Bosch respects your privacy
The protection of your privacy throughout the course of processing personally identifiable information, like the security of all business data, is a very important concern for us that we take into consideration in all of our business processes. We process personal data, when you report a violation of the compliance requirement ("compliance report"), confidentially and only in accordance with statutory regulations.
The controller as defined by the European General Data Protection Regulation ("GDPR") for the BKMS® System used for your compliance report (available at https://www.bkms-system.net/bkwebanon/report/clientInfo?cin=18RB2) is Robert Bosch GmbH, Post Office Box 10 60 50, 70049 Stuttgart as the parent company (hereinafter referred to as "Robert Bosch GmbH", "Bosch", "we" or "us").
Our contact details are:
- Robert Bosch GmbH
- Department Corporate Compliance Management (C/CM)
- Post Office Box 10 60 50
- 70049 Stuttgart
- Email: Compliance.Management@de.bosch.com
Processing of personal data
The term personal data means all information related to an identified or identifiable natural person, thus – for example – names, addresses, telephone numbers, e-mail addresses, contractual master data, contract accounting and payment data, insofar as this is an expression of a natural person's identity.
We process personal data only when there is either a statutory legal basis to do so or you have given your consent to the processing of personal data.
Processed categories of data
The use of the BKMS® System for a compliance report is voluntary. When you use the system, we will ask you to provide data related to the following data categories:
- Communication data (e.g. name, telephone, email, address)
- Employee data of Bosch employees and
- Where applicable, names of persons and other personal data relating to the persons you name in your notification
If you answer all the questions asked in the context of the compliance report completely, this will help us to process your report. If you provide incomplete data, we might not be able to process your report or might be able to process it only with delay.
Purposes of processing and legal bases
The aim of the BKMS® System is to provide a communication channel for your compliance report and to ensure that your report is handled by Robert Bosch GmbH in accordance with the processes of the Compliance Management System as implementation of the requirements of company law and of the German Regulatory Offences Act (OWiG).
Your personal data is processed for the following purposes, in particular:
Compliance report: Indications and tracking of reports concerning a potential violation of the compliance requirement. You can report such violations to the responsible Bosch department using your name or anonymously and securely via the BKMS® System.
Legal basis: Legitimate interest of Robert Bosch GmbH to prosecute criminal offences, to enforce civil claims, for the further progress or the termination of an employment relationship or rather to detect criminal offences related to the employment relationship and to avoid violations of requirements of OWiG (Article 6 (1) f) GDPR , Section 24 (1) German Data Protection Act (BDSG); Article 88 GDPR, Section 26 (1) BDSG and Sections 30, 130 (OWiG).
Compliance management: Central administration and allocation of group-wide compliance issues.
Legal basis: Legitimate interest of Robert Bosch GmbH in obtaining a central overview of compliance reports as part of the governance function (Article 6 (1) f) GDPR) and for exercising and defending our rights.
In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that contains only the session ID (a session cookie). This cookie is valid only until the end of your session and will be invalid when you close your browser.
It is possible to set up a postbox for further communication within the BKMS® System that is secured with an individually chosen pseudonym/user name and password after making the compliance report.
Transfer of data to Bosch employees, to potentially suspected persons and to other controllers
When processing a compliance report, it is necessary to share the report in whole or in part with the Robert Bosch GmbH employees responsible for working on it or employees of those subsidiaries that are affected by the report. Your information is made available only to those employees who need to have it in order to handle your report.
If you provide your identity in the compliance report, we are due to GDPR obliged to inform potentially suspected persons about your identity as source of the personal data received (Article 14 (3) a) GDPR). If there is a serious risk that providing this information would jeopardize our ability to conduct an effective investigation of the allegation or to collect necessary evidence, the needed information of the suspected person can be postponed as long as that risk exists (Article 14 (5) b) GDPR).
Your personal data shall only be transferred to other controllers to the extent this is necessary to satisfy further legal obligations.
In addition, data can be transferred to other controllers (e.g. authorities) if we should be required to do so due to statutory regulations or enforceable orders issued by authorities or courts.
Service provider (general)
Robert Bosch GmbH has commissioned the company Business Keeper AG, Bayreuther Str. 35, 10789 Berlin (the "Service Provider") to operate the system for compliance reports on behalf of Robert Bosch GmbH; the data entered into this system are stored in a database operated by Business Keeper AG in a high-security data center located in the European Union.
