Data processing Whistleblower
SARIA International GmbH
Phone: +49 2592 210 0
Purposes and legal basis of data processing:
We process personal data in compliance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws. The purpose of the data processing is the investigation of information provided by you regarding violations of applicable laws and other internal regulations. In the case of reports from persons who are willing to disclose their identity, the data controller processes personal data pursuant to Art. 6 (1) (a) GDPR as the legal basis. In all other cases, the data controller relies on the legal basis of legitimate interest pursuant to Art. 6 (1) (f) GDPR, which particularly serves the prevention and combating of breaches of regulations, the investigation of serious cases of suspicion and the prevention of corporate group damages.
Sources of data processing
As a matter of principle, considering our internet-based whistleblowing procedure, we receive and process personal data directly from the data subject and / or informant.
Categories of personal data:
The data controller processes the following categories of data:
- Information on potential criminal offences, suspicions of criminal offences, other breaches of rules and regulations relevant in the context of the processing activity, as well as other associated reporting data on the accused person.
The controller’s reporting procedure offers full anonymity when filing a report. If the data subject chooses not to remain anonymous, the following personal data is processed:
- Master data (e.g. name, function, organization)
- Communication data (e.g. phone number, e-mail)
Transfer to third parties & data recipients:
Personal data processed in the context of this processing activity will be transferred to a strictly limited number of authorized persons on a need-to-know basis. Should it be required for the conclusion of an investigation, personal data may also be disclosed to subsidiaries within the SARIA Group as well as a selected number of staff belonging to such subsidiaries. In any event, any person authorized to gain access to the data is obliged to maintain confidentiality.
The transfer of personal data to third parties is exclusively based on a legitimate legal basis and includes, for the processing activity described, the transmission to the processor as the licensor of the whistleblowing platform and its contractually assigned sub-processors. If personal data is transferred to recipients outside of the EU, the controller ensures that the recipient of the personal data guarantees an adequate level of data protection within the meaning of Chapter V of the GDPR, and that no other interests of the data subject worthy of protection oppose the transfer of data. When transferring personal data outside of the EU, the data controller particularly relies on legal grounds such as those set forth in the EU Commission’s model contracts for the transfer of personal data to third countries (so-called standard contractual clauses).
Insofar as individual incidents require the data controller to transfer personal data to public authorities, the data controller will review the legal requirements for a transmission and act in accordance with the law. The transmission of personal data will only take place if the legal requirements are met.
Data storage and erasure of data:
The storage of personal data is limited to a period of six years after completion of the underlying investigation. In the event of the initiation of legal and/or disciplinary proceedings, the data controller furthermore may retain personal data until the proceedings have been concluded and the statutory period for appeal has lapsed. If, moreover, the information received via the Integrity Line affects further legal provisions including corresponding statutes of limitations and periods of retention, the data controller reserves the right to store personal data in accordance with such legal provisions.
Automated decision-making and profiling:
The data controller does not process personal data for automated decision-making within the meaning of Art. 22 (1) GDPR.
Rights of the data subject:
In addition to the aspects presented before, further far-reaching rights for the data subject arise from data protection law. These include in particular:
- Right to transparent and comprehensible information: Whether we obtain your personal data directly through you or via a third party, you have the extensive right to be informed about the modalities of the data processing concerning you before the processing takes place (Arts. 12-14 GDPR).
- Right to information: Upon request, we will provide you with information in writing or electronically as to whether and which data relating to you is stored by us (Art. 15 GDPR).
- Right to rectification: You have the right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you is inaccurate or incomplete (Art. 16 GDPR).
- Right to erasure: You may request the controller to erase the personal data concerning you without undue delay (Art. 17 GDPR).
- Right to restriction of processing: You have the right to request the restriction of processing (Art. 18 GDPR).
- Right to data portability: You have the right to receive the personal data concerning you in a machine-readable format (Art. 20 GDPR).