Data protection information about the processing of personal data by the internal reporting office
The Legal and Compliance (RCC) corporate unit of Flughafen München GmbH (“FMG” or “we”) offers employees and external parties the opportunity to report compliance violations to an internal reporting office. Employees and external parties such as providers, contractors, suppliers and customers can contact the internal reporting office and report violations of legal provisions within the scope of § 2 of the Whistleblower Protection Act (HinSchG), in particular in connection with corruption, fraud, theft, embezzlement, vandalism, property damage, competition offenses. Issues related to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the prevention and handling of sexual harassment, violations of the Code of Conduct and the guidelines of the FMG Corporation such as the “Gifts and Invitations Guideline” and other regulations applicable in the FMG can also be reported.
Name and contact data of the controller
FMG is controller for the internal reporting office under the data protection law. As part of the option provided in the Whistleblower Protection Act (HinSchG) of entrusting a third party with the tasks of an internal reporting office, FMG also assumes the tasks of an internal reporting office for the following corporate companies as joint controller in accordance with art. 26 GDPR:
- aerogate München Gesellschaft für Luftverkehrsabfertigungen mbH
- AeroGround Flughafen München GmbH
- Allresto Flughafen München Hotel und Gaststätten GmbH
- Cargogate Munich Airport GmbH
- eurotrade Flughafen München Handels-GmbH
- FMSicherheit Flughafen München Sicherheit GmbH
- FMV - Flughafen München Versicherungsvermittlungsgesellschaft mbH
- LabCampus GmbH
- Flughafen München Realisierungsgesellschaft mbH
- Terminal 2 Gesellschaft mbH & Co oHG
In principle, the data subjects can contact the controller of the internal reporting office (FMG) as well as the controller of the corporate companies, which the FMG entrusted with the tasks of the internal reporting office. As part of the agreement about joint controllership, FMG and the above-mentioned corporate companies also agreed about close coordination when fulfilling requests from data subjects and notifications of data protection violations and possible communications to the data subjects in accordance with art. 34 GDPR. You can reach the internal reporting office of FMG using the following contact data:
Interne Meldestelle RCC
Flughafen München GmbH
Nordallee 25
85356 München
Germany
Phone. +49 89 975-40340 (Monday to Friday during normal office hours)
Email: hinweise@munich-airport.de
The contact data of the entrusting corporate companies and the contact details of the respective data protection officers can be found under https://www.munich-airport.com/privacy-policy-376755#9b702717
Contact data of the FMG data protection officer:
Datenschutzbeauftragter
Flughafen München GmbH
Nordallee 25
85356 München
Germany
Email: datenschutzbeauftragter@munich-airport.de
Categories of personal data
The submission of notices to the reporting office is voluntary, a report can also be made without us processing the data of the person providing the notice.
In particular, we use the online portal "Business Keeper Monitoring System" of the EQS Group AG, Karlstraße 47, 80333 Munich (hereinafter: BKMS® System). In this context, please note that anonymous tips should only be submitted from private devices outside the company network, as this is the only way to ensure the required confidentiality.
As part of the task completion, the following personal or person identifying data are regularly processed by the reporting office:
- Data of persons named as part of reports;
- Data of persons processed as part of the exercise of tasks of a reporting office, especially in the area of the procedure and documentation;
- Data of persons who are consulted by the reporting office for the exercise of tasks;
- Data of persons providing notices that they voluntarily disclose to the reporting office.
Purposes
FMG offers employees and business partners the opportunity to report compliance violations directly to the internal reporting office. This can be provided via various reporting channels, e.g. personal conversation, phone, letter, email or the BKMS® system.
The internal reporting office is responsible to maintain reliable principles of corporate management in day-to-day operations, the possibility of reporting violations via the BKMS® system is designed as an additional mechanism for employees and external parties to also anonymously submit notices and be available for questions.
Legal basis
For processing of notices as per HinSchG:
The reporting office processes the personal data of persons providing notices, persons involved in the proceedings and persons who may be accused due to legal obligations (art. 6 para. 1 lit. c GDPR). These obligations are applicable for HinSchG for
- the establishment and design of the reporting office (§ 10 p. 1 i.c.w. §§ 16 HinSchG),
- the process for internal reports (§ 17 HinSchG),
- the execution of follow-up actions (§ 18 HinSchG).
If special categories of personal data are processed by the reporting office, then this is justified with the necessity for the fulfillment of the task (art. 9 para. 2 lit. g GDPR i.c.w. § 10 sentence 2 HinSchG).
If the HinSchG requires consent as a prerequisite for certain actions by the reporting office (e.g. for the transfer of personal data of the person giving the notices or phone recordings or word logs in case of phone reports), then such consent will be obtained. In these cases, the processing is carried out with art. 6 para. 1 lit. a GDPR.
If the legitimate interests of the controller or a third party require further processing and do not outweigh the interests or fundamental rights and freedoms of the data subjects, processing can also be carried out on the basis of art. 6, para. 1 lit. f GDPR for example to protect against accusations of reprisals.
For the processing of notices outside the application area of HinSchG:
For reports that are assigned to the Lieferkettensorgfaltspflichtengesetz (LkSG) [Supply Chain Due Diligence Act], the legal basis for the processing is based on art. 6 para. 1 lit. c GDPR in conjunction with § 8 LkSG (enabling of and procedural rules for the complaints procedure, confirmation of receipt of notices, discussion of the facts). Data processing when taking remedial measures is based on art. 6 (1) (c) GDPR i.c.w. § 7 LkSG.
