Data Protection Notice
We take the issue of data protection and confidentiality very seriously and follow the provisions of the EU General Data Protection Regulation (EU-GDPR) as well as applicable national data protection regulations. Please read this data protection notice carefully before submitting a notice.
Person responsible and data protection officer
The person responsible for the use of the whistleblowing system (BKMS® system) and the associated processing of personal data is basically SSI SCHÄFER GMBH & CO KG (we, us). The whistleblowing via the BKMS® system is therefore initially made to SSI SCHÄFER GMBH & CO KG as the responsible party. If personal data of another company of the SSI SCHÄFER Group is affected by a report, then this respective company of the SSI SCHÄFER Group may, depending on the degree of its participation in the individual case, be regarded as a further independently responsible party, in addition to SSI SCHÄFER GMBH & CO KG, for the implementation of an investigation procedure and a related processing of personal data.
SSI SCHÄFER GMBH & CO KG has appointed a Data Protection Officer. Inquiries regarding data protection at SSI SCHÄFER Group and SSI SCHÄFER GMBH & CO KG can be sent to datenschutzbeauftragter@ssi-schaefer.com.
Purpose of the whistleblower system and legal basis
The purpose of the BKMS® system is to receive, process, investigate and manage violations of the law, as described in more detail in the BKMS® system, and violations of the Code of Conduct of the SSI SCHÄFER Group as well as the Code of Conduct for Business Partners of the SSI SCHÄFER Group, in a secure and confidential manner.
You are free to submit reports anonymously. Please note that an anonymous report may limit our ability to investigate and resolve a report.
If you wish to remain anonymous, do not provide any personal information such as your name or your relationship to the parties involved. In particular, do not provide any information in the free text fields that could lead to conclusions about you.
If you make an anonymous report, the processing of personal data within the framework of the BKMS® system is based on the legitimate interest of our company in the detection and prevention of wrongdoing and thus in the prevention of damage to the SSI SCHÄFER Group, its employees, customers and suppliers. The legal basis of this processing of personal data is Article 6 para. 1 lit. f EU-GDPR.
In addition, SSI SCHÄFER GMBH & CO KG may be legally obliged to provide information on compliance violations by its employees, customers and suppliers to certain authorities, in particular government authorities in Germany and abroad, such as investigating authorities or courts. The legal basis of this processing of personal data is Article 6 (1) lit. c EU- GDPR in connection with the respective legal basis in national or European law. In the case of non-European entities, the legal basis is Article 6 (1) (f) EU- GDPR in connection with the respective legal obligation for SSI SCHÄFER GMBH & CO KG.
If you wish to submit your report by naming your identity, we will process your personal data in accordance with this Data Protection Notice and the Declaration of Consent under Data Protection Law with your consent. In this case, it is necessary that you actively give us your consent when stating your name.
We process special categories of personal data only insofar as you have given us your express consent for this in accordance with Art. 9 (2) lit. a EU- GDPR or this is necessary for the assertion, exercise or defense of legal claims, cf. Art. 9 (2) lit. f EU- GDPR. Special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data, or data concerning sex life or sexual orientation.
Consequences of a report
Information may result in the initiation of internal and official investigation procedures and other adverse consequences for the persons concerned. Therefore, only provide us with information that you believe to be accurate to the best of your knowledge. Knowingly disseminating false information is a criminal offense in Germany and many other countries.
Categories of personal data collected
Use of the whistleblower system is on a voluntary basis. When you submit a report via the BKMS® system, we collect the following personal data and information, insofar as you provide it:
- Subject,
- Your first and last name,
- Selected reporting category,
- The facts you report about suspected misconduct in a free text field, including questions:
- How and where (country, location, SSI Schaefer Group company involved) the suspected misconduct occurred and how you learned of the suspected misconduct,
- the identity, function and contact details of persons allegedly involved in the suspected misconduct; and
- Identity, function, and contact information of persons who could provide information about the suspected misconduct.
- Whether you have already reported the incident elsewhere,
- Whether managers are involved in the incident,
- Whether the incident is ongoing, and
- Data you provide through the upload function.
Internal and external recipients
Incoming information is received by a narrow circle of expressly authorized and specially trained employees from the Group Compliance team of SSI SCHÄFER GMBH & CO KG and is always treated confidentially. The Group Compliance team examines the facts and, if necessary, carries out further case-related clarification of the facts.
