Questions and answers whistleblower system

Information about potential violations of rules can be uncovered at an early stage, thus preventing the occurrence of imminent damage. We therefore welcome any information on possible violations of rules and laws. This includes, for example, corruption, bribery, embezzlement, fraud, discrimination and harassment, antitrust violations, insider trading, money laundering, tax evasion, accounting fraud, data protection, business secrets and more.

You can submit a report anonymously. The employees of the ombudsman’s office are obligated to maintain confidentiality. They will not disclose your identity as a whistleblower to third parties without your consent, unless there is a legal obligation to do so. Please note, however, that it is generally easier to process reports if you do not submit them anonymously and the ombudsman’s office can contact you in the event of queries. We have a duty to disclose the identity of the whistleblower to the accused if the whistleblower chooses to make a non-anonymous report.

The ombudsman’s office receives your enquiry, prepares a written report and forwards it to the management of the company concerned. The report will then be carefully examined in accordance with the internal instructions for the management of compliance incidents and, if necessary, appropriate measures will be taken by those responsible.

Your data will be treated confidentially and protected in accordance with the relevant European and national data protection regulations, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act.

If you make a report to the ombudsman’s office, the ombudsman’s office will act as a data protection controller within the meaning of Art. 4 No. 7 GDPR when processing your personal data and the people named by you. In this capacity, it will take the appropriate precautions to ensure that the data is handled in accordance with data protection law to the extent required by law.

Whistleblowers will be uniformly well protected throughout the EU. The Whistleblower Protection Policy, which prescribes uniform standards, entered into force on December 16, 2019.

As a general principle, the data subjects will not be informed about who has submitted a report. Please note that the data subjects must regularly be confronted with the allegations made against them, if only so that they can protect their own rights of defense, e.g. the right to a hearing or in the event of questioning by law enforcement authorities or the police.

If we are legally obligated to do so or if this is permitted under data protection law, we may pass on personal data to authorities, for example the police or public prosecutor’s office (Art. 6 Para. 1 lit. c GDPR). In the course of processing a report or in the course of an investigation, it may be necessary to make reports available to additional employees or employees of other group companies if, for example, the notices relate to events at subsidiaries. The latter may also have their registered offices in countries outside the European Union, in which different regulations for the protection of personal data may exist. We always ensure that the relevant data protection regulations are complied with when passing on reports. The disclosure of this data is based on our legitimate interest in combating abuse, prosecuting criminal offences and securing, asserting and enforcing claims and that your rights and interests in the protection of your personal data are not overridden, Art. 6 (1) lit. f GDPR.

Whistleblowers acting in good faith will not be disadvantaged or sanctioned in any way by their company for submitting a notice – even if the suspicion subsequently turns out to be unfounded. However, we reserve the right to take legal action in the event that notices are given incorrectly against better knowledge.

When reports are made, the following personal data and information are collected:

Your name, if you have provided your identity, whether you are an employee and, if applicable, the names of people and other personal data of the people you name in your notification. We also process personal data from you that you provide or that results from the circumstances of your notification, for example, as part of the contact information you provide. Personal data may include your name, work or home email address and/or phone number, and other contact information or positions and job titles within the company. The actual information from the report itself may also contain personal data.

The processing of personal data is based on legal obligations and the legitimate interest of the company in the detection and prevention of corruption, antitrust violations, fraud and other malpractices and thus in the prevention of damage to their company, employees, customers and suppliers. The legal basis for this processing of personal data is Article 6 (a) GDPR, paragraph 1f GDPR.

As a rule, there is no right to object to data processing on the basis of the so-called legitimate interest, Art. 21 (1) p. 2 GDPR.

In addition, the requirements of the “Works Agreement on the Introduction of a Compliance Incident Management and an Anonymous Whistleblower System” which has been concluded in your company shall apply. The works council is involved in the process.

Your personal data will only be processed to the extent necessary to operate the whistleblower system and to perform the tasks of the ombudsman’s office and to investigate the notices in accordance with the company agreement, e.g., the legal examination of the notices and, in the case of the ombudsman’s office of the company we serve, the identified facts, conduct and potential violations. Personal data will be stored for as long as it is required for the clarification and final assessment of the report or we are otherwise entitled or obliged to do so.

We use the information you provide in the whistleblower system, among other things, for the purpose of verifying and documenting the reports, for internal investigations (including forwarding to external lawyers, auditors or other professionals bound by professional secrecy as well as to affected group companies) and, if necessary, for forwarding to government agencies (such as the police, public prosecutor’s office or courts). We assure all whistleblowers that their information will be handled confidentially. The legal basis is the fulfillment of legal obligations pursuant to Art. 6 (1) sentence 1 lit. c GDPR.

As a matter of principle, we will try to keep you informed about the status and outcome of our investigation. However, for various legal and confidentiality reasons, this is unfortunately not always possible for us. Therefore, we cannot guarantee to provide you with information in particular if this would jeopardize the purpose of the investigation or if confidentiality, data protection and the rights of defense and personality of reported persons cannot be adequately guaranteed.

As a whistleblower, you have special data subject rights (Art. 15 et seq. GDPR), including the right to information about the data processed about you, the right to correct incorrect or incomplete data, and, under certain conditions, the right to restrict the processing of your data or to delete the data processed about you. You also have the right to contact our data protection officer or the data protection officer of your company if you wish to obtain further information about the data processing or raise concerns about the data processing. You have the right to lodge a complaint with the competent data protection authority if you have doubts about the lawfulness of the data processing.

You submit your report in an end-to-end encrypted system. This means that the input in the form and the transport to our reporting system is already encrypted SSL/TLS. In addition, all reports via the form, e-mail or phone records are stored in the reporting system PGP encrypted. All written records are digitized and stored PGP encrypted. We only use service providers and IT systems from Germany, which we have committed to data protection and data security via contractual regulations. Two-factor authentication (2FA) is set up for all accesses. The keys for encryption are held exclusively by the ombudsman’s office.

Contact the ombudsman responsible for you. He or she can provide information on any questions and advise you on any situation. This is done under the condition of confidentiality.