Information for reporters on the use of Lytt

Preamble

This information sheet is intended for employees (hereinafter referred to as “reporters”) of our Clients who use the communication system developed by us for the purpose of internal communication. The purpose of this information sheet is to explain how personal data of reporters is processed within the framework of the use of our communication system.

We, Lytt GmbH, offer our Clients a cloud-based information and communication system for internal communication within the company, through which their employees or other reporting parties can communicate feedback, complaints and notifications (hereinafter also referred to as “reports”). These reports will then be answered by a corresponding case manager or through the involvement of external consultants (e.g. Lytt consultants or other experts who are not employed by the Client).

We process personal data of the reporting parties exclusively as a commissioned data processor within the meaning of Art. 4 No. 8 GDPR, i.e. on behalf of the Client, who uses our communication system in its company on the basis of a contract with us and thereby makes our services available to the reporting parties working for it. This also applies in the event that we take over the complaint management for the Client.

The responsible authority in the sense of Art. 4 No. 7 GDPR for the processing of personal data of registrants within the framework of the use of our communication system is therefore exclusively our Client, who grants the registrants access to our communication system.

Lytt is responsible for the processing of personal data that we receive through our websites or that we receive from reporters who work for a company that is not already our Client (i.e. contacting potential Clients) in the sense of Art. 4 Para. 7 GDPR. In this case you will find information about the processing of personal data in our privacy policy on our website at https://www.lytt.co/files/legal/data_privacy-EN.html.

By using our communications system, you acknowledge that you are providing all information about your concern to the best of your knowledge and belief and are not using Lytt’s services for the purposes of discrimination, denunciation or misrepresentation.

1. Which categories of data are processed and where they come from

You as the reporter can communicate a request anonymously or not anonymously via the communication system, either directly to the Client, i.e. your employer, or to the Case Manager used by the Client (section 1.1). If we additionally take over the complaint management for the Client, then you as the reporting party can also directly inform our case managers (Lytt experts) of your concern (section 1.2). Communication with reporters always takes place via an encrypted chat.

When you submit a request via the communication system, the following information is processed:

1.1. Communication between the reporter and the Client or his case manager

If communication takes place between the reporter and the Client or case manager of the Client, we do not have access to the message history without the express permission of the reporting party. If you communicate your concern to the Client, you can contact either the case manager appointed by the Client or the Client, i.e. your employer, directly. This can be done in anonymous or non-anonymous form. Anonymous form means that you cannot be identified when communicating with the Client or the case manager. If you communicate your request to the Case Manager in a non-anonymous form, your name and, if applicable, your e-mail address as well as the content of your message or attachments will be transmitted to the Case Manager and processed by him/her. In this case, the Client does not have access to the information you have provided to the Case Manager (see also Section 2.2).

Irrespective of whether you communicate your concern in anonymous or non-anonymous form, the Client or the case manager appointed by the Client may receive and process information about persons about whom you report in your concern. In this case, both the Case Manager and the Client will treat this information confidentially.

1.2. Communication between the reporter and Lytt case managers

If we have taken over the complaint management for the Client, your employer, then you can inform us of your concern in anonymous or non-anonymous form. Anonymous form means that you cannot be identified when communicating with the Client or the case manager. If you communicate your concern directly to us, i.e. our consultants, in a non-anonymous form, we will receive your e-mail address, your name, the content of your message or attachments that you send to us and any other information you wish to provide to us.

Regardless of whether you communicate your request to us in an anonymous or non-anonymous form, we may receive and process information about persons about whom you report in your request. We will always treat this information confidentially. However, we are obliged to provide the Client, i.e. your employer, with access to the content of your request (and thus also to information about persons about whom you complain) or to the message history maintained with us, if

  • the Client expresses a justified suspicion based on its (welfare) duties as an employer within the meaning of the ArbSchG, StGB, BetrVG, AGG or similar legal texts, or
  • within the framework of complaint management, we determine that the disclosure of the message history or the content of your request to the Client is expedient in view of its (welfare) duties within the meaning of ArbSchG, StGB, BetrVG, AGG or similar legal texts, or imminent danger exists.

