Privacy policy Whistleblowing System and GDPR joint controller responsibilities withing the Fonds Soziales Wien Group (FSW Group)
Fonds Soziales Wien Group takes the topic of data protection and confidentiality very seriously. Therefore, the privacy policy is offered both in German and English. For the sake of completeness, it is noted, that the German version shall prevail. The English version is only a translation and is provided for better understanding.
Central provisions of data protection legislation consist of
- the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679,
- and the Data Protection Act – DSG, BGBI. I No. 165/1999, as amended.
Please carefully read the data protection information before submitting a report.
Responsible Entities and Data Protection Officer
Fonds Soziales Wien Group includes the following entities:
- Fonds Soziales Wien
Guglgasse 7-9
1030 Wien
as well as the following subsidiaries
- FSW-Wiener Pflege- und Betreuungsdienste GmbH
Guglgasse 7-9
1030 Wien - Obdach Wien gemeinnützige GmbH
Guglgasse 7-9
1030 Wien - Schuldnerberatung Wien - gemeinnützige GmbH
Guglgasse 7-9
1030 Wien - AWZ Soziales Wien GmbH
Schlachthausgasse 37
1030 Wien - FSW-LGM GmbH
Guglgasse 7-9
1030 Wien
The FSW Group operates the whistleblower system as a joint controller within the meaning of Article 26 GDPR. The joint responsibility applies to the entire operation and organisation of the whistleblower system within the FSW Group. This applies in particular to the internal administration of the whistleblower system and the implementation of specific whistleblower procedures. The companies of the FSW Group rely on a uniform platform and uniform IT systems for this purpose. The standardised procedure is intended to ensure that reported facts within the FSW group of companies are followed up according to uniform standards, and that they are remedied and punished if necessary. For this purpose, an agreement has been concluded between the companies of the FSW Group.
The agreement regulates the rights and obligations of the controllers in the joint processing of personal data within the framework of the whistleblower system. The main points of the agreement are:
Fonds Soziales Wien takes on the following core tasks:
- Documentation obligations (e.g. documentation of facts),
- Provision and operation of infrastructure and systems.
- Use of processors (EQS as the provider of the whistleblower platform).
- Definition, documentation and review of technical/organizational measures
- The FSW or its subsidiaries undertake to provide comprehensive documentation in order to be able to fulfil their accountability obligations under Article 5 (2) GDPR, whereby they provide each other with the necessary information from their respective areas of activity without delay if necessary.
- In accordance with Art. 26 para. 3 GDPR, you can assert the rights of data subjects to which you are entitled in accordance with Art. 15 to 22 GDPR against any company in the FSW group of companies. If a request from a data subject is addressed to a company in the FSW group of companies that is not responsible for it according to the concluded agreement, the latter will
immediately forward the request to the responsible company. The Fonds Soziales Wien has appointed a data protection officer. Requests for data protection can be sent to datenschutz@fsw.at by email.
Purpose of the whistleblowing system, legal foundation and automated decision-making
The whistleblowing system (BKMS® System) serves for securely and confidentially receiving, processing and managing reports concerning violations of the legal and compliance regulations of the FSW Group. The legal foundation for the processing of personal data is layed out in the following legal acts:
- HinweisgeberInnenschutzgesetz (HSchG - Whistleblower Protection Act) and/or Wiener Hinweisgeberinnen- und Hinweisgeber-Schutzgesestz (W-HSchG - Vienna Whistleblower Protection Act) in conjunction with Art. 6 para. 1 lit. c GDPR
- Art. 6 (1) (f) GDPR (safeguarding the legitimate interests of the FSW Group in the detection and prevention of grievances and thus in averting damage to the FSW Group, its employees and clients)
- Art. 9 para. 2 lit. b GDPR in conjunction with the corresponding works agreement (with regard to personal data of special categories within the meaning of Art. 9 para. 1 GDPR) Article 9 (2) (g) GDPR in conjunction with Section 8 (5) HSchG and/or Section 7 (4) W-HSchG (with regard to personal data of special categories within the meaning of Article 9 (1) GDPR)
- § 4 para. 3 DSG in conjunction with Art. 10 GDPR in conjunction with § 8 para. 6 HSchG and/or
- § 7 para. 4 W-HSchG (with regard to criminally relevant data)
No automated decision-making as defined in Article 22 GDPR takes place within the framework of the operation of the whistleblowing system.
