Business Keeper AG proved that its IT-based service BKMS® Compliance System complies with EU data protection law.
At the core of this service is the BKMS® System (v3.1), which has already received the EuroPriSe seal several times. The BKMS® System is a whistleblowing system, technically designed as a web-based service (software as a service – SaaS).
In addition, BKMS® Compliance System also consists of several other modules / extensions, which are covered by this recertification for the first time:
- BKMS® VoiceIntake and BKMS® Translation as extensions to BKMS® System, v3.1;
- BKMS® Case Management, v3.1;
- BKMS® Third Party, v1; and
- BKMS® Business Approvals, v1.
Please find further information on all functionalities of the BKMS® Compliance System below.
Users of the certified service are controllers in respect of the processing of personal data relating to whistleblowers and reported / accused persons as well as to their business partners and employees. They are provided with guidance on how to comply with EU data protection law in a data protection leaflet. They can be sure to act in compliance with the law if they follow this guidance.
BKMS® Compliance System
Function as provided in May 2020
Qualification: IT-based service (processor service)
Version of Certification Criteria
13/05/2020 until 31/05/2022
Recertification No. 2: 14/12/2017
Recertification No. 1: 13/08/2015
Initial Certification on June 07, 2013
Business Keeper AG
Bayreuther Straße 35
The confidentiality of the personal data that are processed via the BKMS® Compliance System is secured by means of a sophisticated encryption solution. This solution prevents employees of Business Keeper AG and of relevant sub-processors from accessing clear text data. The only persons who can access decrypted clear text data are
- the competent employees of the respective clients making use of the BKMS® System, and
- third parties such as translators or ombudsmen commissioned by those clients.
Business Keeper AG makes customers aware of relevant data protection requirements by means of an informative and comprehensible privacy leaflet covering all modules / extensions of the BKMS® Compliance System.
The certified service offers a “privacy functionality”: An examiner may specify personal data such as names or unique identifiers that are part of a report. Applying the privacy functionality blacks out the specified data (making them unreadable). Only an examiner with the right to undo the privacy functionality is able to retrieve the original report.
BKMS® Compliance Platform is designed to facilitate privacy-compliant use. However, the actual legitimacy of the processing of personal data must be evaluated by the customers (controllers) when making use of the service.
The BKMS® Compliance System allows for the management of compliance processes. At the core of the service is the BKMS® System. BKMS® System is a whistleblowing system, technically designed as a web-based service (software as a service – SaaS). Customers of Business Keeper AG may provide a link to the system on their websites. Whistleblowers (e.g., employees of the customers) may use the service in order to report grievances (e.g., criminal activities such as fraud or embezzlement). BKMS® System facilitates a dialogue between whistleblowers and examiners (e.g., compliance officers or corruption agents). Whistleblowers are enabled to set up a post box in order to exchange messages with examiners.
Customers can also make use of the extensions BKMS® VoiceIntake, BKMS® Translation, BKMS® Case Management, BKMS® Third Party, and BKMS® Business Approvals. With VoiceIntake, voice messages of whistleblowers can be recorded and stored in the BKMS® System. BKMS® Translation allows for the translation of reports and replies / follow-ups within the service with the help of a translation agency to be chosen and commissioned by the user. BKMS® Case Management facilitates the management of compliance-related matters in a case system. BKMS® Third Party supports a risk-oriented assessment and approval of business partners. Finally, with BKMS® Business Approvals, mandatory information and approval processes can be documented in an audit-proof way, e.g. when implementing gift acceptance guidelines within a company.
The core service BKMS® System (v3.1) has not changed since the previous recertification in 2017. However, the target of evaluation of the current recertification does not only cover this core service, but the whole BKMS® Compliance System with the further modules / extensions:
- BKMS® VoiceIntake;
- BKMS® Translation;
- BKMS® Case Management;
- BKMS® Third Party;
- BKMS® Business Approvals.
However, the ToE does not include
- the creation or use of individual reports (BKMS® System);
- the individual establishment or use of topics for reports (BKMS® System);
- the individual installation or use of information texts or declarations of consent in the context of the submission of reports (BKMS® System);
- BKMS® Translation in combination with the translation agency contractually bound to Business Keeper AG;
- the optional configuration of an automatic voice distortion for BKMS® VoiceIntake by Business Keeper AG;
- the use of the Alert Manager function and the Dow Jones Risk & Compliance watch list within BKMS® Third Party;
- the use of the function for integrating search engines in BKMS® Third Party;
- the integration of user-specific questionnaires and self-disclosure forms in BKMS® Third Party and their subsequent use;
- the licensing and sales processes at Business Keeper AG, apps for tablets or smartphones or further services or consulting provided by Business Keeper AG.
The ToE version (v3.1) has not changed since the previous recertification in 2015. However, a new role (“auditor”) has been introduced. Auditors are given read-only rights to the personal data that are necessary to perform an audit regarding the use of the BKMS® System (e.g., activity logs, audit logs and user administration data), but they cannot access any whistleblowing reports. A few other (minor) changes have been made to the ToE as well. These changes are outlined at No. 11 of the Short Public Report.
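The two access-control points described above, the privacy functionality (blacking out specified identifiers, reversible only by an examiner holding the undo right) and the read-only auditor role that sees logs and user administration data but never report content, can be modelled as one permission check. The following is an added example written for this page, not code from Business Keeper AG or the BKMS® System; the role names, permission names, the in-memory store and the sample report are all constructed for illustration.

```python
import secrets
from datetime import datetime, timezone

# Permission sets per role. Assumption: role and permission names are this
# example's own. The "auditor" role mirrors the page: read-only access to
# activity/audit logs and user administration, and no access to reports.
ROLE_PERMISSIONS = {
    "examiner": {"read_report", "apply_privacy"},
    "examiner_with_undo": {"read_report", "apply_privacy", "undo_privacy"},
    "auditor": {"read_audit_log", "read_user_admin"},
}

REDACTION_MARK = "\u2588" * 5  # visible "blacked out" block in the report text


class WhistleblowingStore:
    """In-memory stand-in for the report database (constructed for this example)."""

    def __init__(self):
        self._reports = {}    # report_id -> text currently visible to examiners
        self._originals = {}  # report_id -> text as it was before blacking out
        self._audit_log = []  # (timestamp, actor, action, report_id)
        self._users = {}      # user_id -> role

    def add_user(self, user_id, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._users[user_id] = role

    def _log(self, actor, action, report_id):
        # The log records who did what to which report, never report content.
        stamp = datetime.now(timezone.utc).isoformat()
        self._audit_log.append((stamp, actor, action, report_id))

    def _require(self, user_id, permission, report_id=None):
        role = self._users.get(user_id)
        if role is None or permission not in ROLE_PERMISSIONS[role]:
            self._log(user_id, f"denied:{permission}", report_id)
            raise PermissionError(f"{user_id} ({role}) lacks {permission}")
        self._log(user_id, permission, report_id)

    def submit(self, text):
        report_id = secrets.token_hex(4)
        self._reports[report_id] = text
        self._log("whistleblower", "submit", report_id)
        return report_id

    def read(self, user_id, report_id):
        self._require(user_id, "read_report", report_id)
        return self._reports[report_id]

    def apply_privacy(self, user_id, report_id, identifiers):
        """Black out the given identifiers; the original is kept for undo only."""
        self._require(user_id, "apply_privacy", report_id)
        text = self._reports[report_id]
        self._originals.setdefault(report_id, text)
        # Longest identifiers first so "Jane Doe" is replaced before "Jane".
        for ident in sorted(identifiers, key=len, reverse=True):
            text = text.replace(ident, REDACTION_MARK)
        self._reports[report_id] = text
        return text

    def undo_privacy(self, user_id, report_id):
        """Only holders of the undo right get the original text back."""
        self._require(user_id, "undo_privacy", report_id)
        return self._originals.get(report_id, self._reports[report_id])

    def audit_entries(self, user_id):
        self._require(user_id, "read_audit_log")
        return list(self._audit_log)
```

Denied attempts are logged before the exception is raised, so an auditor reviewing the log sees that someone tried to read a report, but never what the report said.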
Existing documentation has been updated and new documentation (e.g., records of processing activities pursuant to Art. 30(2) GDPR) has been added to comply with the new legal requirements of the General Data Protection Regulation (GDPR). The same holds true in respect of the privacy notices for the BKMS® System and the commercial website.
Apart from layout, hotfixes, patches and some other internal organisational documents, nothing else relevant with regard to the ToE has been added, nothing has been removed.
The ToE version has changed from 2.7.3 to 3.1. Apart from layout, hotfixes, patches and some internal organisational documents, nothing relevant with regard to the ToE has been added, and nothing has been removed.
SSLv3 has been turned off. The session key is now changed automatically. FREAK protection prevents fallback to weaker keys. The connection between Tomcat and the database has been encrypted.
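The transport hardening listed above (SSLv3 off, automatically renewed session keys, no fallback to weaker keys) is the kind of setting that is easy to assert once and then lose in a later configuration change, so it is worth checking programmatically. The example below is added for this page and is not the BKMS® System's configuration; it uses Python's standard `ssl` module to build a server context that meets such a policy, a deliberately weaker one for comparison, and an audit function that reports every deviation. The weak-cipher marker list and the policy itself are this example's own assumptions.

```python
import ssl

# Substrings that mark legacy, export-grade or unauthenticated suites.
# Assumption: this list is this example's policy, not the product's.
WEAK_CIPHER_MARKERS = ("EXP", "NULL", "RC4", "DES", "MD5", "ADH", "AECDH")


def hardened_context() -> ssl.SSLContext:
    """Server-side TLS context: SSLv3, TLS 1.0 and 1.1 refused, ephemeral keys only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE-only suites: every handshake derives a fresh session key, and there
    # is no RSA key transport for a FREAK-style downgrade to export RSA to target.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def weak_context() -> ssl.SSLContext:
    """Context that still admits TLS 1.0 and static-RSA suites (for comparison)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of policy findings; an empty list means the context is compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}, expected TLSv1_2 or higher"
        )
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher offered: {name}")
        # TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 suites
        # the name must show (EC)DHE, otherwise the session key is not renewed.
        if cipher["protocol"] == "TLSv1.2" and "DHE" not in name:
            findings.append(f"non-ephemeral key exchange: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        print(label, audit_context(ctx) or "OK")
```

Running the audit against the weak context lists the low minimum version and every static-RSA suite the default cipher list still offers; the hardened context produces no findings.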
Initial Certification 2013:
Whistleblowers can submit a report via a web form. They may reveal their identity or act anonymously or pseudonymously. Furthermore, they are given the possibility to set up a post box and to conduct a dialogue with examiners (e.g., provide them with further relevant information on the particular grievance).
The reports that are stored in the BKMS® System database are encrypted using asymmetric encryption. The same holds true for the content of the communications between whistleblowers and examiners (in the post box scenario).
Examiners can access the BKMS® System via an HTTPS interface at https://www.business-keeper.com/for-clients.html.
Customers of Business Keeper AG qualify as controllers of the processing of personal data that results from the use of the BKMS® System. Business Keeper AG qualifies as processor on behalf of its customers. It is noteworthy that Business Keeper AG cannot access clear text, but only encrypted data.
Target of Evaluation (ToE) is the Business Keeper Monitoring System (BKMS® System) v.2.7.3, functionality as provided in May 2013. The ToE is available in three different configurations:
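The property stated above, that reports are encrypted asymmetrically so that the processor holds only ciphertext and cannot read clear text, rests on a key-separation pattern: the submitting side encrypts under the examiner's public key, the service stores the result, and only the examiner's private key decrypts. The following example, added for this page and not the BKMS® System's own implementation, shows that pattern as a hybrid scheme built from Python's standard library alone: a Diffie-Hellman shared secret from an ephemeral key, a SHA-256 counter-mode keystream, and an HMAC tag (encrypt-then-MAC). The group parameters are deliberately small toy values so the arithmetic is readable; a deployment would use a vetted curve or group and a maintained cryptography library. The function names, the `ProcessorDatabase` class and the sample report are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (assumption: small for readability, not for deployment).
P = 2**127 - 1   # a Mersenne prime
G = 5
KEY_BYTES = 16   # enough to hold any value below P


def generate_examiner_keypair():
    """The private key stays with the examiner; only the public key reaches the web form."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _keystream_and_mac_key(shared: int, salt: bytes, length: int):
    # Derive an encryption keystream (counter mode over SHA-256) and a separate
    # MAC key from the Diffie-Hellman shared secret and a per-message salt.
    base = shared.to_bytes(KEY_BYTES, "big") + salt
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hashlib.sha256(base + b"enc" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return stream[:length], hashlib.sha256(base + b"mac").digest()


def encrypt_for_examiner(examiner_pub: int, report: bytes) -> dict:
    """Submitting side: fresh ephemeral key per report, then encrypt-then-MAC."""
    eph_priv = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph_priv, P)
    shared = pow(examiner_pub, eph_priv, P)
    salt = secrets.token_bytes(16)
    stream, mac_key = _keystream_and_mac_key(shared, salt, len(report))
    ciphertext = bytes(a ^ b for a, b in zip(report, stream))
    header = eph_pub.to_bytes(KEY_BYTES, "big") + salt
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "salt": salt, "ct": ciphertext, "tag": tag}


def decrypt_as_examiner(examiner_priv: int, blob: dict) -> bytes:
    """Examiner side: verify the tag first, fail closed on any tampering or wrong key."""
    shared = pow(blob["eph_pub"], examiner_priv, P)
    stream, mac_key = _keystream_and_mac_key(shared, blob["salt"], len(blob["ct"]))
    header = blob["eph_pub"].to_bytes(KEY_BYTES, "big") + blob["salt"]
    expected = hmac.new(mac_key, header + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("report failed integrity check")
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


class ProcessorDatabase:
    """What the processor holds: ciphertext blobs and no private key (constructed stand-in)."""

    def __init__(self):
        self._rows = {}

    def store(self, blob: dict) -> str:
        report_id = secrets.token_hex(4)
        self._rows[report_id] = blob
        return report_id

    def fetch(self, report_id: str) -> dict:
        return dict(self._rows[report_id])
```

Because every submission uses a new ephemeral key and salt, two encryptions of the same report produce unrelated ciphertexts, and an operator with full database access still sees only the `ct` bytes and the public values needed by the examiner.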
- BKMS®-Z: Collection, first verification and coordination of incoming reports by a central department;
- BKMS®-D: Reports are forwarded to the competent examiners by the system automatically;
- BKMS®-O: External experts (e.g., ombudsmen) deal with the collection and first verification of reports.
The ToE comprises a production system with a load balancer, two application servers and a database server as well as a development and test system.
Technical Evaluator (since 07/2018)
Dr. Irene Karper LL.M.Eur.
datenschutz cert GmbH
Technical Evaluator (until 06/2018)
datenschutz cert GmbH
Legal Evaluator (since 11/2019)
datenschutz cert GmbH
Legal Evaluator (until 10/2019)
Dr. Irene Karper
datenschutz cert GmbH