Data Protection Policy
In the following, we inform the visitors of our website, our members, supporters, participants in events, donors, benefactors, subscribers, applicants, employees, freelance workers, and all individuals who contact us regarding how personal data is handled at the Ellsberg Whistleblower Award implemented by the Whistleblower Network e.V. as the managing board. Personal data refers to information that can directly or indirectly lead to identifying you. With this, we fulfill our information obligations as per Article 13 of the German General Data Protection Regulation (GDPR).
- 1. Responsibility
- 2. Purposes and Legal Bases of Processing
- 3. Recipients of Data
- 4. Cookies and Web Analytics (via Matomo)
- 5. Third Country Transfers
- 6. Newsletter, Press Review, Press Releases, Event Invitations
- 7. Rights of the Data Subject
- 8. Changes to this Data Protection Policy
1. Responsibility
The controller for data processing, in accordance with Article 13(1)(a) GDPR, is:
Whistleblower Network e.V.
Markgrafenstr. 15, 10969 Berlin
Represented by the Executive Board:
Dipl.-Pol. Annegret Falter, OStA a.D. Robert Bungart, Dr. Detlev Böttcher, RA Klaus Bergmann.
For questions regarding data protection, you can contact us by email at ‚info@whistleblower-net.de‘, by phone at ‚+49 176 84915150‘, or by postal mail at the address mentioned above.
Contacts for Data Protection:
Kosmas Zittel (Managing Director) and Dr. Detlev Böttcher (Treasurer).
2. Purposes and Legal Bases of Processing
Whistleblower Network processes personal data for the following purposes:
Management of sponsors and members of the association and advisory board:
We process name, first name, address, email address, phone number, membership start and end dates, and (if provided) the interests and expertise of the (supporting) members. The legal basis is Article 6(1)(b) GDPR. The data will be deleted ten years after the end of membership.
Membership fees administration:
We process name, first name, membership fee amount, and bank details including IBAN and BIC. The legal basis is Article 6(1)(b) GDPR. The data will be deleted ten years after the last transaction.
Administration of donations, loans, fines, or penalties:
We process name, first name, donation amount and date, and, if applicable, address, email address, and bank details including IBAN and BIC. The legal basis is Article 6(1)(b) GDPR. The data will be deleted ten years after the last transaction.
Fulfillment of transparency obligations:
We process names and donation amounts for the purpose of disclosing donations in the lobby register if the donation(s) exceed €20,000 in the previous financial year, as required by law. The legal basis is Article 6(1)(c) in conjunction with paragraph 3 GDPR. The data will be deleted after the statutory retention period.
Disclosure of major donors:
Names of individuals whose annual contributions exceed 10% of the total annual budget are processed to fulfill obligations from the “Initiative Transparente Zivilgesellschaft.” The legal basis is Article 6(1)(c) GDPR. Data will be deleted three years after the last transaction.
Applications:
We process name, first name, address, email address, phone number, and all other data and documents submitted during the application process. The legal basis is § 26 BDSG (Federal Data Protection Act). The data will be deleted six months after the end of the application process, or six months after the end of employment if the application is successful.
Employee and salary management:
We process name, first name, address, religious affiliation (if applicable), tax number, social security number, health insurance number, and bank details including IBAN and BIC. The legal basis is Article 6(1)(c) GDPR. The data will be deleted ten years after the end of employment.
Personnel files and certificates will be deleted ten years after the end of employment. The legal basis is § 26 BDSG.
Contract work:
We process name, first name, address, tax number, and bank details including IBAN and BIC of freelance workers. The legal basis is Article 6(1)(c) GDPR. Data will be deleted ten years after the last transaction.
Public relations:
We process image and audio recordings and short profiles of board members, advisory board members, and employees of Whistleblower Network, as well as image and audio recordings of event participants, to document our work. This includes posting on the website **whistleblower-net.de** and accompanying publications in social networks, both online and offline. The legal basis is Article 6(1)(f) GDPR, with a legitimate interest in public information about our activities. The data will be deleted when no longer necessary, for example, after leaving the organization or when newer images are available. If you do not wish to be photographed, please inform us in advance at **info@whistleblower-net.de**.
Operation of the website ‘ellsberg-award.org’:
Automatically transmitted data is not stored. Security log data, stored based on Article 6(1)(f) GDPR, will be deleted after six months.
Event management:
We process information and personal data that you provide when registering for an event, typically your last name, first name, and email address. Event-related information will be deleted 24 months after the event, unless legal reasons (e.g., accounting) require longer retention for documentation purposes. The legal basis is Article 6(1)(b) GDPR.
Sending of newsletters, press reviews, press releases, and event invitations:
We process your name, first name, and email address, and whether you have opened the newsletter, press review, press release, or event invitation and clicked on any contained links. The legal basis for this processing is Article 6(1)(a) GDPR.
If you have signed up for or attended one of our events, we will send you invitations to follow-up events for up to 24 months after your last registration or participation. Our legitimate interest (Article 6(1)(f) GDPR) lies in promoting follow-up events.
