During the use of BKMS® System, a text file (called a “session cookie”) is saved on your computer containing only the number of your session. This is necessary for technical reasons in order to establish the connection to a security-certified server. The “session cookie” does no damage to your computer, it does not access your data and has no relation to the contents of your report. If you close all browser windows after submitting your report, the “session cookie” will expire and be automatically deleted.
Dear whistleblower,
We would like to inform you that our whistleblowing system is now accessible via the following link:
RCS: B180.885
8 rue Beaumont
L-1219 Luxembourg
Phone: +33 (0) 1 73 03 20 00
Email: dpo@serb.eu
SERB takes legal compliance and ethics very seriously.
The whistleblowing system (BKMS® System) serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations of applicable laws or internal rules of the SERB Group.
The SERB Group comprises SERB (8 avenue Beaumont, L-219 Luxembourg, Luxembourg), STARK INTERNATIONAL LUX (8 avenue Beaumont, L-219 Luxembourg, Luxembourg), SERB HOLDING FRANCE (40 avenue George V, 75008 Paris, France) and the other SERB entities as listed here: https://serb.eu/#our-presence (hereafter also: “SERB”).
The whistleblowing system is open to all current or former, permanent or temporary employees of SERB (“employees”), SERB's customers, suppliers, consultant, as well as third parties contractually linked to any SERB entity (all together referred to as a “Whistleblower”), to the extent the report is provided in good faith.
Good faith on the part of a Whistleblower means a lack of malice, willingness to harm and any absence of a counterpart or compensation of any kind. Hence, the Whistleblower must have reasonable grounds to believe in the truthfulness of the statements reported in his/her report.
It is therefore important to remember that any abusive or bad faith use of the whistleblowing system may expose its author to civil and/or criminal prosecution.
Thus, any Whistleblower who acts in good faith, in a disinterested manner and who has personally had knowledge or personally observed:
May bring this information to the SERB's attention by filing a report in the BKMS® System.
The report may not, however, relate to matters covered by national defence secrecy, medical secrecy or the secrecy of relations between a lawyer and his client.
No disciplinary action or discriminatory measures shall be taken against a Whistleblower who has reported a fact, even if the reported facts prove to be unfounded or does not give rise to any consequences, provided that the Whistleblower acted in good faith.
Please note that the whistleblowing system is only one of the means available to report the abovementioned facts. In particular, you can reach our Chief Compliance Officer at:
No action shall be taken against an employee who did not use the whistleblowing system while reporting.
Personal data and information entered into the whistleblowing system are stored in a database operated by EQS Group GmbH in a high-security data centre. Only SERB has access to the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at SERB.
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the Compliance department of SERB specifically created to handle and process such reports within the group, involving the Chief Compliance Officer, the Senior Legal Counsel, and the General Secretary. The employees of the Compliance department of SERB will evaluate the matter and perform any further investigation required by the specific case.
In case the Whistleblower provided its contact details on the BKMS® System, the Chief Compliance Officer will inform the Whistleblower of the receipt of the report by means of a response within a maximum of 10 calendar days, and will indicate the foreseeable reasonable period of time required to examine the admissibility of the report and in which he will be informed of the action taken on the report.
Any person implicated in the whistleblowing system (the “concerned person”) will be informed of the acts attributed to him or her under the conditions set out below, notably in order to be able to make use of his rights, including the rights of defence.
The Chief Compliance Officer will meet the concerned person at a place and under conditions that guarantee maximum discretion. The latter will then be invited to hand over any useful documents. Minutes of the meeting will be drawn up in which the Chief Compliance Officer will decide:
Alternatively, this information of the concerned person may be provided electronically or by regular mail.
During the processing of a report or an investigation, it may be necessary to give access to all or some of the data in the platform BKMS® System to employees specifically authorised by the Chief Compliance Officer, and if necessary outside of the European Union or the European Economic Area. Such data transfer will be handled pursuant to Article 45 to 50 of the EU-GDPR.
Notwithstanding the above, the Chief Compliance Officer may decide, if he has reliable and materially verifiable information at his disposal, to take precautionary measures, in particular to prevent the destruction of evidence relating to the alert before informing the concerned person.
It is recalled that any concerned person is presumed innocent until the allegations against him/her are established.
The Chief Compliance Officer will inform the Whistleblower of his decision via the BKMS® System, ensuring the strictest confidentiality. To the extent that the Whistleblower wishes to contest the decision not to follow up on the report, it will be his responsibility to refer the matter to the Chief Executive Officer.
The concerned persons will not be informed of the name of the Whistleblower.
