Privacy Notice – Whistleblowing System
Under this privacy notice (hereinafter the “Notice”), Deutsche Börse Group (DBG) (hereinafter “We” or “Us”) informs you how we process your personal data provided in the course of the whistleblowing system. Your personal data means any information relating to you (hereinafter the “Personal Data”), such as name or contact details.
We pay special attention to the processing of Personal Data in accordance with the General Data Protection Regulation EU 2016/679 (“GDPR”) and applicable national data protection laws.
Controller
Our identity and contact details
The Deutsche Boerse Group whistleblowing system is provided by:
Deutsche Börse AG
Compliance
60485 Frankfurt am Main
Germany
Tel. +49-(0) 69-2 11-0
E-Mail compliance@deutsche-boerse.com
Contact details of Our data protection officer
Our Data Protection Officer is:
Deutsche Börse AG
Data Protection Officer (Group Data Protection)
Mergenthalerallee 61, 65760 Eschborn, Germany
Email: dataprotection@deutsche-boerse.com
Phone: +49 69 2 11-1 38 40
Purpose, Categories of Personal Data, Legal Basis and Retention
Categories of your Personal Data and purposes of Our processing
The Whistleblower can choose whether she/he discloses her/his identity (for example, name, surname) or not. In case of a disclosure of the Whistleblower, the information given may contain personal data of the Whistleblower and/or other individuals. We process the provided personal data to assign the case to the responsible department depending on the individual case. If the Whistleblower discloses her/his identity and further actions are undertaken by Us, the personal data may be filed for documentation purposes. We will only process the personal data that is strictly necessary for the purposes described above.
The categories of personal data depend on the information provided by the whistleblower. We may obtain these data in the context of the use of the whistleblowing tool. In particular, we may obtain these data because you give them to us (e.g. by filing a report), because others give them to us (e.g. because you appear in a report) or because they are generated by using the platform (e.g. because you appear in the investigation of a report).
Legal basis for Our processing of your Personal Data
Our processing of your Personal Data described in 2.1 is allowed by law:
The legal basis for providing the whistleblowing system and/or processing your personal data within a case is Art. 6 para. 1 lit. (f) of the GDPR, permitting the processing of Personal Data for the purposes of Our legitimate interests in monitoring compliance with our Code of Conduct and the applicable laws and regulations and the investigation and prevention of any illegal and/or business-damaging actions. In this respect, we will always determine case by case whether our interests are not overridden by the interests, fundamental rights and freedoms of the data subjects involved.
The legal basis for providing the whistleblowing system in countries with mandatory requirements and/or processing your personal data within a case is Art. 6 para. 1 lit. (c) of the GDPR, permitting the processing of Personal Data for compliance with a legal obligation.
In exceptional cases, we may be obliged to cooperate with authorities (e.g. in the prosecution of criminal offences). The legal basis for associated data processing activities is Article 6 para. 1 lit. c GDPR. If we cooperate with authorities to investigate possible criminal offences without such obligation, this is done on the basis of Art. 6 para. 1 lit. e GDPR. By processing data in these circumstances, the public interest in the prosecution and detection of criminal offences is safeguarded.
Do we make automated decisions on you?
We do not make any decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you.
Do you have to provide your Personal Data to Us?
The provision of your Personal Data is generally voluntary within the whistleblowing process. Depending on the individual case, the provision of personal data might be necessary to investigate the case.
The whistleblowing system offers you the option of communicating information either anonymously or not anonymously. Before referring to your identity, please consider carefully whether you would like to provide corresponding information anonymously. Please also remember that conclusions about your person can be made not only through your name, but also in other ways. This may be the case, for example, if only you can be considered as a witness to an event, for instance, due to your position in the undertaking, your physical presence or a special access authorization.
Retention periods
The retention periods for Personal Data depend on the purpose of the processing. We will retain Personal Data set out under Section 2.1 above for as long as (i) necessary for the respective purpose, and/or (ii) required by applicable statutory retention laws. In your case, We will retain personal data that you provide to Us for as long as Our processing is necessary to close the Whistleblower’s Case or any applicable retention periods required pursuant to statutory provisions.
Source of data and measures taken to ensure anonymity
We receive your personal data from whistleblowers as far as this arises from the respective notice.
On behalf of the group the whistleblowing system is run by the specialised and thoroughly selected company EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin, Germany. If the whistleblowers provide information by telephone or via a specially set up postbox, this data is stored encrypted at a high-security data processing center operated by EQS Group GmbH. Only authorized examiners at the group can decrypt the data and interpret it. Neither the EQS Group GmbH nor other third parties can decrypt data or interpret it. This is guaranteed through a certified procedure by comprehensive technical and organizational measures.
All data is encrypted and stored with multiple password protection, so that access is limited to authorized persons of DBG only.
EQS Group must process the data exclusively for the purposes specified by us and in accordance with our instructions and has been contractually obliged by us to treat your data exclusively in accordance with the applicable data protection laws.
EQS Group will, if necessary, use further service providers bound by instructions to provide the described services. In this case, EQS Group will obligate service providers strictly to the confidentiality of personal data.
Transfer of Personal Data to Third Parties
We will not transfer your Personal Data to third parties unless such transfer is permitted by law or you have explicitly consented to the transfer.
We may transfer your Personal Data to public authorities where this is required by the applicable law (e.g. the German Stock Exchange Act (Börsengesetz) or the German Securities Trading Act (Wertpapierhandelsgesetz)). A transfer of your Personal Data is also permitted if there is a suspicion of a criminal offence. In this event, we shall be entitled to transfer your Personal Data to the criminal prosecution authority.
Otherwise, your personal data will be stored exclusively in our database and on our servers, or on those of our commissioned data processing providers. We will only share your Personal Data with other controllers for their own purposes under the condition that you explicitly and voluntarily agreed to such transfer of your Personal Data; in this case, we will obtain your consent separately from this Notice.
In addition, as described above, authorized persons may enter personal data in an encrypted form into the BKMS® System (especially via the postbox) in order to communicate with the whistleblower in the event of queries as well as to other undertakings of the group in order to communicate with them about the information received there and / or the information concerning them.
In order to ensure the protection of your personal rights, the company will only transfer your data to countries outside the European Economic Area, if an adequate level of data protection equivalent to the GDPR is ensured. If this is not the case, the company will make use of one of the mechanisms laid down in Art. 44 et seq. GDPR, in particular via the conclusion of standard data protection clauses adopted by the Commission pursuant to Art. 46 para. 2 lit. c GDPR. These can be viewed at any time at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32004D0915.
Additionally, Deutsche Boerse AG acts as Data Processor for the DBG affiliates using the whistleblowing system.
Under these conditions, recipients of your personal data can be for example:
- public bodies and institutions in the presence of a legal or regulatory obligation (e.g. financial authorities),
- service providers (processors) in the following areas: Whistleblowing Service Provider
Your Rights
Under applicable data protection laws, you have rights
- of access to, rectification of, and/or erasure of your Personal Data;
- to restrict or object to its processing;
- to tell Us that you do not wish to receive marketing information; and
- (in some circumstances) to require certain of your Personal Data to be transferred to you or a third party, which you can exercise by contacting Us at the details set out at the beginning of this Notice.
To the extent Our processing of your Personal Data is based on your consent, you also have the right to withdraw your consent, without affecting the lawfulness of Our processing based on your consent before its withdrawal.
To exercise your rights, you can contact Us as set out in Section 1.1 above. You can also lodge a complaint about Our processing of your Personal Data with a data protection authority.