Disclaimer:

This register is kept with the utmost care. However, EuroPriSe does NOT guarantee the accuracy of information found on the Site. Your reliance on information found on the Site is at your own risk. For more information please go to EuroPriSe Terms & Conditions.

Product/Version

BKMS® System (Business Keeper Monitoring System)
Version 3.1
Function as provided in December 2017

Qualification: IT-based service (processor service)

View the BKMS® System v3.1 certificate 

Version of Certification Criteria

01/2017

Cert. No.

EP-S-L8DLXC

Validity

14/12/2017 until 31/12/2019

Recertification 13/08/2015 

Initial Certification on June 07, 2013

Monitoring

08/2018

04/2019

Public report

2017 Short Public Report BKMS® System v3.1 [PDF]

2015 Short Public Report BKMS® System v3.1 [PDF]

2013 Short_Public_Report_BKMS® System_[PDF]

Manufacturer/Provider

Business Keeper AG
Bayreuther Straße 35
10789 Berlin

Germany

BEST

The confidentiality of the personal data that are processed via the BKMS® System is secured by means of a sophisticated encryption solution. This solution prevents employees of Business Keeper AG and of relevant sub-processors from accessing clear text data. The only persons who can access decrypted clear text data are the competent employees of the respective clients making use of the BKMS® System.

The Business Keeper AG makes customers aware of relevant data protection requirements by means of an informative and comprehensible privacy leaflet.

The BKMS® System offers a "privacy functionality": An examiner may specify personal data such as names or unique identifiers that are part of a report. The application of the privacy functionality results in the blacking of the specified data (making them unreadable). Only an examiner with the right to undo the privacy functionality is able to retrieve the original report.

ATTENTION:

The BKMS® System supports both reporting by name and anonymous / pseudonymous reporting. Customers are advised in a privacy leaflet to prefer reporting by name over anonymous / pseudonymous reporting to reduce the risk of misuse of the system.

Customers of Business Keeper AG may ask for a specific customisation in respect of anonymous / pseudonymous reporting or reporting by name. They are advised in the privacy leaflet to consult with the competent data protection authority if they want to deviate from the advice mentioned in the previous paragraph.

Summary

The BKMS® System is a whistleblowing system, technically designed as a web based service (software as a service - SaaS). Customers of Business Keeper AG may provide a link to the system on their websites. Whistleblowers (e.g., employees of customers) may use the BKMS® System in order to report grievances (e.g., criminal activities such as fraud or embezzlement). The BKMS® System facilitates a dialogue between whistleblowers and examiners (e.g., compliance officers or corruption agents). Whistleblowers are enabled to set up a post box in order to exchange messages with examiners.

Details

Recertification 2017:

The ToE version (v3.1) has not changed since the previous recertification in 2015. However, a new role ("auditor") has been introduced. Auditors are given read-only rights to personal data that are necessary to perform an audit regarding the use of the BKMS® system (e.g., to activity logs, audit logs and user administration data), but they cannot access any whistleblowing reports. A few other (minor) changes have been made to the ToE as well. These changes are outlined at No. 11 of the Short Public Report.

Existing documentation has been updated and new documentation (e.g., records of processing activities pursuant to Art. 30(2) GDPR) has been added to comply with the new legal requirements of the General Data Protection Regulation (GDPR). The same holds true in respect of the privacy notices for the BKMS® System and the commercial website.

Apart from layout, hotfixes, patches and some other internal organisational documents, nothing else relevant with regard to the ToE has been added and nothing has been removed.

Recertification 2015:

The ToE version has changed from 2.7.3 to 3.1. Apart from layout, hotfixes, patches and some internal organisational documents, nothing relevant with regard to the ToE has been added and nothing has been removed.

SSLv3 has been turned off. The session key is now changed automatically. FREAK prevention avoids the use of lower key standards. The connection between Tomcat and the database has been encrypted.

Initial Certification 2013:

Whistleblowers can submit a report via a web form. They may reveal their identity or act anonymously or pseudonymously. Furthermore, they are given the possibility to set up a post box and to conduct a dialogue with examiners (e.g., provide them with further relevant information on the particular grievance).

The reports that are stored in the BKMS® System database are encrypted using asymmetric encryption. The same holds true for the content of the communications between whistleblowers and examiners (in the post box scenario).

Examiners can access the BKMS® System via an https interface at https://www.business-keeper.com/for-clients.html.

Customers of Business Keeper AG qualify as controller of the processing of personal data that results from the use of the BKMS® System. The Business Keeper AG qualifies as processor on behalf of its customers. It is noteworthy that Business Keeper AG cannot access clear text, but only encrypted data.

The Target of Evaluation (ToE) is the Business Keeper Monitoring System (BKMS® System) v.2.7.3, functionality as provided in May 2013. The ToE is available in three different configurations:

  • BKMS®-Z: Collection, first verification and coordination of incoming reports by a central department;
  • BKMS®-D: Reports are forwarded to the competent examiners by the system automatically;
  • BKMS®-O: External experts (e.g., ombudsmen) deal with the collection and first verification of reports.

The ToE comprises a production system with a load balancer, two application servers and a database server as well as a development and test system.

Technical Evaluator

Alexey Testsov
datenschutz cert GmbH
Konsul-Smidt-Str. 88a
28217 Bremen
Germany
ATestsov@datenschutz-cert.de

Legal Evaluator

Dr. Irene Karper
datenschutz cert GmbH
Konsul-Smidt-Str. 88a
28217 Bremen
Germany
ikarper@datenschutz-cert.de

Formerly Certified Versions

v2.7.3

View the BKMS® System v2.7.3 certificate

European Privacy Seal for Business Keeper

Recertification: 12/2017

Press Release by the seal holder [external link / TLS]

Business Keeper AG proved that its IT-based service "Business Keeper Monitoring System (BKMS® System)" complies with EU data protection law. The BKMS® System is a whistleblowing system, technically designed as a web based service (software as a service - SaaS). Users of BKMS® System are controllers in respect of personal data relating to whistleblowers and persons who are reported through the scheme. They are provided with guidance on how to comply with EU data protection law in a data protection leaflet. Thus, they can be sure to act in compliance with said law if they follow this guidance.

 

© 2008 - 2017 | EuroPriSe GmbH - European Privacy Seal | Handelsregister-Nr. (Commercial Register No.): Bonn HRB 20387

No responsibility for the accuracy of the information.