The processing of personal data in the context of processing notices that contain violations of regulations outside the scope of the HinSchG is justified with the protection of legitimate interests (art. 6 para. 1 lit. f) GDPR). The legitimate interest lies in uncovering and preventing grievances and thus in averting damage to the FMG corporation, employees and customers. The processing of notices serves primarily to uncover and check abuses and violations of the law, and is embedded in our compliance management system. Based on this regulation and liability scope, the personal data required for processing the notices must also be processed. The interest of data subjects in not processing the data takes second place, since reports can be made voluntarily and anonymously and an appropriate level of protection is guaranteed for the confidentiality and integrity of the data of the whistleblower and any third parties involved through technical and organizational measures.
Type and scope of the data use
The personal data is processed exclusively for the purpose of processing notices and strictly under the stipulation that access to the data is only granted to certain persons and only to the extent that is absolutely necessary for the processing of the notice. Of course, all persons who have access to data are obligated to confidentiality.
Recipients
- Internal use and possible transfer of that data within the corporation
The specific recipients of data depend on the content of the notice. Incoming notices are received by a small group of expressly authorized and specially trained employees of the compliance organization at FMG (employees of the reporting office) and the notices are always treated confidentially.
The reporting office checks whether an in-depth investigation is required and which internal bodies must be involved in clarifying the facts of a case. The reporting office also regularly informs top management about the content of the notices received, since the resolution of reported violations is one of their areas of responsibility. In addition, the auditing, corporate safety, legal and human resources departments are often called in to process notices or additional contact persons, which are required to execute the follow-up actions, are identified.
If reports for subsidiaries are received by the reporting office within the context of the entrusting relationship, or if notices addressed to the parent company also affect corporate companies, then the management of the subsidiaries and, if necessary, the responsible offices or departments of the corporate companies will be informed and consulted to process the notice, because the respectively affected corporate companies have the original responsibility to resolve and pursue an identified violation.
We ask that you only send the notices to the reporting office that relate to the reporting categories listed in paragraph 1 of this data protection information. We will not forward your request for reasons of confidentiality, but ask you to contact a suitable office if your notice is outside the area of responsibility of the reporting office. - Disclosing data to controllers outside the FMG corporation
Investigations may require the involvement of other FMG employees or employees of corporate companies and possibly also external parties such as specialized law firms, auditors or forensic experts. Of course, all internal and external parties involved in the process are obligated to the confidential treatment of disclosed information. - Disclosure to government agencies
If necessary, FMG may be legally obligated to provide information on compliance violations to government agencies (e.g. investigating authorities or courts). In case of such obligations, as well as seizures, we are unable to withhold the information you have submitted. - Whistleblower system service provider
The BKMS® system is provided by EQS Group AG (member of the EQS Group), Bayreuther Str. 35, 10789 Berlin in Germany as processing on behalf of FMG.
Personal data and information entered into the whistleblower system is stored in the BKMS® system in a high-security computer center. Only FMG can review the data; the processor and third parties have no access to the data. This is ensured in a certified process through comprehensive technical and organizational measures.
Disclosure of data to third countries
As a matter of principle, personal data is not transferred to third countries outside the EU/EEA as part of the fulfillment of the duties of the reporting office.
Depending on the content of the notice, it may be necessary in individual cases to also pass on the data to recipients in third countries. In third countries, the rights of data subjects and the confidential treatment of personal data may not be legally guaranteed to the same extent as in the EU.
If you, as the reporting person, do not want us to transfer your personal data to countries outside the EU, please let us know in your report and we will check whether a transfer is not necessary to protect our legitimate interests. Please note that it may not be possible to fully process your report without passing on your data.
Duration of the storage
After the plausibility check has been carried out, the reporting office will check whether storage is required.
Irrespective of the storage periods listed below, after the notice has been checked and the notice procedure has been completed, measures are taken to make the process documentation as data-efficient as possible, e.g. by means of blacking out or pseudonyms.
The procedural documents are generally deleted after the individual case has been examined 3 years after the conclusion of the notice procedure. The documentation may be kept longer to meet the requirements of the Whistleblower Protection Act or other legislation, as long as this is necessary and proportionate.
Rights of the data subject
As a person providing notices, a person involved in the process and possibly an accused person, you are entitled to the following rights of a data subject based on the GDPR:
- Right to information,
- Right to correction or deletion,
- Right to the restriction of the processing,
- Right to object to processing,
- Right to data transferability.
To exercise your rights and to revoke your consent, please contact the controller at the contact address given above. Alternatively, you can also assert your data protection rights via the BKMS® system or at the following email address: datenschutzanfrage@munich-airport.de
Please note that the reporting office must also protect the rights of third parties and can therefore only provide information in abridged form or blackened out if this would seriously impair the achievement of the processing goals (art. 14 para. 5 lit. b GDPR) or would disclose information which by its very nature should be kept secret (§ 29 para.1 BDSG).
Right for a complaint to the supervisory authority
You have the right to file a complaint with the supervisory authority if you believe that the processing of your personal data is unlawful. The contact data for the supervisory office responsible for us are: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Post office box 1349, 91504 Ansbach, Germany, Phone: +49 (0) 981 / 53 1228, poststelle@lda.bayern.de, www.lda.bayern.de.
Change in the data protection information
We reserve the right to change our safety and data protection measures if this is required due to legal or technical developments. In these cases, we will also adapt our data protection notices accordingly. Therefore, please note the current version of our data protection information.
Miscellaneous
The communication between your terminal and the BKMS® system takes place via an encrypted connection (SSL). The IP address of your computer will not be saved while using the whistleblower portal. To maintain the connection between your computer and the BKMS® system, a cookie is stored on your computer that only contains the session ID (so-called null cookie). The cookie is only valid until the end of your session and becomes invalid when the browser is closed. As the person providing the notice, you have the option of setting up a protected mailbox in the BKMS® system with a pseudonym/user name and password of your choice. Therefore, you can communicate securely with the reporting office using your name or anonymously.
Version: June 23, 2023