Privacy Policy SpeakUP!
Dear Sir or Madam!
As a family-owned company, Miba has assumed responsibility as employer and business partner for more than 90 years. Compliance with the applicable laws and other external and internal regulations is an integral part and the foundation of our business activities and decisions.
Therefore, Miba takes data protection seriously. In this Privacy Policy, we inform you about our processing activities in connection with the Miba Reporting System SpeakUP! (“SpeakUP!”) and thereby comply with the provisions of the General Data Protection Regulation (GDPR).
Controller:
The controller of the data processed within the whistleblowing system SpeakUP! is Miba AG, Dr.-Mitterbauer-Str. 3, 4663 Laakirchen, Austria, and its subsidiaries as joint controllers (hereafter each referred to as "Miba"). Being the “Controller” means having responsibility for the purposes and means of processing personal data. “Subsidiaries” means all companies in which Miba AG directly or indirectly holds more than 50% of the shares. An overview of the Miba sites including contact details can be found on our website at http://www.miba.com/en/company/global-sites/.
The reporting system is operated by a specialized company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of Miba.
Personal data and information entered into the reporting system are stored in a database operated by EQS Group GmbH in a high-security data center. Only Miba has access to the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organizational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorized persons at Miba.
Categories of Personal Data:
Miba processes the following categories of data or elements thereof. Please note that not all items on the list must apply to you. The specific data that are processed depend primarily on the concrete report in the whistleblowing system. Please also note that the examples for the categories are not exhaustive.
- Contact data (generally company contact data unless private contact data are provided): e.g., name, form of address, title, address, telephone number, mobile phone number, e-mail address and other information necessary for addressing based on modern communications technology
- Company and workplace data: e.g., company name, occupational function and position, organizational assignment within the company, scope of representational authority
- Activity and incident-related data: These include business cases, legal cases and contracts handled by you, questions you have asked, contracts and contract documents you have signed, customs registrations, role in compliance-relevant issues (e.g. whistleblower, witness, supervisor, gift giver or receiver, inviter or invitee, approver), accepted or declined invitations or gifts, payments or donations made, payment receipts, conflicts of interests, travel and visit information, events, country where the incident occurred, impacted Miba company, process history and measures taken
- Other personal data shared in a report
Purpose and Legal Basis:
The whistleblowing system SpeakUP! serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations of the compliance rules of Miba.
Miba processes your personal data to pursue Miba's legitimate interests in processing your data (Art 6 (1) lit f GDPR). Miba has a legitimate interest in ensuring compliance with laws and other compliance requirements by Miba and its employees, also to ensure smooth business operations. Miba has a legitimate interest in capturing and preventing misconduct and thus avoiding damage to Miba, its employees and business partners.
If such data are contained in the report, Miba also processes special categories of personal data (referred to as sensitive data) to assert, exercise or defend legal claims or for court actions with respect to its judicial work (Art 9 (2) lit f GDPR).
Use of the whistleblowing system takes place on a voluntary basis. Depending on the category of data, failure to provide personal data could mean that we cannot achieve the listed objectives (in particular the uncovering of malpractice).
Confidential Handling of Reports:
Incoming reports are received by a small selection of expressly authorized and specially trained employees of the Compliance organization of Miba and are always handled confidentially. The employees of the Compliance organization of Miba will evaluate the matter and perform any further investigation required by the specific case.
During the processing of a report or the conduct of a special investigation, it may become necessary to share reports with additional employees of Miba or employees of other group companies, e.g. if the reports also refer to incidents in other group companies. The latter may be based in countries outside the European Union or the European Economic Area with different regulations concerning the protection of personal data. We always ensure that the applicable data protection regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
Information of the Accused Person:
As a basic principle we are bound by law to inform the accused persons that we have received a report concerning them, unless this threatens further investigations into the report. Even if you have not submitted your report anonymously, but stated your name, your identity as a whistleblower will not be revealed as far as legally possible. The protection of a whistleblower always has the highest priority for us.
Use of the Reporting Portal:
Communication between your computer and the reporting system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the reporting system. In order to maintain the connection between your computer and the whistleblowing system SpeakUP!, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser.
After the submission of the initial report it is possible to set up a postbox within the SpeakUP! reporting system that is secured with an individually chosen pseudonym/user name and password. The secured postbox allows you to exchange further information with the responsible employees at Miba and within the SpeakUP! reporting system either by name or anonymously.
This system stores data inside the SpeakUP! reporting system only, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on Sending Attachments:
When submitting a report or an addition, you can simultaneously send attachments to the responsible employees of Miba. If you wish to submit an anonymous report, please take note of the following security advice: Files can contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document by letter anonymously to "Miba AG, Head of Legal & Compliance, Dr.-Mitterbauer-Str. 3, 4663 Laakirchen, Austria", citing the reference number received at the end of the reporting process.
Sources:
The processed personal data originate primarily from the reporting person; however, they can also come from witnesses named in the report and other informants.
Recipients:
To fulfill a processing purpose, it may be necessary, in a particular case, to transmit relevant data to other companies in the Miba Group or to third parties, who may be outside of the EU/EEA. Possible recipients may be:
- competent authorities and courts (e.g. tax authorities, security authorities);
- legal representatives, tax advisors, auditors;
- management and supervisors in other Miba companies whose employees are involved in the particular situation.
If it is necessary to transmit relevant data to recipients outside the EU/EEA in a particular case in order to fulfill the purpose of the processing, an adequate level of protection is generally demonstrated by the existence of an adequacy decision from the European Commission, by the use of inter-company or external agreements based on standard EU data protection clauses (in accordance with Art 46 (2) lit c and d GDPR) or by the existence of one of the exceptions provided in the GDPR for specific cases (in accordance with Art 49 (1) GDPR, e.g., if the data transfer is necessary to implement the contract between the reporting person and Miba, processing is necessary for the establishment, exercise or defense of legal claims). A copy of the applicable appropriate or suitable safeguards can be obtained by contacting us at compliance@miba.com.
Storage Period:
The reported data are deleted after five months at the latest in the case of personal data, and after eight months at the latest in the case of log data. If they are needed for a court or administrative procedure or for other disciplinary or official procedures, the reported data are saved for as long as and to the extent that is necessary for pursuing and concluding such procedures.
Rights of the reporting person:
In general, the reporting person has a right of access to the personal data as well as a right to rectification, erasure, restriction, data portability and objection. However, please note that Miba is not always required to fulfill such a request, in particular in cases where and insofar as it is necessary to protect the identity of a reporting person and to fulfill the purposes of the processing. This must be determined case-by-case based on Miba's statutory obligations and any applicable exceptions. If processing is based on the consent of the reporting person, there is the right to revoke the consent at any time. The revocation of consent will not affect the lawfulness of any processing that has occurred based on the given consent prior to its revocation.
If the reporting person believes that the processing of their personal data violates data protection law or that their data protection rights have otherwise been violated, the SpeakUP! Team (compliance@miba.com) can be contacted, so that we can find a remedy. The reporting person also has the right to file a complaint with a data protection supervisory authority. The data protection supervisory authority with jurisdiction over Miba AG and its Austrian Subsidiaries is the Austrian data protection authority.
Additional Information:
We hope that this Privacy Policy has clarified the purposes for which Miba processes your personal data. If you still have questions regarding data protection matters or wish to assert your aforementioned rights, please contact the SpeakUP! Team (compliance@miba.com).
This Privacy Policy for Miba SpeakUP! may be adapted from time to time to reflect current conditions.
Miba AG
Legal & Compliance
August 2023