SPEAK UP LINE - DATA PRIVACY POLICY
It is Hapag-Lloyd’s1 stated policy to comply with internal and external rules and regulations such as Hapag-Lloyd's Global Code of Ethics (https://www.hapag-lloyd.com/en/company/responsibility/compliance/global-code-of-ethics.html), anti-bribery and corruption legislation, competition law, embargo and sanctions regulations. At Hapag-Lloyd we also recognize our responsibility to respect human rights and fulfil our social and environmental obligations and to prevent any kind of human rights violations both within our Group and along our supply chains.
Hapag-Lloyd encourages its employees, suppliers and affected persons in our supply chain to support this approach by reporting any actual or potential non-compliant, unethical or illegal behavior, to the Compliance department, or through the available whistleblowing channels.
Secure reporting channel available in eight languages
Our incident reporting platform Speak Up Line is a protected, secure, and independent reporting channel for employees, customers, consumers, suppliers, and other external stakeholders. The platform is based on BKMS® System technology, which has multiple data security certifications. It is available around the clock in all markets in which Hapag-Lloyd AG and its subsidiaries do business and its use is permitted under local law. Users can submit information on possible wrongdoing in eight languages, remaining anonymous wherever local law permits.
Additional (country-specific) information on the Speak up Line, as well as a description of the reporting process can be found directly on the Speak Up Line platform: https: //www.bkms-system.com/hapag-lloyd
Data Protection Notice
We take data protection and confidentiality very seriously and comply with the applicable national and European data protection provisions. The key aspects of our data storage policy are explained briefly below.
This page provides information about how we process reports submitted to the whistleblowing system and how we ensure they are handled confidentially.
Purpose of the data processing, legal basis, and confidential report handling
The purposes of the data processing are the handling and further investigation of the reports received through the reporting channels, as well as to take any actions that may be required in the light of it.
Every report received is taken seriously and is handled confidentially and in accordance with a standardized process and in accordance with the internal Whistleblower and Non-Retaliation Policy.
When investigating the report, it may be necessary to share reported information with other Hapag-Lloyd AG employees or employees of other Hapag-Lloyd group companies (e.g., if the reports relate to events at Hapag-Lloyd AG subsidiaries). Group companies may be based in countries outside the European Union or the European Economic Area that have different rules on protecting personal data. In this case, we ensure that the data is transferred in line with the applicable data protection regulations. Depending on the data's destination in the case in question, we agree standard data protection clauses, apply binding internal data protection rules, or transfer data only to companies that are located in countries for which the European Commission has issued an adequacy decision, or a Transfer Impact Assessment has been carried out. In addition, we always comply with the relevant data protection laws when processing reports.
We are permitted to process the personal data contained in the reports because we have a legitimate interest in investigating, sanctioning, and preventing misconduct within the company (Art. 6, para. 1f GDPR (General Data Protection Regulation), among other things) and because processing is necessary for compliance with our legal obligations (Art. 6, para. 1c GDPR, among other things) or to assert or defend legal claims.
A Whistleblower who reports in Good Faith will be protected against Retaliation in respect to a report which falls under the scope of internal Whistleblower and Non-Retaliation Policy and under existing law, even if the report afterwards is found to be unsubstantiated. Hapag-Lloyd may apply strict discipline where a Whistleblower abuses the Hapag-Lloyd reporting channels for intentional false allegations, or where a whistleblower intentionally manipulates or withholds facts or evidence.
Type of the collected personal data
Use of the reporting system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information:
- your name, if you choose to reveal your identity
- country in which accident occurred
- whether you are employed at Hapag-Lloyd, external employee, customer, vendor or other (optional)
- the names of persons and other personal data of persons that you name in your report
Using the whistleblowing system
Personal data and information entered into the reporting system are stored in a database operated by EQS Group in a high-security data centre. Only specially trained employees in Hapag-Lloyd have access to the data.
EQS Group and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a small selection of expressly authorised persons at Hapag-Lloyd.
Communication between your computer and the reporting system takes place over an encrypted connection (SSL (Secure Sockets Layer)). Your IP (Internet Protocol) address will not be stored during your use of the reporting system. To maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
However, please note that accessing the whistleblowing system may leave traces on your computer. If you use a company computer to access the system you should consider deleting the temporary data (cache) and your browser history afterwards. If your browser offers a "private mode" you should use this for preference, as it saves you having to make deletions manually.
You can also set up a secure postbox with a pseudonym/ username and password of your choice. This allows you to send reports to your Hapag-Lloyd AG case manager anonymously and safely. This system only stores data inside the reporting system, which makes it particularly secure. It is not a form of regular e-mail communication.
Sending attachments
You can also send attachments to Hapag-Lloyd’s reporting hotline when submitting reports or sending additional information. If you would like to submit your report anonymously, please note the following safety advice: Files may contain hidden personal information that could jeopardize your anonymity. Please remove all such information before sending any file. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address Compliance Department, Hapag-Lloyd Aktiengesellschaft, Ballindamm 25, 20095 Hamburg, citing the reference number received at the end of the reporting process and adding a remark “ANONYMOUS”
Notification of the person accused
As a matter of principle, we are bound by law to inform the person or persons accused that we have received a report on them, unless this endangers further investigations into the report. Your identity as whistleblower will not be revealed as far as is legally possible.
Your rights regarding processing of your personal data
Under German and any applicable European data protection law, you have the right to information and – where the relevant preconditions are met – to access, rectify or erase your personal data and to restrict its processing, as well as the right to data portability, where applicable. You can revoke your consent to your data being stored at any time for reasons relating to your specific situation. In this case, we will immediately examine the extent to which a report still has to be investigated. Your data will not be processed anymore unless this is compulsory and there are legitimate reasons for doing so.
In addition, you have the right to file a complaint with the supervisory authority responsible.
Storage duration
The case handling, follow-up and monitoring is documented in the case-management system by responsible case-handling department. Investigation files will be maintained in accordance with legally defined data retention requirements. After the case is closed, all related data will be immediately deleted or anonymized. If there is a strong indication that a case could be relevant in the future or new information could be added, report can be stored up to two years after reporting. After two years the data will be either deleted or anonymized. Whenever local laws or regulations have different requirements regarding the data retention, the local requirements must be followed.
Responsible departments and data security
The department responsible for the data protection within the whistleblowing system and acting as the data controller is Hapag-Lloyd AG, Compliance Department, Ballindamm 25, 20095 Hamburg, Germany. You can contact our data protection officer at the above-mentioned post address or via dataprotection@hlag.com.
The whistleblowing system is operated in Hapag-Lloyd AG´s name and on its behalf by a German company that specializes in this area, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin. In this capacity, it acts as a service provider on the instructions of the data controller within the meaning of the GDPR. The data in the whistleblowing system is stored using comprehensive technical and organizational measures. It is specially encrypted in such a way that EQS Group GmbH cannot view it and only specified persons at Hapag-Lloyd AG have access to it.
Version: 26.04.2023