Data protection information on the operation of the reporting channels according to the German Whistleblower Protection Act

This data protection information pursuant to Art. 13 et seq. DSGVO fulfils our obligation to inform you about the collection and processing of personal data in connection with our internal reporting system under the German Whistleblower Protection Act (HinSchG).

Our reporting system basically comprises the following reporting channels:

  • Verbal notification (e.g. by telephone)

  • Written notification (e.g. by mail or web form)

  • Personal notification (at the request of the person providing the information)

Please read this privacy notice carefully before submitting a report.

1. Name and contact details of the responsible person

CARFAX Europe GmbH

Barth Street 2-10

80339 Munich


(hereinafter "CARFAX", "we", "us").

2. Contact details of the data protection officer:

Holzhofer Consulting GmbH

Martin Holzhofer

Lochhamer Str. 31

82152 Planegg

Tel.: (0 89) 1 25 01 56 00


3. Purposes for which the personal data are to be processed and the legal basis for the processing

3.1 General

The reporting channels we provide allow you to contact us in a secure and confidential way to report suspected compliance and regulatory violations.

We generally process the personal data contained in a report, if any, in order to process the report and to investigate and resolve the alleged compliance and legal violations.

We may also have questions for you. For this purpose, we usually communicate via the reporting channel that you used to submit the report.

The confidentiality of the information you provide will be maintained at all times. This includes, in particular, the confidentiality of your identity as the person providing the information and of the persons who are the subject of the report or are affected by it (confidentiality obligation). All persons authorized by CARFAX to view the information are also expressly bound to confidentiality.

In addition, the need-to-know principle is strictly adhered to, i.e. the identity of the above-mentioned persons is only disclosed to the following group of persons:

  • Persons who are responsible for receiving reports, or

  • Persons responsible for taking follow-up action, and

  • Persons who assist them in the performance of these duties.

If the notification you submit contains personal data of third parties to which you refer in your notification, the data subjects will be given the opportunity to comment on the notifications as well as any allegations made against them and investigations carried out. In such cases, we must generally inform the data subjects about the notice within one month pursuant to Art. 14 (3) (a) of the GDPR. However, the information may be postponed if necessary on the basis of Art. 14 (5) (b) of the GDPR. As soon as the reason for the postponement no longer applies, the data subjects will subsequently be informed.

In this case, too, your confidentiality is protected, since no information about your identity is provided to the data subject - as far as legally possible - and your report is used in such a way that your anonymity is not jeopardized.

3.2 Receipt, (initial) verification and documentation of a message

The use of the reporting system is always on a voluntary basis. If you submit a report via one of the reporting channels, we may process and store the following personal data or data categories for the purpose of accepting, verifying and documenting the report received and for the necessary communication with you as the person providing the information:

  • First and last name of the person providing the information (if this data is provided).

  • Title, first and last name and other personal data of the persons who are the subject of the report or affected by it (e.g. accused persons).

  • Contact information such as phone number or email address (if this data is provided).

  • The fact that the whistleblower has made a report through the whistleblowing system.

  • Whether the person making the report or other persons affected by the report are employed by CARFAX or have a relationship with CARFAX (e.g., customer, supplier, service provider).

  • Timing, content, and other relevant circumstances (e.g., locations of witnesses and documents) related to the report submitted by whistleblowers.

The legal basis for the processing is usually Art. 6 para. 1 lit. c DSGVO in conjunction with the relevant provisions of the HinSchG:

  • Section 12 HinSchG contains the obligation to establish and operate an internal reporting office.

  • Section 10 HinSchG permits the processing of personal data by the reporting offices insofar as this is necessary for the fulfillment of their tasks specified in Section 13 HinSchG.

  • Section 11 HinSchG contains the obligation to document all incoming reports.

If a tip received relates to an employee of CARFAX, the processing may serve to prevent and detect criminal offences or other legal violations that are related to the employee relationship (Section 26 (1) sentence 2 BDSG).

If you as a whistleblower voluntarily wish to disclose your identity to CARFAX or an external body, this will be done on the basis of your consent pursuant to Art. 6 para. 1 lit. a DSGVO. The consent to be given is given by the fact that the notice can also be given completely anonymously.

With your consent as the person providing the information, the personal notification can also be made by means of video and audio transmission (e.g. by means of a video conferencing system). In this case, the legal basis is the voluntary and informed consent according to Art. 6 para. 1 lit. a DSGVO, § 16 para. 3 HinSchG.

In the case of telephone reports or reports by means of another type of voice transmission, a permanently retrievable audio recording of the conversation or its complete and accurate transcript (verbatim record) will only be made with your consent as the person providing the information. The same applies to the complete and accurate recording of the meeting as part of a personal notification. Here, too, the legal basis is the voluntary and informed consent in accordance with Art. 6 Para. 1 lit. a DSGVO, § 11 Para. 2 and 3 HinSchG.

As a matter of principle, we do not collect and process special categories of personal data within the meaning of Art. 9(1) DSGVO (e.g. information on racial and/or ethnic origin, religious and/or philosophical beliefs, trade union membership or sexual orientation). However, due to free text fields in the registration form, such special categories of personal data can in principle be transmitted. In this case, the data will be processed in accordance with § 10 S. 2 HinSchG and only if this is absolutely necessary for the processing of the notification. Otherwise, this data will be deleted immediately in accordance with data protection regulations.

