Privacy Notice
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (EU-GDPR) as well as applicable national data protection regulations. In the following, we explain what information and, if applicable, personal data we process when you submit a report. Please read this privacy notice carefully before submitting a report.
Who is responsible?
This Privacy Notice applies for the data processing carried out by:
Deutsche Post AG
Global Compliance Office
Charles-de-Gaulle-Straße 20
53250 Bonn
Germany
gco@dpdhl.com
If you have queries with regard to the processing of your personal data, please contact the Data Protection Officer:
Deutsche Post AG
Global Data Protection
53250 Bonn
Germany
datenschutz@dpdhl.com
What personal data are processed?
Deutsche Post AG maintains an Incident Reporting System for the DPDHL (Deutsche Post AG and its group companies). Use of the Incident Reporting System takes place on a voluntary basis. If you submit a report via the Incident Reporting System, we collect the following personal data and information:
- your name, if you choose to reveal your identity,
- whether you are employed at DPDHL, and
- the names of persons and other personal data of persons that you name in your report.
In the event you submit a report via telephone, your voice will be recorded. At the beginning of each telephone call, you will also be requested to give consent that your spoken word will be recorded as a sound file. Also, for this form of submitted reports, the above listed types of personal data are collected through transcribing.
Why do we collect personal data and what is the legal basis?
The Incident Reporting System (BKMS® System) serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations of the compliance rules of DPDHL. It is particularly intended to receive reports on violations against law or the DPDHL Code of Conduct and therein mentioned further policies, guidelines and regulations such as the DPDHL Human Rights Policy Statement or DPDHL Anti-Corruption and Business Ethics Policy. We only process your data for specific purposes and where we have a legal basis to do so. If you wish to report data breaches or make other data protection notifications, please follow DPDHL’s internal process for reporting data breaches or contact your Data Protection Official or Data Protection Officer. You can find the contact details here.
Visiting our website
The BKMS® System is designed to guarantee anonymity of its users in accordance with the EU Whistleblowing directive. Data which is required to establish the communication between your computer and the Incident Reporting System, such as IP addresses, will not be stored on the BKMS® System and will only be used on infrastructure level for the duration of a session. Furthermore, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser. The cookie only contains the session ID name JSESSIONID with a randomly generated value which is required to create the session (no further information that could lead to an identification of the whistleblower). The creation of sessions is widely used and best practice in a client-server architecture. If you log out or if the timeout limit is reached, the cookie becomes invalid, and the session is invalidated (closed). This is done by setting the session value in the cookie itself to "zero" (an undefined state). At this point the session can no longer be opened again. For the mentioned purposes we have a legitimate interest in processing your data, which is based on Art 6 (1) f) GDPR.
Anonymous or personal report submission
Regardless of which communication channel you use, you can submit your report anonymously or on a personal basis. Should you deliberately choose to do so or deliberately reveal your identity, we would like to inform you that we will keep your identity confidential during all internal or extrajudicial steps of the procedure. Please be informed that, as a basic principle, we are bound by law to inform the accused persons that we have received a report concerning them, unless this threatens further investigations into the report. In doing so, your identity as whistleblower is not revealed as far as is legally possible. For reports that are not submitted anonymously, statutory claims for information by those affected by a report can result in the obligation to disclose the identity of the reporter. If you consciously and intentionally decide to disclose your identity in the context of the report, the data processing is based on your consent pursuant to Art. 6 (1) a) GDPR. You can revoke your consent, but only up to one month after the notification.
Report submission via the web based BKMS® System, secured postbox or other communication channels
The processing of personal data in the Incident Reporting System via BKMS® System, the secured postbox or other communication channels is based on the legitimate interests of our company to detect and prevent misconduct and thus avoid damage to DPDHL, its employees and customers. Article 6 (1) f) GDPR serves as legal basis for this data processing via the available communication channels.
It is possible to set up a secured postbox within BKMS® System that is secured with an individually chosen pseudonym/user name and password. In order to achieve the utmost level of anonymity, you have to choose a pseudonym that does not allow conclusions to be drawn about your identity. This allows you to send supplements to your report and to communicate on the reported matter with the responsible employee at DPDHL. You can also choose to remain identifiable by name. The secured postbox system only stores data inside the Incident Reporting System, which makes it particularly secure. It is not a form of regular e-mail communication. Personal data will be deleted from the secured postbox according to the general deletion concept described in the section “How long do we keep personal data?”. Following closure of a reported matter the secured postbox will be entirely deleted after 180 days without usage.
When submitting a report or an addition, you can simultaneously supplement the information with attachments. If you wish to submit an anonymous report, please take note of the following security advice: Files can contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the initial reporting process. It is also possible to submit reports via other channels (e.g., letter, email, etc.). Such reports will be manually transferred into the BKMS® System for further processing.
