Privacy Policy
CrefoWhistle is our whistleblowing system. Employees, customers, business partners or other whistleblowers can use CrefoWhistle to report suspected violations of laws and internal rules to our Compliance Department. CrefoWhistle is part of our compliance management system.
Who is responsible for data processing?
The person responsible for processing your personal data is:
Creditreform Compliance Services
Hammfelddamm 13
41460 Neuss
Tel: +49 2131 109-1089
Fax: +49 2131 109-81089

Which data is processed?
The use of CrefoWhistle is on a voluntary basis. In case of hints the following personal data is processed:
a) Whistleblower: name (if you disclose your identity), contact details (if you provide them)
b) Persons affected by incidents: First and last name, information about incidents and suspected violations of laws and regulations
c) Witnesses and/or third parties named in the notice (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details.
Purpose and legal basis for data processing
The above-mentioned data is processed for the purpose of uncovering and preventing serious wrongdoing and avoiding and defending against particularly drastic or existence-threatening legal consequences and damage, both for our organization (criminal prosecution, claims for damages, damage to our image, supervisory measures) and for our employees. The legal basis for the processing is a legal obligation (pursuant to Art. 6 para 1 lit b DSGVO) to comply with the requirements under the EU Whistleblower Directive of 23.10.2019 (EU 2019/1937) and the national implementing laws in this regard. In addition, the processing is based on the overriding legitimate interest of our organization to comply with archiving rules (pursuant to Art. 6 Para. 1 lit f DSGVO). 

Data Recipients
The platform is operated and administered by Creditreform Compliance Services GmbH (hereinafter CCS), which constitutes the Compliance Office on behalf of Creditreform Compliance Services. CCS processes compliance data in order to review reported incidents, initiate and conduct investigations, and take remedial action where necessary. As part of the reviews, investigations and remedial actions to be taken, it may be necessary to share information about a reported incident with employees of other departments or with the management of Creditreform Compliance Services, other Creditreform companies, external advisors (e.g. legal advisors) or the relevant authorities. We may also be required to report a reported incident to the appropriate authorities and to the affected individuals.

CrefoWhistle is operated by the specialized software service provider iComply GmbH, Große Langgasse 1a, DE-55116 Mainz, on our behalf. iComply GmbH is contractually obligated to maintain strict confidentiality and to comply with all data protection requirements. The data center operator has no access to data of any kind, it serves exclusively to store the application as well as the data stored in it.

What data security measures does CrefoWhistle have?
Personal data and information entered into CrefoWhistle is stored in a database operated by iComply GmbH in an ISO/IEC 27001 certified data center in Germany. Only CCS is allowed to view the data. The iComply GmbH and other third parties have no access to the data. This is guaranteed in a certified procedure by comprehensive technical and organizational measures. All data is encrypted and stored with multi-level password protection, so that access is limited to a very narrow circle of explicitly authorized persons. Communication between your end device and CrefoWhistle takes place via an encrypted connection. The IP address of your end device is not stored during use.

What data protection rights do you have?
You have the right, upon request and free of charge, to receive information about the personal data stored about you, its origin and recipient, as well as the purpose of the data processing.
If we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds arising from your particular situation (right of objection). In addition, you have the right to correct incorrect personal data, the right to delete personal data, the right to restrict the processing of personal data and the right to data portability.
You can contact us at any time at for this and other questions on the subject of personal data. Finally, you have the option of filing a complaint with the supervisory authority if you believe that the processing of your data violates data protection law or your data protection rights have been violated in any other way.

How long is the personal data stored?
Personal data is retained for as long as is required for clarification and final assessment or for a legitimate interest of the company or as required by law. After that, this data will be deleted in accordance with legal requirements. If a notice proves to be unfounded, the notice and the personal data it contains will be deleted immediately.