Whistleblower System


The FFT whistleblower system enables employees of FFT Group companies, business partners and stakeholders to report potential breaches of rules via the established internal whistleblowing office. There is also the option to report a potential breach to an external lawyer as an ombudsperson. The whistleblower system serves to reveal misconduct and risks at FFT in order to prevent damage to employees, the company or external third parties.

For more information on the scope, use, your rights and data handling, please refer to our Whistleblower Policy and the applicable Rules of Procedure.

Please feel free to report concerns about misconduct that affects our company or the well-being of employees and third parties to the following reporting offices.

Mandatory information according to Art. 13 GDPR

on the processing of your data within the framework of our whistleblowing system

The protection of personal data of our whistleblowers is an important concern for us. Therefore, we process personal data in accordance with the applicable legal provisions on the protection of personal data and data security.


I. Contact details of the responsible person

The responsible person within the meaning of the General Data Protection Regulation (GDRP) and other national data protection laws of the member states as well as other data protection regulations is:

FFT Produktionssysteme GmbH & Co. KG
represented by its general partner Flexible Fertigungstechnik GmbH, Mücke.
Managing Directors: Tristan Pfurr, Hagen Dickert, Volker Stark 
Phone: +49 661 2926-0; e-mail: info(at)fft.de


II. Contact details of the external data protection officer

BerIsDa GmbH, Rangstraße 9, 36037 Fulda, Germany
Tel.: +49 661 29698090; e-mail: datenschutz(at)berisda.de


III. Contact details of the internal whistleblowing offices

Internal: FFT Produktionssysteme: Legal & Compliance Department
Phone: +49 661 2926-292 or -2921; e-mail: whistleblower(at)fft.de

Outsourced: Law firm Cornea & Franz: RA Dr. Stephan Wübbelsmann
Phone: +49 661 901644-0; e-mail: ombudsstelle-fft(at)cornea-franz.de


V. Processing description

1. Description and scope of data processing

We use the information you provide as part of our whistleblower system for the purpose of reviewing and documenting reports, as well as for internal and external investigations (including disclosure to external attorneys, auditors, or other professionals bound by professional confidentiality laws) and, if necessary, for disclosure to government agencies.

Via the outsourced external whistleblowing office, you can submit your message without providing any personal data.

If you disclose your identity to the whistleblowing office, the following data protection information applies. We only process data that you actively and voluntarily disclose to us. You do not have to provide a name or contact details - your tip will still be checked and processed. We assure all whistleblowers of confidential processing.

The providing of your personal data is neither legally nor contractually required. There is no obligation to provide your personal data. However, failure to provide it may mean that we are unable to inform you about the progress of the investigation and that any tips given cannot be adequately followed up or processed, for example because the disclosure of your identity on the basis of consent would be necessary in order to take follow-up action or because it is necessary to request further information.

No fully automated decision-making (including profiling) pursuant to Art. 22 GDPR is used to process the data you have provided.

2. Legal basis of processing

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. c GDPR, § 10 ff. HinSchG for the fulfilment of a legal obligation to which the controller is subject.

The processing of special categories of personal data by the whistleblowing office is based on Section 10 HinSchG in conjunction with Article 9 (2) GDPR. The controller is authorized to process personal data if this is necessary to fulfil the tasks under §§ 13 and 14 HinSchG.

The legal basis for the processing of the data and the disclosure of your identity is the existence of a consent of the whistleblower pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, Art. 9 para. 2 lit. a GDPR, §§ 9 para. 3, 11 para. 2, 16 para. 3 HinSchG. After you revoke your consent, storage takes place for proof purposes and defense against liability claims (storage of revocation) on the basis of Art. 6 para. 1 p. 1 lit. f GDPR.

The processing of data within our system LECARE is based on Art. 6 para. 1 p. 1 lit. f GDPR.

3. Purpose of processing

The processing of personal data serves to comply with the legal requirements of the Whistleblower Protection Act (HinSchG). We use the information you provide as part of our whistleblower system for the purpose of verifying and documenting (Section 11 HinSchG) the reports as well as for internal and external investigations. In addition, under the conditions of Section 9 (1) and (2) HinSchG, the information may be passed on to responsible authorities.

If you have given us consent to disclose your identity, we will disclose information about your identity to the appropriate authorities in order to take follow-up measures (Section 9 (3) HinSchG). This also applies in the event that we have received consent from persons who are the subject of a report and from other persons named in the report (Section 9 (4) HinSchG). We will inform you or the persons concerned separately about this disclosure when obtaining consent. Your revocation is stored in order to be able to prove that consent was previously given, even after revocation, and thus to ward off any liability claims. 

The processing is carried out in order to organize and optimize the coordination of the tips and the processing as well as the tracking, and to protect the safety of our whistleblowers and to minimize security risks. Our legitimate interest in the processing of personal data also lies in these purposes according to Art. 6 para. 1 sentence 1 lit. f GDPR.

