Data Protection


The protection of your personal data is of particular concern to us. We therefore process your data exclusively on the basis of the legal provisions (DSGVO, TKG 2021). In this data protection information, we inform you about the most important aspects of data processing within the framework of our whistleblower protection system.

We declare compliance with the legal provisions on data protection and data security. In particular, data will only be used for the purposes stated below and measures will be taken to ensure data security by ensuring that data is used properly and not made accessible to unauthorised persons. Clients, service providers and their employees are obliged to maintain secrecy and confidentiality with regard to the data disclosed by us, unless there is a legally permissible reason for transferring or disclosing the data entrusted or made accessible.

1.     General, information on the procedure 

1.1     This data protection statement describes how JOANNEUM RESEARCH Forschungsgesellschaft mbH, as the data protection controller within the meaning of Art 4 Z 7 of the General Data Protection Regulation (DSGVO), processes personal data in connection with the operation of the whistleblower system and the receipt and processing of tips. We provide you with this information in accordance with Art 13 DSGVO and the Whistleblower Protection Act (HSchG).

1.2     This data protection declaration refers to the following groups of data subjects:

-     Whistleblowers;
-     persons affected by the whistleblowing;
-     natural persons who support whistleblowers in their whistleblowing activities;
-     Individuals in the whistleblower's circle who, without assisting the whistleblower, may be affected by adverse consequences of the whistleblowing, such as retaliation;
-     persons affected by or involved in follow-up actions.

Whistleblowers have the possibility to use our whistleblowing system - also anonymously. There is no obligation to provide personal data.

1.3     The data collected will be processed by Saxinger, Chalupsky & Partner Rechtsanwälte GmbH ("SCWP Schindhelm"), which has been commissioned by us, in compliance with all necessary procedural principles (in particular confidentiality, protection of the whistleblower, sensitivity of the data processed and the "need-to-know principle") as well as processing principles (Art 5 DSGVO). SCWP Schindhelm first independently carries out a plausibility check/first check of the reported information (depending on the reported circumstances and provided that the report contains sufficient information).If necessary, SCWP Schindhelm can request the support of company departments, such as the legal/data protection/compliance department or the human resources department, or other external consultants. With regard to the set-up, process and implementation of the reporting procedure, SCWP Schindhelm has access to specially designated internal contacts at JOANNEUM RESEARCH Forschungsgesellschaft mbH.

1.4     Upon receipt of a tip, the whistleblower will receive an acknowledgement of receipt in the whistleblowing system within a maximum of seven calendar days, unless the whistleblower has expressly objected or SCWP Schindhelm has reason to believe that acknowledging receipt of a written tip would compromise the protection of the whistleblower's identity.

1.5     SCWP Schindhelm shall inform the whistleblower no later than three months after receipt of a whistleblower

-     which follow-up measures SCWP Schindhelm has taken or intends to take.A follow-up measure is a measure taken as a result of a tip-off by an internal unit, another organisational unit of a company, an administrative authority, a court or the public prosecutor's office, such as the examination of the validity of the tip-off, internal enquiries, investigations, or the initiation, commencement, implementation or termination of proceedings or other measures for further action against the violation, for criminal prosecution or for the restoration of the lawful situation;
-     or for what reason SCWP Schindhelm does not pursue the whistleblower.

1.6     Whistleblowers are only required to disclose personal data that is suitable for preventing or punishing violations of the law. We do not collect any personal data that is not required for the processing of a report; if such personal data has been provided to us, it will be deleted immediately. We expressly point out that whistleblowers are considered data controllers in their own right within the meaning of Art 4 Z 7 DSGVO with regard to personal data that they know goes beyond what is necessary to follow up the whistleblowing (cf. § 8 Abs 4 Z 1 HSchG).

1.7     Information that is obviously false will be rejected. In such a case, we will point out that such false information may give rise to claims for damages and may be prosecuted in court or as an administrative offence (cf. Art. 6 (4) HSchG).

2.     Purpose of the processing

2.1     The whistleblower system gives whistleblowers the possibility to point out certain grievances by means of a standardised procedure without revealing their identity.

