Privacy statement pursuant to Article 13 General Data Protection Regulation
Bilfinger SE takes your data protection very seriously and handles your personal data confidentially and in accordance with the statutory provisions.
This privacy statement is intended to inform whistleblowers about the nature, scope and purpose of the collection and use of personal data within the framework of the whistleblowing system (BKMS® Incident Reporting).
The controller responsible for data protection pursuant to GDPR is
The whistleblowing system is operated by Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin, Germany, on behalf of Bilfinger SE. Personal data or other information that is entered into the whistleblowing system is stored in a database operated by Business Keeper GmbH in a high-security data centre in the European Union. Business Keeper GmbH and other third parties do not have access to the data. This is guaranteed by a certified procedure through comprehensive technical and organisational measures (TOMs).
We have appointed a data protection officer for our company:
René Raumanns, Christian Schosnig
Telephone: +49 (0)621 459-0
Purpose of data processing
The whistleblowing system BKMS® Incident Reporting serves to provide employees and external parties with a confidential communication channel to enable them to submit reports, either by name or anonymously, about suspected violations of laws or compliance rules in the Bilfinger Group. Furthermore, the whistleblowing system enables reports to be processed, managed and documented.
Collection and processing of personal data
Submitting a report via BKMS® Incident Reporting is voluntary. We collect and process the personal data and information you provide. To enable us to process your report as effectively as possible, we ask you to provide the following information:
- Your communication data (e.g. name, telephone number, email), unless you wish to remain anonymous
- Personal data of employees or individuals to which your report relates or other persons who you name in your report
You have the option of choosing a pseudonym/user name and a password to set up a secured postbox in BKMS® Incident Reporting. An authorised Bilfinger employee will get in touch with you via this secured postbox and ask any further questions. You continue to remain anonymous during communication via this postbox. This system only stores data in the whistleblowing system, which makes it particularly secure; it is not a form of regular email communication.
Communication between the whistleblowing system and your computer takes place over an encrypted connection. In order to maintain the connection between your computer and BKMS® Incident Reporting, a cookie is stored on your computer that merely contains the session ID (a session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
All data is encrypted with multiple levels of password protection. Your report is kept anonymous through encryption and other specialised security measures.
Legal basis of the data processing
The processing of the personal data is based on the legitimate interest of Bilfinger SE in the prosecution and uncovering of crimes, the prevention of administrative violations, the implementation or termination of employment relationships and the assertion of civil law claims (Article 6(1)(f) GDPR in connection with Section 24(1) Federal Data Protection Act, Article 88 GDPR in connection with Section 26(1) Federal Data Protection Act in connection with Sections 30, 130 Code of Administrative Offences).
Insofar as we require your consent to the processing of personal data, this processing takes place on the basis of Article 6(1)(a) GDPR.
For how long will this data be stored?
The personal data will be stored for as long as is necessary to verify and investigate the case, Bilfinger has a legitimate interest in the storage, or statutory retention periods apply.
With whom does Bilfinger share your data?
Incoming reports are exclusively received and processed by a small selection of expressly authorised and specially trained Bilfinger employees and always handled confidentially. These employees review the case that has been reported and may carry out a further internal investigation relating to the individual case where necessary. Employees who receive access to the data are obliged to maintain confidentiality.
Insofar as this is required to investigate the case, data may be transmitted to subsidiaries of the Bilfinger Group, including outside the EU and EEA.
In addition, we are legally obliged to inform accused parties that we received a report against them once the investigation is complete, provided that the disclosure no longer jeopardises the purpose of the investigation. Your identity as a whistleblower will not be shared unless we are legally bound to do so.
Furthermore, data may be transmitted to other controllers, e.g. law enforcement agencies, other administrative authorities, courts or (international) law and audit firms commissioned by the Bilfinger Group.
- Right of access
You have the right to receive access to personal data concerning you which we process on request within the scope of Article 15 GDPR. To do this, you can send a request by post or email to the above address.
- Right to the rectification of incorrect data and right of erasure
You have the right to ask us to rectify the personal data concerning you without undue delay insofar as it is incorrect. Further, under the prerequisites set out in Article 17 GDPR, you have the right to ask us to erase the personal data concerning you.
- Right to restriction of processing
You have the right to ask us to restrict the processing of your personal data in accordance with Article 18 GDPR.
Right to object to data collection in special cases
Further, you have the right to object to the data processing at any time for reasons that arise from your particular situation, insofar as this is based on the legal basis or ‘legitimate interest’. We will then stop the processing of your data, unless we can prove compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms or if the processing serves the assertion, exercise or defence of legal claims (Right to object pursuant to Art. 21(1) GDPR).
Right of appeal to a competent supervisory authority
You have the right to file a complaint with a competent data protection authority.
The supervisory authority responsible for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit
Postfach 10 29 32
70025 Stuttgart, Germany
Phone: +49 (0)711/615541-0