Information on the processing of your personal data when using the whistleblowing system BKMS
1. What information does this document contain for you?
The protection of your personal data and the confidentiality of your identity is very important to thyssenkrupp AG (hereinafter also "we", "us"). Of course, we process personal data only within the framework of the EU General Data Protection Regulation (EU GDPR) and the applicable national data protection regulations (German Federal Data Protection Act). In addition, our encryption and authorization concept ensures a very high level of protection for the data in the whistleblower system - including your identity. We also offer you the option of submitting your information anonymously.
Please read this privacy notice carefully before submitting a report.
2. Who is Controller for data processing and who is the data protection officer?
thyssenkrupp Alley 1
45143 Essen, Germany
Phone: +49 201 844-0
You can reach the data protection officer of the data controller at:
3. Use of the whistleblower portal
Communication between your computer and the whistleblower system takes place via an encrypted connection (SSL). The IP address of your computer is not stored during the use of the whistleblower portal. To maintain the connection between your computer and the BKMS® Compliance System, a cookie is stored on your computer that only contains the session ID (so-called zero cookie). The cookie is only valid until the end of your session and becomes invalid when you close the browser.
You have the option of setting up a protected mailbox in the whistleblower system with a pseudonym/user name and password of your own choosing. In this way, you can send further information to the employee responsible for processing your report by name or anonymously and answer any queries. All data transmitted via the mailbox is encrypted and stored exclusively in the whistleblower system - and is thus particularly secure; it is not an ordinary e-mail communication.
4. What categories of data do we process and where do they come from?
The use of the whistleblower system is on a voluntary basis. If you submit a report via the whistleblower system, we initially only collect the personal data that you submit to us. These are usually:
- Your name, if you disclose your identity,
- whether you are employed by thyssenkrupp and in which area,
- other personal data resulting from your notification, and
- where applicable, the names and other personal data of the persons you name in your notification.
In the event that further personal data are collected in the course of the investigation carried out in response to your report, these data may also be processed via the whistleblowing system.
5. For what purposes and on what legal basis is data processed?
The whistleblower system (BKMS® Compliance System) is used to receive, process and manage information about certain compliance violations against legal regulations and internal company rules from employees, customers, suppliers and other third parties in a secure and confidential manner.
The processing of personal data within the framework of the BKMS® Compliance System is carried out in accordance with Art. 6 para. 1 sentence 1 lit. f EU GDPR on the basis of a legitimate interest of thyssenkrupp AG in the detection and prevention of legal violations and wrongdoing. There is a legitimate interest in the detection and prevention of legal violations and malpractices because, in addition to considerable economic damage, these can also lead to a major loss of reputation.
6. Who gets your data?
The whistleblower system is operated by a company specializing in this area, Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, according to instructions from thyssenkrupp AG.
Personal data and information entered into the whistleblower system are stored in a database operated by Business Keeper GmbH in a high-security data center. Only thyssenkrupp AG is able to decrypt and view the data. Neither Business Keeper GmbH nor other third parties have access to interpretable data. This is guaranteed in the certified process by comprehensive technical and organizational measures. All data is encrypted and stored with multi-level password protection so that access is restricted to a very narrow circle of recipients of expressly authorized persons at thyssenkrupp AG.
In the course of processing a report or in the course of a special investigation it may be necessary to transfer information to other employees of thyssenkrupp AG or employees of other Group Companies.
7. How long will your data be stored?
Personal data will be stored for as long as is necessary for the clarification and final assessment of the information or if there is a justified interest of the company or if this is required by law. After completion of the tip processing, this data is deleted in accordance with the legal requirements.
8. Are you obliged to provide your data?
Use of the whistleblower system is on a voluntary basis.
9. Will your data be transferred to a third country (outside the EU/EEA)?
As a rule, no personal data is transferred to countries outside the EU. When processing a report or in the context of a special investigation, it may be necessary to pass on information to employees of other Group companies. Those may also be based in countries outside the European Union or the European Economic Area, which may have different regulations on the protection of personal data. We always ensure that the relevant data protection regulations are complied with when passing on information.
10. Confidential treatment of information
Incoming information is received by a narrow circle of expressly authorized and specially trained employees of the Investigation department of thyssenkrupp AG and is always treated confidentially. The employees of the Investigation department examine the facts and, if necessary, carry out further case-related clarification of the facts.In the course of processing a report or as part of a special investigation it may be necessary to pass on information to other employees of thyssenkrupp AG or employees of other Group companies.
Any person who has access to the data is bound to confidentiality.
11. Information of the accused person
We are generally required by law to inform the accused person that we have received a report about them as soon as this information no longer jeopardizes the follow-up of the report. thyssenkrupp and the Legal & Compliance Group Function protect the interests of whistleblowers not only by setting up this secure whistleblowing system but also by promising to treat incoming tips and the identity of the whistleblower confidentially.
12. Notes on sending attachments
When submitting a report or sending a supplement, you have the option of sending document attachments to the employees responsible for processing your report. If you wish to remain anonymous, please note the following security advice:
Files may contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you cannot remove this data or you are unsure, copy the text of your attachment to your message text or send the printed document anonymously to the address listed in the footer, quoting the reference number you receive at the end of the message process.
13. What data protection rights can you assert as a data subject?
You have the right to request information about the data stored about you. In addition, you may, under certain conditions, request the correction or deletion of your data. You also have the right to restrict the processing of your data and the right to data portability.
Right of withdrawal:
You can revoke any consent you may have given for the processing of your personal data at any time with effect for the future without any disadvantages for your employment relationship. Please note that the revocation has no effect on the lawfulness of the previous data processing and that it does not extend to such data processing for which there is a legal reason for permission and which may therefore also be processed without your consent.
Right to object:
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) lit. f EU GDPR, you have the right to object to the processing of your personal data at any time, provided that there are grounds for doing so that arise from your particular situation.
Please contact our data protection officer to exercise these rights:
You can reach the data protection officer at the contact details given above.
14. Right of appeal to a supervisory authority
You also have the possibility to lodge a complaint with a data protection supervisory authority (cf. Art. 77 EU GDPR). The right of appeal is without prejudice to any other administrative or judicial remedy.
Status: January 2021