Data protection policy
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (“GDPR”) as well as current national data protection regulations. Please read this data protection information carefully before submitting a report.
Purpose of the whistleblowing system and legal basis
The ZF whistleblowing system (BKMS® System) serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations that fall within the material scope of the EU Whistleblowing Directive (2019/1937) or the German Whistleblower Protection Act (hereinafter referred to as “Whistleblower Protection Act”).
The processing of personal data in the BKMS® System is based on sections 10 and 13 of the Whistleblower Protection Act. Detecting relevant misconduct moreover represents a legitimate interest of ZF according to Art. 6 (1) (f) GDPR.
If you submit a report via the telephone function (answering machine), the processing of your voice recording is based on your consent (Art. 6 (1) (a) GDPR), which you give voluntarily by leaving a message on our answering machine. If you do not want us to process your voice recording, please do not use the answering machine. Instead, you may use the electronic postbox of our whistleblower system, which supports anonymous reporting if desired. For information on how you can withdraw your consent after you have left a voice message, please see the description of your rights below.
Any abuse or misuse of the whistleblowing system, e.g. by maliciously submitting false statements against others, can result in disciplinary measures and/or legal prosecution.
Data controller
The party responsible for data protection in the whistleblowing system is ZF Friedrichshafen AG. ZF Friedrichshafen AG can be contacted either via postal mail at Löwentaler Str. 20, Corporate Compliance, 88046 Friedrichshafen, Germany, electronically at compliance@zf.com, or by telephone at +49 7541 77-0.
The reporting system is operated by a specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of ZF Friedrichshafen AG.
Personal data and information entered into the reporting system are stored in a database operated by EQS Group GmbH in a high-security data centre. Only ZF Friedrichshafen AG has access to the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures (further details at https://www.eqs.bkms-system.com/en/).
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons.
ZF Friedrichshafen AG has appointed a data protection officer (DPO), who can be contacted via postal mail at ZF Friedrichshafen AG, Data Protection Officer, Löwentaler Str. 20, 88046 Friedrichshafen, Germany, or electronically at datenschutz@zf.com.
Type of the collected personal data
Use of the reporting system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information that you choose to provide:
- your name, if you choose to reveal your identity,
- your observations and information contained in your report, and
- your voice recording, if you choose to leave a voice message on the whistleblowing system’s answering machine.
Confidential handling of reports, recipients of data and international data transfers
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the Compliance organization of ZF Friedrichshafen AG and are handled confidentially subject to applicable laws. The employees of the Compliance organization will assess the matter and make a decision on the next steps to be taken in order to protect the company.
During the processing of a report or the conduction of a special investigation, it may become necessary to share your personal data with additional employees of ZF Friedrichshafen AG or employees of other ZF Group companies, e.g. if the report refers to incidents in subsidiaries or if the subject of the reported matter relates to a different department, in which case the investigation and reporting may be handled by such other department(s) within the ZF Group. It may also become necessary to share your personal data with external service providers (as e.g. lawyers, auditors, etc.) or with public officials (as e.g. prosecutors, judges, etc.) in order to protect the ZF Group. This may include sharing of your personal data to employees of ZF Group or other third parties in countries outside the European Union or the European Economic Area.
We always ensure that the applicable data protection regulations are complied with when sharing reports and that said reports are only transferred to countries that have adequate data protection standards as per the European Commission's specifications. Alternatively, the reports will only be transferred after implementation of appropriate safeguards to adequately protect personal data and secure that such data transfers are in compliance with applicable data protection laws. ZF Group has implemented agreements based on EU model clauses to cover international data transfers. A copy of these agreements can be obtained by contacting the ZF DPO.
In any case, access to your personal data will only be granted on a strict need-to-know basis and with due regard to applicable rules of the Whistleblower Protection Act.
Information of the accused person
As a basic principle, we are bound by law to inform the accused persons that we have received a report concerning them (including information from which source it comes from), unless this threatens further investigations into the report, i.e. where there is substantial risk that such notification would render the investigation impossible or seriously impair the achievement of its objectives, notification to the accused person may be delayed as long as such risk exists. The same applies to notifications of other persons named in your report.
When making the notifications, we keep your identity confidential subject to applicable laws. Incorrect reports due to intent or gross negligence are not protected by the Whistleblower Protection Act and are explicitly exempted from its confidentiality rules where applicable.
Your Rights
Subject to applicable data protection laws, you can exercise the following rights:
- Right of access to your personal data
- Right to rectify your personal data
- Right to erase your personal data
- Right to restrict the processing of your personal data
- Right to data portability of your personal data
- Right to object to the processing of your personal data
These rights can be exercised at any time by contacting the ZF Corporate Compliance department or the ZF DPO. In addition, you have the right to lodge a complaint with the responsible data protection supervisory authority.
If you have submitted your report via our telephone function (answering machine), you can withdraw your consent for the processing of your voice recording at any time by contacting the ZF Corporate Compliance department via e-mail at compliance@zf.com or by telephone at +49 7541 / 77-0. The legality of the processing of your voice recording carried out before the withdrawal of your consent is not affected by such withdrawal.
Retention period of personal data
Reports including personal data are retained for 3 years after closure of the proceeding. If you have submitted your report via our telephone function, this also applies to your voice recording, unless your voice recording is deleted upon withdrawal of your consent.
Reports found to be unsubstantiated and outside the relevant scope will be deleted without undue delay.
Use of the reporting portal
Communication between the computer used to submit a whistleblower report and the reporting system takes place over an encrypted connection (SSL). The IP address will not be stored during the use of the reporting system. In order to maintain the connection between the whistleblower's computer and the BKMS® System, a cookie is stored on the computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of the session and expires once the browser is closed.
It is possible to set up a postbox within the reporting system that is secured with an individually chosen pseudonym / user name and password. This allows to send reports to the responsible employee of the ZF Corporate Compliance team either by name or in an anonymous, safe way. This system only stores data inside the reporting system, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, it is possible to simultaneously send attachments to the responsible employee of the ZF Corporate Compliance team. Before submitting an anonymous report, it should be paid attention to the following security advice: Files can contain hidden personal data that could compromise the whistleblower's anonymity. This data should be removed before sending. If manually removing the data is not feasible, we recommend to copy the text of the attachment into the whistleblower report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.