I. Who is responsible for the data processing and who is the data protection officer?

1. The controller for the processing of your personal data is:

• Deutsche Forschungsgemeinschaft e. V. (DFG)
  Kennedyallee 40
  53175 Bonn
  Germany
  Tel. +49 228 885-1
  postmaster@dfg.de
  www.dfg.de/en

2. You can contact our data protection officer as follows:

• Attorney-at-law Dr. Karsten Kinast, LL.M.
  KINAST Rechtsanwaltsgesellschaft mbH
  Hohenzollernring 54
  50672 Cologne
  Germany
  Tel. +49 221 222 1830
  mail@kinast.eu
  www.kinast.eu

II. What is the subject matter of data protection?

The subject matter of data protection is personal data. This is all information which relates to an identified or identifiable natural person (so-called data subject). This includes information such as name, postal address, e-mail address and telephone number.

III. What personal data relating to me will be processed?

Under the incident reporting system, we only process the personal data provided to us by the complainant/whistleblower on a voluntary basis. Specifically, this may include:

1. Data relating to complainants/whistleblower

• Name, contact details if provided and if the complainant/whistleblower has disclosed his or her identity,
• Name of the institution at which the complainant/whistleblower is employed (if this information is provided),
• The incident being reported and, in this connection, any names of individuals mentioned in this report where relevant (accused person(s), witnesses, third parties etc.) and
• Date and time at which the incident is reported.

2. Accused persons

Reports from complainants/whistleblowers may contain personal information about the accused persons (reviewers, committee members, applicants, funding recipients, DFG employees, etc.), e.g. name, position, employer and other personal information in connection with the description of the allegation in question. This applies to the review of allegations of research misconduct related to DFG-funded research/activities, allegations of misuse of DFG grant funds and suspected cases of corruption/conflicts of interest related to DFG-funded research/activities.

3. Other persons mentioned in the report (witnesses, third parties)

Reports submitted by complainants/whistleblowers may contain personal information about witnesses and other third parties, e.g. names, contact details and other personal information in connection with the description of the allegation in question.

The accused person will only be informed in absolutely exceptional cases and only in the cases described under Number IX. (private bodies/accused person) about the identity of the complainant/whistleblower.

IV. What are the purposes of the processing of my personal data and on what legal basis does this take place?

Below, we wish to provide you with an overview of the purposes and legal basis for processing your personal data within the framework of the DFG Research Integrity Incident Reporting System:

1. Purpose of processing

We process the personal data listed above which is provided to us in the context of a report via the incident reporting system. Processing is carried out for the purpose of handling the report. This concerns the review of allegations of research misconduct related to DFG-funded research/activities, allegations of misuse of DFG grant funds and suspected cases of corruption/conflicts of interest related to DFG-funded research/activities.

2. Legal basis for processing personal data in the context of handling reports in the DFG Research Integrity Incident Reporting System

We process personal data of complainants/whistleblowers, accused persons, witnesses and third parties for the purpose of handling a report only where there is a sufficient legal basis. This includes:

1. Legal basis for processing personal data of complainants/whistleblowers
   If complainants/whistleblowers provide us with information about their identity as part of their report, we process the data on the basis of their consent under point (a) of Article 6 Paragraph 1 GDPR. However, the complainant/whistleblower also has the option of submitting a completely anonymous report.
   
   Insofar as a report is not anonymous and depending on the specific individual case, we also process the data to the necessary extent based on point (f) of Article 6 Paragraph 1 GDPR (legitimate interests). Our legitimate interests in processing data for the purpose of conducting investigations of the type in question arise from the DFG’s statutory tasks deriving from its status as an association and our obligations (under funding law).
2. Legal basis for processing personal data of accused persons
   We process personal data relating to the accused person that complainants/whistleblowers provide to us as part of their report via the incident reporting system.
   
   Depending on the group of persons, the data processing is based on point (f) of Article 6 Paragraph 1 GDPR (legitimate interests) and, where applicable, additionally on Article 88 GDPR, § 26 Paragraph 1 Sentence 2 BDSG (if DFG employees are accused).
   
   Our legitimate interests in processing data for the purpose of conducting investigations of the type in question arise from the DFG’s statutory tasks deriving from its status as an association and our obligations (under funding law).
   
   Insofar as a report via the incident reporting system concerns a contractual relationship between the DFG and an accused person, the data processing is also carried out for the purpose of fulfilling the contract. In such a contract-related case, the review of the incident report is carried out in accordance with point (b) of Article 6 Paragraph 1 GDPR. If there is a legal obligation on our part, the data processing is also carried out in accordance with point (c) of Article 6 Paragraph 1 GDPR. Reference is made to the relevant data protection notice (see www.dfg.de/privacy_policy ):
   
   • Data Protection Notice for Research Funding
   • Data Protection Notice for Reviewers
   • Data Protection Notice for Committee Members
3. Legal basis for processing personal data of witnesses, third parties
   We process personal data relating to witnesses and third parties that complainants/whistleblowers provide to us as part of their report via the incident reporting system. The data processing takes place based on point (f) of Article 6 Paragraph 1 GDPR (legitimate interests).

Our legitimate interests in processing data for the purpose of conducting investigations of the type in question arise from the DFG’s statutory tasks deriving from its status as an association and our obligations (under funding law).

V. For how long will my data be stored?

Personal data is stored for as long as it is necessary for the clarification and final assessment of the incident report or if there is a legitimate interest on the part of the DFG or if this is required by law (e.g. in the event of the initiation or announcement of legal proceedings or disciplinary measures against the accused person or in order to fulfil the reporting obligation to the DFG Executive Board, the funding bodies, members and the Audit Committee). After the processing of the information has been completed, this data is erased in accordance with legal requirements.

