Information on data protection
In the following, we would like to inform you about the collection, processing and use of personal data within the framework of the whistleblowing system. Please read this data protection information carefully before submitting a report.
Purpose of the whistleblowing system
The whistleblowing system (BKMS® System) serves the purpose of receiving and processing reports concerning (suspected) violations of laws or internal rules of the Schörghuber Group as well as reports concerning irregularities in one’s own business area or the supply chain of the Schörghuber Group via a secure and confidential channel. The goal is to effectively and with a high level of confidentiality identify, investigate, eliminate and penalise such legal violations and serious violations of the obligations of employees, including behaviour harmful to the company and instances of business crime that arise anywhere in the group as well as misconduct at suppliers and business partners and to avert associated damages and liability risks for Schörghuber Stiftung & Co. Holding KG, its affiliated companies, all employees, customers and business partners as well as all other people and the environment (Sections 30, 130 Administrative Offence Act [OWiG]).
Processing of personal data and legal basis
Personal data are collected and stored within the framework of the BKMS® System. The handling of these data complies with the applicable data protection laws.
Only the data that are objectively required for the purposes of the whistleblowing system (see above) will be processed.
The collected data are used exclusively for the purposes of the whistleblowing system as described above. The data are provided, in particular, to safeguard the legal obligations of the company and compliance requirements at the company. Processing of the data takes place within the framework of fulfilling employment contract obligations on the basis of Section 26 (1) German Data Protection Act (BDSG) and based on legitimate interests of Schörghuber Stiftung & Co. Holding KG that override the interests of the respective data subject on the basis of Art. 6 (1)(f) General Data Protection Regulation (GDPR). Legitimate interests include ensuring compliance within the company. This includes discovering and investigating legal violations and serious violations of the obligations of employees, including behaviour harmful to the company and business crime as well as misconduct in one’s own business area and in the supply chain of the Schörghuber Group, and for the protection of all employees, customers and business partners as well as all other people and the environment. A further legal basis is Art. 6 (1)(c) GDPR in connection with the German Supply Chain Act.
Responsible authority and data security
The party responsible for data protection in the whistleblowing system is:
Schörghuber Stiftung & Co. Holding KG
Möhlstrasse 10
81675 Munich
Phone +49 89 3074917-0
Email: kontakt@schoerghuber.group
The whistleblowing system is operated by a specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of Schörghuber Stiftung & Co. Holding KG.
Personal data and information entered into the whistleblowing system are stored in a database of a high security data centre in Germany operated by EQS Group GmbH, separate from the other data stored by Schörghuber Stiftung & Co. Holding KG. Only Schörghuber Stiftung & Co. Holding KG has access to the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through a corresponding permission system and extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at Schörghuber Stiftung & Co. Holding KG. In addition, a contract processing agreement as per Art. 28 GDPR was concluded between Schörghuber Stiftung & Co. Holding KG and EQS Group GmbH to ensure a high level of data protection and data security.
Schörghuber Stiftung & Co. Holding KG has appointed a data protection officer. Inquiries concerning data protection can be directed to:
Schörghuber Stiftung & Co. Holding KG
Data protection officer
Möhlstrasse 10
81675 Munich
Phone +49 89 3074917-0
Email: datenschutz@schoerghuber.group
Type of the collected personal data
Use of the whistleblowing system is voluntary. You have no legal or contractual obligation to provide your personal data.
If you submit a report via the whistleblowing system, we collect the following personal data and information:
- Your name and private contact and identification information, if you disclose your identity and these data (non-anonymous report)
- Whether you are employed by a company of the Schörghuber Group, i.e. professional contact information and organisation affiliation, if you provide this (non-anonymous report)
- The names and other personal data of persons whom you list in your report, if applicable.
Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees of Schörghuber Stiftung & Co. Holding KG and always handled confidentially. The employees evaluate the matter and carry out any further investigation that may be required by the specific case. Only these employees have access to the data stored in the whistleblowing system.
While processing a report or conducting an internal investigation, it may be necessary in justified individual cases to share reports with other employees of Schörghuber Stiftung & Co. Holding KG or with employees of another group company affiliated with Schörghuber Stiftung & Co. Holding KG, e.g. if the reports refer to incidents at subsidiaries of Schörghuber Stiftung & Co. Holding KG. It may be necessary for the investigation to share data with subsidiaries of the Schörghuber Group located in a country outside of the European Union or the European Economic Area where different regulations concerning the protection of personal data may apply. We will always ensure that the applicable data protection regulations are complied with when sharing reports and that appropriate guarantees under data protection law are provided for the protection of data subjects (e.g. EU standard data protection clauses or exemptions as per Art. 49 GDPR).