Report submission via telephone
Your anonymity will also be protected by the BKMS® System when you submit your report via telephone. Neither DPDHL nor EQS Group will have access to your telephone number and will not identify you by your voice. Your description of the incident will be recorded in the BKMS® System. We would like to point out that the report submission via telephone only works if you have consented to the recording of your spoken word. Afterwards, the encrypted sound file is transcribed by the responsible DPDHL employee. The legal basis to record and transcribe your report submission is based on your consent according to Art 6 (1) a) GDPR. The report submission via telephone is voluntary. You are invited to submit your report via the other offered communication channels, if you do not wish to be recorded. The sound file will be deleted immediately after the processing of your report has been finished.
If you have set up a secured postbox at the end of the report submission by telephone, you can receive feedback in the form of a voice recording by the responsible employee of DPDHL, and you can add information to your report, if necessary. Alternatively, you can access your secured postbox via the web application, review feedback, and make additions in written form. To protect the confidentiality of your report or addition, you can neither listen to it on your telephone nor in the web-based secured postbox.
How long do we keep personal data?
Personal data is retained for as long as necessary to clarify the situation and perform an evaluation of the report, or for as long as another legitimate interest of the company exists or retention is required by law. After the report processing is concluded, this data is deleted in accordance with the statutory requirements. If the reported concern is considered unfounded and does not lead to an investigation, we will promptly delete the personal information we received from that report. If an investigation is launched, the personal information will be deleted within two months following close of the investigation, unless a longer retention period is necessary to complete other procedures, in particular disciplinary or legal action, or otherwise permitted by local law.
How do we secure personal data?
Communication between your computer and the Incident Reporting System takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the reporting system.
Will personal data be passed on?
Incoming reports are received by a small selection of expressly authorized and specially trained employees of the Compliance or the Human Resources functions of DPDHL and are always handled confidentially. The aforementioned employees of the Compliance or the Human Resources functions of DPDHL will evaluate the matter and perform any further investigation required by the specific case. During the processing of a report or the conduct of a special investigation, it may become necessary to share reports with additional employees of DPDHL, e.g., if the reports refer to incidents in subsidiaries or require additional expertise. Employees of DPDHL may be based in countries outside the European Union or the European Economic Area with different regulations concerning the privacy of personal data. We always ensure that the applicable data protection regulations are complied with when sharing reports. All persons who receive access to the data are obligated to maintain confidentiality.
The transfer of the reports to the mentioned employees of other group companies is made only for the purpose of uncovering unlawful conduct or violations of the DPDHL Code of Conduct and therein mentioned further policies, guidelines, and regulations. The transfer of the reports is necessary to protect the legitimate interests of Deutsche Post AG and the group companies affected by the report to comply with the legal and internal company policies. Art 6 (1) f) GDPR serves as the legal basis.
Unless required by applicable law, your personal data will not be revealed to any external parties. If required by applicable law, information on the identity of the reporting employee may need to be disclosed to the relevant authorities involved in an investigation or subsequent judicial proceedings.
External service providers that process data on our behalf are contractually obliged to maintain strict confidentiality as per Art 28 GDPR. The service providers follow our instructions which are guaranteed by technical and organizational measures, as well as by means of checks and controls.
Your data is only transferred outside the European Economic Area (EEA) to other DPDHL companies, external service providers or public authorities when permitted by applicable data protection law. In such cases, we will make sure that appropriate safeguards are in place to ensure the transfer of your data (e.g., our binding corporate rules, standard contractual clauses).
The DPDHL Data Privacy Policy regulates our group-wide standards for the processing of your data.
What rights do you and other data subjects have?
According to European data protection law, you and the persons named in the report have the following rights:
- Right to access information: You can request information about your personal data processed.
- Right of rectification: You have the right to request a correction of any inaccurate data about yourself.
- Right to object: You have the right to object to processing.
- Right to withdraw your consent: You have the right to withdraw your consent.
- Right to data portability: You have the right to port your data to another company.
- Right to erasure/be forgotten: You have the right, in certain circumstances, to request a deletion of your data.
- Right to restrict processing: You have the right to request a limitation in the way your data is used.
- Right related to automated decision-making including profiling: You have the right to request a review of automated processing. At this moment no automated decision making takes place.
- Right to lodge a complaint: You have the right to lodge a complaint with the competent data protection supervisory authority.
If the right of objection is claimed for data processing based on our legitimate interests, we will immediately examine whether your objection is effective. If this is the case, we will no longer process the data.
You can direct your request based on the above rights or any other questions about this Privacy Notice to the contact details mentioned above.
Changes to this Privacy Notice
We reserve the right to change this Privacy Notice from time to time according to the changes in our services, the processing of your data or in the applicable law. We therefore recommend visiting our Privacy Notice periodically.
Status: 01.10.2021