The BKMS® system is operated by a company specializing in this area, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of SSI SCHÄFER GMBH & CO KG. Only SSI SCHÄFER GMBH & CO KG is allowed to view the data. EQS Group GmbH and other third parties have no access to the data.
SSI SCHÄFER GMBH & CO KG will take appropriate measures to maintain confidentiality and will make every effort to keep your identity secret. In the course of processing a report or in the course of an internal or official investigation in connection with your report, it may be necessary to pass on personal data to other bodies. This includes other bodies within the SSI SCHAEFER Group, e.g. if the report relates to processes in subsidiaries, but also investigating authorities and courts or external consultants such as lawyers. The recipients may also be based in countries outside the European Union or the European Economic Area, in which different regulations for the protection of personal data may exist. In such a case, SSI SCHÄFER GMBH & CO KG will ensure that the legally required safeguards for the protection of your personal data are met before your personal data is disclosed.
Informing the accused person and others affected by the investigation
We are generally required by law to inform the accused person and others affected by the investigation that we have received a report about them as soon as this information no longer jeopardizes the follow-up of the report. We will attempt to protect your identity as a whistleblower- to the extent permitted by law. Nevertheless, it is our duty to inform you that we may be legally obligated to disclose your identity to the suspect or others affected by the investigation.
Data subject rights
In accordance with and within the framework of the EU-GDPR and national data protection law, you have the right to information, correction, deletion and restriction of processing as well as the right to data portability. In addition, you have the right to lodge a complaint with a supervisory authority, e.g. the State Commissioner for Data Protection and Information Security of North Rhine-Westphalia as the competent data protection authority for SSI SCHÄFER GMBH & CO KG.
Insofar as we process your data on the basis of our legitimate interest pursuant to Article 6 (1) (f) EU-GDPR, you have the right to object to the processing of your personal data in accordance with and within the scope of the EU-GDPR and national data protection law for reasons arising from your particular situation.
If the right to object is exercised, we will no longer process your personal data; unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
Insofar as you consent to the processing of your personal data, you have the right to revoke your consent to the processing of your personal data at any time with effect for the future.
Retention of personal data
Information will be retained for as long as is necessary for processing and investigating the information, for as long as the company has a legitimate interest in doing so, or for as long as is required by law. Subsequently, reports are deleted or anonymized, i.e. the reference to your identity as a whistleblower and to the persons named in the report are permanently and irreversibly removed.
This means that your personal data will usually be deleted within two months after the investigation of the alleged facts has been completed, unless further legal proceedings or disciplinary measures are initiated against the suspect or you as a whistleblower in the case of knowingly false allegations, or further storage of the personal data is required to comply with legal retention obligations. Personal data relating to reports that turn out to be unfounded will be deleted immediately, subject to legal retention requirements.
Security measures
Personal data and information entered into the whistleblower system are stored in a database operated by EQS Group GmbH in a high-security computer center. Only SSI SCHÄFER GMBH & CO KG is allowed to view the data. EQS Group GmbH and other third parties have no access to the data. This is guaranteed in the certified procedure by comprehensive technical and organizational measures. All data is stored in encrypted form and with multi-level password protection, so that access is restricted to a very narrow circle of recipients of expressly authorized persons at SSI SCHÄFER GMBH & CO KG.
Communication between your computer and the whistleblower system takes place via an encrypted connection (SSL). The IP address of your computer is not stored during the use of the whistleblower portal. To maintain the connection between your computer and the BKMS® system, a cookie is stored on your computer that only contains the session ID (so-called zero cookie). The cookie is only valid until the end of your session and becomes invalid when you close your browser.
You have the option of setting up a protected mailbox in the whistleblower system with a pseudonym/username and password of your own choice. In this way, you can send a secure report to the responsible person from the Group Compliance team, either by name or anonymously. With this system, the data is stored exclusively in the whistleblower system and is therefore particularly secure; it is not an ordinary e-mail communication.
Notes on sending attachments
When submitting a notice or sending an addendum, you have the option of sending attachments to the responsible person from the Group Compliance team. If you wish to submit a report anonymously, please note the following security advice: Files may contain hidden personal data that could jeopardize your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure, copy the text of your attachment to your report text or send the printed document anonymously to the address listed in the footer using the reference number you receive at the end of the reporting process.