Data Protection Information

We are very pleased about your interest in our company. Data protection is extremely important to us at D-Trust GmbH. Whenever you want to use one of our services, the processing of your personal data is largely determined by the service you request or use.

The data is always processed in accordance with the EU General Data Protection Regulation (hereinafter: GDPR).

Responsible for Data Processing

D-Trust GmbH
Kommandantenstr. 15
10969 Berlin

You can reach our data protection officer at the email address:

General Data and Information

We therefore provide you with the following information about the processing of your personal data for the associated business processes.


As part of a telephone campaign, we contact the digitisation managers of counties and municipalities for marketing purposes. To do this, we use the contact information published on the website.  The legal basis for this is our legitimate interest (Art. 6 (1) (f) GDPR). After consent has been given by telephone, we send an email with the product information we discussed on the subject or with a meeting date agreed with you. You will receive this email at the email address you have confirmed. This is a double opt-in procedure. Further confirmation is necessary so that we can reach you at the correct email address you have specified. We store your consent with time stamps in the call history. The legal basis for this storage is our legitimate interest (Art. 6 (1) (f) GDPR), such as our legitimate interest in proving in cases of doubt that consent has been given to use the data to receive product information.

The legal base for sending product and service information and for processing your personal data is your informed, voluntary consent in accordance with Sec. 7 (2) (2) of the Unfair Competition Act (Gesetz gegen unlauteren Wettbewerb, UWG) in conjunction with Art. 6 (1) (a) GDPR.

Service Partner: In our telephone campaign, we are supported by our service partner, especially in contacting those responsible for digitisation: Sales People GmbH, Mallaustr. 75, 68219 Mannheim, Sales People GmbH (

If there is collaboration, such as support services, D-Trust will transfer personal data to service providers (data processors). These service providers only act on the instructions of D-Trust and are contractually obliged to comply with data protection requirements. D-Trust will continue to be responsible for the data processing.

In addition, we will share your personal information with courts, regulatory agencies or law firms

  • if we are required to do so by law or court order or
  • if this is legally permissible and necessary to maintain or assert valid legal claims.

Ensuring compliance with legal regulations and internal rules, such as our Code of Conduct, and also with our Code of Conduct for Business Partners is a top priority for the Bundesdruckerei Group. This applies to our own business unit as well as to our supply chains.

It is important to us that risks are identified at an early stage and violations are avoided as far as possible. We want to initiate appropriate countermeasures in good time and avoid possible damages for those affected, as well as customers, employees, business partners and our group of companies.

That is why we have set up an independent, impartial and confidential whistleblowing system that allows internal and external whistleblowers to also report anonymously.

With the help of the transparent Complaints Procedure, we create the greatest possible protection for those affected, the whistleblowers and the employees who are involved in clarifying the reported facts. All actual and alleged violations of legal requirements, the Code of Conduct and the Code of Conduct for Business Partners can be reported under the Complaints Procedure. Likewise, the subject of a report may involve human-rights or environmental risks, or breaches of duty along the entire supply chain of our Group companies and in our own business area.

Rapid, standardised processes plus confidential and professional processing of tips by internal experts form the foundation of this system, which is based on the principle of fair proceedings.

Discrimination or punishment of whistleblowers and persons entrusted with the handling of complaints and tips will not be tolerated.

The aformentioned Complaints Procedure is applicable to Bundesdruckerei Group GmbH and the group companies Bundesdruckerei GmbH, Maurer Electronics GmbH, genua GmbH, D-Trust GmbH, Maurer Electronics Split d.o.o, iNCO Sp. z o.o. and Xecuro GmbH (together being the “Bundesdruckerei Group”).

a) Purpose and legal basis of data processing

The purpose of processing personal data is the management of the whistleblower system, including the detection of serious violations or potential violations of applicable law or other serious matters.

The processing of personal data is necessary for the fulfillment of legal obligations to which we are subject; see Art. 6 (1) (1) (c) GDPR. This is the law for better protection of whistleblowers (Whistleblower Protection Act – Hinweisgeberschutzgesetz, HinSchG).

The processing serves to safeguard the legitimate interest in the detection of serious violations or potential violations of applicable law or other serious matters pursuant to Art. 6 (1) (1) (f) GDPR.

As far as the processing of special categories of personal data is concerned, processing on the basis of the Whistleblower Protection Act is necessary for reasons of substantial public interest, see Art. 9 (2) (g) GDPR. Special categories of personal data are processed pursuant to Art. 9 (2) (f) GDPR in conjunction with Art. 6 (1) (1) (f) GDPR for the establishment, exercise or defence of legal claims.

