This information sheet is intended for employees (hereinafter referred to as “reporters”) of our Clients who use the communication system developed by us for the purpose of internal communication. The purpose of this information sheet is to explain how the personal data of reporters is processed within the framework of the use of our communication system.
We, Lytt GmbH, offer our Clients a cloud-based information and communication system for internal communication within the company, through which the Client's employees or other reporting parties can communicate feedback, complaints and notifications (hereinafter also referred to as “reports”). These reports will then be answered by a corresponding case manager or through the involvement of external consultants (e.g. Lytt consultants or other experts who are not employed by the Client).
We process personal data of reporters exclusively as an order data processor within the meaning of Art. 4 No. 8 GDPR, i.e. on behalf of the Client, who uses our communication system in its company on the basis of a contract with us and thereby makes our services available to the reporters working for it. This also applies in the event that we take over the complaint management for the Client.
The controller (responsible body) within the meaning of Art. 4 No. 7 GDPR for the processing of personal data of reporters within the framework of the use of our communication system is therefore exclusively our Client, who grants the reporters access to our communication system.
By using our communications system, you acknowledge that you are providing all information about your concern to the best of your knowledge and belief and are not using Lytt’s services for the purposes of discrimination, denunciation or misrepresentation.
You as the reporter can communicate a request anonymously or non-anonymously via the communication system, either directly to the Client, i.e. your employer, or to the case manager used by the Client (section 1.1). If we additionally take over the complaint management for the Client, then you as the reporting party can also directly inform our case managers (Lytt experts) of your concern (section 1.2). Communication with reporters always takes place via an encrypted chat.
When you submit a request via the communication system, the following information is processed:
If communication takes place between the reporter and the Client or case manager of the Client, we do not have access to the message history without the express permission of the reporting party. If you communicate your concern to the Client, you can contact either the case manager appointed by the Client or the Client, i.e. your employer, directly. This can be done in anonymous or non-anonymous form. Anonymous form means that you cannot be identified when communicating with the Client or the case manager. If you communicate your request to the Case Manager in a non-anonymous form, your name and, if applicable, your e-mail address as well as the content of your message or attachments will be transmitted to the Case Manager and processed by him/her. In this case, the Client does not have access to the information you have provided to the Case Manager (see also Section 2.2).
Irrespective of whether you communicate your concern in anonymous or non-anonymous form, the Client or the case manager appointed by the Client may receive and process information about persons about whom you report in your concern. In this case, both the Case Manager and the Client will treat this information confidentially.
If we have taken over the complaint management for the Client, your employer, then you can inform us of your concern in anonymous or non-anonymous form. Anonymous form means that you cannot be identified when communicating with the Client or the case manager. If you communicate your concern directly to us, i.e. our consultants, in a non-anonymous form, we will receive your e-mail address, your name, the content of your message or attachments that you send to us and any other information you wish to provide to us.
Regardless of whether you communicate your request to us in an anonymous or non-anonymous form, we may receive and process information about persons about whom you report in your request. We will always treat this information confidentially. However, we are obliged to provide the Client, i.e. your employer, with access to the content of your request (and thus also to information about persons about whom you complain) or to the message history maintained with us, if
Data processing within the framework of our complaints management is carried out by trained specialists. Reporters who have expressly stated that they wish to remain anonymous will be made anonymous or unrecognisable prior to inspection by the Client in accordance with the aforementioned paragraph of this section. In this case, the Client receives sole knowledge of the content of the request of the reporting party, but not of the identity of the reporting party. The Client shall not be obliged to initiate criminal proceedings when inspecting the information in accordance with the aforementioned paragraph.
We process information about the situation you have observed or experienced, including its underlying characteristics (e.g. sexual harassment, bias, cultural issues, illegal acts, money laundering, bribery, information about the person you are concerned about) and the time and frequency of your report on behalf of the Client. This includes whether you experienced the incident first hand or observed it, how it happened to someone else and when it occurred. The processing of this information is necessary so that the Client, i.e. your employer, or the case manager appointed by it or our consultants, can successfully process your request and provide you with the best possible advice.
If the complaint management is carried out solely by the Client, we have no insight and no knowledge of the content of your request.
Information such as age, language, gender, the person who is exposed to the situation or who has observed it is processed by us on behalf of the Client. The processing of this information is necessary so that the Client, i.e. your employer, or the case manager appointed by it or our consultants, can process your request successfully and give you the best possible advice.
If the complaint management is carried out solely by the Client, we have no insight and no knowledge of the content of your request.
If you would like to share non-anonymous feedback, you have the option to enter your name so that your feedback can be assigned. If you provide us with additional information in connection with your report, we will collect that information with a high degree of confidentiality.
We process personal data that we receive from you as part of the notification of a concern in our communication system or that we receive from you through direct contact with our consultants.
