BKMS System
BOSCH Group, Compliance
Cookies are disabled in your browser.
Please enable cookies to use the BKMS® System.
For more information about cookies, please click here.

The compliance topic is one that concerns all associates, as everyone is affected – directly or indirectly – by violations: on the one hand, violations of the law may lead to criminal prosecution, depending on the seriousness of the case. On the other hand, violations of the compliance principle harm the company both in material terms and in terms of the Bosch Group’s public image. The result is a deterioration in the company’s business efficiency, and thus in its profit.

Compliance also relates to business relations between Bosch and third parties: Bosch does not want to be involved in other parties’ violations of the compliance requirement.

Apart from supervisors, it is up to every Bosch associate and every Bosch business partner to report any possible violations of the compliance requirement, and in this way to help limit the consequences of such violations and prevent similar misconduct happening in the future.

For notifications of data protection issues

  • notification of data protection incidents
  • submission of a data subject request

please use following link.

If you would like to send your first report, please click here:
If you have already set up a postbox, you may login here:
Information for telephone submission:
  • What is the process for submitting a report? How do I set up a postbox?

    To submit an anonymous or personalized report, start by clicking the "Submit report" button located on the top left of our introduction page.

    There are 4 steps to the reporting process:

    1. First, you will be asked to read information on the protection of your anonymity and to respond to a security query.
    2. On the following page, you will be asked to categorize your report.
    3. On the report page, you can elaborate on your report in your own words and answer questions about the incident by simply selecting responses. You can type up to 4,096 characters into the free text field, which corresponds to a full page. You may also submit a file of up to 5MB to support your report. Please note that documents may contain information about the author. Following the submission of your report, you will receive a reference number as confirmation that you have filed this report.
    4. Please subsequently set up your own secured postbox. Via this postbox you will receive feedback, answer questions and will be informed about the progress of your report.

    If you already have a secured postbox, you can access it directly via the "Login" button. First, you will have to answer a security question.

    As long as you do not enter any data which can identify you, the technology of the BKMS® System will protect your anonymity.

  • How do I receive feedback and remain anonymous at the same time?

    The overriding principle of the BKMS® procedure in use is the protection of the whistleblower. The system’s anonymity protection function is certified by an independent body.

    When setting up your secured postbox, please select your own user name and password. Your report is kept anonymous through encryption and other special security procedures. You will never be asked for personal information at any time during the reporting process. Do not submit any information that can be traced back to you.

    Via the secured postbox, an investigator will provide you with feedback on what is happening with your information or may pose questions if details need to be clarified - you will also remain anonymous during the dialogue. We are interested in reports to avoid damages, not in you as a whistleblower.

  • Data Protection Notice

    Bosch respects your privacy

    The protection of your privacy throughout the course of processing personally identifiable information, like the security of all business data, is a very important concern for us that we take into consideration in all of our business processes. We process personal data, when you report a violation of the compliance requirement ("compliance report"), confidentially and only in accordance with statutory regulations.


    The controller as defined by the European General Data Protection Regulation ("GDPR") for the BKMS® System used for your compliance report (available at https://www.bkms-system.net/bkwebanon/report/clientInfo?cin=18RB2) is Robert Bosch GmbH, Post Office Box 10 60 50, 70049 Stuttgart as the parent company (hereinafter referred to as "Robert Bosch GmbH", "Bosch", "we" or "us").

    Our contact details are:

      • Robert Bosch GmbH
      • Department Corporate Compliance Management (C/CM)
      • Post Office Box 10 60 50
      • 70049 Stuttgart
      • GERMANY
      • Email: Compliance.Management@de.bosch.com

    Processing of personal data

    The term personal data means all information related to an identified or identifiable natural person, thus – for example – names, addresses, telephone numbers, e-mail addresses, contractual master data, contract accounting and payment data, insofar as this is an expression of a natural person's identity.