If necessary, the report text you submit will be shared with subcontracted partners of EQS Group GmbH for translation. The data protection agreement concluded with EQS Group GmbH also applies to these service providers.
Where a corresponding legal obligation exists or in the event of a legitimate interest of Schörghuber Stiftung & Co. Holding KG or a third party in investigation of the report, other possible recipients include law enforcement agencies, anti-trust authorities, other administrative authorities and courts. It may also be necessary to share reports with law firms and auditing firms as well as external data protection and IT security officers hired by Schörghuber Stiftung & Co. Holding KG or another group company affiliated with Schörghuber Stiftung & Co. Holding KG, in which case these recipients are also obligated professionally or by law to maintain confidentiality.
All persons who receive access to the data are obligated to maintain confidentiality.
Information about the accused party
Every person involved in a report will be informed at the appropriate time and in consideration of our notification obligations under data protection law and pursuant to Art. 13, 14 GDPR of the accusations of suspected wrongdoing made against them, as long as this notification would not significantly complicate continuation of the investigation into the situation. If no such danger exists, this notification generally takes place within one month, otherwise no later than upon conclusion of the investigations. In certain cases, the accused person has the right pursuant to Art. 15 GDPR to demand information about the stored data and information concerning them.
Even if you have shared with us your name or other personal data (non-anonymous report), your identity as whistleblower will not be disclosed – insofar as legally possible – either in connection with the fulfilment of our notification obligations or in the provision of information to the accused person and it will also be ensured that it is not possible to draw any conclusions concerning your identity as whistleblower. Deviating rules can apply if you consent to disclosure of your identity or if a corresponding legal obligation applies. This is the case in particular if the disclosure is indispensable in order that persons affected by the report can exercise their right to a hearing. In all cases, you will be informed in advance of the disclosure of your identity. However, disclosure by us will not take place as long as the whistleblower has an overriding, legitimate interest in keeping his or her identity confidential (Section 29(1) BDSG), which is fundamentally the case as long as the investigation into the subject matter of the report has not yet been concluded. Because all information concerning the whistleblower is fundamentally deleted or entirely anonymised upon completion of the investigation (see below), especially if the investigation produced no result, a disclosure of your identity is largely ruled out in this case as well.
Rights of the data subjects
Pursuant to GDPR, you and the persons named in the report have – in addition to the aforementioned right of access and information – a right to rectification, erasure, restriction of processing or blocking and a right to object to the processing of your personal data. If the right to object to the processing of the personal data is invoked, we will immediately evaluate the necessity of the stored data for the examination of a report and inform the data subject of the overriding interests that permit the processing. The data will be blocked for these purposes for the duration of this evaluation. Data that are no longer needed will be deleted at once.
If the data have been shared with a third party, we will inform the recipient of the correction, erasure or blocking of the data in accordance with the statutory regulations. You also have the right to lodge a complaint with the data protection supervisory authority. The applicable authority in our case is the Data Protection Authority of Bavaria.
Retention period for personal data
Personal data are retained for as long as necessary to clarify the situation detailed in the report and perform a concluding evaluation as well as beyond this time if pertinent archiving periods exist on the basis of law, contract or charter. If a report results in criminal, disciplinary or civil court processes, the storage duration can extend until the final conclusion of the respective process. Data collected with a report that are of no relevance for the process will be deleted immediately. After the report processing is concluded, the data will be deleted or anonymised in accordance with statutory requirements. Any links to your identity as a whistleblower will be finally and irreversibly removed during anonymisation.
Use of the whistleblowing system
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a secured postbox within the whistleblowing system with an individually chosen pseudonym/user name and password. This allows you to send reports to the responsible employee of Schörghuber Stiftung & Co. Holding KG either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible employee of Schörghuber Stiftung & Co. Holding KG. If you wish to submit an anonymous report, please take note of the following security advice: Files may contain hidden personal data that could jeopardise your anonymity. Please remove all such information before sending a file. If you are unable to remove this data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously (with personal data blacked out) to the address listed in the footer, citing the reference number received at the end of the reporting process.
Version: 15 March 2023