We, the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation), take the protection of your personal data and its confidential treatment extremely seriously. Therefore, we wish to inform you about the processing of your personal data in connection with reports of sexual harassment and the rights to which you are entitled.

The processing of your personal data takes place exclusively within the framework of the applicable statutory provisions of data protection laws, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

• I. Who is responsible for the data processing and who is the data protection officer?
• II. What is the subject matter of data protection?
• III. What personal data relating to me will be processed?
• IV. What are the purposes of the processing of my personal data and on what legal basis does this take place?
• V. For how long will my data be stored?
• VI. Will my personal data also be collected from third parties?
• VII. Does automated decision-making or profiling take place?
• VIII. Am I required to provide my personal data?
• IX. Who has access to my personal data and which recipients obtain it?
• X. Will my personal data be transferred to third countries?
• XI. What are my rights as a data subject?
• XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?

I. Who is responsible for the data processing and who is the data protection officer?

1. The controller for the processing of your personal data is:

• Deutsche Forschungsgemeinschaft e. V. (DFG)
  Kennedyallee 40
  53175 Bonn
  Germany
  Tel. +49 0228 885-1
  postmaster@dfg.de
  www.dfg.de/en

2. You can contact our data protection officer as follows:

• Attorney-at-law Dr. Philip Lüghausen
  BHO Consulting GmbH
  Vorgebirgstraße 132
  50969 Köln
  Germany
  Tel. +49 (0) 221 204 63 884
  dfg-dsb@bho-consulting.com
  www.bho-consulting.com/en

II. What is the subject matter of data protection?

The subject matter of data protection is personal data. This is all information which relates to an identified or identifiable natural person (so-called data subject). This includes information such as name, postal address, e-mail address and telephone number.

III. What personal data relating to me will be processed?

In connection with reports and enquiries concerning “Reports of sexual harassment relating to the DFG’s funding activities”, we only process the personal data provided to us by the whistleblower on a voluntary basis.

Specifically, this may include:

1. Data relating to whistleblowers

• Name, contact details if provided and if the whistleblower has disclosed his or her identity,
• Name of the institution at which the whistleblower is employed (if this information is provided),
• The incident being reported and, in this connection, any names of individuals mentioned in this report where relevant (accused person(s), witnesses, third parties etc.),
• where applicable date and time at which the incident is reported and
• where applicable, if provided when reporting an incident, descriptions of persons, health data, details of sex life or sexual orientation.

2. Accused persons

Reports from whistleblowers may contain personal information about the accused persons (reviewers, committee members, applicants, funding recipients, personnel involved in funded projects, DFG employees, other people affected by the reported incident), e. g. name, position, employer and other personal information in connection with the description of the allegation or suspected case in question.

3. Other persons mentioned in the report

Reports submitted by whistleblowers may, in the description of an incident, contain personal information about other individuals (such as witnesses), e. g. names, contact details and other personal information in connection with the description of the incident in question.

The accused person will only be informed in absolutely exceptional cases and only in the cases described under Number IX. (private bodies/accused person) about the identity of the whistleblower.

IV. What are the purposes of the processing of my personal data and on what legal basis does this take place?

Below, we wish to provide you with an overview of the purposes and legal basis for processing your personal data within the framework of suspected cases of sexual harassment reported to the DFG:

1. Purpose of processing

We process the personal data listed above which is provided to us in the context of a report. Processing is carried out for the purpose of handling the report of sexual harassment relating to the DFG’s funding activities, for the purpose of advising and supporting data subjects or whistleblowers, and for the purpose of monitoring the DFG’s processing procedure.

Note:

The underlying responsibility for investigating and punishing incidents of sexual harassment lies with the employing institution and/or the police/prosecutor’s office/courts according to the legal provisions applicable in Germany. The DFG does not conduct investigative procedures but records the incident for the following purposes:

a) To refer inquirers/whistleblowers to the relevant offices and to refer them to sources of assistance (specialised counselling centres) as well as to provide advice on potential consequences regarding the DFG funding contract concerned.

b) To assess whether there is a need for action under contract law with regard to the DFG-funded research project concerned (such as the amendment or withdrawal of the funding agreement).

c) To assess whether or not – from the point of view of the DFG’s responsibility for equality in academia and for researchers at an early stage of their careers – there are persons working on the project concerned for whom an appropriate solution must be found at the end of the qualification phase in the event of changes to the funding contract, or if there are persons who should not lose their DFG-funded job as a result of action taken against sexual harassment by their project leader.

The DFG maintains a statistics file on reported (suspected) cases of DFG-related sexual harassment. The statistics themselves do not contain any personal details but only pseudonymised data. After the destruction of the original documents in accordance with data protection regulations, it is no longer possible to establish a link with individual persons, so the data in the statistics file is completely anonymised from this point onwards.