    We process personal data only when there is either a statutory legal basis to do so or you have given your consent to the processing of personal data.

    Processed categories of data

    The use of the BKMS® System for a compliance report is voluntary. When you use the system, we will ask you to provide data related to the following data categories:

    • Communication data (e.g. name, telephone, email, address)
    • Employee data of Bosch employees and
    • Where applicable, names of persons and other personal data relating to the persons you name in your notification

    If you answer all the questions asked in the context of the compliance report completely, this will help us to process your report. If you provide incomplete data, we might not be able to process your report or might be able to process it only with delay.

    Purposes of processing and legal bases

    The aim of the BKMS® System is to provide a communication channel for your compliance report and to ensure that your report is handled by Robert Bosch GmbH in accordance with the processes of the Compliance Management System as implementation of the requirements of company law and of the German Regulatory Offences Act (OWiG).

    Your personal data is processed for the following purposes, in particular:

    • Compliance report: Indications and tracking of reports concerning a potential violation of the compliance requirement. You can report such violations to the responsible Bosch department using your name or anonymously and securely via the BKMS® System.

      Legal basis: Legitimate interest of Robert Bosch GmbH to prosecute criminal offences, to enforce civil claims, for the further progress or the termination of an employment relationship or rather to detect criminal offences related to the employment relationship and to avoid violations of requirements of OWiG (Article 6 (1) f) GDPR , Section 24 (1) German Data Protection Act (BDSG); Article 88 GDPR, Section 26 (1) BDSG and Sections 30, 130 (OWiG).

    • Compliance management: Central administration and allocation of group-wide compliance issues.

      Legal basis: Legitimate interest of Robert Bosch GmbH in obtaining a central overview of compliance reports as part of the governance function (Article 6 (1) f) GDPR) and for exercising and defending our rights.

    Storage of log files/use of cookies

    In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that contains only the session ID (a session cookie). This cookie is valid only until the end of your session and will be invalid when you close your browser.

    It is possible to set up a postbox for further communication within the BKMS® System that is secured with an individually chosen pseudonym/user name and password after making the compliance report.

    Transfer of data to Bosch employees, to potentially suspected persons and to other controllers

    When processing a compliance report, it is necessary to share the report in whole or in part with the Robert Bosch GmbH employees responsible for working on it or employees of those subsidiaries that are affected by the report. Your information is made available only to those employees who need to have it in order to handle your report.

    If you provide your identity in the compliance report, we are due to GDPR obliged to inform potentially suspected persons about your identity as source of the personal data received (Article 14 (3) a) GDPR). If there is a serious risk that providing this information would jeopardize our ability to conduct an effective investigation of the allegation or to collect necessary evidence, the needed information of the suspected person can be postponed as long as that risk exists (Article 14 (5) b) GDPR).

    Your personal data shall only be transferred to other controllers to the extent this is necessary to satisfy further legal obligations.

    In addition, data can be transferred to other controllers (e.g. authorities) if we should be required to do so due to statutory regulations or enforceable orders issued by authorities or courts.

    Service provider (general)

    Robert Bosch GmbH has commissioned the company Business Keeper AG, Bayreuther Str. 35, 10789 Berlin (the "Service Provider") to operate the system for compliance reports on behalf of Robert Bosch GmbH; the data entered into this system are stored in a database operated by Business Keeper AG in a high-security data center located in the European Union.

    Robert Bosch GmbH has selected the Service Provider with care and monitors it on a regular basis, particularly its careful handling and securing of the data it stores. Only selected Bosch employees have access to the data (see above "Transfer of data to Bosch employees and to other controllers"). The Service Provider has no access to the data. This is ensured by a certified procedure utilizing extensive technical and organizational measures.

    Robert Bosch GmbH has imposed an obligation on the Service Provider to keep the data confidential and to comply with the statutory regulations.

