Data Privacy Policy of MTU Aero Engines AG on using the iTrust whistleblowing system (BKMS® System)
MTU Aero Engines AG (hereinafter referred to as “MTU”) takes the protection of personal data very seriously. We process personal data in full compliance with all applicable legal regulations on data protection and data security. Please read this data protection information carefully before submitting a report.
§1 Controller and scope
The controller, as defined in the European General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (“BDSG”) and other data protection regulations, is:
- MTU Aero Engines AG
- Dachauer Straße 665
- 80995 Munich
- GERMANY
§2 Data protection officer
The data protection officer of the controller is:
- Ms Helga Schorr
- MTU Aero Engines AG
- Dachauer Straße 665
- 80995 Munich
- GERMANY
- Email: MTU.DSB@mtu.de
§3 What are personal data?
Personal data are pieces of information about the personal or material circumstances of a specific or identifiable natural person (i.e. the data subject). This includes the person's name, address, telephone number, date of birth and email address, for instance. Information that cannot be linked to a specific individual (or can only be linked to a specific individual with disproportionate effort), e.g. anonymised information, does not constitute personal data.
§4 General notes on data processing
a) Scope
We only collect and use personal data of users of iTrust to the extent that is necessary for processing a report.
Your personal data are not used for any other purposes, in particular, advertising purposes. We will never disclose your personal data to any third parties without your consent, except in the situations described below or if we are legally obliged to do so.
If necessary, we may share personal data with companies that are affiliated with MTU Aero Engines AG as per Section 15ff AktG for the purposes listed in Section 5.
We may also share personal data with courts of law, supervisory authorities (especially aviation safety authorities) or legal advisors in order to comply with the law or assert, exercise or defend against legal claims if necessary.
b) Legal foundation
iTrust serves the purpose of securely and confidentially receiving, processing and managing reports concerning criminal or illegal conduct and human rights violations in connection with our business activities. The processing of personal data within the framework of iTrust is based on the legitimate interest of our company in discovering and preventing abuses and thereby averting damage to MTU, its employees and business partners. We further have a legitimate interest in processing personal data to secure the legality of our company's business. The legal basis for our processing of personal data is Article 6(1)(f) GDPR. In cases where we are obliged to process personal data in order to comply with a legal obligation to which our company is subject, Article 6(1)(c) GDPR provides the legal foundation.
c) Data erasure and storage period
Your personal data will be erased or blocked as soon as the original purpose of their storage ceases to apply. In cases where the European or national legislator requires further storage through Union directives, laws or other regulations to which the data controller is subject, the data may be stored beyond that point in time. Personal data are also blocked or erased if the statutory storage period stipulated by any of the specified standards expires, unless the continued storage of the data is required to conclude or fulfil a contract.
§5 Purpose of data processing
Within the scope of the reporting procedure, we primarily process personal data for the following purposes:
- Risk management to prevent and investigate conduct that violates the terms of a contract or the law,
- Compliance with legal requirements (especially those of aviation law, tax law, commercial law and export control law), and
- Asserting and exercising legal claims (in or out of court).
§6 Categories of personal data
All use of iTrust is entirely voluntary. When you submit a report via iTrust, we collect the following personal data and information:
- personal master data, e.g. your name, surname, business address, telephone or fax number and business email address, provided that you choose to disclose your identity,
- whether you are employed at MTU, and
- the names and other personal data of people whom you list in your report, if applicable.
§7 Security measures in place to protect data stored in our systems
The BKMS® System is operated by a specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of MTU.
Personal data and information entered into the whistleblowing system are stored in a database operated by EQS Group GmbH in a high security data centre. Only MTU can see the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised people at MTU.
§8 Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the compliance organisation of MTU and always handled confidentially. The employees of the MTU compliance organisation evaluate the matter and perform any further investigation required by the specific case.
While processing a report or conducting a special investigation, it may be necessary to share reports with additional employees of MTU or employees of other group companies, e.g. if the reports refer to incidents in subsidiaries. The latter may be based in countries outside the European Union or the European Economic Area with different regulations about the protection of personal data. We will always ensure that the applicable data protection regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
§9 Information about the accused
We are legally obligated to inform accused parties of any reports received against them as soon as the disclosure of this information no longer jeopardises the investigation. Your identity as a whistleblower will not be disclosed unless we are legally obliged to do so.