3.3 Initiation and implementation of follow-up measures

In the course of necessary follow-up actions, such as internal audit and investigation, contacting the individuals and work units concerned, closing the case for lack of evidence or other reasons, and handing over the case for further investigation to the work unit responsible for internal investigations or a competent authority, we may process and store the following data or categories of data:

  • Personal information within the scope of investigative measures (e.g. first and last name, private address, private telephone number, private e-mail address)

  • Business details (e.g. function in the company, job title, possible supervisor position, business e-mail address, business telephone number).

  • Business-related documents (e.g. travel expense reports, time sheets or time statements, contracts, performance records, driver's logs, invoices)

  • Information on relevant facts: Internal investigative measures often relate to specific facts. The identification and evaluation of relevant information on the respective facts may allow conclusions to be drawn about the behavior or actions of the persons concerned.

The legal basis for the processing is usually Art. 6 para. 1 lit. c DSGVO in conjunction with the relevant provisions of the HinSchG:

  • Section 12 HinSchG contains the obligation to establish and operate an internal reporting office.

  • Section 10 HinSchG permits the processing of personal data by the reporting offices insofar as this is necessary for the fulfillment of their tasks specified in Section 13 HinSchG.

4. Automated decision making including profiling

Automated individual case decisions including profiling according to Art. 22 (1) and (4) DSGVO do not take place on the part of CARFAX.

5. Data transfer to a third country

Data transfers to countries outside the EU and the European Economic Area ("Third Countries") arise in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis:

  • of an adequacy decision of the European Commission within the meaning of Art. 45 GDPR.

  • of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.

  • of standard data protection clauses adopted by the Commission in accordance with the review procedure under Article 93(2) of the GDPR.

Currently, in connection with the use of our internal reporting system, a transfer of personal data to third countries takes place in the following cases:

  • Transfer of data to S&P Global Inc., 55 Water Street, New York, New York, 10041, USA

  • Transfer of data to NAVEX Global Inc, 5500 Meadows Road, Suite 500 Lake Oswego, OR 97035, USA.

For the USA, the European Commission has issued an adequacy decision according to Art. 45 (3) GDPR, which applies to the EU-US Data Privacy Framework (DPF). For data exports to recipients in the USA that are certified according to the DPF, the level of data protection is thus considered adequate. The service provider NAVEX is certified under the DPF and has thus committed to comply with European data protection principles.

6. Categories of recipients of data

For the processing of personal data for the purposes stated here, we use the following categories of recipients as processors within the meaning of Art. 28 DSGVO:

  • NAVEX Global Inc. for the purpose of providing and technically implementing the reporting system.

  • Provider of servers for the purpose of hosting the websites

  • Service provider for hosting and operation of the online video conferencing system

  • TC service provider to operate the telephone system

  • ...

These service providers process information about you on our behalf and on the basis of our instructions and are contractually bound by a data processing agreement to comply with applicable data protection laws.

To the extent permitted by law, we may share personal data with the following external recipients:

  • Lawyers in case of legal advice

  • Law enforcement authorities, antitrust authorities, other administrative authorities, courts (in the case of a corresponding legal obligation or necessity for the clarification of information)

  • Affiliates of CARFAX (where required for internal audit and investigation and in connection with the provision and operation of the reporting system at the corporate level)

  • Other third parties in the course of transferring functions (e.g. data protection officer)

We always ensure that the relevant data protection regulations are complied with whenever information is passed on.

7. Storage period and criteria for determining the duration

Personal data is generally only stored for as long as is necessary to fulfill the purposes stated here (e.g., for processing a report and conclusively clarifying a violation) or as required by the retention periods stipulated by law. After the respective purpose ceases to apply or after the retention periods have expired, the data is deleted in accordance with the statutory provisions.

The specific duration of storage depends in particular on the severity of the suspicion and the reported compliance and legal violations.

The documentation of notifications within the meaning of § 11 HinSchG is deleted three years after the conclusion of the procedure.

Personal data that is obviously irrelevant for the processing of a report will not be collected or will be deleted immediately after receipt of the report.

8. Information on your data subject rights

CARFAX Europe GmbH is responsible for the processing of your data, unless otherwise stated.

You can request information (Art. 15 GDPR) about the data stored about you and its correction (Art. 16 GDPR) in case of errors at any time. Furthermore, you can request the restriction of processing (Art. 18 DSGVO), the portability (Art. 20 DSGVO) of the data provided to us by you in a machine-readable format or the deletion of your data (Art. 17 DSGVO) - insofar as they are no longer needed.

You also have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 DSGVO).

If we process your data on the basis of your consent, you can revoke this consent at any time with effect for the future (Art. 7 (3) DSGVO). From the receipt of your revocation, we will no longer process your data for the purposes specified in the consent.

If you wish to exercise your data protection rights, please send your request by e-mail to or by mail to the above address.

9. Right of appeal to a supervisory authority

In addition, you can contact a supervisory authority with a complaint at any time in accordance with Art. 77 (1) DSGVO. The supervisory authority generally responsible for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18

91522 Ansbach

PO Box 1349

Phone: +49 (0) 981 180093-0

Alternatively, you can approach your local supervisory authority.

10. Technical implementation and security of your data

The web form contains the option for anonymous communication via an encrypted connection. When using it, your IP address and your current location are not stored at any time.

We have implemented sufficient technical and organizational measures to ensure compliance with applicable data protection regulations and confidentiality. The data you provide is stored on a specially secured database. All data stored on the database is encrypted by us according to the current state of the art.

Status: January 2024