Data protection information
Who is my personal data collected and processed by?
Deutsche Bahn AG, Potsdamer Platz 2, 10785 Berlin, Germany (hereinafter referred to as "DB"), is the controller for its whistleblowing system and collects and processes your data in this regard. The DB whistleblowing system is operated on behalf of DB by EQS Group AG, Bayreuther Str. 35, 10789 Berlin, Germany. It offers a secure, confidential way to receive and process reports about certain crimes and serious violations of the law that are related to the DB Group.
DB's data protection officer can be reached at konzerndatenschutz@deutschebahn.com.
What data do you collect, and why and how do you process it?
Personal data – personal information about natural persons – that is entered into DB's whistleblowing system is stored in an encrypted, password-protected form in a database which is operated by EQS Group AG on DB's behalf. It is stored in a high-security data center in Germany.
DB treats personal data (such as names and other communication and content data) confidentially. Personal data are solely used for the purpose of receiving and processing information in a secure and confidential manner. This information concerns certain crimes and serious violations of the law, such as economic ("white-collar") crime, corruption, human rights violations and data protection violations. If we ask for and receive your consent to perform processing operations on your personal data, your consent is considered, in accordance with point (a) of Article 6(1) of the EU General Data Protection Regulation (GDPR), to give us the legal basis to perform such processing operations. In all other cases, the legal basis stems from point (f) of Article 6(1) of the GDPR: we process your personal data to protect our overriding legitimate interest in addressing DB-related crimes and violations of the law and in protecting the DB Group and its employees from the potentially detrimental effects of such crimes and violations.
Do we share your data with other parties?
Only DB can consult your data. Access to your data is limited, based on the specifics of what your report pertains to and depending on the specialized competence, to a very small group of explicitly authorized, specially trained persons from DB's compliance organization, corporate privacy department, procurement organization or HR organization. Depending on the information contained in your report, and depending on the steps taken to investigate this information, a very limited number of additional authorized persons – in particular persons at DB's corporate security department or persons in the compliance organization of a DB subsidiary or subsidiaries if, for example, the information relates to actions or occurrences at one or more subsidiaries – may be granted access to your data. Those DB subsidiaries may be headquartered outside the European Union or the European Economic Area.
Every person who is granted access to your data is required to treat the data as confidential. If the actions or occurrences you reported are prosecuted under criminal law, it is possible that we will be required by law to share your data with the officials investigating the situation.
How long do we store your data?
We store your data only for as long as it is necessary to fulfil the purpose for which the data was collected or as long as we need to comply with legal requirements. In every specific case, we use a set of criteria established as part of our data erasure policy to check whether and how long your data may be stored or archived before it is erased. At the latest, data will be erased six years after the case it relates to is closed.
What rights do users of the DB whistleblowing system have?
As a whistleblower, you have the right of access to your personal data; the right to rectification, erasure and restriction of processing (blocking) of your personal data; and the right to object to the processing of your personal data. The person(s) named in the report(s) you submit have equal rights with regard to their own personal data.
You have the right, at any time within the applicable legal framework, to obtain information about the personal data which has been stored about you ("right of access"). You also have the right to have inaccurate personal data concerning you rectified; this includes having incomplete personal data completed, if applicable by means of a supplementary statement. You have the right under certain circumstances to have personal data, which has been stored about you, erased. If retention periods or other legal regulations preclude erasure, you have the right to have the processing of your data restricted instead (in other words, to have your data blocked), so that your data will only be accessible for the purposes of compliance with mandatory legal regulations. If you provide personal data to us and we process it by automated means on the basis of consent provided by you or on the basis of a contract to which you are party, you have the right to have the data transmitted to you or, if you so wish, to a third party specified by you. You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on our overriding legitimate interest or is necessary for the performance of a task carried out in the public interest.
If a person is accused of something in a report submitted by a whistleblower, we are generally required by law to inform that person that we have received information about them, as soon as doing so would not jeopardize our investigation into the information. We will not reveal your identity as the whistleblower in such cases unless we are required to do so by law.
You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for DB is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, Germany; e-mail: mailbox@datenschutz-berlin.de. You also have the option of lodging a complaint with any other data protection supervisory authority in the European Union.
If the processing of your personal data is based on consent you have granted, you can withdraw this consent at any time in the same way you originally granted it. If you have a postbox in the DB whistleblowing system, you can use it to let us know you are withdrawing your consent. You can also submit a new report in which you withdraw your consent (make sure that your new report includes the reference number of the report in which you originally granted your consent). Any processing of your personal data that took place from the time at which you granted your consent to the time at which you withdrew it will still be considered to have been lawful.
To exercise your rights, it is also sufficient to send a letter or e-mail to the following address:
Deutsche Bahn AG
Compliance Hinweismanagement
Potsdamer Platz 2
10785 Berlin
Germany
compliance.hinweismanagement@deutschebahn.com