§10 Use of the whistleblowing portal
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the whistleblowing system that is secured with an individually chosen pseudonym/user name and password. This allows you to send reports to the respectively responsible employee at MTU either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing system, making it particularly secure. It is not a form of regular e-mail communication.
§11 Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible MTU employee. If you wish to submit an anonymous report, please take note of the following security advice: files can contain hidden personal data that could put your anonymity at risk. Remove this data before sending. If you are unable to remove this data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
§12 Rights of the data subject
If we process your personal data, you may be entitled to certain rights. This may include the following rights:
1. Right of access
You can ask the controller whether any of your personal data are being processed and receive confirmation.
If your data have been processed, you can request the following information from the controller:
- the purpose of processing your personal data,
- the categories of personal data that are being processed,
- the recipients or categories of recipients to whom your personal data have been or will be disclosed,
- the intended storage period of your personal data or, if no concrete information about the storage period is available, criteria for determining the storage period,
- the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller or a right to objection to the processing of your data,
- the existence of a right to lodge a complaint with a supervisory authority,
- all available information about the source of the data in cases where the data were not collected directly from the data subject.
You have the right to request information about any disclosure of your personal data to recipients in a third country or to an international organisation. In this context, you can demand to be informed about the appropriate safeguards as per Article 46 GDPR.
2. Right to rectification
You have the right to rectification and/or completion of your data by the controller in cases where your personal data are incorrect or incomplete. The controller is obliged to carry out the rectification promptly.
3. Right to restriction of processing
If the following conditions are given, you can request that the processing of your personal data be restricted:
- if you object to the correctness of your personal data for a certain period of time,
- if your data have been processed illegitimately, but you opt to have the use of your personal data restricted rather than requesting their erasure,
- if the data controller no longer requires your personal data for processing purposes, but you require them to assert, exercise or defend against legal claims, or
- if you have objected to the processing of your personal data as per Article 21(1) GDPR and it is yet to be determined whether the legitimate interest of the data controller outweighs your reasons for objection.
If the processing of your personal data has been restricted, your data may be processed only with your consent – with the exception of their storage – or for asserting, exercising or defending against legal claims, for protecting the rights of another natural or legal person or for reasons of an important public interest of the European Union or one of its member states.
If the processing of your personal data has been restricted for any of the aforementioned reasons, the data controller will inform you before lifting the restriction.
4. Right to erasure
a) Obligation to erase
You can demand that the data controller erase your personal data immediately, and the data controller will be obliged to do so provided that one of the following reasons applies:
- Your personal data are no longer required for the purpose for which they have been collected or otherwise processed.
- You withdraw the consent on which the data processing was based as per Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal foundation that justifies the processing.
- You object to the data processing in accordance with Article 21(1) GDPR, and the controller has no overriding legitimate interest in processing the data, or you object to the data processing in accordance with Article 21(2) GDPR.
- Your personal data are being processed illegitimately.
- The erasure of your personal data is required to comply with a legal obligation under Union law or the law of the member states governing the data controller.
- Your personal data were collected with respect to offers of information society services as per Article 8(1) GDPR.
b) Disclosure of information to third parties
Where the controller has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure does not apply if processing is necessary
- to exercise the right to free speech and information,
- to comply with a legal obligation that requires the data to be processed under Union law or the law of the member states governing the controller or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- for reasons of public interest in the field of public health as per Article 9(2)(h) and Article 9(3) GDPR,
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes as per Article 89(1) GDPR, provided that the right specified under a) is likely to render impossible or seriously impair the achievement of the specific purposes of the data processing, or
- for the establishment, exercising or defence against legal claims.
5. Right to be informed
If you have exercised your right to rectification, erasure or restriction towards the controller, the controller is obliged to inform all recipients to whom your personal data have been disclosed about the rectification or erasure of the data or the restriction of their processing, unless this is impossible or only possible with disproportionate effort.
You have the right to be informed about those recipients by the controller.
6. Right to data portability
You have the right to receive the personal data which you have provided to a controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR, and
- the processing is carried out by automated means.
In exercising your right to data portability, you also have the right to have the personal data transmitted directly from one controller to another where technically feasible. This must not affect the rights and freedoms of others.
The right to data portability does not apply if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to withdraw consent
You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.