Data protection
Personal data are processed within the framework of the whistleblowing system. You will be informed about the details of the processing and your rights in this context below. Personal data are always processed in compliance with the European General Data Protection Regulation 2016/679 (hereinafter referred to as “GDPR”) and the applicable data protection laws as well as any other relevant legal provisions.
CA Immo has appointed a data protection officer who can be contacted via dsb@caimmo.com for any questions relating to the processing of your personal data.
Data controller
The parties responsible for data protection in the whistleblowing system are
- CA Immobilien Anlagen AG, Mechelgasse 1, 1030 Vienna
- CA Immo Deutschland GmbH, Friedrich-Ebert-Anlage 35-37, 60327 Frankfurt am Main
- CA Immo Konzernfinanzierungs GmbH, Mechelgasse 1, 1030 Vienna
- CA Immo Real Estate Management Hungary Kft., Lechner Ödön fasor 6, HU-1095 Budapest
- CA Immo Real Estate Management Poland Sp. z o.o., ul. Sienna 39, PL-00-121 Warsaw
- CA Immo Real Estate Management Czech Republic s.r.o, Karolinská 661/4, CZ-186 00 Prague 8
- CA Immo DOO Beograd, Djordja Stanojevica street no 12, Beograd, Novi Beograd
each as parties with joint responsibility.
Purpose of the whistleblowing system
The whistleblowing system (BKMS® System) is used to securely and confidentially receive, process and manage reports concerning violations of applicable laws or the values (Code of Conduct) of CA Immobilien Anlagen AG and its group companies.
Incoming reports are received by a small selection of expressly authorised and specially trained employees in the CA Immo Compliance Organisation and are always handled confidentially. These employees evaluate the matter and carry out any further investigation that may be required by the specific case.
Scope of data processing
Use of the whistleblowing system is voluntary. We collect the following personal data and information when you submit a report using the whistleblowing system:
- Identity of the whistleblower (your name and possibly your contact data, if you choose to reveal your identity, your relationship to the company) and the
- identity of the affected party (name, other personal information disclosed in connection with the reported incident).
The processing also includes:
- Data concerning acts or omissions punishable by law or by administrative authorities, in particular suspicion of the commission of criminal offences, as well as
- criminal convictions or preventive measures pursuant to Art. 10 GDPR.
Legal basis
The processing of personal data within the framework of the BKMS® System takes place in the context of the purposes of Art. 6(1)(e) and Art. 9(2)(f) and (g) GDPR in conjunction with Section 8(1) of the Austrian Whistleblowing Act and Section 12 ff. of the German Whistleblower Protection Act as well as other relevant national legislation in Hungary, Poland, the Czech Republic and Serbia.
The Whistleblowing Act and the Whistleblower Protection Act, which are based on EU law (Directive 2019/1937/EU on the protection of persons who report breaches of EU law), are intended to strengthen protection and the procedure for reporting breaches of the law in the public interest. This creates additional incentives and opportunities to prevent and penalise breaches of the law.
Recipients
Pursuant to the Whistleblowing Act and the Whistleblower Protection Act, recipients of data contained in reports may be:
- internal bodies in legal entities
- management of a company
- external bodies for the receipt and handling of information and
- authorities that receive data contained in reports in order to follow up on a report.
Within the framework of processing a report or within a special investigation, it may be necessary to share reports with additional employees of CA Immo or with group companies (subsidiaries) if the reports refer to incidents in subsidiaries or if it is necessary to involve the Internal Audit department in the event that the incoming report relates to the Corporate Office & Compliance department. Furthermore, it may also be necessary to share reports with external consultants hired to carry out a special investigation. This may in some cases include persons based in countries outside the European Union or the European Economic Area, which may have different regulations about the protection of personal data.
Commissioned data processor
The whistleblowing system is operated by a specialised company, EQS Group AG, Karlstr. 47, 80333 Munich on behalf of the company.
Personal data and information entered into the whistleblowing system are stored in a database at a high security data centre operated by EQS Group AG. Only CA Immo has access to the data. EQS Group AG and other third parties do not have access to the data. This is ensured in the certified procedures through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access to the data is restricted to a very small selection of expressly authorised persons at CA Immo.
Retention period
Personal data are retained for as long as necessary to clarify the situation and perform a final assessment or for as long as a legitimate interest exists on the part of the company or retention is required by law. The personal data are deleted no later than 2 months after completion of the investigation as long as the investigation has not revealed the need for further action (such as forwarding to law enforcement agencies, disciplinary measures or other court or administrative procedures). In these cases, the submitted data will be stored to the extent and for as long as required to undertake and complete such actions.
Your rights
You have the fundamental rights of access, rectification, erasure, restriction, data portability, revocation and objection to the processing of your personal data. If you believe that the processing of your data violates data protection law or that your legal data protection rights have been otherwise violated, you can register a complaint with the supervisory authority. In Austria, this is the Data Protection Authority.
Use of the whistleblowing system
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). The IP address of your computer will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that contains only the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
You can set up a secured postbox within the whistleblowing system that is secured with an individually chosen pseudonym/user name and password. This allows you to send reports to the responsible employee of CA Immo either by name or in an anonymous, safe way. This system stores the data exclusively within the whistleblowing system, which makes the data particularly secure. It differs from regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible CA Immo employee. If you wish to submit an anonymous report, please take note of the following security advice: Files may contain hidden personal data that could jeopardise your anonymity. Please remove all such information before sending a file. If you are unable to remove such data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.