Notes on Data Protection
In the following we inform you about the collection, processing and use of personal data in the framework of the G+D Whistleblowing System.
Please read these data protection instructions carefully before you submit a message.
Purpose of the whistleblower system
The G+D Whistleblowing System (hereinafter referred to as BKMS System) serves to receive and process information about (presumed) legal or serious internal breaches of the rules against the G+D Group in a secure and confidential way.
The processing of personal data in the framework of the BKMS System is based on the interest of the G+D Group in the detection and prevention of maladministration and the avoidance of damage and liability risks for the G+D Group (Article 6 (1) f DSGVO in conjunction with §§ 30, 130 OWiG).
If a disclosure received concerns an employee of the G+D Group, processing also serves to prevent crimes or other legal violations that are related to the employment relationship (§ 26 (1) BDSG).
The information you provide will be evaluated by G+D GmbH and, if necessary, its subsidiaries. They can lead to the initiation of internal or even regulatory investigation proceedings, as well as other adverse consequences for those affected.
Therefore, only provide us with information that you believe to be accurate. If you knowingly provide false or misleading information, you will face consequences. Knowingly spreading false information is punishable in many countries.
Please do not provide us with any information if this is punishable under the laws of your country.
The body responsible for the BKMS System is:
The Data Protection Officer of G+D GmbH can be reached at:
Data Protection Officer
Prinzregentenstraße 161, 81677 München
The BKMS System is operated by the specialist company Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin, Germany, on behalf of Giesecke+Devrient GmbH.
Technical protection of the BKMS system:
The BKMS System is technically supervised by the independent operator Business Keeper GmbH (Bayreuther Str. 35, 10789 Berlin, Germany, hereinafter "BK AG").
Personal data entered into the BKMS System are stored in a database operated by BK AG, on protected servers of Telekom Deutschland GmbH in a high security data center in Germany.
The content of the notes is exclusively handled by G+D. All data is encrypted and password-protected so that access to a narrow circle of authorized persons is limited to G+D. BK AG cannot view the contents of the data stored electronically in the database.
As long as you do not enter any personal information that allows you to identify yourself, the BKMS System automatically protects your anonymity through a certified process that is backed by comprehensive technical and organizational measures.
The communication between your computer and the BKMS System takes place via an encrypted connection (SSL). The IP address of your computer during the use of the BKMS System will not be saved and no cookies will be stored on your computer.
Your visit to the BKMS System can still leave a mark on your computer. Therefore, if you visit the BKMS System from a company computer, it is recommended that you subsequently delete the temporary files and the browser cache.
Type of personal data collected
The BKMS System is used on a voluntary basis. If you submit a message via BKMS System, we collect the following personal data and information:
- your name, if you disclose your identity,
- whether you are employed at G+D and
- if applicable, names of persons and other personal information of the persons you include in your report.
When submitting a message or when sending a supplement, you have the option of sending attachments to the responsible G+D employee.
If you want to submit an anonymous message, please note the following details:
Files may contain hidden personal information that could endanger your anonymity. Remove this data before sending. If you are unable to remove this information or are unsure, copy the text of your attachment to your message text or send the printed document anonymously by mail, quoting the reference number, to the above-mentioned responsible person.
Personal data are kept for as long as the information and final assessment requires, or as long as a legitimate interest of G+D under Art. 6 (1) (f) GDPR is required. Thereafter, these data will be anonymized or deleted in accordance with legal requirements.
Confidential treatment of information
Access to incoming information is restricted to a narrow circle of authorized persons of G+D. Incoming messages are always treated confidentially.
In certain cases, G+D has a legal obligation to inform the accused person of the allegations against him. In such cases, this is legally required if it is objectively established that the provision of information to the accused person can no longer affect the clarification of the specific case.
Unless mandatory law provides otherwise, your identity as a whistleblower will not be disclosed and it will also be ensured that no inference is possible as to the identity of you as a whistleblower.
Confidentiality cannot be guaranteed by deliberately misrepresenting a person with the aim of discrediting a person (denunciation).
You have the option to set up a protected postbox in the whistleblower portal with a self-selected pseudonym / username and password. In this way, you can exchange messages and files anonymously and securely with the responsible G+D employee. In this system, the data is stored exclusively in the BKMS System and thus particularly secured.
Any person who gains access to the data is obligated to maintain confidentiality.
Disclosure of information:
As part of the processing of a disclosure or in the course of an investigation, it may be necessary to pass on information to other employees of G+D or to subsidiaries of the G+D Group and their employees (e.g. if the information relates to an incident in a subsidiary of the G+D Group).
If you have provided personal information in your disclosure, in such cases it may be transferred to countries outside the EU where the confidentiality of your personal information is not guaranteed to the same extent by law as in Europe. This applies in particular to countries that, according to EU regulations, are considered as countries without an adequate level of data protection.
Within the G+D Group, an appropriate level of data protection is guaranteed by the G+D Binding Corporate Rules (BCR) also in countries outside Europe.
If you do not want us to share your personal information, including your name, with countries outside the EU (unless required to protect the legitimate interests of G+D), please let us know. We point out, however, that we may not be able to process your disclosure comprehensively.
In the event of a corresponding statutory obligation or data protection requirement for the provision of information, it may be necessary to also transmit data to law enforcement authorities, antitrust authorities, other administrative authorities, courts or international law firms and accounting firms commissioned by G+D.
The persons concerned have the following rights under DSGVO:
Right to information, correction, deletion, limitation of processing, data portability, objection, revocation of consent, complaint to the supervisory authority.
The supervisory authority responsible for G+D is the State Office for Data Protection Supervision in Bavaria (www.lda.bayern.de).
As of May 25st, 2018