Robert Bosch GmbH has selected the Service Provider with care and monitors it on a regular basis, particularly its careful handling and securing of the data it stores. Only selected Bosch employees have access to the data (see above "Transfer of data to Bosch employees and to other controllers"). The Service Provider has no access to the data. This is ensured by a certified procedure utilizing extensive technical and organizational measures.
Robert Bosch GmbH has imposed an obligation on the Service Provider to keep the data confidential and to comply with the statutory regulations.
Transfer to recipients outside the EU and/or the EEA
We can transfer personal data also to Bosch legal entities or authorities located outside the European Union or the European Economic Area in third countries. In such cases, we make sure prior to the transfer either that the data recipient provides an appropriate level of data protection (e.g. due to a adequacy decision by the European Commission for the respective country or due to an agreement on EU standard data protection clauses with the recipient) or that you have consented to the transfer.
You can obtain a list of the recipients in third countries and a copy of the specifically agreed provisions securing the appropriate level of data protection from us. To request a list, please use the statements made in the Contact section.
Duration of storage; retention periods
In principle, we store your data for as long as necessary in order to investigate the compliance incident that is subject of your report.
After completing all work relating to the compliance report, we delete your personal data, except for the data that must be stored and processed further so that we can exercise and defend our rights.
When we delete personal data that we store and process further so that we can exercise and defend our rights depends on the end of the maximum limitation period for regulatory offences and criminal offences or rather for enforcement of civil claims (Sections 31 (2), 33 (3) OWiG, Sections 78 (3), 78c (3) StGB, Sections 195 et seq. German Civil Code (BGB)).
Our employees and our service providers have an obligation to keep our dealings confidential and to comply with the applicable data protection regulations.
Any incoming reports are received by a small selection of explicitly authorized and especially trained Bosch employees and are always handled confidentially. The Bosch employees examine the facts and perform any further investigation required by the specific case.
All of these persons who are given access to the data are required to maintain confidentiality.
We implement all necessary technical and organizational measures to warrant an appropriate level of security and to protect your data that are administrated by us especially against the risks of unintended or unlawful destruction, manipulation, loss, change or unauthorized disclosure or unauthorized access. Our security measures are regularly improved in accordance with technological developments. The communication between your computer and the BKMS® System for the report of a violation of the compliance requirement takes place via an encrypted connection (TLS).
Right to information and access
You have the right to obtain information from us about whether or not your data is being processed and, if this is the case, to access your personal information that we process.
Right of rectification and erasure/deletion
You can demand that we rectify inaccurate data and complete or erase your data if the statutory requirements are met. This does not apply to any data required for payroll and accounting purposes or subject to a statutory retention duty. If access to such data is not required, however, the processing of such data is restricted (see below).
Restriction of processing
You can demand that we restrict the processing of your data if the statutory requirements are met.
Objection to data processing
In addition, you have the right to object to the data processing by us at any time, on grounds relating on your particular situation, as long as this processing is carried out on the legal basis of "legitimate interest". We will then terminate the processing of your data unless we are able – in accordance with the statutory requirements – to demonstrate compelling legitimate grounds for further processing which override your rights or for the establishment, exercise or defense of legal claims (Article 21 GDPR).
Right to lodge complaint with supervisory authority
You have the right to lodge a complaint with a data protection authority. In this context, you may approach the data protection authority competent for your place of residence or your German state or the data protection authority competent for us. The latter is:
- Der Landesbeauftragte für Datenschutz und Informationsfreiheit
- Street address:
- Königstrasse 10a
- 70173 Stuttgart
- Postal address:
- Post Office Box 10 29 32
- 70025 Stuttgart
Changes to the Data Protection Notice
We reserve the right to change our security and data protection measures. In such cases, we will also adjust our information on data protection notice accordingly. Therefore, please take note of the latest version of our data protection notice, as this is subject to changes.
You can contact us at the address provided in the "Controller" section.
To assert your rights and to report data protection incidents, use the following link: https://www.bkms-system.net/bosch-datenschutz
If you have any suggestions or complaints regarding the processing of your personal data, we recommend that you contact our data protection officer:
- Data Protection Officer
- Department Information Security and Privacy (C/ISP)
- Post Office Box 30 02 20
- 70442 Stuttgart
- Email: DPO@bosch.com
Effective date: 25 May 2018