Speak up – Information about data protection and consent
Boehringer Ingelheim's1 whistleblower system "Speak up" provides a portal for reporting specific indications of compliance violations. Compliance violations are:
- violations of legal or statutory requirements or
- internal Boehringer Ingelheim policies and procedures, particularly the Code of Conduct and the seven compliance areas Anti-Bribery / Anti-Corruption, Antidiscrimination, Antitrust, Data Protection, Healthcare Compliance, Insider Trading and Export Control & Trade.
Using “Speak up” allows you to report on any of those specific indications of non-compliance and on violations of the Boehringer Ingelheim Code of Conduct.
Please read this policy carefully and contact us should you have any questions (email@example.com). This portal is operated for Boehringer Ingelheim International GmbH, Binger Strasse 173, 55216 Ingelheim am Rhein.
The information you report will be automatically received by:
- the subsidiary of Boehringer Ingelheim located in the country where the incident occurred or to the subsidiary responsible for the country where the incident occurred,
- Compliance Function responsible for the region, and
- Compliance Department within Boehringer Ingelheim International.
Please check http://www.boehringer-ingelheim.com/corporate_profile/annual_report.html where you will find our annual report showing the countries where Boehringer Ingelheim is represented with subsidiaries.
First valuation of the case will be made by the dedicated case examiner in the appropriate subsidiary as mentioned above. Based on the evaluation by the case examiner, the case might be assigned for further handling by the Compliance Function responsible for the region, or to Corporate Compliance within Boehringer Ingelheim International. It may result in the initiation of internal and external investigations conducted by BI resources, external investigation resources working on behalf of Boehringer Ingelheim, or the authorities.
Technical protection of the whistleblower system:
Technical maintenance of the “Speak Up” whistleblower system is performed by Business Keeper AG, an independent operator located in 10789 Berlin, Bayreuther Str. 35 (subsequently "BK AG") acting as commissioned data processor for Boehringer Ingelheim International. The data is provided on protected servers of Telekom Deutschland GmbH in Germany. Only Boehringer Ingelheim is responsible for controlling and processing the content of the reports.
Personal data that is entered in the whistleblower system is stored in a database operated by BK AG in Germany. All data is encrypted, password-protected and stored at a secure location so that access to the content of the data electronically stored in “Speak up” is limited to a narrow circle of authorized persons in the Compliance function of the Boehringer Ingelheim group of companies. BK AG cannot view the content of the data electronically stored in this database.
As long as you do not enter data which makes it possible to draw conclusions about your identity, this whistleblower system protects your anonymity automatically using a certified technical solution which is protected through numerous technical and organizational measures.
Processing and sharing your report within Boehringer Ingelheim:
Depending on your report of the country where the incident took place, the Boehringer Ingelheim dedicated case examiner for this country will receive the information provided by you. These are primarily the responsible members of the Compliance function. Once your report has been received, the dedicated Case Examiner within the Compliance function of the country where the incident occurred creates a case in the case management system. The Case Examiner can add more information on the case in the system and can check whether a further investigation is required. Your report and the opened case can also be accessed by the Compliance function responsible for the region, and by the Compliance function of the company Headquarter, Boehringer Ingelheim International in accordance with applicable data protection / privacy laws.
In case of further investigation, the responsible Case Examiner will assign the case for investigating it locally, or to the regional Compliance function. The regional Compliance function will assess if the case will be investigated on regional level, or if Corporate Compliance has to be involved. The criteria for assignment to local/regional/corporate Compliance are defined in the Boehringer Ingelheim “Speak up procedure” and include – but are not limited to – the level of management involvement, the potential financial damage and the potential reputational damage.
An investigation can be conducted by internal or external investigation specialists. External specialists such as attorneys, auditors or forensic experts whom we engage are bound to Boehringer Ingelheim by contractual or legal confidentiality and data protection / privacy obligations to keep confidential the information provided by you and comply with applicable data protection / privacy laws.
The information in your report may also be given to the management responsible within Boehringer Ingelheim group, which also has to correct the shortcomings and implement corrective measures that may have been discovered during processing of the report. More, information of your report might be shared in established local, regional or corporate Investigation Committees representing typically HR, Compliance, Internal Audit, Legal and Business functions. Management of the function where the incident occurred might also join respective committee meetings.
