Privacy Notice
on personal data processing relating to the Whistleblowing System

Name: Graphisoft SE (hereinafter: Graphisoft)
Registered office: 1031 Budapest, (Graphisoft Park) Záhony u 7.
E-mail address: [email protected]
Telephone number: 0036 1 437 3000

Graphisoft, in addition to its own reporting channels, uses online whistleblowing system of its parent company Nemetschek Group. When operating the whistleblowing system, Nemetschek Group uses the services of LegalTegrity GmbH. The Privacy Notice of Nemetschek Group Whistleblowing system is available on the following link: Whistle Report

Unless otherwise required by law, the personal data processed may only be read and used by persons who need to have access to the data in order to fulfill their professional duties in connection with the investigation of the incident.

If the investigation of the case requires it or the report is received by them, Graphisoft may share your information with other Graphisoft companies, its parent company Nemetschek SE and its sister brands. Graphisoft does not intend to share your personal data, this may only occur in very exceptional cases and to the extent strictly necessary, if justified by the investigation of the case.

Other than the above, Graphisoft does not transfer personal data to any other recipient.

To fulfill its legal obligation based on Act XXV of 2023, Graphisoft processes personal data provided in whistleblowing reports to investigate potential misconduct within the organisation, in line with its legal and ethical obligations.
In order to clarify the details of the case, therefore detect, investigate and prevent misconduct or legal violation, Graphisoft conducts compliance interviews and internal investigations.

Purpose of data processing

Legal basis of data processing

Special Category Data (Article 9 of GDPR)

Operating whistleblowing system due to legal requirement

Legal Obligation (point c) of Art. 6(1) of GDPR)

Substantial Public Interest (Art. 9(2)(g))

Investigating misconduct

Legitimate interest of Graphisoft (point f) of Art. 6(1) of GDPR): detecting, investigating, and preventing misconduct or legal violations

Legal Claims (Art. 9(2)(f)) or Public Interest (Art. 9(2)(g))

Disclosure to law enforcement authorities for law enforcement purposes in the event of criminally relevant actions by the reported persons

Legal Obligation (point c) of Art. 6(1) of GDPR)

Legitimate interest of Graphisoft (point f) of Art. 6(1) of GDPR): detecting, investigating, and preventing legal violations

Legal Claims (Art. 9(2)(f)) or Public Interest (Art. 9(2)(g))

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you.

Scope of the processed personal data:

  • Identification data (incl. first and last name)
  • Contact details (incl. telephone and mobile number, e-mail address)
  • Report details, including descriptions of incidents
  • Names or roles of persons involved
  • Supporting documents or evidence
  • Special category data if disclosed (e.g. health information)
  • CV data & job description (incl. education and work experience) 
  • Notes taken in connection with the compliance interview
  • Recording & evaluation results

Duration of data processing:
Personal data related to whistleblowing reports will be retained only for as long as necessary to investigate and resolve the issue, and as required by law or our internal policy (No longer than 5 years).

As mentioned in point B, in exceptional and absolutely necessary cases, Graphisoft may share your information with other Graphisoft companies, its parent company Nemetschek SE and its sister brands, therefore  Graphisoft and Nemetschek employees, who are outside the EU, EEA countries can access personal data under appropriate safeguards (Article 45 and 46 of GDPR).
Other than the above Graphisoft does not transfer personal data outside the EU.

https://www.graphisoft.com/legal/privacy-policy