The whistleblowing portal serves to recognise and avoid significant risks to the Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in Munich (hereinafter referred to as “Munich Re”). For this reason, the portal receives and processes information regarding legal infringements securely and confidentially, especially those related to financial crime (e.g. corruption, money laundering), antitrust and insurance supervisory law, market abuse, data protection, or serious breaches of related internal rules. Use of the whistleblowing portal is voluntary.
The whistleblowing portal is operated by Business Keeper AG, Bayreuther Str. 35, 10789 Berlin, Germany on behalf of Munich Re. Communication between your computer and the whistleblower portal is encrypted (TLS). Data entered into the whistleblower system are encrypted, password-protected, and stored in a database operated by Business Keeper, which is located in a high-security data centre in Germany. Business Keeper AG cannot access the data.
Who is responsible for processing the data?
- Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München
- Königinstr. 107
- 80802 Munich
- Phone: +49 (89) 38 91- 22 55
- Fax: +49 (89) 39 91 7 22 55
- E-mail: email@example.com
Please contact Munich Re’s Data Protection Officer if you have any questions about this notice. The Officer can be contacted via post addressed to the “Data Protection Officer” at the address above, or via e-mail at firstname.lastname@example.org.
What categories of data do we use, and where does the data come from?
Use of the whistleblowing portal is voluntary. We collect the following personal data and information, when you submit a report:
- Your name, if you choose to provide it
- Whether you are employed at Munich Re
- The names and other personal data of persons you name in your report.
Your computer’s IP address is not recorded during or after use of the whistleblowing portal. In order to maintain the connection between your computer and the BKMS® system, a null cookie is stored on your computer, which contains only the session ID. The cookie is valid only until the end of your session and becomes invalid when you close your browser. Nonetheless, traces of your visit to the whistleblowing portal may be left on your computer. Therefore, if you visit the whistleblowing portal from a company computer, you should consider deleting in particular the temporary data (cache) in your browser.
You have the option to set up a secure mailbox in the whistleblowing portal using a pseudonym/user name and password, which you can select yourself. This way you can exchange messages and files anonymously and securely with the person responsible in the Munich Re compliance department. This system of communication is not like normal e-mail exchange; the data is only saved in the whistleblowing portal and is therefore specially protected.
For what purposes and on what legal basis do we process your data?
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR) and all other applicable laws (e.g. the German Federal Data Protection Act).
Munich Re will process personal data confidentially, such as names and other data related to the communication and its content, and for the sole purpose of receiving and processing the abovementioned information securely and confidentially. In so far as your consent to process your personal data is required, it provides the legal basis in accordance with Article 6(1)(a) of the GDPR. In all other cases, processing within the meaning of Article 6(1)(f) of the GDPR serves to protect the overriding legitimate interests of Munich Re, the investigation of legal infringements and serious breaches of internal regulations, as well as the protection of Munich Re (Group) and its employees from potential related damages.
Will data be passed on?
When you share your name in the whistleblowing portal, we ensure your identity as the whistleblower is treated confidentially.
Only a very limited number of expressly authorised persons from within Munich Re’s compliance department have access to the data you provide. Depending on the report’s content, certain expressly authorised persons from within the internal audit department, with the Data Protection Officer and individually authorised persons in subsidiary companies may receive access to the data on a case-by-case basis, if it is necessary to process a particular information. If these subsidiaries are headquartered in countries outside of the European Union or the European Economic Area, an adequate level of data protection will be ensured through binding company internal regulations on data protection. Each person with access to the data is obliged to treat it confidentially.
Investigations of information reported are highly confidential. Principally, your name or any circumstances which could expose your identity as whistleblower are not revealed. However, in certain exceptional cases, we may be required to provide your name, e.g. as required by law.
If an initial suspicion is confirmed, the information may be passed on to another internal department to initiate sanctions, or to a governmental law enforcement authority.
Information of the subject(s) affected by the whistleblowing
In certain cases we are legally obliged to inform those affected that we have received information about them. This can only be done once the act of informing them no longer jeopardises the investigation of the information received. No direct or indirect information about the identity of the whistleblower, in so far as permitted by law, is revealed in the process.
How long will your data be stored?
We store personal data related to the information for as long as it is required for the investigation or for as long as we are required by law. Following this period, information received is either deleted or anonymized, i.e. any reference to your identity as the whistleblower is finally and irreversibly erased.
What rights do users of the whistleblowing portal have?
In addition to your right to object, you have a right to information, a right to rectify or erase data under certain conditions, as well as a right to restrict data processing. Upon request, we will make the data that you provided available in a structured, accessible and machine-readable format. Please contact the aforementioned address to exercise these rights.
Right to object
If we process your data for the purposes of protecting our legitimate interests, you may object to this processing if your particular situation precludes the processing of your data. In such case we would stop the processing, unless we have overriding legitimate interests. In case you have given consent, you have the right to withdraw your consent without disadvantages at a later stage.
You may contact the aforementioned Data Protection Officer or the data protection authorities. The authority responsible for us is:
- Bayerisches Landesamt für Datenschutzaufsicht
- Promenade 27
- 91522 Ansbach
- Phone: +49 (0) 981 53 1300
- E-mail: email@example.com
- Internet: https://www.lda.bayern.de/de/kontakt.html
Information up to date as of November 2018