This data protection information is aimed at the data subjects within the

WAY Business Solutions GmbH
WAY Digital Solutions GmbH
WAY Engineering GmbH
WAY HR Professionals & Experts GmbH
WAY People+ GmbH

In the following, the five companies are referred to as the WAY Group.

Subject of the data protection information

The WAY Group is obliged under the German Whistleblower Protection Act (HinschG) to set up a
system for receiving confidential information and complaints (hereinafter referred to as
“information”) regarding possible misconduct.
The submission, management and follow-up of tips generally involves the processing of personal
data. Personal data means all information from which conclusions can be drawn about the person
providing the information or about third parties. For information on the processing of your
personal data and your rights under the General Data Protection Regulation, please refer to the
following explanations.

Explanation of the contact or reporting office

The reporting system will function as follows in future:
The person who wishes to submit a report calls up the digital whistleblower system via the Internet.
A corresponding link is easily accessible on the company’s website; you will find it in the footer of
the website, where you can also access the legal notice and the data protection information. The
system then guides the whistleblower through a clearly structured list of questions in which all
relevant information is requested. The whistleblower can choose whether to reveal their identity
or submit the report anonymously. In addition, photos or any documents can be uploaded directly.
If the whistleblower chooses to submit the report anonymously, further communication is also
conducted anonymously via a chat function in the system. The incident is then processed and
investigated. A via telephone can also be made at the same point.

Responsible for data processing :

WAY Group
Frankfurter Ring 150
80807 Munich
Phone +49 (0)89 264831600
E-mail info@waygroup.de

Data Protection Officer

We have appointed a data protection officer who acts in accordance with Art. 37 et seq. GDPR and
whom you can reach using the contact details below:
Rainer Aigner
Tel. 08505 919270

Confidentiality

According to the above-mentioned laws, those responsible are obliged to treat incoming
information confidentially. In addition, it is generally possible to submit information anonymously.
The information about you and other personal data contained in the report will only be disclosed
to a strictly limited group of people for the necessary processing of your report. In some cases,
however, those responsible may be legally obliged to disclose personal data.

Therefore, please only provide us with the information about yourself that is essential for
processing the report. In most cases, it is not necessary to provide your name. Likewise,
even if you submit a report without giving your name, you must be aware that your personal
data and other information from your report may make it possible to identify the person
submitting the report, even if you comply with the statutory confidentiality obligation.

Legal obligations to disclose personal data under the GDPR

A legal obligation to disclose the data contained in the notification to third parties may exist in
cases in which the person affected by a notification asserts their right to information in accordance
with Art. 15 GDPR and the controller is legally obliged to disclose the data. With regard to the
information contained in the disclosure, a balance must be struck between the rights of the data
subject under the GDPR and the rights of the whistleblower, so that a legal obligation of the
controller to disclose the identity of the whistleblower cannot completely be ruled out.
On the other hand, those responsible are generally obliged under Art. 14 para. 3 lit. a GDPR to
inform the accused person about the tip-off. Under certain circumstances, this may also include
naming the identity of the whistleblower or information that suggests their identity.

In the event of grossly negligent or intentional submission of reports containing false information,
the statutory protective provisions for reporting persons do not apply. This includes, in particular,
the obligation to maintain confidentiality and protection against reprisals.

Disclosure of your data

If this is necessary for the above-mentioned purposes and we are legally entitled to do so, your
personal data may be passed on to external bodies (legal advisors, authorities, other state bodies,
etc.). The data will only be passed on if we are legally entitled or obliged to do so.

Persons affected by the processing

On the one hand, the whistleblower is affected by the processing within the framework of the
whistleblower system. On the other hand, third parties may also be affected by the data
processing if personal data is processed in the whistleblower system that is attributable to said
third party.

Categories of data affected by the processing

Which data is processed depends largely on what information is communicated to us via the
whistleblower system.
The following data in particular may be affected:
• Information about yourself and your relationship to the group of companies (employee,
business partner, etc.)
• Information about your whereabouts at a specific time
• Information about your activities
• Any other information that is disclosed to us as part of the submission of the report or
during subsequent communication with the whistleblower and that constitutes personal
data.

