DATA PROTECTION POLICY
Exiros takes the protection of personal data very seriously and makes reasonable efforts to ensure that it is handled confidentially. To this end, Exiros complies with the applicable legislation, including the provisions of the European Union General Data Protection Regulation (GDPR) and similar regulations applicable in the other countries in which Exiros operates. Before submitting a report through this platform, please read this information carefully in order to understand the Data Protection Policy that Exiros will apply, in coordination with its service provider EQS Group GmbH, when processing reports of irregularities through the BKMS® System platform.
Purpose and legal basis of the irregularities reporting system
The BKMS® System serves to securely and confidentially receive, process and manage reports about violations of the law or of the internal norms of Exiros. The processing of personal data within the BKMS® System is based on the legitimate interest of our company in preventing and, where applicable, investigating irregular and/or illegal conduct in order to avoid damage to Exiros, its subsidiaries, employees, suppliers and customers. As a general rule, the legal basis for processing personal data in this system is the legitimate interest of Exiros together with the consent given by each individual at the time of reporting an irregularity.
Responsibility for the processing of personal data within the BKMS® System
The parties responsible for data protection within the whistleblowing system (BKMS® System) are Exiros and its subsidiaries, who have entrusted the operation of the irregularities reporting system (BKMS® System) to a specialized company, EQS Group GmbH, with registered office at Bayreuther Str. 35, 10789 Berlin, Germany, which receives the reports in accordance with Exiros' instructions.
Personal data and information entered in the BKMS® System are stored in a database operated by EQS Group GmbH in a highly secure data center. Only Exiros can see the data entered by a user when submitting a report; EQS Group GmbH and other third parties do not have access to it. This is guaranteed by the procedure implemented by EQS Group GmbH, which is backed by extensive, certified technical and organizational measures.
All data are stored encrypted, with several levels of password protection, so that access is restricted to a group of persons defined by Exiros.
Type of personal data collected
Use of the irregularities reporting system is voluntary. If the user sends a report through the irregularities reporting system, we will collect, among any other data the user chooses to provide, the following personal data:
- Your name, if you choose to disclose your identity
- Whether you are an employee of Exiros or are submitting the report in another capacity, if you choose to disclose this information, and
- The names and other personal data of the persons you mention in your report when describing the facts or the event involving an irregularity, if applicable
Confidential handling of reports
Reports will only be accessed by staff authorised by Exiros who have specific training to process and handle reports of irregularities appropriately. Reports will always be treated as confidential. Only staff authorised by the Internal Audit Department of Exiros (and by other departments, if so decided by the head of the Internal Audit Department) will access the reports to evaluate the case and carry out any necessary investigations. Likewise, Exiros' lawyers and legal advisors may access the information where necessary.
When processing a report or conducting a special investigation, it may be necessary to share reports with other specialized Exiros employees, or with other subsidiary or affiliated companies of Exiros (for example, when a report refers to incidents that affect more than one company of the economic group to which Exiros belongs). The subsidiary companies of the Exiros Group (including affiliated companies of Exiros with whom it may be necessary to share information) may be located in countries outside the European Union or the European Economic Area, and/or in countries that are not recognised by the European Commission as providing an adequate level of personal data protection. When sharing reports, Exiros will provide the means to ensure compliance with the applicable regulations and with its internal policies and procedures on personal data protection, even in countries that lack adequate legislation.
Informing the accused
In some countries, Exiros may be obliged to inform the accused persons that Exiros has received a report about them. It is important that system users know that Exiros will only disclose information on reported persons where there is a legal obligation to do so (for example, to guarantee the rights of defense of the accused persons or to ensure that investigations are properly conducted).
Rights of the data subject
In accordance with the data protection legislation applicable in each country, the reporting person, as well as the persons mentioned in a report, may have the rights of access, consultation, rectification, erasure and restriction of processing, as well as the right to object to the processing of personal data concerning them. They may also have the right to lodge queries and complaints with the competent data protection authority in the relevant jurisdiction. Exiros and, where appropriate, EQS Group GmbH will provide the means by which these rights can be exercised in accordance with the law applicable in each case.
Personal data retention period
Personal data will be stored for the time required to clarify the situation and to investigate and assess the case, as appropriate, or for as long as retention is required by law or justified by a legitimate interest of Exiros.
Use of the irregularities reporting system
The connection between the device from which a report is made and the irregularities reporting system is established over an encrypted connection (TLS, commonly still referred to as SSL). Your IP address is not stored when you use the irregularities reporting system. To maintain the connection between your device and the BKMS® System, a cookie containing only the session ID (a so-called session cookie) is stored on your device. This cookie is only valid for the duration of the session and expires when the user closes their browser.
In the irregularities reporting system (BKMS® System), the user has the option of setting up a secured postbox using a freely chosen user name/pseudonym and password. This allows the user to communicate with Exiros securely and, if the user so wishes, anonymously. The postbox data are stored only within the irregularities reporting system (BKMS® System), in a secure environment.
Submitting reports via telephone
When you report an irregularity via telephone, your anonymity is also protected by the BKMS® System. Neither Exiros nor EQS Group GmbH has access to the phone number from which the report is made. The description of the incident is recorded in the BKMS® System as an encrypted sound file, which is transcribed by the responsible Exiros employee. If the user sets up a secured postbox after submitting the report via telephone, they can receive messages in the form of voice recordings from the responsible Exiros employee and may add information to their report if necessary. The user can also log in to their secured postbox via the web application, review the report and add further written information.
Note on sending additional reports and attachments
When a user decides to attach additional information, files or documents to a report that has already been submitted, the system allows them to do so in order to provide supporting information for the report. Reporting persons who prefer to remain anonymous should bear in mind that attached files or documents may contain personal data that is not visible in the document body, such as the author name, company and editing history stored as metadata or document properties in office documents, or camera and location data embedded in photographs. It is recommended to remove this information, or otherwise anonymise the documents, files or additions, before sending them as attachments.
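The following is an added example that illustrates the recommendation above for one common file type; it is not part of the BKMS® System or of any EQS Group GmbH software. Office Open XML files (.docx, .xlsx, .pptx) are zip containers in which author-identifying properties live in the parts docProps/core.xml and docProps/app.xml. The script lists those properties and writes a copy of the file with them removed, leaving every other part of the container untouched. It uses only the Python standard library; the document it operates on is constructed inline as sample data, and the names and values in it (jane.doe, Example Corp) are made up for the demonstration.

```python
"""List and remove identifying metadata from an Office Open XML container.

Added example, not part of the BKMS System. Standard library only.
"""
import io
import re
import zipfile

CORE_PART = "docProps/core.xml"
APP_PART = "docProps/app.xml"

# Properties in docProps/core.xml that identify the author, their edits or the timeline.
CORE_TAGS = (
    "dc:creator", "cp:lastModifiedBy", "cp:lastPrinted", "dcterms:created",
    "dcterms:modified", "cp:revision", "dc:title", "dc:subject",
    "dc:description", "cp:keywords", "cp:category",
)
# Properties in docProps/app.xml that reveal the organisation or the editing software.
APP_TAGS = ("Company", "Manager", "Template", "TotalTime", "Application", "AppVersion")


def _element_pattern(tag):
    # Matches <tag ...>text</tag> as well as the self-closing <tag .../> form.
    t = re.escape(tag)
    return re.compile(r"<%s(?:\s[^>]*)?(?:/>|>.*?</%s>)" % (t, t), re.DOTALL)


def read_part(data, name):
    """Return the text of one part of the container."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name).decode("utf-8")


def extract_metadata(data):
    """Return {tag: value} for every identifying property present in the file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part, tags in ((CORE_PART, CORE_TAGS), (APP_PART, APP_TAGS)):
            if part not in names:
                continue
            xml = zf.read(part).decode("utf-8")
            for tag in tags:
                m = _element_pattern(tag).search(xml)
                if m:
                    value = re.sub(r"<[^>]+>", "", m.group(0)).strip()
                    if value:
                        found[tag] = value
    return found


def scrub_metadata(data):
    """Return a copy of the file with the identifying properties removed.

    Every other part (document body, styles, images, ...) is copied unchanged,
    and the per-entry zip timestamps are reset so they do not leak a date either.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if info.filename in (CORE_PART, APP_PART):
                xml = payload.decode("utf-8")
                tags = CORE_TAGS if info.filename == CORE_PART else APP_TAGS
                for tag in tags:
                    xml = _element_pattern(tag).sub("", xml)
                payload = xml.encode("utf-8")
            clean_info = zipfile.ZipInfo(info.filename, date_time=(1980, 1, 1, 0, 0, 0))
            clean_info.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean_info, payload)
    return out.getvalue()


def build_sample_docx():
    """Constructed minimal .docx-style container with populated properties (sample data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
        ' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:title>Notes</dc:title><dc:creator>jane.doe</dc:creator>'
        '<cp:lastModifiedBy>jane.doe</cp:lastModifiedBy><cp:revision>7</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2021-09-01T08:15:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2021-09-03T17:42:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Application>Microsoft Office Word</Application><Company>Example Corp</Company>'
        '<TotalTime>95</TotalTime></Properties>'
    )
    body = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Sample report body.</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
        zf.writestr(CORE_PART, core)
        zf.writestr(APP_PART, app)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    cleaned = scrub_metadata(original)
    print("after: ", extract_metadata(cleaned))
```

The script covers only the standard property parts; comments, tracked changes, custom properties (docProps/custom.xml) and EXIF data inside embedded images are separate stores and are not touched here. For other formats, including PDF and image files, a dedicated metadata removal tool such as exiftool or mat2 is the safer choice, and the result should always be re-inspected before it is attached to a report.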
Version: 13 September 2021