2. Legal basis for processing personal data in the context of handling reports to the DFG

We process personal data of whistleblowers, accused persons, witnesses and third parties for the purpose of handling a report only where there is a sufficient legal basis and to the extent necessary.

If whistleblowers provide us with information about their identity as part of their report, we process the data on the basis of their consent under point (a) of Article 6 Paragraph 1 GDPR and point (a) of Article 9 Paragraph 2 GDPR, if whistleblowers include particularly sensitive information as defined by Article 9 Paragraph 1 GDPR in their report (e. g. information that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data or data concerning sex life or sexual orientation). However, the whistleblower also has the option of submitting a completely anonymous report.

The processing of personal data of accused persons and other persons mentioned in the report is based on point(f) of Article 6 Paragraph 1 GDPR (legitimate interests). Our legitimate interests in processing data for the purpose of conducting investigations of the type in question arise from the DFG’s statutory tasks deriving from its status as an association and our obligations (under funding law). The DFG is a registered association and receives grants from the federal and state governments for the purpose of research funding. The DFG’s statutes also include the following goals: promotion of researchers at an early career stage, promotion of gender equality in science and promotion of diversity in the science system. These three statutory goals also establish a responsibility to advocate a science system that is free of discrimination and violence. This also includes dealing with enquiries or reports relating to the issue of “sexual harassment”, when perpetrators and/or victims are involved in DFG-funded research projects.

Insofar as a report concerns a contractual relationship between the DFG and an accused person, the data processing is also carried out for the purpose of fulfilling the contract. In such a contract-related case, the review of the incident reported is carried out in accordance with point(b) of Article6 Paragraph1 GDPR. If there is a legal obligation on our part, the data processing is also carried out in accordance with point (c) of Article 6 Paragraph 1 GDPR. Reference is made to the relevant data protection notice (see www.dfg.de/privacy_policy)

• Data Protection Notice for Research Funding
• Data Protection Notice for Reviewers
• Data Protection Notice for Committee Members

The processing of particularly sensitive data disclosed in the context of a report (e. g. concerning sexual orientation and sex life) is carried out on the basis of point (g) of Article 9 Paragraph 2 GDPR in conjunction with point (d) of § 22 Paragraph 1 BDSG, where applicable No. 1 and 2 of § 24 Paragraph 1, § 24 Paragraph 2 BDSG (for reasons of substantial public interest), and in conjunction with the relevant provisions of the General Equality Treatment Act (AGG) (in particular § 12 AGG), taking into account the above considerations regarding our legitimate interests.

In the event of sufficient suspicion of a breach of contractual obligations or circumstances involving a liability to compensation resulting from the report, including the relevant follow-up measures, the DFG also processes the data on the basis of point (f) of Article 9 Section 2 GDPR (enforcement, exercise or defence of legal claims).

Data processing for statistical purposes (cf. Number IV. 1.) is carried out on the basis of point (j) of Article 9 Paragraph 2 GDPR in conjunction with § 27 Paragraph 1, 3, § 22 Paragraph 2 BDSG.

V. For how long will my data be stored?

In principle, your data is erased no later than three years after the conclusion of the processing of the report. Any further storage is only carried out insofar as erasure is contrary to statutory retention obligations, the DFG has a legitimate interest in storing your data for a longer period or if this is required by law (e.g. in the event of the initiation or announcement of legal proceedings or disciplinary measures against the accused person or in order to fulfil the reporting obligation to the DFG Executive Board, the funding bodies, members and the Audit Committee).

VI. Will my personal data also be collected from third parties?

We process the personal data we receive from whistleblowers in connection with reports submitted to the DFG.

VII. Does automated decision-making or profiling take place?

We do not use automated decision-making or profiling in accordance with Article 22 GDPR.

VIII. Am I required to provide my personal data?

When reporting an incident to the DFG, you provide the personal data that you consider necessary for the processing of your incident report. However, you also have the option of submitting a completely anonymous report. Please note that we can only investigate a report on the basis of sufficient information underpinning the facts of the case.

IX. Who has access to my personal data and which recipients obtain it?

Within the DFG Head Office, only a narrow circle of expressly authorised and specially trained DFG employees have access to incoming reports and thus to any personal data you may have provided, so this data is always treated confidentially. The employees of the DFG review the facts of the case and, if necessary, carry out further case-related clarification of the facts. Every employee who has access to the data is obliged to maintain confidentiality.

We only pass your personal data on to external recipients if a legal basis exists for this or if you have given your consent to such. Rights to inspect files in any criminal proceedings remain unaffected. Any further data transfer only takes place if there is a sufficient legal basis and after an assessment of the individual case to this effect.

