard the integrity of the company, and thus to prevent damage to our company, our employees and customers (Art. 6 para. 1 sentence 1 lit. f GDPR), legal obligations to process reports (Art. 6 para. 1 sentence 1 lit. c GDPR in conjunction with Section 10 para. 1 Whistleblower Protection Act) and, in cases of deliberate and intentional disclosure of identity, the consent of the whistleblower (Art. 6 para. 1 sentence 1 lit. a GDPR). If you require further information regarding the balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, please use one of the contact options listed in this privacy policy.


If you provide us with certain special categories of personal data, we process these on the basis of your consent (Art. 9 para. 2 lit. a GDPR) and legal obligations to process information (Art. 9 para. 2 lit. g GDPR in conjunction with § 10 para. 2 Whistleblower Protection Act).

No automated decision-making, including profiling, within the meaning of Art. 22 para. 1 and 4 GDPR takes place.


7. Technical implementation and security of processing

The whistleblower system is technically implemented on our behalf by a specialized company, EQS Group AG, Karlstraße 47, 80333 Munich, Germany (“EQS”). This service provider has been carefully selected and checked accordingly.

Personal data and information entered into the whistleblower system is stored in a database operated by EQS in a high-security data center. Only we have access to the data. EQS has no access to the data. This is guaranteed by comprehensive technical and organizational measures in a certified process.

All data is encrypted and stored with multi-level password protection, so that access is restricted to a very narrow circle of expressly authorized recipients. In addition, both we and the service providers we use maintain further suitable technical and organizational measures to ensure in particular the confidentiality, availability and integrity of the data.


8. Confidentiality, transmission of personal data and recipients

Incoming information is received by a narrow circle of expressly authorized and specially trained employees and is always treated confidentially. The case handlers examine the facts of the case and, if necessary, carry out further case-related clarification of the facts. When processing a report or as part of a special investigation, it may be necessary to pass on information to other employees within the Group, e.g. if the information relates to events in other companies. It may also be necessary to involve external third parties to assist with internal investigations (e.g. law firms, forensic experts or other experts) as well as public bodies, investigative and supervisory authorities. Your personal data will not be transferred to a third country outside the European Union (EU) or the European Economic Area (EEA). [These recipients may also be based in countries outside the European Union (EU) or the European Economic Area (EEA), which may have different regulations for the protection of personal data. We always ensure that the relevant data protection regulations are complied with when passing on information. Every case handler who receives access to the data is obliged to maintain confidentiality.


9. Information of the accused

In principle, we are legally obliged to inform the accused persons that we have received a tip-off about them as soon as this information no longer jeopardizes the follow-up of the tip-off (Art. 14 para. 3 lit. a GDPR). Your identity as the whistleblower will not be disclosed – to the extent permitted by law.


10. Duration of the storage of personal data

We only store personal data for as long as is necessary to process your report or for as long as we have a legitimate interest in storing personal data, e.g. in individual cases for the duration of the clarification of further legal steps required, such as disciplinary proceedings or the initiation of criminal proceedings.


In addition, your personal data may be stored if this is required under European or national law to fulfill legal obligations, such as retention and documentation obligations, or if the relevant authorities require or order (further) retention of the information as part of external investigation proceedings. All personal data will then be deleted, blocked or anonymized.


11. Use of the whistleblower portal

Communication between your computer and the whistleblower system takes place via an encrypted connection (SSL). The IP address of your computer is not stored while you are using the whistleblower portal. To maintain the connection between your computer and the whistleblowing system, a cookie is stored on your computer which only contains the session ID (so-called zero cookie). The cookie is only valid until the end of your session and becomes invalid when you close your browser.


You have the option of setting up a protected mailbox in the whistleblower system with a pseudonym / user name and password of your choice. This allows you to send reports to the case handler by name or anonymously and securely. In this system, the data is stored exclusively in the whistleblower system and is therefore particularly secure; it is not a standard e-mail communication. It is also possible to submit a verbal report via voice recording, in which the voice is automatically distorted. When submitting a report or sending a supplement, you still have the option of adding attachments. If you wish to submit a report anonymously, please note the following security advice: Files may contain hidden personal data that could jeopardize your anonymity. Remove this data before sending. It is also possible to use the whistleblower portal anonymously. In this case, please select the corresponding option when submitting the report.


12. Rights of data subjects

According to the General Data Protection Regulation (GDPR), you have the following rights


  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (“right to be forgotten”) (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)
  • If, as a whistleblower, you consciously and intentionally waive your anonymity and give us your consent to process your personal data, you also have the right to withdraw your consent up to one month after reporting (Article 7 (3) GDPR)
  • You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia. You can contact them at

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia

Mrs. Bettina Gayk

Kavalleriestr. 2-4

40213 Düsseldorf

Telephone: 0211/38424-0

Fax: 0211/38424-999

E-mail: poststelle@ldi.nrw.de


The full scope of your rights can be found in the corresponding articles of the GDPR, which you can access under the following link



If you wish to make use of your rights or have any questions about data protection at our company, please use the contact details listed above under point 2 or 3.

Annex: Details on joint responsibility


Pühl GmbH & Co KG, Plettenberg currently has no subsidiaries (group structure). Should this change in the future, the following shall apply:
For all data processing, we decide jointly with other controllers on the purposes and means of processing personal data. Other controllers are always the local companies of the Pühl Group involved on the basis of the facts of the case. For example, if a report concerns behavior in a foreign company (e.g. French company in country A), the joint controllers are the French company and us. We will be happy to provide you with the essentials of the agreement between us and the other responsible parties on request (for contact details, see section 2 above).


Below you will find more detailed information on all companies as possible joint controllers:

Pühl GmbH & Co KG

Herscheider Str. 33