Data protection notices
We take data protection and confidentiality very seriously and comply with the applicable national and European data protection provisions. The key aspects of our data storage policy are explained briefly below.
This page provides information about how we process reports that you have submitted to the whistleblowing system and how we ensure that they are handled confidentially.
Purpose of the data processing, legal basis and confidential report handling
The purposes of the data processing are the handling and further investigation of the reports received through the whistleblowing program, as well as taking any actions that may be required in light of them.
Incoming reports are routed to specially trained employees in Beiersdorf AG's Corporate Auditing and/ or Corporate Compliance Management departments and are always handled confidentially. These employees examine the case, investigate it further and, in the event of reasonable suspicion, can pass it on to the appropriate criminal prosecution authority or internal department (e.g., to the Executive Board in material cases or to Human Resources in order to initiate sanctions against the person or persons accused). Reports relating to the data protection, tax, customs, securities trading/ insider trading, and discrimination/ harassment categories will be passed on to the relevant in-house department for examination and investigation.
When investigating the report, it may be necessary to provide the reports to other Beiersdorf AG employees or employees of other Beiersdorf AG group companies (e.g., if the reports relate to events at Beiersdorf AG subsidiaries). Group companies may be based in countries outside the European Union or the European Economic Area that have different rules on protecting personal data. In this case, we ensure that the data is transferred in line with the applicable data protection regulations. Depending on the data's destination in the case in question, we agree standard data protection clauses, apply binding internal data protection rules, or transfer data only to companies that are EU-U.S. Privacy Shield-certified or that are located in countries for which the European Commission has issued an adequacy decision. In addition, we always comply with the relevant data protection laws when processing reports. We are permitted to process the personal data contained in the reports because we have a legitimate interest in investigating, sanctioning, and preventing misconduct within the company (Art. 6, para. 1f GDPR, among other things) and because processing is necessary for compliance with our legal obligations (Art. 6, para. 1c GDPR, among other things) or to assert or defend legal claims.
You have nothing to fear if you use the whistleblowing system in good faith. In the event of misuse, e.g., if a whistleblower were to deliberately submit a false report with the aim of discrediting someone, we reserve the right to take action against him/ her.
Notification of the person accused
As a matter of principle, we are bound by law to inform the person or persons accused that we have received a report on them, unless this endangers further investigations into the report. Your identity as whistleblower will not be revealed as far as is legally possible.
Using the whistleblowing system
Communication between your computer and the whistleblowing system uses an encrypted connection (SSL). Your computer's IP address is not stored when you use the system. A cookie is stored on your computer to maintain the connection between it and the BKMS® system. This cookie only contains the session ID and is only valid until the end of your session, i.e., it becomes invalid when you log out or close your browser.
However, please note that accessing the whistleblowing system may leave traces on your computer. If you use a company computer to access the system, you should consider deleting the temporary data (cache) and your browser history afterwards. If your browser offers a "private mode", you should use this for preference, as it saves you having to make deletions manually.
You can also set up a secure postbox with a pseudonym/ username and password of your choice. This allows you to send reports to your Beiersdorf AG case manager anonymously and safely. This system only saves data in the whistleblowing system and specially protects it in the process; it is not comparable to standard e-mail communication.
You can also send attachments to your Beiersdorf AG case manager when submitting reports or sending additional information. If you would like to submit your report anonymously, please note the following safety advice: Files may contain hidden personal information that could jeopardize your anonymity. Please remove all such information before sending any file. If you are unable to remove the information or are unsure how to do this, please copy the text or submit a printed copy of the document anonymously to the case manager using the reference number provided at the end of the reporting process (see footnote).
Your rights regarding processing of your personal data
Under German and any applicable European data protection law, you have the right to information and – where the relevant preconditions are met – to access, rectify or erase your personal data and to restrict its processing, as well as the right to data portability, where applicable. You can revoke your consent to your data being stored at any time for reasons relating to your specific situation. In this case, we will immediately examine the extent to which a report still has to be investigated. Your data will not be processed anymore, unless this is compulsory and there are legitimate reasons for doing so.
In addition, you have the right to file a complaint with the supervisory authority responsible.
We store reports for as long as they are required for prosecution/ for as long as we have a legitimate interest in their storage, or until we come to the conclusion that the report is unfounded. After this, reports are deleted or anonymized, e.g., references to your identity as the whistleblower and to the person accused are irretrievably and irreversibly erased.
Responsible departments and data security
The department responsible for the data protection within the whistleblowing system is Beiersdorf AG's Corporate Compliance Management department, Unnastr. 48, 20245 Hamburg, Germany. It is represented by the Executive Board. You can contact our data protection officer at the above-mentioned address or via firstname.lastname@example.org. The whistleblowing system is operated in Beiersdorf AG's name and on its behalf by a German company that specializes in this area, Business Keeper AG, Bayreuther Str. 35, 10789 Berlin, Germany. In this capacity, it acts as a service provider on the instructions of the data controller within the meaning of the GDPR. The data in the whistleblowing system is stored using comprehensive technical and organizational measures. It is specially encrypted in such a way that Business Keeper AG cannot view it and only specified persons at Beiersdorf AG have access to it.