Processing of your personal data by the WAY Group

The data processing includes the processing of the report on the basis of and with the help of the
compliance experts of aigner business solutions GmbH, any subsequent communication with you
and measures that are necessary to process the report within the scope of the purpose of the
whistleblower system.
Data processing may also include the merging of the information with information from other
sources, insofar as this is necessary for the intended processing of the information.
The purpose of data processing is, on the one hand, to comply with legal obligations. On the other
hand, the purpose of data processing is to uncover misconduct and grievances within the
company.
The legal bases for the processing of your personal data may be the following in particular:
• the processing of personal data takes place on the basis of your consent in the context of
notification, Art. 6 para. 1 sentence 1 lit. a GDPR;
• the processing is necessary for the performance of the employment contract, Art. 6 para.
1 sentence 1 lit. b GDPR in conjunction with Art. 88 GDPR;
• the processing is necessary for compliance with a legal obligation pursuant to Sections 10,
13 HinschG, Art. 6 para. 1 sentence 1 lit. c GDPR;
• the processing is necessary to protect the predominant, legitimate interests of the WAY
Group or a third party, Art. 6 para. 1 sentence 1 lit. f GDPR;
o The interests of the WAY Group are the detection and internal clarification of
grievances as well as the prevention of damage and liability cases for the WAY
Group. This includes both issues within the company and in connection with the
entire supply chain.
• the processing is necessary because there is factual evidence to suspect that an employee
has committed a criminal offense in the employment relationship, the processing is
necessary for clarification and the interest in the processing outweighs the interest of the
employee in excluding the processing, paragraph 26 section 1 sentence 2 BDSG.

Data security

We also use appropriate technical and organizational security measures within the meaning of Art.
32 GDPR to protect personal data, in particular against accidental or intentional manipulation, loss,
destruction or against attacks by unauthorized persons. These security measures are continuously
adapted in line with technical developments.

Deletion of personal data

Those responsible will process your personal data for as long as is necessary for the purpose of
clarifying and processing the reported facts. The data will be deleted in accordance with the
statutory provisions 3 years after the end of processing in compliance with data protection
regulations. An exception only exists if either your data is required in accordance with Art. 17 para.
3 lit. e GDPR for the assertion of legal claims or for the defense against legal claims of third parties
or if further processing is permissible in accordance with Art. 6 para. 1 lit. f, as well as para. 4 GDPR.

Order processing

Our digital whistleblowing system is provided by an external partner. We are also supported by
external compliance experts in processing incoming reports.
These companies work for us as processors and are obliged by a contract within the meaning of
Art. 28 para. 3 GDPR to process data strictly in accordance with instructions and to maintain the
strictest confidentiality.

Rights of data subjects

In the following, we would like to inform you about your rights under the GDPR:

Information option

The data subject shall have the right to obtain from the controller confirmation as to whether or
not personal data concerning him or her is being processed, and, where that is the case, access
to the personal data.
For this purpose, the controller provides an overview of the processing purposes, the categories
of personal data processed and the respective recipients or categories of recipients in
accordance with Art. 15 EU GDPR.

Rights to rectification, erasure and restriction of processing

In accordance with Art. 16 GDPR, the data subject has the right to obtain without undue delay the
rectification of inaccurate personal data concerning him or her. Taking into account the purposes
of the processing, the data subject also has the right to request the completion of incomplete
personal data.
Pursuant to Art. 17 GDPR, the data subject has the right to obtain from the controller the erasure
of personal data concerning him or her without undue delay, provided that no other legal
requirement precludes such erasure.
In accordance with Art. 18 GDPR, the data subject has the right to request the restriction of
processing if
• the accuracy of the personal data is contested,
• the processing is unlawful and the data subject opposes the erasure of the personal data and
requests the restriction of their use instead,
• the controller no longer needs the personal data for the purposes of the processing, but they
are required by the data subject for the establishment, exercise or defense of legal claims
• the data subject objects to the processing pursuant to Art. 21 GDPR.

Right of withdrawal

The data subject has the right to withdraw their consent at any time. The withdrawal of consent
shall not affect the lawfulness of processing based on consent before its withdrawal.

Right of objection

You have the right to object at any time to the processing of your personal data based on
Art. 6 (1) (e) and (f) GDPR. The controller will then no longer process the personal data unless
they can demonstrate compelling legitimate grounds which are predominant to the
interests, rights and freedoms of the data subject.

Right of appeal

You also have the right to complain to the competent supervisory authority about data processing
by the controller. For the WAY Group, the Bavarian State Data Protection Supervisory Authority is
the competent data protection supervisory authority in accordance with Art. 54 et seq. GDPR.

Status of the data protection information

Constant development makes it necessary to adapt our data protection principles from time to
time. We therefore reserve the right to adapt the data protection information.
Status: 02/2023