Privacy policy
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (GDPR) as well as current national data protection regulations. Please read this privacy policy carefully before submitting a report in our whistleblowing platform Tell us! (hereinafter “whistleblowing platform”).
With the whistleblowing platform, we offer the opportunity to report specific evidence of violations to statutory provisions or the Code of Conduct of the Lorenz Group.
1. Controller
The data controller for the whistleblowing platform is Lorenz Snack-World Holding GmbH, Adelheidstr. 4/5, 30171 Hannover, Germany (hereinafter “Lorenz”), which receives and processes reports for the group companies of the Lorenz Group as an independent and confidential reporting office.
For the sake of clarity, it is noted that the original responsibility for remedying and following up an identified violation always remains with the respective group company.
2. Contact details of the data protection organisation
The contact details for the data protection organisation of Lorenz are: datenschutz@lbsnacks.de
3. Purposes of the data processing
The whistleblowing platform serves for securely and confidentially receiving, processing and managing reports concerning violations of statutory provisions and the Code of Conduct of the Lorenz group.
The whistleblowing platform is administered by a specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin, Germany. This company may use personal data as a so-called processor only to fulfil the tasks it has assumed and is obligated to comply with the relevant data protection provisions.
The data entered in the whistleblowing platform is stored in a database operated by EQS Group GmbH in a high-security data centre in Germany. Only authorised persons at Lorenz can view the data. EQS Group GmbH and other third parties do not have access to the data stored in the whistleblowing platform. This is ensured in a certified procedure through extensive technical and organisational measures.
All data is stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at Lorenz.
4. Legal basis of the data processing
The legal basis for this processing of personal data is Article 6(1)(c) GDPR in conjunction with section 10 German Whistleblower Protection Act (HinSchG) or, for group companies in the Lorenz Group who are not subject to a statutory obligation to implement a whistleblowing platform, Article 6(1)(f) GDPR (legitimate interest). Our legitimate interest in this respect is the detection, cessation and prevention of illegal and irregular conduct at or against Lorenz group companies and the associated prevention of damage to our company, our employees, consumers, customers, service providers and suppliers.
If, in individual cases, we need to obtain your express consent for the processing of information, e.g. pursuant to Section 9(3) HinSchG, then Article 6(1)(a) GDPR and Section 26(2) German Federal Data Protection Act (BDSG) are the relevant legal bases.
5. Type of personal data collected
Use of the whistleblowing platform is voluntary. If you submit a report via the whistleblowing platform, we collect the personal data submitted by you. This includes, but is not limited to,
- your name, if you choose to reveal your identity,
- whether or not you are employed by a Lorenz group company
- the names and other personal data of persons named by you in your report, if applicable.
6. Processing and confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained Tell us!-Officers at Lorenz and are always handled in confidence. Upon receipt of a report, the Tell us!-Officers of Lorenz initially evaluate if the matter requires an in-depth investigation and, if so, carry out any further investigation that may be required by the specific case.
7. Categories of recipients
Lorenz’s Tell us! officers may also involve external investigative specialists in the investigation, such as lawyers, auditors or forensic experts who are bound by contractual or legal confidentiality obligations by Lorenz to keep the information disclosed confidential.
Depending on how your report is processed, the following additional recipients may come into consideration if necessary in the course of processing, in the case of a corresponding legal obligation or in the context of the legitimate interest of Lorenz:
- Other group companies in the Lorenz Group;
- Criminal justice authorities.
Insofar as your report concerns a group company in the Lorenz Group based outside the European Union (EU) or the European Economic Area (EEA), we will always ensure that the relevant data protection provisions of the GDPR are adhered to when passing on personal data. In general, we only pass on reports containing personal data to our group companies based outside the EU/EEA if this is necessary for the assertion, exercise or defence of legal claims (Article 49(1)(e) GDPR) or if we have received your express consent to do so (Article 49(1)(a) GDPR). The latter applies in particular to the transmission of data that could reveal your identity as a whistleblower and which we are only permitted to transmit to our group companies in accordance with section 9(3) HinSchG if this is necessary for follow-up measures and you have previously consented to the transmission.
8. Informing the accused party
In accordance with the applicable data protection laws, we are generally obligated to inform accused parties of any reports received against them as soon as the disclosure of this information no longer jeopardises the investigation. In this context, we also ensure that your identity as a whistleblower is only disclosed if we are authorised to do so in individual cases in accordance with section 9 HinSchG.
9. Retention period of personal data
Personal data will be retained as long as necessary for investigating and resolving the relevant report including the remediation of any shortcomings discovered and the handling of any ensuing litigation. In this respect, we draw your attention to the fact that in accordance with section 11(5) HinSchG, we are obligated to retain documentation relating to the report in question for a period of three years. Once this period has expired, personal data will be erased unless we are obligated to retain the data for a longer period due to legal, official or contractual retention obligations.
10. Rights of the data subjects
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
- Right of access: You have the right to request information as to whether personal data concerning you is being processed; if this is the case, you have the right to access information about this personal data and to the information set out in detail in Article 15 GDPR.
- Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you and, if necessary, the completion of incomplete personal data without undue delay (Article 16 GDPR).
- Right to restriction of processing: You have the right to request a restriction of processing if one of the conditions listed in Article 18 GDPR applies, e.g. if you have objected to the processing, you may request that the objection be upheld for the duration of the investigation.
- Right to erasure: You have the right to request that personal data concerning you is erased without delay, provided that one of the reasons set out in detail in Article 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued and the statutory retention provisions do not prevent erasure.
- Right to data portability: Pursuant to Article 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, in order to be able to transfer it either yourself or, if technically feasible, via us to a third party.
- Right to object: You have the right to object to the processing of personal data concerning you at any time on grounds relating to your particular situation within the framework of the requirements of Article 21 GDPR.
- Right to withdraw consent: You have the right to withdraw consent given to us at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Rights regarding automated decisions: We do not use automated decisions in individual cases or profiling. If we do, we are required by law to make arrangements for you to influence the decision (Article 22 GDPR).
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes data protection provisions.
We draw your attention to the fact that the above rights of the data subject may be limited by EU law or applicable national law.
To exercise the above rights, please contact our data protection organisation at datenschutz@lbsnacks.de.
11. Use of the whistleblowing system
Communication between your end device and the whistleblowing platform takes place via an encrypted connection (SSL). Your IP address is not stored during your use of the whistleblowing system. To maintain the connection between your end device and BKMS® Incident Reporting, a cookie is stored on your device that contains only the session ID (so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser.
You can set up a secured postbox within the whistleblowing platform with an individually chosen pseudonym/ user name and password. This allows you to send reports to the responsible Tell us!-Officers at Lorenz either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing platform, which makes it particularly secure. It is not a form of regular email communication.
12. Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible Tell us!-Officers of Lorenz. If you wish to submit an anonymous report, please take note of the following security advice:
Files may contain hidden personal data that could jeopardise your anonymity. Remove such data before sending anything. If you are unable to remove this data or are uncertain, copy the text of the attachment into your report text or send the printed document anonymously to the address of the report recipient (see below) with specification of the reference number that you receive at the end of the report process:
Lorenz Snack-World Holding GmbH
Tell us!-Officers
Adelheidstr. 4/5
D-30171 Hannover, Germany
Version: June 2023
