Data privacy policy

In this privacy policy, we inform you about the processing of your personal data when using the whistleblower software iwhistle®.

Personal data is information that relates to an identified or identifiable person. This primarily includes information that allows conclusions to be drawn about your identity, for example your name, your telephone number, your address or e-mail address. Statistical data that we collect, for example, when you visit our website and that cannot be linked to your person do not fall under the concept of personal data.

According to the EU Directive 2019/1937, kfzteile24 GmbH is obliged to introduce and operate an anonymous whistleblower channel.
kfzteile24 GmbH uses the whistleblower software iwhistle® to implement this directive. Due to the legal obligation to operate this whistleblower system, kfzteile24 GmbH is allowed to store personal data according to Art. 6 Sec. 1 lit. c) DSGVO.

1. Controller and contact information
For the purposes of the EU General Data Protection Regulation (“GDPR”), the controller is

kfzteile24 GmbH
Am Treptower Park 28-30
12435 Berlin
(“kfzteile24”, “we” or “us”)


The whistleblower system is operated by a specialized company of iComply GmbH, located in 55116 Mainz, Große Langgasse 1A, on behalf of kfzteile24 GmbH. iComply GmbH is contractually bound to strict confidentiality and to comply with all data protection requirements.

iComply GmbH works exclusively with a German data center operator, which must be ISO 27001 certified. The data center operator has no access to data of any kind, it serves exclusively to store the application as well as the data stored in it. Personal data and information entered into the whistleblower system are stored in a database operated by iComply GmbH in an ISO/IEC 27001 certified data center. Only kfzteile24 GmbH is allowed to view the data. iComply GmbH and other third parties have no access to the data. This is guaranteed in a certified procedure by comprehensive technical and organizational measures.
The current data center operator can be found on the homepage of iComply GmbH at All data is encrypted and stored with multi-level password protection, so that access is limited to a very narrow circle of expressly authorized persons of kfzteile24 GmbH.

2. Data protection officer
If you have questions or requests regarding the protection of your data, please send a letter by post to the aforementioned address, or send an email to:

3. Data collection
When violations are reported via "iWhistle", personal data is collected: 

  • Of the person submitting a report (e.g., name, contact information) (optional/voluntary!), and
  • of the persons affected by an incident (e.g. description of the actions of affected persons)

 entered in the respective reporting form or transmitted via the protected mailbox are collected and processed. The data is processed by the responsible department in order to review the reported incidents, initiate and conduct investigations, and take remedial action as necessary.

As part of the audits, investigations and remedial action to be taken, it may be necessary to share information about a reported incident with employees of other departments such as Human Resources, with external consultants (e.g. legal advisors) or with the competent authorities and/or and the data subjects.

 4. Duration of storage
As a general principle, we store personal data we have collected only as long as necessary to fulfil contractual or statutory obligations. After that, we will erase the data without undue delay unless we must keep them, until the statute of limitations expires, for evidence purposes for civil rights claims or due to statutory retention obligations.

We must retain contract data for three years after the end of the year in which the business relationships with you are terminated, for evidence purposes. In accordance with the normal statutory retention period, any claims become time-barred at that time at the earliest.

Even after that, we must sometimes store data for bookkeeping reasons. We must comply with statutory documentation obligations arising from the HGB (German Commercial Code), the AO (German Tax Code), the KWG (German Banking Act), the GwG (German Money Laundering Act) and the WpHG (German Securities Trading Act). The time limits for retention or documentation prescribed in those locations can last from two to ten years.

5. Your rights
Under applicable statutory requirements, you have the following statutory rights to data protection:

• Right to information (Article 15 GDPR, § 34 BDSG (German Data Protection Act))
• Right to erasure (Article 17 GDPR, § 35 BDSG (German Data Protection Act))
• Right to rectification (Article 16 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)

To assert your rights described here, you may at any time turn to the contact information specified under “Controller and contact information”.

You also have a right to file a complaint at any time with the data protection supervisory authority responsible for us: Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information), Friedrichstr. 219, 10969 Berlin. You may assert this right with a supervisory authority in the member state of your abode or workplace, or the location of the alleged breach.

6. Rights to withdrawal and objection
Under Article 7(3) GDPR, you may at any time revoke a consent you have granted to us. If you do so, from that point on we may no longer continue any data processing based on that consent. Withdrawing that consent will not affect the legality of any processing that occurred based on that consent before it was withdrawn.

If we are processing your personal data based on legitimate interests under Art. 6(1)(1)(f) GDPR, you may object to that processing pursuant to Art. 21 GDPR, if grounds exist that relate to your particular situation or if the objection is directed at processing for direct marketing purposes. In the latter case you have a general right to object, which we will honor without requiring you to give us reasons.

If you wish to assert your right to object or revoke consent, a notification sent to the contact information specified under “Controller and contact information” will suffice (no official form is required).

7.  Amendments to the data privacy statement
We occasionally update this data privacy statement, for example, when legal requirements change.

© kfzteile24 – October 21, 2021