4. Duration of processing and storage, possibility of objection, revocation and elimination

The collected personal data as well as the documentation will be deleted three years after the process has been completed (§ 11 para. 5 HinSchG).

In addition, the data you provide will be processed for as long as it is required by law or is necessary to comply with retention obligations or to prove compliance with obligations to provide information and notices.

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You can send the revocation to the controller by e-mail or by post. After the purpose no longer applies or your revocation or withdrawal of your consent, the data you have provided will be processed to comply with legal retention obligations or based on our legitimate interests. We may also store revoked consent for up to three years on the basis of our legitimate interest in order to be able to prove consent formerly given even after revocation. You can object to the storage if your interests outweigh our legitimate interest.

5. Recipient of the data

Only authorized persons in the Legal & Compliance department have access to the internal documentation system. In the course of investigations within our company, those offices and departments may receive knowledge of your personal data that need it to fulfil our legal obligations or the above-mentioned purposes and that are authorized to process this data. These are in particular the management, the staff representatives, the data protection officer, the information security officer, the HR department and the reporting office.

Within the scope of service provision, processors may be commissioned to contribute to the fulfillment of contractual obligations. If service providers are cooperated with, such as service providers for IT maintenance services (so-called order processors). These service providers will only act according to instructions and are obligated to comply with the applicable data protection requirements by means of an order processing contract prescribed by data protection law.

We have concluded a contract with the external whistleblowing office pursuant to Section 14 HinSchG for the performance of the tasks of an internal whistleblowing office for FFT Produktionssysteme GmbH & Co. KG. The processing takes place within the framework of joint responsibility according to Art. 26 GDPR.

If persons concerned are not employed by FFT Produktionssysteme GmbH & Co. KG, but by another group company, your data will be transferred to FFT Produktionssysteme GmbH & Co. KG, Legal & Compliance Department for further processing, as data processing in connection with the Whistleblower Protection Act for the affiliated group companies is performed centrally there within our group of companies. We have agreed on a contract for the performance of the tasks of an internal whistleblowing office for the employment provider within the framework of joint responsibility pursuant to Art. 26 GDPR for the data of the data subjects to be processed.

We may disclose personal data to state authorities (such as the police, public prosecutor's office, courts or supervisory authorities) or to external attorneys, auditors or other professionals bound by professional secrecy, insofar as there is a legal obligation to do so pursuant to Art. 6 (1) sentence 1 lit. c GDPR or is necessary for the assertion, exercise or defense of legal claims pursuant to Art. 6 (1) sentence 1 lit. f GDPR and there is no reason to assume that our whistleblowers have an overriding interest worthy of protection in the non-disclosure of the data. If information about the identity of a whistleblower or about other circumstances that allow conclusions to be drawn about the identity of this person is disclosed to law enforcement authorities or on the basis of court decisions, we will inform you in advance about this disclosure and tell you the reasons for the disclosure, unless the competent authority or court has notified us that the information would jeopardize the relevant investigations, inquiries or court proceedings.

If possible, the transfer takes place without providing personal data.

6. Data transfer to third countries

The data you have provided will be transferred to a third country without providing personal data and only if it is necessary to process the report due to a third country reference. If the investigation also concerns group companies in a third country, we will inform you and obtain your consent regarding a forwarding of your personal data.


V. Rights of the data subject

If we process personal data from you, you have the following rights as a data subject against us as the person responsible:

1. Right of access, Art. 15 GDPR

Within the scope of the applicable legal provisions, you have the right to (free of charge) information about your collected and stored personal data at any time. This includes, among other things, information about their processing purposes, their origin and recipients, the storage period and the existence of various rights.

2. Right to rectification, Art. 16 GDPR

You have a right against the controller to rectification (also in the sense of completion) of your data, if the processed personal data concerning you are inaccurate or incomplete for the purpose of processing. The controller shall carry out the rectification without undue delay.

3. Right to erasure, Art. 17 GDPR

You may request the deletion of your personal data at any time under the conditions of Art. 17 of the GDPR, unless circumstances still apply that entitle or oblige the controller to continue processing your personal data (such as statutory retention obligations).

4. Right to restriction of processing, Art. 18 GDPR

If the legal requirements are met, you may request restriction of the processing of your personal data within the scope of Art. 18 GDPR.

5. Right to data portability, Art. 20 GDPR

If you have provided us with personal data, you have a right to the transfer of the data you have provided within the scope of Art. 20 GDPR.

6. Right of objection, Art. 21 GDPR

You have the right to object to processing on the basis of a balance of interests, stating the reasons arising from your particular situation.

7. Right to withdraw your consent, Art. 7 para. 3 GDPR

You have the right to revoke your declaration of consent under data protection law at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation. You can send the revocation by e-mail or by post to the person responsible.

8. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority responsible for us is: The Hessian Commissioner for Data Protection and Freedom of Information Gustav-Stresemann-Ring 1 65189 Wiesbaden. If you are in another federal state or not in Germany, you can also contact the data protection authority there.