BKMS® System (Business Keeper Monitoring System)
Function as provided in April 2015
Qualification: IT-based service
13/08/2015 - 31/08/2017
Initial Certification on June 07, 2013
Business Keeper AG
Bayreuther Straße 35
The Business Keeper AG makes customers aware of relevant data protection requirements by means of an informative and comprehensible privacy leaflet.
The BKMS® System offers a "privacy functionality": an examiner may specify personal data, such as names or unique identifiers, that are contained in a report. Applying the privacy functionality blacks out the specified data, making it unreadable. Only an examiner holding the right to undo the privacy functionality is able to retrieve the original report.
The privacy functionality is a tool that facilitates the "need to know" principle and thus supports the principles of data avoidance and data minimisation.
The BKMS® System supports both reporting by name and anonymous / pseudonymous reporting. Customers are advised in a privacy leaflet to prefer reporting by name over anonymous / pseudonymous reporting to reduce the risk of misuse of the system.
Customers of Business Keeper AG may ask for a specific customisation in respect of anonymous / pseudonymous reporting or reporting by name. They are advised in the privacy leaflet to consult the competent data protection authority if they want to deviate from the advice mentioned in the previous paragraph.
The BKMS® System is a whistleblowing system, technically designed as a web-based service (software as a service - SaaS). Customers of Business Keeper AG may provide a link to the system on their websites. Whistleblowers (e.g., employees of customers) may use the BKMS® System to report grievances (e.g., criminal activities such as fraud or embezzlement). The BKMS® System facilitates a dialogue between whistleblowers and examiners (e.g., compliance officers or corruption agents). Whistleblowers are able to set up a post box in order to exchange messages with examiners.
The ToE version has changed from 2.7.3 to 3.1. Apart from layout changes, hotfixes, patches and some internal organisational documents, nothing relevant with regard to the ToE has been added, and nothing has been removed.
SSLv3 has been turned off. The session key is now changed automatically. FREAK prevention blocks the use of weaker key standards. The connection between Tomcat and the database is now encrypted.
Whistleblowers can submit a report via a web form. They may reveal their identity or act anonymously or pseudonymously. Furthermore, they are given the possibility to set up a post box and to conduct a dialogue with examiners (e.g., provide them with further relevant information on the particular grievance).
The reports stored in the BKMS® System database are encrypted using asymmetric encryption. The same holds true for the content of the communication between whistleblowers and examiners (in the post box scenario).
Examiners can access the BKMS® System via an https interface at https://www.business-keeper.com/for-clients.html.
Customers of Business Keeper AG qualify as controllers of the processing of personal data that results from the use of the BKMS® System. Business Keeper AG qualifies as a processor on behalf of its customers. It is noteworthy that Business Keeper AG cannot access clear text, but only encrypted data.
Target of Evaluation (ToE) is the Business Keeper Monitoring System (BKMS® System) v.2.7.3, functionality as provided in May 2013. The ToE is available in three different configurations:
The ToE comprises a production system with a load balancer, two application servers and a database server as well as a development and test system.
Ralf von Rahden
datenschutz cert GmbH
Dr. Irene Karper
datenschutz cert GmbH
Business Keeper AG proved that its IT-based service "Business Keeper Monitoring System (BKMS)" complies with EU data protection law. The BKMS® System is a whistleblowing system, technically designed as a web-based service (software as a service - SaaS). Users of BKMS are controllers in respect of personal data relating to whistleblowers and to persons who are reported through the scheme. They are provided with guidance on how to comply with EU data protection law in a data protection leaflet. Thus, they can be sure to act in compliance with said law if they follow this guidance.