2.2     Within the framework of this whistleblower system, information can be submitted on the following relevant topics in accordance with § 3 para 2 to 5 HSchG:

-     Public procurement;
-     Financial services, financial products and financial markets as well as prevention of money laundering and terrorist financing;
-     Product safety and conformity;
-     Transport safety;
-     Environmental protection;
-     Radiation and nuclear safety;
-     Food and feed safety, animal health and welfare;
-     public health;
-     consumer protection;
-     Protection of privacy and personal data and security of network and information systems;
-     Prevention and punishment of offences under sections 302 to 309 of the Criminal Code (StGB), Federal Law Gazette No. 60/1974;
-     Infringements detrimental to the financial interests of the European Union within the meaning of Article 325 of the Treaty on the Functioning of the European Union (TFEU) and in accordance with specific definitions in relevant Union measures;
-     Infringements of internal market rules within the meaning of Article 26(2) TFEU, as well as for infringements of Union rules on competition and State aid and infringements of internal market rules in relation to acts which infringe corporate tax rules or in relation to agreements aimed at obtaining a tax advantage contrary to the object or purpose of corporate tax law;
-     Provisions enumerated in Parts I.B and II of the Annex to Directive 2019/1937/EU. However, in relation to the directly applicable legal acts of the Union listed in Part II of the Annex to Directive 2019/1937/EU and the federal laws referred to in section 4(1)(1) to (18) of the HSchG, this only concerns a matter which is not bindingly regulated by those legal acts of the Union or which is not regulated by the federal laws referred to in section 4(1)(1) to (18) of the HSchG.

2.3     We would like to point out that we are not permitted to process information outside of the aforementioned list. SCWP Schindhelm will check the report after it has been received to see whether it touches on one of the aforementioned reporting topics. We ask whistleblowers to contact the usual channels (e.g. the relevant specialist department) for reports that fall outside the above-mentioned list.

3.     What is personal data?

According to Article 4(1) of the GDPR, personal data is any information relating to an identified or identifiable natural person.

4.     What data is processed?

All personal data processed in connection with the submission of a notice are processed exclusively for the purposes of the HSchG, whereby processing is restricted to data required to establish and punish an infringement of the law (§ 8 para 2 Z 2 HSchG). These purposes are (§ 8 Abs 2 Z 1 HSchG):

-     Encouraging lawful behaviour in areas of life of special public interest by providing simple procedures with predictable processes in case of indications of violations of the law (§ 1 para 1 HSchG);
-     prevention and punishment of violations of the law in the public interest, enabling the submission of tips in this regard and checking the tips for their validity (§ 8 para 2 Z 1 HSchG).

5.     For what purposes do we process your data and on what legal basis are they processed?

5.1     The legal basis for the processing of personal data in connection with the operation of the whistleblower system as well as the internal evaluation of the tips are:

-     the fulfilment of a legal obligation (Art 6 para 1 lit c DSGVO) as well as the performance of a task which is in the public interest (Art 6 para 1 lit e DSGVO in conjunction with § 8 para 1 HSchG);
-     with regard to special categories of data within the meaning of Art 9(1) DSGVO, additionally the substantial public interest (Art 9(2)(g) DSGVO in conjunction with § 8(5) HSchG). Processing of this data only takes place if the processing is absolutely necessary to achieve the purposes stated in point II.4. and the public interest in the processing to achieve these purposes is substantial. In such a case, we take effective measures to protect the rights and freedoms of data subjects.
-     with regard to data on criminal convictions and offences (including personal data on acts or omissions punishable by a court or administrative authority, in particular also on suspicion of the commission of criminal offences, as well as on criminal convictions or preventive measures) additionally Art 10 DSGVO in conjunction with § 8 para 6 HSchG. This data will only be processed if absolutely necessary and will be documented in writing.

5. 2     Insofar as we forward personal data in individual cases to third parties who have the professional expertise required for the assessment and have accordingly been commissioned by us to examine indications, such as in particular lawyers, auditors or experts, the legal basis is the exercise, defence or assertion of legal claims (Art 6 para 1 lit f DSGVO as our legitimate interest, with regard to special categories of data Art 9 para 2 lit f DSGVO, with regard to data on criminal convictions and offences Art 10 DSGVO in conjunction with § 4 para 3 line 2 DSG).

6.     To whom is your data passed on; who is considered the recipient of the data?

6.1     The processing is carried out with the help of the Schindhelm Whistleblowing Solution, which is provided by SCWP Schindhelm Rechtsanwälte GmbH, Böhmerwaldstraße 14, 4020 Linz. JOANNEUM RESEARCH Forschungsgesellschaft mbH has concluded a corresponding order processing agreement with SCWP Schindhelm Rechtsanwälte GmbH. The commissioned processor is obliged to treat your data confidentially and to process it only in the course of providing the service in accordance with the statutory provisions.