Data processing within the framework of our complaints management is carried out by trained specialists. Reporters who have expressly stated that they wish to remain anonymous will be made anonymous or unrecognisable prior to inspection by the Client in accordance with the aforementioned paragraph of this section. In this case, the Client receives sole knowledge of the content of the request of the reporting party, but not of the identity of the reporting party. The Client shall not be obliged to initiate criminal proceedings when inspecting the information in accordance with the aforementioned paragraph.

1.3. Information related to your request

We process, on behalf of the Client, information about the situation you have observed or experienced, including its underlying characteristics (e.g. sexual harassment, bias, cultural issues, illegal acts, money laundering, bribery, information about the person you are concerned about), the time and frequency of your report, whether you experienced the incident first hand or observed it, how it happened to someone else and when it occurred. The processing of this information is necessary so that the Client, i.e. your employer, or the case manager appointed by it or our consultants, can successfully process your request and provide you with the best possible advice.

If the complaint management is carried out solely by the Client, we have no insight and no knowledge of the content of your request.

1.4. Demographic information

Information such as age, language, gender, and the person who is exposed to the situation or who has observed it is processed by us on behalf of the Client. The processing of this information is necessary so that the Client, i.e. your employer, or the case manager appointed by it or our consultants, can process your request successfully and give you the best possible advice.

If the complaint management is carried out solely by the Client, we have no insight and no knowledge of the content of your request.

1.5. Feedback

If you would like to share non-anonymous feedback, you have the option to enter your name so that your feedback can be assigned. If you provide us with additional information in connection with your report, we will collect that information with a high degree of confidentiality.

1.6. Sources of data

We process personal data that we receive from you as part of the notification of a concern in our communication system or that we receive from you through direct contact with our consultants.

2. How your data is processed

2.1. Purpose and legal basis for the processing

We process your personal data in accordance with the applicable laws, in particular the General Data Protection Regulation (GDPR; German: DSGVO) and the Federal Data Protection Act (BDSG). The processing of your personal data takes place primarily on behalf of the Client in accordance with Art. 28 GDPR:

  • To fulfil its obligations under the employment agreement concluded with you pursuant to Art. 6 Para. 1 b) GDPR in conjunction with Art. 26 Para. 1 GDPR.
  • To safeguard the legitimate interests of the Client or third parties (authorities) on the basis of Art. 6 Para. 1 lit. f) GDPR. This applies in particular for the purpose of controlling communication in the Client’s company, other administrative purposes or for the investigation of criminal offences (legal basis § 26 Par. 1 P. 2 BDSG).

Insofar as special categories of personal data are processed by us on behalf of the Client within the framework of this order data processing in accordance with Art. 9 Para. 1 GDPR, this shall serve to exercise rights within the scope of the employment relationship or to fulfil legal obligations arising from labour law, social security law and social protection (e.g. recording of sick reports in the communication system). This takes place on the basis of Art. 9 para. 2 lit. b) GDPR in conjunction with § 26 para. 3 BDSG. If you give us or our Client express consent to process personal data for certain purposes, the lawfulness of this processing is given on the basis of your consent according to Art. 6 para. 1 lit. a) GDPR. A given consent can be revoked at any time, with effect for the future (see below section 5.1.). In addition, we process your personal data on the basis of Art. 6 Para. 1 lit. f) GDPR:

  • to improve our communication system, to provide you with functions, services and information of our communication system, to answer your questions and concerns and to offer you our support.
  • to analyze patterns for research purposes.
  • for our business purposes, such as audits, security, fraud monitoring and prevention. We can always process anonymous data, i.e. data that does not relate to a specific person and which does not identify a specific person.

2.2. Recipients of data

Within our company only those persons receive your personal data who need it to fulfil our contractual and legal obligations. In addition, we can pass on your personal data which we receive within the framework of the use of our communication system by you and our Clients:

  • To potential or actual purchasers, successors or assigns in connection with any reorganization, merger, sale, joint venture, assignment, transfer or other disposal of all or any part of our business, assets or shares (including bankruptcy or similar proceedings).
  • To public authorities and government agencies insofar as we are legally obliged to do so.

