Data Protection

Data processing within the internal whistleblowing system ("Whistleblowing Solution")
You have the option of using our internal whistleblowing system. You should not provide any personal data about yourself. Communication takes place solely via a password assigned by you. Depending on the content of your contribution, however, your report may contain personal data of third parties.

Purpose of the processing
The whistleblower system gives employees of the company the opportunity to point out grievances without themselves becoming visible. In particular, this concerns the following circumstances within the company: 
  • criminal offences or misconduct;
  • serious and flagrant violations of applicable law and/or international agreements;
  • serious threats or endangerment of the public interest of which the whistleblower has personal knowledge;
  • breach of a company code of conduct; and
  • Threats to the health of employees. 

Legal basis for processing
The processing of the data serves the fulfilment of a legal obligation (Art. 6 para. 1 p. 1 c) DSGVO), which follows from the so-called Whistleblower Directive (Directive (EU) 2019/1937 on the protection of persons who report infringements of Union law) and national laws of the EU Member States based thereon. The data processing is also carried out in the legitimate interest of the company to be informed about illegal and reportable events and to be able to clarify them internally (Art. 6 para. 1 p. 1 f) DSGVO).

Storage periods
The reports are checked and answered within the legally specified time limits. The deletion of the data depends on the result of the examination: 
Check revealed no infringement: deletion within 2 weeks after completion of the check.
  1. Audit revealed a violation to be clarified internally: Deletion within 4 weeks after the case has been clarified internally. 
  2. Check revealed cause for the initiation of official or legal proceedings (e.g. through criminal charges, or application for an injunction): with the legally binding conclusion of the proceedings, whereby periods of up to 30 years may apply for the retention of notices and judgements. 
Recipients of the data
The data collected is forwarded by the persons in the company responsible for processing notifications and made available to third parties (lawyers, experts, auditors) for analysis and investigation purposes. Authorities and courts may also be involved if there is cause to do so.

Transfer of data to countries outside the European Union
The data collected may be made available to recipients outside the European Union to the extent that this is absolutely necessary for the processing of the reports received, in particular for determining the materiality of the infringements. Prior to the transfer of personal data, the controller shall ensure - in particular through the European Commission's standard contractual clauses - that the companies or persons gaining access to such data ensure an adequate level of protection.