6.2     In the course of carrying out the audit, the data collected may be transmitted on an ad hoc basis to third parties commissioned by us to carry out the audit, such as, in particular, lawyers, auditors or experts who are either subject to a professional and/or contractual duty of confidentiality. However, following the principle of data minimisation, we will only transmit such personal data that is absolutely necessary for the proper examination of the notice.

6.3     Within our company, data will only be disclosed to those departments and employees who need this data to fulfil contractual or legal obligations and to protect legitimate interests.

6.4     A transfer of personal data to administrative authorities, courts and/or public prosecutors' offices shall only take place in accordance with the legal requirements. The identity of whistleblowers and other information from which the identity of whistleblowers can be directly or indirectly inferred may only be disclosed by us if an administrative authority, a court or the public prosecutor's office considers this to be indispensable within the framework of administrative or judicial proceedings or an investigation under the Code of Criminal Procedure and proportionate with regard to endangering the person of the whistleblower in view of the validity and seriousness of the allegations made (section 7(4) HSchG). The same shall apply mutatis mutandis to a person affected by a whistleblower (section 7(5) HSchG).

7.     How long will the data be stored?

7.1     If personal data is not required for the processing of a report, it will be deleted immediately.

7.1     If personal data is not required for the processing of a report, it will be deleted immediately.

7.2     If a tip is deemed not to be valid in the course of an initial check, for example because the tip does not fall within the scope of the HSchG or there is no indication of its validity from the tip, the personal data contained therein will be deleted immediately after this initial check has been carried out, but no later than 14 days after receipt of the tip.

7.3     If a notice is deemed to be valid, we will retain the personal data contained therein for five years from the last time it was processed or transmitted, and beyond that for as long as is necessary to conduct administrative or judicial proceedings that have already been initiated or investigative proceedings pursuant to the Code of Criminal Procedure (StPO). After this storage obligation has lapsed, the data shall be deleted.

7.4     Logs of the processing operations actually carried out, such as in particular changes, queries or transfers, will be retained by us for three years from their last processing or transfer after the respective retention obligation within the meaning of point 7.2. ceases to apply and then deleted.

8.     Your data protection rights

8.1     You have the following data subject rights under the respective legal requirements:

-     Right to information (Art. 13 and 14 DSGVO),
-     Right to information (§ 1 para. 3 no. 1 DSG, Art. 15 DSGVO),
-     Right to rectification (Art. 1 para. 3 no. 2 DSG, Art. 16 DSGVO),
-     Right to erasure (§ 1 para. 3 no. 2 DSG, Art. 17 DSGVO),
-     Right to restriction of processing (Art. 18 DSGVO),
-     Right to data portability (Art. 20 DSGVO)
-     Right to object (Art. 21 DSGVO) and
-     Right to notification of a personal data breach (Art. 34 GDPR).

8.2     As long as and insofar as this is necessary to protect the identity

-     of a whistleblower
-     a natural person who assists whistleblowers in making a report, or
-     a natural person in the vicinity of the whistleblower who, without assisting the whistleblowing, may be affected by adverse consequences of whistleblowing such as retaliation

and is necessary to achieve the purposes stated under point 4.1, in particular to prevent attempts to prevent, undermine or delay information or follow-up measures based on information, in particular for the duration of administrative or judicial proceedings or investigative proceedings under the Code of Criminal Procedure, the rights listed under point 8.1. subpoints 1 to 5 and 7 to 8 shall not apply to a natural person affected by information. Similarly, the rights listed under 8.1. sub-items 2 to 4 do not apply to legal persons if this requirement is met. In such a case, we must refrain from providing information and information on the notice to a person affected by a notice.

8.3     If you believe that the processing of your personal data violates data protection law or that your data protection rights have been violated in any other way, you can complain to the supervisory authority. In Austria, this is the data protection authority, e-mail:

9.     You can reach us at the following contact details:

JOANNEUM RESEARCH Forschungsgesellschaft mbH.
Leonhardstraße 59, A-8010 Graz
Tel.: +43 316 876-0
Fax: +43 316 876-1181
Central Data Protection: Mag. Katrin Gallé