Possible external recipients include:

• Public bodies: Authorities and state institutions such as the police, public prosecutor’s offices, courts and financial authorities, as well as public donors to the DFG to whom we may be required to provide personal data in individual cases.
• Private bodies: Private bodies to whom we pass on your personal data in accordance with a legal regulation or with your consent, for example lawyers and auditors.
• Other bodies:The following potential recipients also receive or have access to your data:
  • Committee members: If a need for action arises on the part of the DFG, which may usually be the case after the conclusion of an investigation carried out by the competent bodies (in particular the employing academic institution or the police/public prosecutor's office/courts), the DFG assesses whether measures are possible and necessary with regard to the funding agreements in question, and if so which measures are to be taken. Depending on how the responsibility for the necessary measures in the programme concerned is regulated, this information must be submitted not only to the DFG Executive Board, but also to the responsible DFG bodies, as applicable.
  • Accused person: It is normally the responsibility of the victims of sexual harassment to decide whether they wish to initiate a formal investigation procedure with the bodies responsible for this (usually the employing academic institution or the police/public prosecutor’s office/courts). In exceptional cases, the DFG may have to pass on a report it has received to the relevant authorities, especially if the persons named as victims are minors or persons incapable of giving consent. The accused person will only learn of the allegations made based on your report from the DFG if the DFG is obliged to inform the accused person for legal reasons due to the initiation of formal review proceedings relating to the funding agreement concerned. Your identity as a whistleblower is only disclosed by way of an exception if the documents are requested by the competent bodies/ authorities/courts in connection with labour law, criminal prosecution or judicial proceedings.
  • Processors: Service providers entrusted with the maintenance of our IT systems. These processors have been carefully selected by us and are regularly audited in order to ensure that your personal data remains protected. The service providers may only process your personal data for the purposes stated by us.
  • Employers, universities / research institutions or research funding organisations:
    As a matter of principle, personal data is only ever disclosed after prior consent has been given or if there is a legal obligation to disclose it (e. g. due to obligations under the statutes). With regard to the disclosure of personal data in a contract-related case, reference is made to the following data protection notice:
    • Data Protection Notice for Research Funding
    • Data Protection Notice for Reviewers
    • Data Protection Notice for Committee Members

X. Will my personal data be transferred to third countries?

In the case of reports of international relevance (e.g. because the whistleblower, accused person or witness is in a third country), it may be necessary in individual cases to transfer personal data for the purpose of processing the report to bodies whose registered office or place of data processing is not located in a member state of the European Union or in another state party to the Agreement on the European Economic Area. In such a case, prior to the transfer, we ensure that either an adequate level of data protection exists (for example by means of an adequacy decision of the European Commission, suitable guarantees, such as the agreement of so-called EU standard data protection clauses of the European Commission with the recipient) or you have given your express consent, with the exception of exemption cases which are permitted by law. Personal data is transmitted to third countries only to the extent absolutely necessary to process the incident report. As far as possible, personal data is anonymised or pseudonymised prior to transmission.

XI. What are my rights as a data subject?

You are entitled to the following rights in connection with the processing of your personal data:

1. Right of access

You have the right to receive confirmation from us as to whether we process personal data relating to you or not. Should this be the case, you have the right to receive information concerning your personal data and to receive further details concerning the processing.

2. Right to rectification

You have the right to request the rectification of incorrect personal data relating to you and to have incomplete personal data completed.

3. Right to erasure (“right to be forgotten”)

Under certain circumstances, you have the right to request that we erase your personal data. For example, this right exists if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed or if the personal data was processed unlawfully.

4. Restriction of processing

Under certain circumstances, you have the right to request that the processing of your personal data be restricted. In such a case, we will only store such personal data in relation to which you have given your consent or processing is permitted by the GDPR. For example, you may have a right to restrict processing if you have disputed the correctness of your personal data.

5. Data portability

Should you have provided us with personal data under a contract or with your consent, then provided that the statutory requirements are met, you can request to receive the data which you have provided in a structured, commonly used and machine-readable format or request that we transfer this data to another controller.

6. Withdrawal of consent

Should you have given us your consent to the processing of your personal data, you can withdraw this at any time with effect for the future. The lawfulness of the processing of your personal data prior to the withdrawal remains unaffected by this. Withdrawal shall not affect further processing even if it can be based on legal grounds for authorisation (point (b) of Article 17 Paragraph 1 GDPR).

7. Objection against processing on the basis of a “legitimate interest”

8. Right to complain to the supervisory authority

You also have the right to lodge a complaint with the responsible supervisory authority, should you consider that the processing of your data breaches applicable laws. For this purpose, you can contact the data protection authority which is responsible for your place of residence, place of employment or the location of the alleged breach or the data protection authority which has jurisdiction over us. The supervisory authority of the German Federal State in which you reside or work or where an alleged breach which forms the subject of the complaint has taken place holds jurisdiction.

XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?

Should you have any questions concerning the processing of your personal data or should you wish to assert your rights as a data subject which are set out in Number XI. 1-7, you can contact us free of charge. Please use the contact details under Number I., 1. To withdraw your consent, you can also use the contact channel which you selected when submitting the declaration of consent.