IT security & data protection of whistleblower systems

In digital whistleblower systems, a variety of IT security and data protection requirements must be implemented. The reports from whistleblowers about violations of laws or corporate policies may contain personal data, some of which may be sensitive. The following blog post outlines the essential requirements. In addition, we will show you that our Hintbox meets all of these requirements, both technically and organizationally, as well as legally.

Use of the latest encryption technologies 

European data protection law stipulates that whistleblower system controllers and processors must implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk. This includes, in particular, the encryption of personal data (Art. 32 (1) (a) GDPR). 

Hintbox's databases are comprehensively protected against unauthorized access using state-of-the-art encryption technologies. TLS (Transport Layer Security) encrypts the data in transit between you, Hintbox and our website.

Furthermore, we are currently implementing end-to-end encryption, from the entry of a tip by the whistleblower to its storage at our hoster, in order to provide our customers with the highest possible security standard. As a result, the personal data in our whistleblower system remains encrypted across every transmission hop, and only the authorized parties (the whistleblower and the company/authority or its compliance officer/responsible party) can decrypt and view the data. Encryption takes place exclusively on the whistleblower's or compliance manager's side, i.e. on the client. The data therefore arrives on our servers already encrypted, so neither we at lawcode nor any other third party can read the information at any time.

Ensuring the confidentiality, integrity and availability of the systems and recovery

Our Hintbox system also ensures the confidentiality, integrity and availability of the systems and data (Art. 32 (1) (b) GDPR). Each Hintbox user can activate secure two-factor authentication to protect data confidentiality. In addition, each of our Hintbox customers receives their own separate Hintbox instance, ensuring strict data separation. Because each instance's data is stored in isolation, unauthorized access to another customer's data is ruled out in our whistleblower system.

By using the strongest encryption technologies and indexing every data entry and each subsequent change to it, we also ensure data integrity in the Hintbox. Our whistleblower system is also highly available. We further enable the implementation of the deletion requirements demanded by both data protection law and the EU Whistleblower Directive. Our whistleblower system also supports an authorization concept in which only individually authorized persons (such as the compliance officer) are granted access to the reports received.

Furthermore, the data can be easily restored through real-time backups (Art. 32 (1) (c) GDPR). As part of our implemented data protection management system, the effectiveness of our technical and organizational measures is also regularly audited and evaluated (Art. 32 (1) (d) GDPR).

Data hosting at a certified data center in Germany

All data of our whistleblower system is hosted in Germany in an ISO/IEC 27001 certified data center. There is no data hosting in, and no data transfer to, third countries. The concerns that data protection supervisory authorities and courts have raised about third-country transfers (the effectiveness of standard contractual clauses, the ECJ's "Schrems I" and "Schrems II" rulings) therefore do not arise for our customers.

Ensuring anonymity

The Hintbox technically ensures the anonymity of a whistleblower in the event of an anonymous report. No IP or MAC addresses, location data or other information that allows conclusions to be drawn about a data subject are stored. The login data for an anonymous whistleblower are also randomly and automatically generated. These login data enable anonymous communication between the whistleblower and the compliance officer or responsible party. This allows information on the report to be supplemented or follow-up questions to be asked.

Fulfillment of data protection requirements for a whistleblower system

Hintbox complies with the rules for processing personal data and thus with the General Data Protection Regulation and the Federal Data Protection Act. Compliance with these requirements is also an explicit obligation under the EU Whistleblower Directive. We process personal data exclusively according to documented instructions and on behalf of our customers as a processor. For this purpose, we conclude a data processing agreement with our customers in accordance with Art. 28 GDPR. This agreement also sets out the high standard of technical and organizational measures that we ensure with our Hintbox system. As a result, our Hintbox also complies with the requirements of the supervisory authorities for a whistleblower system (Conference of the Independent Data Protection Authorities of the Federal Government and the Länder, Guidance of the Data Protection Supervisory Authorities on Whistleblowing Hotlines: Company Internal Warning Systems and Employee Data Protection of November 14, 2018).