Information on data protection
In the following we would like to inform you on the collection, processing and use of personal data within the whistleblowing system of WTS. WTS or WTS Group refers to WTS Group AG with its seat in Munich, Germany, as well as all other companies in which this parent company directly or indirectly holds a majority interest.
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - hereafter “GDPR”) as well as current national data protection regulations. Please read this privacy information carefully before submitting a report.
Purpose and legal foundations of the whistleblowing system
The whistleblowing system serves the purpose of receiving and processing reports concerning possible violations of laws, regulations or internal rules of WTS Group via secure and confidential channels. We observe the principle of restricting the use of personal data to specific purposes, and we only process personal data for the purposes that are described in this privacy statement.
The processing of personal data within the framework of the whistleblowing system is based on our legitimate interest in the discovery and prevention of malpractice and the associated averting of damages and liability risks for WTS Group (Section 6 para. 1 item 1 point f GDPR in connection with Sections 30, 130 Code of Administrative Offences (“Ordnungswidrigkeitengesetz” / “OWiG”)).
According to Section 6 para. 5 of the German Act on Tracing Profits from Serious Crimes (Money Laundering Act – “Geldwäschegesetz” / “GwG”), we are obligated to take reasonable measures to enable our employees and persons in a comparable position to report violations of anti-money laundering obligations and regulations to suitable parties while ensuring the confidentiality of their identity (Section 6 para. 1 item 1 point c GDPR).
If a received report concerns an employee of WTS, the processing also serves to prevent criminal acts or other infringements in connection with the employment relationship (Section 26 para. 1 German Federal Data Protection Act (“Bundesdatenschutzgesetz” / “BDSG”)).
Responsible authority, data protection officer and data security
The party responsible for data protection in the whistleblowing portal is
WTS Group AG
Friedenstraße 22
81671 Munich
Germany
Tel.: +49 (0) 89 286 46-0
Fax: +49 (0) 89 286 46-111
e-mail: info@wts.de
WTS Group AG is represented by its Board Members: StB Fritz Esterer Dipl.-Oec. (Chairman), WP StB Franz Prinz zu Hohenlohe, StB Ulrike Schellert, StB Jürgen Scholz.
The Group data protection officer of WTS is:
RA Prof. Thorsten B. Behling
WTS Group AG
Sachsenring 83
50677 Cologne
Germany
e-mail: thorsten.behling@wts.de
The whistleblowing portal is operated on behalf of WTS Group AG by a specialised company: EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin, Germany.
All data in the whistleblowing portal are secured by extensive technical and organisational measures, in particular encrypted to ensure that EQS Group GmbH does not have access to the data, and only WTS more specifically persons appointed by WTS can access the data.
Confidential handling of reports, sharing and recipients of data
Incoming reports are received by selected, specially trained and thus unbias and independent employees of WTS. They are the only persons who have access to the data stored in the whistleblowing portal. The designated employees assess the situation and conduct further investigations, if necessary.
During the processing of submitted report, it can be necessary to share reports with additional employees or offices within WTS or other WTS Group companies, e.g. if a report refers to activities in a subsidiary of WTS Group AG. If there is sufficient reason to suspect a crime, data and information from the reporting process may be shared with a law enforcement agency for the purpose of initiating further investigations and possible penalties. The offices mentioned above and other recipients may be based in countries outside the European Union or the European Economic Area with different regulations regarding the protection of personal data.
In certain cases, we are obligated by data protection law to inform an accused person that we have received a report concerning them. The identity of the whistleblower will not be disclosed – insofar as this is legally permissible – and it will also be ensured that it is not possible to draw any conclusions concerning the identity of the whistleblower.
We will always ensure that the applicable data protection regulations are complied with when sharing reports.
The follow-up of received reports always takes place in strict confidentiality. In general, your name or any circumstances that could reveal your identity as a whistleblower are not mentioned, unless this is absolutely necessary in exceptional cases, such as due to statutory regulations.
The honest use of the whistleblowing portal will not have any adverse consequences for you as a whistleblower. In the case of abuse, such as the deliberate submission of false reports with the intent of discrediting an individual, we reserve the right to take action against the whistleblower.
Categories of personal data that we process
The data categories depend on the decision for or against an anonymous report submission and which data on persons are shared in the report. To satisfy the purposes listed above, the listed types of personal data and data categories are collected, processed and used insofar as such data – in particular – are provided to us in the whistleblowing system:
- Basic personal data (e.g. salutation, title, first name, last name)
- Contact data (e.g. e-mail address, telephone number, possibly fax number)
- Company information (e.g. name of the company, department, location)
- Address data (e.g. street, postal code, city, country)
- Report contents
Sources of personal data that we process
In the course of operating the whistleblowing system and the processing of data in this system, we receive and collect any personal data only from the whistleblower himself in the form of his report.
Storage period
The received personal data are stored only as long as is necessary to satisfy the respective purpose of the storage (see above). If this purpose no longer applies, we will delete or anonymise the data provided and to the extent that no legitimate reasons or obligations to retain the data exist. In the later case, the data are only processed to a limited extent, in other words only to satisfy the retention reason or obligation and otherwise only with consent, for asserting, exercising or defending legal claims, for protecting the rights of another natural or legal person or for reasons of an important public interest of the European Union (EU) or an EU member state. If a retention obligation exists, we will delete or anonymise the data once the retention obligation definitively no longer exists.
Use of the whistleblowing portal
Communication between your computer and the whistleblowing portal takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the whistleblowing system that is secured with an individually chosen pseudonym/user name and password. This allows you to send reports to the respectively responsible employee at WTS anonymously or by name, if desired. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular e-mail communication.
Your visit to the whistleblowing portal may still leave traces on your computer. If you are accessing the whistleblowing portal from a WTS computer, you might want to clear the temporary files (cache) afterwards.
Rights of the data subjects
Pursuant to European data protection legislation, you and the persons named in the report have a right of access, rectification, erasure, restriction of processing and right to object to the processing of your personal data. If the right to object to the processing of the personal data is exercised, the necessity to store the data, especially for processing a report, will be evaluated immediately. Data that are no longer needed will be deleted at once.
Additional information and an opportunity to assert your rights can be found on the website: https://www.wts.com/de-de/datenschutz
In addition, you can submit a complaint at any time to the competent data protection authority, such as at your place of residence or the location of the alleged violation.
The following data protection supervisory authority has jurisdiction over WTS:
- Data Protection Authority of Bavaria
- Promenade 27
- 91522 Ansbach, Germany
- https://www.lda.bayern.de
Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible WTS employee. If you wish to submit an anonymous report, please take note of the following security advice: files can contain hidden personal data that could endanger your anonymity. Remove this data before sending. If you are unable to remove this data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Status and modifications to this information on data protection
This information on data protection is current as of the date given below. This information is subject to change. We therefore ask you to regularly look at the information on data protection in order to be informed of any changes.
Version: August 2023