2. How your data is processed
2.1. Purpose and legal basis for the processing
We process your personal data in accordance with the applicable laws, in particular the General Data Protection Regulation (GDPR; German: DSGVO) and the Federal Data Protection Act (BDSG). The processing of your personal data takes place primarily on behalf of the Client in accordance with Art. 28 GDPR:
Insofar as special categories of personal data are processed by us on behalf of the Client within the framework of this order data processing in accordance with Art. 9 Para. 1 GDPR, this shall serve to exercise rights within the scope of the employment relationship or to fulfil legal obligations arising from labour law, social security law and social protection (e.g. recording of sick reports in the communication system). This takes place on the basis of Art. 9 para. 2 lit. b) GDPR in conjunction with § 26 para. 3 BDSG. If you give us or our Client express consent to process personal data for certain purposes, the lawfulness of this processing is given on the basis of your consent according to Art. 6 para. 1 lit. a) GDPR. A given consent can be revoked at any time, with effect for the future (see below section 5.1.). In addition, we process your personal data on the basis of Art. 6 Para. 1 lit. f) GDPR.
Within our company only those persons receive your personal data who need it to fulfil our contractual and legal obligations. In addition, we can pass on your personal data which we receive within the framework of the use of our communication system by you and our Clients:
Personal data and other confidential information that you share with either the Client’s case manager or our consultants in a non-anonymous form, whether in a matter of concern or in other message histories, will not be shared with the Client (your employer). The Client will only receive such personal data or confidential information if you contact them directly through our communication system. In individual cases, we may be obliged to provide the Client with an insight into the message processes between you and our case managers, provided that the Client is an employer in the sense of § 618 I BGB as well as the Occupational Health and Safety Act (ArbSchG), the Occupational Safety Act (ASiG), the Occupational Health and Safety Ordinance (ArbStättV), the rules and regulations of the employers’ liability insurance associations and after consideration of a particular case to take appropriate measures. We are entitled to process and disclose data which is available to us in anonymous form, i.e. which has no reference to a person or through which no persons can be identified.
The transfer of your personal data to a third country is not intended. All personal data that we receive from you as the reporting party through the use of our communication system is stored and processed on servers in Germany. If we use service providers based outside the EU, we will take appropriate measures to ensure that third party processors adequately protect your information in accordance with data protection law. These measures include the signing of EU standard contracts and other data protection provisions regulating the transfer of such data.
We and our third party providers may collect anonymous information through automated means such as cookies, web beacons and web server logs. By using our service, you consent to the placement of cookies, beacons and similar technologies in your browser. Information collected in this way includes browser characteristics, device IDs and characteristics, operating system versions, language preferences, referring URLs, and information about the use of our website.
For example, we may use this anonymous information to ensure that our services work properly, to determine how many users have visited certain pages, or to identify and prevent abusive or fraudulent activities.
We do not track the users of our communication system, i.e. in particular our Clients and the reporters, either over time or across third-party websites and therefore do not respond to Do Not Track (DNT) signals.
Because we strive to keep your identity as confidential as possible, we do not collect your IP address nor do we use Google Analytics at the Client’s URL. To learn more about cookies, visit www.lytt.co/cookies or http://www.allaboutcookies.org/managecookies/index.html.
We do not store personal data for longer than for the purposes for which it is processed. The duration of the storage of information depends on the purposes for which we have collected and used it on behalf of the Client.
In addition, there may be various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Tax Code (AO). The periods prescribed there for storage and documentation are two to ten years.
Finally, the storage period also depends on the statutory periods of limitation, which may, for example, be three years according to § 78 StGB and three years according to § 195 et seq. BGB, but in certain cases also up to thirty years.
You have the right to information in accordance with Art. 15 DSGVO, the right to correction according to Art. 16 DSGVO, the right to deletion according to Art. 17 DSGVO, the right to restrict processing under Art. 18 DSGVO, the right to notification under Art. 19 DSGVO and the right to data transfer according to Art. 20 DSGVO.
In addition, you have the right to appeal to a data protection supervisory authority according to Art. 77 DSGVO if you have the opinion that the processing of your personal data is not lawful. The right of appeal is without prejudice to any other administrative or judicial remedy.
If the processing of data takes place on the basis of your consent, you are entitled according to Art. 7 DSGVO to revoke your consent to the use of your personal data at any time. Please note that the revocation will only take effect for the future. Processing that took place before the revocation is not affected by this. Please also note that certain data may have to be stored for a certain period of time in order to comply with legal requirements (see section 4).
We will consider all requests and give our answer within the time limit set by the applicable law. Please note, however, that under certain circumstances certain information may be exempt from such requests, which may also be the case if we need to process your data in order to provide you with services or to comply with a legal obligation. In addition, you are not permitted to check the information of other persons or companies.
We may ask you to provide us with the necessary information to confirm your identity before responding to your request.
Reporting parties are not obliged to provide personal data within the framework of the use of our communication system. You are therefore not obliged to provide information about your personal data.
Last modified: August 2019