Sharing and type of collected personal data
Use of the whistleblowing system is voluntary. The sharing of your personal data is not required either by agreement or by law (or required for the conclusion of a contract). Even if you do notshare your personal data, we shall ensure that your report is investigated by the employees responsible for this at Fonds Soziales Wien.
It should be expressly noted once again that you are in no way obliged to disclose your identity when submitting a report.
If you submit a report via the whistleblowing system, we collect the following personal data and information:
- Your name (if you choose to reveal your identity)
- Data in your report (if you choose to reveal your identity)
- Whether you are employed by Fonds Soziales Wien (if you choose to disclose this information)
- The names and other personal data of persons whom you list in your report, if applicable.
Confidential handling of reports
Incoming reports are received by Compliance Management, which is part of the Management Board of Fonds Soziales Wien, and always handled confidentially. The Compliance Management team of Fonds Soziales Wien will evaluate the matter and carry out any further investigation that may be required by the specific case.
All persons who receive access to the data are obligated to maintain confidentiality.
The whistleblowing system is operated by a specialised company, EQS Group GmbH Siebensterngasse 31/8, 1070 Wien, on behalf of Fonds Soziales Wien. With regard to the processing of your personal data, Fonds Soziales Wien has concluded a processing agreement with EQS Group GmbH in accordance with Article 28 (3) GDPR.
Personal data and information entered into the whistleblowing system is stored in a database operated by EQS Group GmbH in a high-security data centre. Only Fonds Soziales Wien can see the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in a certified procedure through extensive technical and organizational measures.
All data are stored encrypted with multiple levels of password protection and are subject to a permissions concept. Access to the data is restricted to a very small selection of expressly authorized persons at Fonds Soziales Wien.
Insofar as it is absolutely necessary to achieve the stated purpose, the personal data may be transmitted to the following entities:
- EQS Group GmbH, Siebensterngasse 31/8, 1070 Vienna (as technical service provider forprocessing)
- Insurance companies, legal or tax advisors or other third parties in the context of follow-up measures
- Courts and/or authorities in the context of the follow-up
Information of the natural person accused in a report If it is guaranteed that the identity of the whistleblower will not be disclosed and that the information does not jeopardize the follow-up of the report, the person affected by the report must be informed about receipt of such report.
Rights of the data subject and right of appeal to the data protection authority
You are entitled to your rights under the General Data Protection Regulation against all of the above-mentioned controllers of the FSW Group. You can assert your rights by sending an e-mail to datenschutz@fsw.at.
Pursuant to the provisions of national and European data protection legislation, you and the persons named in the report have
- the right of access (Article 15 GDPR),
- the right to rectification (Article 16 GDPR),
- the right to erasure (Article 17 GDPR),
- the right to restriction of processing (Article 18 GDPR)
- and a right of objection (Article 21 GDPR) to the processing of your personal data.
If the right to object to the processing of the personal data is exercised, the necessity of the stored data for the examination of a report will be evaluated immediately. Personal data that are no longer required will be deleted at once.
You also have the right to appeal with the Austrian data protection authority – DSB (dsb@dsb.gv.at).
Retention period for personal data
Personal data are retained for as long as necessary to clarify the situation and perform a final assessment or for as long as a legitimate interest exists on the part of the company or retention is required by law. After the report processing is concluded, the data will be erased in accordance with statutory requirements.
Use of the whistleblowing system
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and BKMS® System, a cookie is stored on your computer that merely contains the session ID (session cookie).
This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the whistleblowing system that is secured with an individually chosen pseudonym/ user name and password. This allows you to send reports to the Compliance Management department of Fonds Soziales Wien either by name or in an anonymous, safe way. This system stores the data exclusively within the whistleblowing system, which makes the data particularly secure. It differs from regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, you have the option of adding attachments. If you wish to submit an anonymous report, please note the following security advice: Files may contain hidden personal data that could jeopardise your anonymity. Please remove all such information before sending a file. If you are unable to remove such data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Version: 17 January 2025