Privacy notice
To simplify the reporting of potential compliance violations and ensure effective follow-up measures, the ERGO Group AG in Düsseldorf (hereafter referred to as “ERGO”) has introduced this secure and confidential whistleblowing system, which also satisfies the requirements of the EU Whistleblower Directive (Directive (EU) 2019/1937). The system enables the secure and confidential receipt and processing of information about violations of the law. Use of the whistleblowing system is voluntary.
The whistleblowing system is operated by EQS Group AG, Bayreuther Str. 35, 10789 Berlin, Germany, on behalf of ERGO. The communication between your computer and the whistleblowing system is encrypted (SSL). Personal data entered into the whistleblowing system are encrypted, protected with a password and stored in a database operated by EQS Group in a high-security data centre located in Germany. EQS Group AG has no access to the data.
Who is responsible for processing the data?
1) The party responsible for reports directed to Compliance ERGO is the following company:
ERGO Group AG
ERGO-Platz 1
40198 Düsseldorf
Email: hinweisgeber@ergo.de
If you have any questions about this data privacy information, please contact the data protection officer at ERGO. To reach the data protection officer by post, address your post to the “Datenschutzbeauftragter” at the address given above. You can also send an email to datenschutzbeauftragter@ergo.de.
2) The party responsible for reports directed to the central ombudsperson at ERGO is the following company:
BDO AG Wirtschaftsprüfungsgesellschaft
Markus Brinkmann
Fuhlentwiete 12
20355 Hamburg
Germany
Phone: +49 (40) 33 47 53 74 35
Email: ombudsmann.ergo@bdo.de
3) The party responsible for reports directed to the respective (compliance) officer(s) at individual local companies is the respective local company, which can be selected during the reporting process. The country-specific data protection provisions additionally apply in this case.
Which categories of data do we use, and where do the data come from?
Use of the whistleblowing system is voluntary. If disclosed by you, we collect the following personal data and information within the scope of your report:
- Your first and last name and your contact information
- Whether you are employed by a company which is part of the ERGO Group
- The names and other personal data of persons you name in your report.
The IP address of your computer will not be stored during or after your use of the whistleblowing system. In order to maintain a connection between your computer and the whistleblowing system, a cookie is saved on your computer, which contains only the session ID (known as a session cookie). This cookie is only valid until the end of your session and expires when you close your browser. Nevertheless, your visit to the whistleblowing system can leave traces on your computer. If you access the whistleblowing system from a company computer, you should therefore take care in particular to clear the temporary data (cache) in your browser.
You have the option to set up a secured postbox within the whistleblowing system with an individually-selected pseudonym/user name and password. This will allow you to anonymously and securely exchange messages and files with the (compliance) officer responsible for processing your report. This is not the same as typical email communication. The data are stored exclusively in the whistleblowing system and therefore subject to special protection.
For what purposes and on what legal basis do we process your data?
We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and all other applicable laws and regulations, such as the German Data Protection Act (BDSG).
The purpose of the data processing is ERGO’s obligation, as set out in Section 23 (6) of the German Insurance Supervision Act, to establish a process that enables employees and third parties to report potential or actual violations of important laws and ordinances while protecting the confidentiality of their identity. It is within the legitimate interests of ERGO to effectively and highly confidentially discover, investigate, suspend and penalize illegal activity and serious violations of employee obligations throughout the group in order to avert damages and liability risks. The company to which you direct your report will process personal data as well as the names and other data associated with the report and its contents confidentially and exclusively for the purposes of secure and confidential receipt and processing. If you share information in the whistleblowing system, the system will ask for your consent. This consent forms the legal justification for the processing of your personal data as per Art. 6 (1)(a) GDPR. If you revoke your consent, the processing can be based on Art. 6 (1)(f) GDPR and national regulations implementing the EU Whistleblower Directive (e.g. Section 10 of the German Whistleblower Protection Act), insofar as your personal data are required in the individual case in order to protect the aforementioned legitimate interests of ERGO if these interests are overriding or compelling.
Does any sharing of data take place?
If you disclose your name in the whistleblowing system, we ensure that your identity as a whistleblower is handled confidentially.
Only a very small selection of expressly authorised persons in the respective (compliance) role who are responsible for processing your report (based on your selection of the report recipient) will receive access to the data shared by you. Depending on the content of the report, certain expressly authorised persons in the internal audit department, together with the data protection officer and individual authorised persons in subsidiaries, may receive access to the data insofar as this is necessary for the processing of certain information. If these subsidiaries are headquartered in countries outside the European Union or the European Economic Area, suitable and appropriate data protection guarantees will be ensured. If a specific adequacy decision by the European Commission does not exist for the third country in question, these security measures shall consist in particular of binding internal data protection rules or standard contractual clauses of the European Union. In exceptional cases, we may deviate from the security measures laid out in Art. 49 GDPR. This may be the case, for example, if the transfer is necessary for the establishment, exercise or defence of legal claims.
Investigations of the reported information are handled strictly confidentially. Every person with access to the data is obligated to keep the data secret. Your name and any circumstances that could jeopardise your identity as a whistleblower are not disclosed in principle. Nevertheless, we are obligated to disclose your name in certain exceptional cases, such as when compelled by law.
If a reason for suspicion exists, the information can be forwarded to another internal department for the purpose of initiating a process to penalize offenders or to the criminal justice authorities.
Information about the person(s) involved in the report
In certain cases, we are legally obligated to inform involved persons that we have received information about them. This can only take place when notification of the involved persons no longer jeopardises the investigation of the received information. Furthermore, the involved person may have a right of access with respect to the data concerning them. To the extent legally permissible, no direct or indirect information about the whistleblower will be disclosed in the course of this process.
For how long will your data be stored?
We store personal data in connection with your report for as long as necessary for the investigation and for as long as we are obligated to store personal data on the basis of statutory or contractual retention periods. After this time period, the received information is either deleted or anonymised in accordance with the legal requirements of the specific country; in other words, every reference to your identity as whistleblower will be permanently and irrevocably erased.
Right to withdraw consent and right to object
You have the right to withdraw your consent at any time with effect for the future and to object to the processing of your personal data without suffering any disadvantages as a result. We will cease the processing insofar as we do not have compelling legitimate interests in processing of the data on the basis of Art. 6 (1)(f) and Art. 21 GDPR (data processing on the basis of legitimate interests), insofar as the data are not being processed for the establishment, exercise or defence of legal claims, or national regulations implementing the EU Whistleblower Directive (e.g., Section 10 of the German Whistleblower Protection Act) permit us to continue processing. The withdrawal of consent and the objection can be issued in any form and should be addressed to the respective company to which you directed your report.
What other rights do users of the whistleblowing system have?
In addition to your right to be informed about the processing of your personal data, you have – in accordance with the statutory provisions – a right of access as per Art. 15 GDPR, the right to rectification as per Art. 16 GDPR, the right to erasure as per Art. 17 GDPR, the right to restriction of processing as per Art. 18 GDPR and the right to data portability as per Art. 20 GDPR. Upon request, we will make the data provided by you available in a structured, commonly-used and machine-readable format. To exercise these rights, please contact the respective company to which you directed your report.
You also have the right to lodge a complaint with a supervisory authority of your choice (Art. 77 GDPR in connection with Section 19 BDSG).
The competent authority for ERGO Group AG is:
State Representative for Data Protection and Freedom of Information of North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-999
Email: poststelle@ldi.nrw.de
Internet: https://www.ldi.nrw.de/
Version: February 2023