Information on data protection

We take data protection and confidentiality very seriously and comply with the provisions of the EU General Data Protection Regulation (GDPR) as well as applicable national data protection regulations. Please read this data protection information carefully before submitting a report.

Purpose of the whistleblowing system

The purpose of the whistleblowing reporting system is to receive, process and manage reports of unlawful conduct in a secure and confidential manner.

Data controller

The data controller responsible for data protection within the whistleblowing system is the University Hospital Carl Gustav Carus Dresden (University Hospital Dresden).

Personal data and information entered into the whistleblowing system are stored in a database. Access to this data is limited exclusively to the University Hospital Dresden. No external third parties have access to the data. This is ensured through a certified procedure supported by extensive technical and organizational measures.

All data are stored in an encrypted form and are subject to a strict authorization concept with multi-factor authentication. Access is therefore restricted to a very small group of expressly authorized persons at the University Hospital Dresden.

The University Hospital Dresden has appointed data protection officers. Inquiries relating to data protection may be addressed to dsv@ukdd.de.

Types of personal data collected

Use of the whistleblowing system is voluntary. If you submit a report via the whistleblowing system, the following personal data and information may be collected:

  • Your name, if you choose to disclose your identity,
  • Whether you are employed by the Dresden University Medicine, and
  • Names and other personal data of persons mentioned in your report, where applicable.

Legal basis for data processing

The University Hospital Dresden processes personal data (of both the reporting person and the persons concerned by the report) insofar as this is necessary to fulfill a legal obligation (e.g. under the Whistleblower Protection Act or the German Supply Chain Due Diligence Act). The legal basis for this processing is Article 6 Paragraph 1 Letter c GDPR and Article 9 Paragraph 4 GDPR in conjunction with Section 10 HinSchG and Section 8 LKSG.

For reports that do not fall within the scope of the above-mentioned laws, the processing of personal data is based on the legitimate interest of the University Hospital Dresden in detecting and preventing misconduct. In such cases, the legal basis is Article 6 Paragraph 1 Letter f GDPR.

Confidential handling of reports

Incoming reports are received by a small group of expressly authorized and specially trained employees of the Legal Department - Compliance Division of the University Hospital Dresden and are handled with strict confidentiality. Only employees of the Legal Department - Compliance Division evaluate the reports and conduct any further investigations required in the individual case.

Where necessary for the processing of a report or the conduct of a specific investigation, information may be shared with additional employees of the University Hospital Dresden or with employees of its subsidiaries, for example if the report concerns incidents within a subsidiary.

All persons granted access to the data are obligated to maintain confidentiality.

Rights of data subjects

Pursuant to European data protection legislation, you and the persons named in the report have the right of access, rectification, erasure, and restriction of processing, as well as the right to object to the processing of your personal data.

These rights may be exercised in writing or by e-mail by contacting the data controller.

In individual cases, the right of access may be restricted where disclosure would reveal information that must be kept confidential under statutory provisions or by its nature.

You also have the right to lodge a complaint with the competent supervisory authority.

Retention period of personal data

Personal data are retained for as long as necessary to clarify the reported matter and to carry out a final assessment, or for as long as a legitimate interest exists on the part of the organization, or where retention is required by law. Once report processing has been completed, the data will be deleted in accordance with statutory retention and deletion requirements.

Use of the whistleblowing system

Communication between your computer and the whistleblowing system takes place via an encrypted SSL connection. Your IP address is not stored during use of the whistleblowing system. To maintain the session between your computer and the whistleblowing system, a cookie containing only a session ID (a so-called session cookie) is stored on your device. This cookie is valid only for the duration of your session and expires automatically when you close your browser.

After submitting the report, a secured mailbox is automatically created within the whistleblowing system. This mailbox allows you to submit reports either by name or anonymously and to communicate securely with the responsible contact person at the Dresden University Medicine. All communication remains within the whistleblowing system. This is not a form of regular e-mail communication and contributes to a particularly high level of data security.

Note on submitting attachments

When submitting a report or additional information, you may upload attachments for the responsible contact person at the Dresden University Medicine. If you wish to submit an anonymous report, please note the following security advice: files may contain hidden personal data (metadata) that could compromise your anonymity. Please remove all such information before uploading any files.

Version: March 2026