Data subjects are persons who are the subject of the notification. They may be employees, contractual partners or other persons who are professionally associated with us. In addition, we process personal data about whistleblowers even if the contact information or other information transmitted or communicated by them exposes their identity. Whistleblowers must therefore be aware that we may process personal data about them in connection with the processing of the reported case.

b) Categories of personal data

The report can be made anonymously. In this case, no personal data of the whistleblower will be processed.

The categories of personal data processed will depend on the information reported. If the whistleblower reports personal data about another person, including that of the person or persons being reported on, this personal data will also be processed. The following categories of personal data may be processed:

  • General personal data (name, address, e-mail address, telephone number, position, etc.)
  • Personal data relating to criminal convictions or suspicion of such
  • Special categories of personal data (information revealing racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership, data concerning health and data concerning a person’s sex life or sexual orientation)

We advise the whistleblower only to report information that is of specific relevance to the reported case and, in particular, not to report sensitive information unless it is of central importance for the processing of the reported case.

c) Obligation to provide personal data

There is no obligation to provide the personal data listed under section b, as it is also possible to report anonymously. However, it may not be possible for us to process the report without being provided with personal data.

d) Recipients of personal data

The reports are documented as a process in the WhistleB System at Bundesdruckerei GmbH. Following an assessment, the processes are passed on internally to the relevant departments, and any necessary follow-up measures are initiated. If a report concerns one of the Group companies of the Bundesdruckerei Group, these processes will be forwarded to the responsible persons of the respective Group company and evaluated internally by the responsible person, and any necessary follow-up measures will be initiated. Personal data is only passed on for a specific purpose and in accordance with the principle of data minimisation; in other words, only the personal data that is absolutely necessary to process the notification is passed on.

We disclose personal data about the whistleblower to authorities if this is necessary to deal with serious offences or serious matters or to ensure the right of defending the data subjects. In other cases, personal data about the whistleblower will only be passed on with the consent of the whistleblower. Personal data about persons other than the whistleblower will only be passed on in the context of following up a reported case or to deal with serious offences or serious matters.

The reporting platform is provided by the processor, WhistleB Whistleblowing Centre AB, Stockholm, Sweden. Further information on WhistleB, Whistleblowing Centre AB can be found in the Terms of Use.

e) Storage duration

Personal data that proves to be irrelevant for the processing of a reported case, along with reports that we consider to be unfounded, is immediately categorised as “irrelevant”, and any personal reference (unless it is already an anonymous report) is removed. In order to guarantee compliance with the legally required documentation obligation or statutory deletion period from Sec. 11 (1), (5) HinSchG, this report will then be archived at first (without personal reference), but not yet deleted. Archived cases are used exclusively to fulfil documentation obligations and can therefore no longer be called up for processing.

Reports and personal data collected in the course of processing a report form the basis for further processing and are anonymised as soon as possible. However, if the need for follow-up measures within the meaning of Sec. 3 (8) and Sec. 18 HinSchG arises, it is possible that the anonymisation must be deviated from due to an official order or in order to secure legal claims. In this case, pseudonymisation is generally striven for unless something else has been specified (e.g., by a court order). The documentation will be deleted three years after completion of the procedure. The documentation may be kept for longer to fulfil the requirements of this Act or other legislation, as long as this is necessary and proportionate.

If the collection of data is not based on consent and an explicit retention period has been specified, your personal data will be deleted as soon as it is no longer required to achieve the stated purposes and no statutory retention periods (e.g., the obligation to provide proof of certification) prevent their erasure.

The following is a list of the rights to which you as the data subject are entitled vis-à-vis D-Trust with regard to the processing of your personal data.

  • Right of confirmation and information (see Art. 15 GDPR): You have the right to request confirmation from us as to whether personal data concerning you is being processed and to request knowledge and further information about the personal data concerning you that is being processed.
  • Right of correction (see Art. 16 GDPR): You have the right to ask us to correct or complete your personal data.
  • Right to erasure (Art. 17 GDPR): You may ask us to erase the personal data concerning you.
  • Right to restriction of processing (see Art. 18 GDPR): You have the right to ask us to limit the processing of your personal data.
  • Right of data portability (see Art. 20 GDPR): You have the right to receive personal data that you have provided to us in a structured, common and machine-readable format.
  • Right to object to processing (see Art. 21 GDPR): If your personal data is processed on the legal basis of legitimate interest (Art. 6 (1) (f) GDPR) or for the purpose of direct marketing, you may object to the data processing.

If the processing of your personal data is based on your consent, you can withdraw this consent at any time with future effect. The withdrawal of your consent will not affect the legality of the processing carried out prior to the withdrawal. You can withdraw your consent by sending an email to or by using the contact details above.

You have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR.

Responsible for D-Trust GmbH is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, tel.: +49 (0) 30 13889-0, email:

This data protection policy was last revised on: 21.12.2023