Personal data and other confidential information that you share with either the Client’s case manager or our consultants in a non-anonymous form, whether in a matter of concern or in other messages, will not be shared with the Client (your employer). The Client will only receive such personal data or confidential information if you contact them directly through our communication system. In individual cases, we may be obliged to provide the Client with an insight into the message processes between you and our case managers, provided that the Client is an employer in the sense of § 618 I BGB as well as the Occupational Health and Safety Act (ArbSchG), the Occupational Safety Act (ASiG), the Occupational Health and Safety Ordinance (ArbStättV), the rules and regulations of the employers’ liability insurance associations and after consideration of a particular case to take appropriate measures. We are entitled to process and disclose data which is available to us in anonymous form, i.e. which has no reference to a person or through which no persons can be identified.

2.3. International data transfer

The transfer of your personal data to a third country is not intended. All personal data that we receive from you as the reporting party through the use of our communication system is stored and processed on servers in Germany. If we use service providers based outside the EU, we will take appropriate measures to ensure that third party processors adequately protect your information in accordance with data protection law. These measures include the signing of EU standard contracts and other data protection provisions regulating the transfer of such data.

3. Information that we collect automatically

We and our third party providers may collect anonymous information through automated means such as cookies, web beacons and web server logs. By using our service, you consent to the placement of cookies, beacons and similar technologies in your browser. Information collected in this way includes browser characteristics, device IDs and characteristics, operating system versions, language preferences, referring URLs, and information about the use of our website.

For example, we may use this anonymous information to ensure that our services work properly, to determine how many users have visited certain pages, or to identify and prevent abusive or fraudulent activities.

We do not track the users of our communication system, i.e. in particular our Clients and the reporters, either over time or across third-party websites and therefore do not respond to Do Not Track (DNT) signals.

Because we strive to keep your identity as confidential as possible, we do not collect your IP address nor do we use Google Analytics at the Client’s URL. To learn more about cookies, visit www.lytt.co/cookies or http://www.allaboutcookies.org/managecookies/index.html.

4. Duration of data storage

We do not store personal data for longer than is necessary for the purposes for which it is processed. The duration of the storage of information depends on the purposes for which we have collected and used it on behalf of the Client.

In addition, there may be various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Tax Code (AO). The periods prescribed there for storage and documentation are two to ten years.

Finally, the storage period also depends on the statutory periods of limitation, which may, for example, be three years according to § 78 StGB and three years according to § 195 et seq. BGB, but in certain cases also up to thirty years.

5. Rights of reporters

5.1. What rights do you have

You have the right to information in accordance with Art. 15 DSGVO, the right to correction according to Art. 16 DSGVO, the right to deletion according to Art. 17 DSGVO, the right to restrict processing under Art. 18 DSGVO, the right to notification under Art. 19 DSGVO and the right to data transfer according to Art. 20 DSGVO.

In addition, you have the right to appeal to a data protection supervisory authority according to Art. 77 DSGVO if you are of the opinion that the processing of your personal data is not lawful. The right of appeal is without prejudice to any other administrative or judicial remedy.

If the processing of data takes place on the basis of your consent, you are entitled according to Art. 7 DSGVO to revoke your consent to the use of your personal data at any time. Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this. Please also note that certain data may have to be stored for a certain period of time in order to comply with legal requirements (see section 4).

In order to exercise your rights, you can contact our Client as the responsible party in the sense of Art. 4 para. 7 DSGVO as well as us as the commissioned data processor directly at legal@lytt.co.

We will consider all requests and give our answer within the time limit set by the applicable law. Please note, however, that under certain circumstances certain information may be exempt from such requests, which may also be the case if we need to process your data in order to provide you with services or to comply with a legal obligation. In addition, you are not permitted to check the information of other persons or companies.

We may ask you to provide us with the necessary information to confirm your identity before responding to your request.

5.2. Are you obliged to provide your data?

Reporting parties are not obliged to provide personal data within the framework of the use of our communication system. You are therefore not obliged to provide information about your personal data.

Last modified: August 2019