For further information, including how to withdraw consent, contact us at ‚info@ellsberg-award.org‘
Individual communication (email, phone, post, messaging services, whistleblower platform, video calls):
We process all voluntarily submitted data and documents related to your inquiry, such as last name, first name, email address, and any other personal or special categories of data necessary to handle your inquiry. The legal basis is Article 6(1)(a) GDPR. Data will be deleted 24 months after the conclusion of communication or 24 months after the end of any ongoing procedures.
Sending of information regarding the allocation of fines/penalties:
We process name, first name, and address of judges and prosecutors. The legal basis is Article 6(1)(f) GDPR, with a legitimate interest in informing judges and prosecutors about the possibility of allocating fines or penalties to Whistleblower Network.
Sending of opinions and position papers:
We process name, first name, email address, and address of Members of Parliament and ministerial officials. The legal basis is Article 6(1)(f) GDPR, with a legitimate interest in providing information on our expert opinions.
3. Recipients of Data
We do not transfer your data to third parties without your explicit consent (Article 6(1)(a) GDPR), except for the purpose of processing memberships, salaries, or donations. If necessary, this occurs as part of a data processing agreement. Our legitimate interest (Article 6(1)(f) GDPR) in such agreements lies in outsourcing resource-intensive administration. Data is transferred to payroll service Abacus for salary processing.
Whistleblower Network is listed in the German lobby register for representing interests before the German Bundestag and the Federal Government. As such, we are legally required to disclose the names of donors and the amount of donations if the donations exceed €20,000 in the previous financial year.
We do not use social media plug-ins. Instead, the buttons present on the website provide links to the respective social media platform (Facebook, Twitter, Mastodon, Instagram, LinkedIn, YouTube). No data collection or transfer occurs simply by the presence of these buttons. Data is only transferred when you click on one of the links, directing you to the provider’s website.
For online events and video calls, we use Zoom. If you are registered with Zoom as a user, meeting metadata, telephone dialing data, Q&A content, and poll data may be stored by Zoom for up to one month. After 14 days, data in reports provided in the account management is anonymized.
4. Cookies and Web Analytics (via Matomo)
The website of the Ellsberg Whistleblower Award uses cookies. Cookies are text files stored on your computer via an internet browser. Cookies are used to make our services more user-friendly, effective, and secure; this is our legitimate interest (Article 6(1)(f) GDPR) in their use.
Whistleblower Network e.V. uses the open-source software Matomo (www.matomo.org) on this website of the Ellsberg Whistleblower Award. The information obtained by the cookie about your use of the website is transferred to the server of Whistleblower Network and stored there, enabling an evaluation of user behavior. Your IP address is immediately anonymized, making you remain anonymous as a user. The information collected by the cookie will not be passed on to third parties.
You can adjust your browser settings to notify you when cookies are being set, allow cookies only in individual cases, exclude the acceptance of cookies in specific cases or generally, and activate the automatic deletion of cookies when closing the browser.
5. Third-country Transfers
Whistleblower Network does not transfer data outside the scope of the German GDPR. The only exception is communication via Zoom and social media platforms based in the USA (Privacy Shield), such as Instagram and Bluesky. Here, personal data is processed solely by third parties who are themselves users of these networks.
6. Newsletter, Press Review, Press Releases, Event Invitations
Whistleblower Network sends and manages newsletters, press reviews, press releases, and event invitations using the Mailpoet program on our own server. You can subscribe to these mailing lists yourself and give your consent by confirming the activation link we send you. We store this consent as part of the subscription process.
People who have signed up for events or participated in events receive invitations to follow-up events for up to 24 months after the last registration or participation in an event.
The email address you provide is processed to be used in the mailing list. You can unsubscribe from the respective mailing list at any time, and your email address will be deleted immediately. You can also send an email to revoke your consent for the use of your email address to info@ellsberg-award.org. In that case, your email address will be deleted immediately.
Mailpoet uses a tracking pixel. This is a pixel embedded in the email that establishes a connection with the server of Whistleblower Network when the email is opened. This allows us to determine whether you have opened the email and clicked on the links contained within it. You can prevent this transmission by deactivating the function “Load external content” in your email program.
7. Rights of the Data Subject
If we process personal data relating to you, you have the following rights as a data subject:
- a right to information about the data processed and to a copy
- a right to rectification if we process incorrect data about you
- a right to erasure, unless there are exceptions as to why we still store the data, for example retention obligations or limitation periods
- a right to restriction of processing
- a right to withdraw consent to data processing at any time
- a right to object to processing in the public interest or in the legitimate interest
- a right to data portability
- a right to lodge a complaint with a data protection supervisory authority if you believe that we are not processing your data properly. The Berlin Commissioner for Data Protection and Freedom of Information (An der Urania 4-10; 10787 Berlin; mailbox@datenschutz-berlin.de) is responsible for our association. If you reside in another German federal state or outside of Germany, you can also contact the data protection authority there.
8. Changes to this Data Protection Policy
We reserve the right to modify this data protection policy at any time in order to ensure that it complies with current legal requirements or to reflect changes to our services, for example, when introducing new services. The updated data protection policy will then apply to your next visit to the website.