VI. Will my personal data also be collected from third parties?

We process the personal data we receive from complainants/whistleblowers in connection with a report submitted via the incident reporting system.

VII. Does automated decision-making or profiling take place?

We do not use automated decision-making or profiling in accordance with Article 22 GDPR.

VIII. Am I required to provide my personal data?

When using the incident reporting system, you provide the personal data that you consider necessary for the processing of your incident report. However, you also have the option of submitting a completely anonymous report. Please note that we can only investigate a report on the basis of sufficient information underpinning the facts of the case.

IX. Who has access to my personal data and which recipients obtain it?

Within the DFG Head Office, only a narrow circle of expressly authorised and specially trained DFG employees have access to incoming incident reports and thus to any personal data you may have provided, so this data is always treated confidentially. The employees of the DFG review the facts of the case and, if necessary, carry out further case-related clarification of the facts. Every employee who has access to the data is obliged to maintain confidentiality.

We only pass your personal data on to external recipients if a legal basis exists for this or if you have given your consent to such. Possible external recipients include:

• Public bodies: Authorities and state institutions such as public prosecutor's offices, courts and financial authorities, as well as public donors to the DFG to whom we may be required to provide personal data in individual cases.
• Private bodies: Private bodies to whom we pass on your personal data in accordance with a legal regulation or with your consent, for example lawyers and auditors.
• Other bodies: The following potential recipients also receive or have access to your data:
  • Reviewers: As part of the investigation of the facts, reviewers are asked for a statement on the incident report.
  • Committee members: Once the facts have been established by the Head Office, the Committee on Inquiry on Allegations of Scientific Misconduct deals with the allegations as a subcommittee of the Joint Committee. The final decision on misconduct is made by the Joint Committee of the DFG.
  • Accused person: In principle, the accused person does not learn of your complaint unless, if necessary, they are asked for a statement in the event of sufficient initial suspicion. Your identity as a complainant/whistleblower is only disclosed by way of an exception if the accused person cannot otherwise defend himself or herself properly or if the documents are requested by the competent authorities/courts as part of a criminal prosecution or judicial proceedings.
  • Processors: We use Business Keeper GmbH as a processor, which is entrusted with the provision and maintenance of the electronic incident reporting system. This processor has been carefully selected by us and is regularly audited in order to ensure that your personal data remains protected. The service provider may only process your personal data for the purposes stated by us. Information entered in the incident reporting system cannot be viewed in plain text by Business Keeper GmbH.
  • Employer, Universities / research institutions or research funding organisations: Personal data is only ever disclosed after prior consent has been given. With regard to the disclosure of personal data in a contract-related case, reference is made to the following data protection notice:
    
    • Data Protection Notice for Research Funding
    • Data Protection Notice for Reviewers
    • Data Protection Notice for Committee Members

X. Will my personal data be transferred to third countries?

In the case of reports of international relevance (e.g. because the complainant/whistleblower, accused person or witness is in a third country), it may be necessary in individual cases to transfer personal data for the purpose of processing the report to bodies whose registered office or place of data processing is not located in a member state of the European Union or in another state party to the Agreement on the European Economic Area. In such a case, prior to the transfer, we ensure that either an adequate level of data protection exists (for example by means of an adequacy decision of the European Commission, suitable guarantees, such as the agreement of so-called EU standard data protection clauses of the European Commission with the recipient) or you have given your express consent, with the exception of exemption cases which are permitted by law. Personal data is transmitted to third countries only to the extent absolutely necessary to process the incident report. As far as possible, personal data is anonymised or pseudonymised prior to transmission.

XI. What are my rights as a data subject?

You are entitled to the following rights in connection with the processing of your personal data:

1. Right of access

You have the right to receive confirmation from us as to whether we process personal data relating to you or not. Should this be the case, you have the right to receive information concerning your personal data and to receive further details concerning the processing.

2. Right to rectification

YYou have the right to request the rectification of incorrect personal data relating to you and to have incomplete personal data completed.

3. Right to erasure (“right to be forgotten”)

Under certain circumstances, you have the right to request that we erase your personal data. For example, this right exists if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed or if the personal data was processed unlawfully.

4. Restriction of processing

Under certain circumstances, you have the right to request that the processing of your personal data be restricted. In such a case, we will only store such personal data in relation to which you have given your consent or processing is permitted by the GDPR. For example, you may have a right to restrict processing if you have disputed the correctness of your personal data.

5. Data portability

Should you have provided us with personal data under a contract or with your consent, then provided that the statutory requirements are met, you can request to receive the data which you have provided in a structured, commonly used and machine-readable format or request that we transfer this data to another controller.

6. Withdrawal of consent

Should you have given us your consent to the processing of your personal data, you can withdraw this at any time with effect for the future. The lawfulness of the processing of your personal data prior to the withdrawal remains unaffected by this. Withdrawal shall not affect further processing even if it can be based on legal grounds for authorisation (point (b) of Article 17 Paragraph 1 GDPR).

7. Objection against processing on the basis of a “legitimate interest”

8. Right to complain to the supervisory authority

You also have the right to lodge a complaint with the responsible supervisory authority, should you consider that the processing of your data breaches applicable laws. For this purpose, you can contact the data protection authority which is responsible for your place of residence, place of employment or the location of the alleged breach or the data protection authority which has jurisdiction over us. The supervisory authority of the German Federal State in which you reside or work or where an alleged breach which forms the subject of the complaint has taken place holds jurisdiction.

XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?

Should you have any questions concerning the processing of your personal data or should you wish to assert your rights as a data subject which are set out in Number XI. 1-7, you can contact us free of charge. Please use the contact details under Number I., 1. To withdraw your consent, you can also use the contact channel which you selected when submitting the declaration of consent.