    Transfer to recipients outside the EU and/or the EEA

    We can transfer personal data also to Bosch legal entities or authorities located outside the European Union or the European Economic Area in third countries. In such cases, we make sure prior to the transfer either that the data recipient provides an appropriate level of data protection (e.g. due to a adequacy decision by the European Commission for the respective country or due to an agreement on EU standard data protection clauses with the recipient) or that you have consented to the transfer.

    You can obtain a list of the recipients in third countries and a copy of the specifically agreed provisions securing the appropriate level of data protection from us. To request a list, please use the statements made in the Contact section.

    Duration of storage; retention periods

    In principle, we store your data for as long as necessary in order to investigate the compliance incident that is subject of your report.

    After completing all work relating to the compliance report, we delete your personal data, except for the data that must be stored and processed further so that we can exercise and defend our rights.

    When we delete personal data that we store and process further so that we can exercise and defend our rights depends on the end of the maximum limitation period for regulatory offences and criminal offences or rather for enforcement of civil claims (Sections 31 (2), 33 (3) OWiG, Sections 78 (3), 78c (3) StGB, Sections 195 et seq. German Civil Code (BGB)).


    Our employees and our service providers have an obligation to keep our dealings confidential and to comply with the applicable data protection regulations.

    Any incoming reports are received by a small selection of explicitly authorized and especially trained Bosch employees and are always handled confidentially. The Bosch employees examine the facts and perform any further investigation required by the specific case.

    All of these persons who are given access to the data are required to maintain confidentiality.

    We implement all necessary technical and organizational measures to warrant an appropriate level of security and to protect your data that are administrated by us especially against the risks of unintended or unlawful destruction, manipulation, loss, change or unauthorized disclosure or unauthorized access. Our security measures are regularly improved in accordance with technological developments. The communication between your computer and the BKMS® System for the report of a violation of the compliance requirement takes place via an encrypted connection (TLS).

    Right to information and access

    You have the right to obtain information from us about whether or not your data is being processed and, if this is the case, to access your personal information that we process.

    Right of rectification and erasure/deletion

    You can demand that we rectify inaccurate data and complete or erase your data if the statutory requirements are met. This does not apply to any data required for payroll and accounting purposes or subject to a statutory retention duty. If access to such data is not required, however, the processing of such data is restricted (see below).

    Restriction of processing

    You can demand that we restrict the processing of your data if the statutory requirements are met.

    Objection to data processing

    In addition, you have the right to object to the data processing by us at any time, on grounds relating on your particular situation, as long as this processing is carried out on the legal basis of "legitimate interest". We will then terminate the processing of your data unless we are able – in accordance with the statutory requirements – to demonstrate compelling legitimate grounds for further processing which override your rights or for the establishment, exercise or defense of legal claims (Article 21 GDPR).

    Right to lodge complaint with supervisory authority

    You have the right to lodge a complaint with a data protection authority. In this context, you may approach the data protection authority competent for your place of residence or your German state or the data protection authority competent for us. The latter is:

      • Der Landesbeauftragte für Datenschutz und Informationsfreiheit

      • Street address:
        Königstrasse 10a
        70173 Stuttgart

      • Postal address:
        Post Office Box 10 29 32
        70025 Stuttgart

    Changes to the Data Protection Notice

    We reserve the right to change our security and data protection measures. In such cases, we will also adjust our information on data protection notice accordingly. Therefore, please take note of the latest version of our data protection notice, as this is subject to changes.


    You can contact us at the address provided in the "Controller" section.

    To assert your rights and to report data protection incidents, use the following link: https://www.bkms-system.net/bosch-datenschutz

    If you have any suggestions or complaints regarding the processing of your personal data, we recommend that you contact our data protection officer:

      • Data Protection Officer
      • Department Information Security and Privacy (C/ISP)
      • Post Office Box 30 02 20
      • 70442 Stuttgart
      • GERMANY
      • Email: DPO@bosch.com

    Effective date: 25 May 2018