data protection statement of Carestone Group GmbH

With this data protection statement, we, Carestone Group GmbH (hereinafter Carestone), would like to inform you, as a user of our internal whistleblowing system „easyline“, what data we collect in the course of a report, for what purposes this data is processed, how your data is protected and to what extent it is transferred, what rights you have with regard to this data, as well as useful contact details. Personal data are collected and processed in accordance with applicable law, namely the General Data Protection Regulation (GDPR)), the current Federal Data Protection Act (BDSG) and the Whistleblower Protection Act (HinSchG).

1. Purpose of the whistleblowing system

The easyline whistleblowing system is an internal reporting channel within the meaning of the European Whistleblowing Directive and the German Whistleblower Protection Act. It serves to give our employees, business partners and customers as well as other persons who are in contact with Carestone in the course of their professional activities the opportunity to report facts that have become known to them that indicate serious irregularities in this company. Your data will be processed for this purpose if you provide it to us. However, you can also remain anonymous when making a report - as well as in any further communication with us. We recommend this for the reason stated under 2.

2. Data processing

We only collect and process the personal data that you disclose with your message. Your IP address is not accessible to us. Cookies are not set. It is therefore your personal data (if you do not submit an anonymous report) and personal data of third parties if these are visible in the context of your report.
The personal data you disclose will be processed for the purpose of evaluating your report and the possible subsequent case processing by Carestone and, if applicable, internal or external case handlers commissioned by Carestone who are under a special obligation of confidentiality.

a. Your personal data

We recommend that you submit your report anonymously.

Important notes in this context:

If you disclose your identity to us despite our recommendation, we will treat your data as strictly confidential. However, it cannot be ruled out that third parties who are affected by your report must be informed of the source of the data concerning them in accordance with Art. 14 GDPR. Data subjects may therefore be informed of your identity. If necessary, this information must be provided within one month of the notification, as required by law, but at the latest when it no longer seriously affects the clarification of the facts or necessary measures. You should take this into account when deciding whether to disclose your identity.

If you disclose your data, you thereby implicitly declare your consent to its processing in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent in accordance with Art. 7 GDPR, but this has no effect if the data was disclosed with your consent and the aforementioned notification of affected third parties has already taken place.

We also cannot rule out the possibility that your data may have to be disclosed to a public authority or court within the framework of the applicable laws.

b. Personal data of third parties

Please limit the input of personal data of third parties to what is absolutely necessary for the evaluation and processing of your report.

The legal basis for the processing of the personal data of third parties, which is essential for the evaluation of your report and the possible subsequent case processing, is the legitimate interest of Carestone in being able to clarify internal grievances (Art. 6 para. 1 lit. f GDPR).

3. Communication with you

The content of your report and any subsequent communication with you is encrypted in the IT system and cannot be accessed by unauthorized persons. The sole key for protected communication consists of a case ID and a password, which are generated by the system after your report and communicated to you. You are requested to log in with your password and the case ID assigned to your report at regular intervals in order to take note of messages from our case handlers and to be able to answer questions. Files (text files, PDFs and photos) can be uploaded to the platform. Their content is also stored in encrypted form.

We and any internal or external case handlers commissioned by us have password-protected access to communicate with you.

For necessary internal investigations into the facts of the case, external case handlers commissioned by us who are under a special obligation to maintain confidentiality may be informed about the content of the report and the subsequent communication with the respective whistleblowers.

4. Data security and data transmission

We ensure the security of the data we collect and process by taking technical and organizational measures to guarantee this protection. Only we or our designated case handlers have access to the content of the reports. This may be a qualified external body, such as a law firm, or a case handler from our company who has been specially sworn to secrecy and is independent. The content of your reports is immediately encrypted and stored on the platform. The content of any subsequent communication with you will also be encrypted. Decryption only takes place when you log in with your case ID and password or when you log in as a case handler from our site.

The IT administrator of the platform and the host do not have access to the content of the report or the communication with you at any time. The servers on which the reports are stored are located in the Federal Republic of Germany. The processing of personal data by the IT administrator and host is carried out on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for order processing in accordance with Art. 28 GDPR.

The data contained in the notification and further communication will not be transferred outside the EU/EEA at any time.

5. Deletion of your data

If you have provided us with your personal data in dialog, it will be stored for as long as is necessary to clarify and conclusively assess the reported facts. Once the processing of the report has been completed, this data will be deleted in accordance with legal requirements.

6. Your rights as a data subject of the processing of your personal data

You have the following rights under applicable data protection laws:
  • Right to information about your personal data stored by us
  • Right to erasure and restriction of processing of your personal data
  • Right to rectify your personal data
  • Right to data portability
  • Right to complain to a supervisory authority
  • You can revoke your consent to the collection, processing and use of your personal data at any time with effect for the future.
If you wish to exercise your rights, please send your request to the following e-mail address:

equeo CompCor GmbH
Kissinger Straße 1
14199 Berlin
Tel.: 0800 313 400900
eMail: dsb-carestone@compcor.de

7. Responsible for data protection

Responsible for data protection is the

Carestone Group GmbH
An der Börse 3
30159 Hannover

8. Right of appeal

If you consider that the processing of personal data concerning you violates the GDPR, the BDSG or the Whistleblower Protection Act, you have the right to lodge a complaint at a competent data protection supervisory authority.




Status: 06/2025