If the content of your report does not fall under any of the specific compliance categories, we will forward your report to the responsible Boehringer Ingelheim department provided we deem this to be necessary and appropriate. The general rule, however, is that “Speak up” is only used to record reports related to the report categories listed.
Please let us know if you do not want us to share your personal data, particularly your name, with persons outside the Boehringer Ingelheim Compliance Department (unless this is necessary for safeguarding the legitimate interests of Boehringer Ingelheim). Please note, however, that, as a consequence, we may not be able to give full consideration to your report.
Access of government agencies:
Boehringer Ingelheim may also be required by law to provide certain government agencies, including, without limitation, government investigative agencies or courts with information about compliance violations. If we are obligated to provide information, as well as in the event of confiscations, we are not able to withhold the information provided by you.
In some instances, Boehringer Ingelheim is not obligated to share personal data with government agencies, but has the legal right to do so voluntarily.
Please let us know if you do not want us to voluntarily share your personal data, including, without limitation, your name, with government agencies (unless this is necessary to safeguard the legitimate interests of Boehringer Ingelheim). Please note, however, that, as a consequence, we may not be able to give full consideration to your report.
Sharing information with other countries:
Personal information that you may have provided in your report, might automatically be transferred (based on your report of the country where the incident occurred) to other EU/EEA countries or countries outside the EU/EEA where the confidential treatment of personal data is not guaranteed by law to the same extent as it is in Germany. This applies particularly to countries which are not considered to have an adequate level of data protection as provided for in the EU/EEA provisions. Within Boehringer Ingelheim group, however, an adequate level of data protection is guaranteed through binding internal data protection guidelines and the Boehringer Ingelheim Group Data Transfer Agreement, also in countries other than Germany and outside the EU/EEA.
Notification of affected parties:
It is frequently required by law that the persons about which a report on indications of a compliance violation has been received have to be notified and heard. In the course of the investigation, these persons will have the opportunity to present their view about the report.
Please let us know if you do not want us to give your name as the whistleblower. Please note that the person affected may have legal rights according to applicable data protection / privacy laws to information which may require us to disclose your name. Government agencies may also have similar rights to information or confiscation which will result in disclosure of your name. This may be the case in particular if the person affected claims that the information brought forward against him/her is knowingly or negligently untrue and decides to file charges.
Storing personal data:
The personal information you provided will be retained for 5 years after investigating and resolving the compliance report including the remediation of any shortcomings discovered and the handling of any ensuing litigation. Your personal data will be retained even longer if this is required due to legal, regulatory or contractual obligations to retain records or if it is permitted by law. Your personal data will be deleted as soon as this is required by law.
Consent and voluntary nature:
As you enter information into the whistleblowing system, the system will ask for your consent to the collection, processing and use of your personal data included in the information as described above. Please note that you can only proceed to the report form after you have clicked on the data processing consent box.
If you do not want Boehringer Ingelheim to collect, process and use your personal data as described in this policy, you may submit your report anonymously. The disclosure of your personal data is voluntary, as is the use of the whistleblower system.
We would, however, appreciate it, if you could give us your name. Many investigations can be conducted more quickly and efficiently if the name of the whistleblower is known, since the person handling the report can get in touch with the whistleblower directly to clarify any information in the report.
By using this whistleblower system, you agree that your personal data, to the extent provided by you, will be collected, processed and used as described above.
Your data protection rights and contact:
You can request information which personal data we store about you. In justified cases, you may also request the deletion, correction or limitation of the processing of your data. If your personal data is transferred to a country outside the EU that does not provide adequate protection, you may request a copy of the contract that provides adequate protection of personal data. Where you provided consent for the use of your personal data, you can withdraw your consent at any time with future effect.
If you have any questions about our use of personal data, this data protection declaration or would like to exercise your rights, you can contact us at any time or you can contact our data protection officer directly:
- Boehringer Ingelheim International GmbH
- – Data Protection Officer –
- Binger Straße 173
- 55216 Ingelheim am Rhein
- E-mail: firstname.lastname@example.org
1 Boehringer Ingelheim International GmbH, headquarters: Ingelheim, Germany; Court of Registration: Mainz, HRB 21063. Further information can be found at www.boehringer-ingelheim.com