Anonymous reports are to be avoided and will only be dealt with exceptionally if the seriousness of the facts mentioned is established and the factual elements are sufficiently detailed. If the Whistleblower making the report indicates his/her wish to remain anonymous, he/she should be aware that a special procedure and additional precautions apply to the examination of any anonymous report and that this may have consequences for the complaint or the alleged offence, which may therefore not be fully investigated.
Incoming reports are always handled confidentially by the Compliance department of SERB.
Within the framework of processing of a report or the conduction of a special investigation, it may become necessary to share reports with additional employees of SERB, e.g. if the reports refer to incidents in subsidiaries. The latter may be based in countries outside the European Union or the European Economic Area with different regulations concerning the privacy of personal data. We always ensure that appropriate safeguards are entered into in compliance with the GDPR where required, and that the applicable data privacy regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the whistleblowing system that is secured with an individually chosen pseudonym/ user name and password. This allows you to send reports to the responsible employee at SERB either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular e-mail communication.
When submitting a report or an addition, you can simultaneously send attachments to the responsible employee of SERB.
Please keep in mind that the information that you are reporting or that is mentioned in your attachments must remain factual and directly linked with the object of the report.
If you submit a report via the whistleblowing system, we collect the following personal data and information:
In the course of the report examination, we only process personal data that are relevant and necessary in view of the investigation and processing of the report purposes, i.e.:
The processing activities of personal data for the purposes herein are based on the legitimate interests of our company to detect and prevent misconduct in violation of applicable laws and of our internal rules and thus avoid damage to SERB, its employees, suppliers, customers. Article 6 (1) (f) EU-GDPR serves as legal basis for this data processing.
Personal data is retained for as long as necessary to clarify the situation and perform an evaluation of the report or a legitimate interest of the company exists, or it is required by law.
After the report processing is concluded, this data is deleted in accordance with the statutory requirements.
Where personal data is transferred to SERB entities that are located outside the European Economic Area, we always ensure that appropriate safeguards are entered into in compliance with the GDPR where required, and that the applicable data privacy regulations are complied with when sharing reports. According to the EU-GDPR, the Whistleblower and the concerned persons named in the report have the right of access, rectification, erasure, limitation, and a right of objection to the processing activities. The Whistleblower and the concerned persons also have the right in France to define instructions about what will happen to their data after their death.
The Whistleblower and the concerned persons also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, of their workplace or of the place where the alleged infringement occurred, if they consider that the processing of their personal data violates applicable data protection law.
Version: April 2020
SERB (8 avenue Beaumont, L-219 Luxembourg, Luxembourg), STARK INTERNATIONAL LUX (8 avenue Beaumont, L-219 Luxembourg, Luxembourg), SERB HOLDING FRANCE (40 avenue George V, 75008 Paris, France) and the other SERB entities as listed at https://serb.eu/#our-presence (“SERB”, “us”, “our”), act as joint controllers for the processing of your personal data for the purpose of securely and confidentially receiving, processing and managing reports regarding violations of applicable laws or internal rules of SERB.
Your data is processed on the basis of SERB's legitimate interest to detect and prevent misconduct in violation of applicable laws and of SERB internal rules and thus avoid damage to SERB, its employees, its suppliers or its customers.
In this context, SERB complies with the French legislation (the Informatique et Libertés law n°78-17) and the European legislation (the General Data Protection Regulation n°2016-679 or “GDPR”). In particular, SERB takes appropriate technical and organizational measures to ensure a level of security which is appropriate in view of the risks associated with your personal data.
Such data is collected directly from you via the form you fill, the report you make and the documents that you attach to your report.
You are not required to fill the identification fields when filing your report. If you would like to remain anonymous, please make sure that the documents attached to the report do not contain any hidden personal data. Please note that anonymous reports are subject to a special procedure and to additional precautions. In particular, anonymous reports will only be dealt with and processed through the system if the seriousness of the facts mentioned is established and the factual elements are sufficiently detailed.
Your data is kept for the time necessary for the purposes mentioned above:
Your personal data can only be accessed by the sole members of the Compliance department of SERB specifically created to handle and process the reports within the group. Where the report concerns another entity of the group, your personal data can be communicated to duly habilitated employees of such entity.
Where personal data is transferred to SERB entities that are located outside the European Economic Area, we always ensure that appropriate safeguards are entered into in compliance with the GDPR where required, and that the applicable data privacy regulations are complied with when sharing reports.
We may also be required to share your personal data with government and administrative entities authorized to access or to obtain your personal data in compliance with applicable legislation, and to competent courts and tribunals in the event of a litigation.
You have the right to access, rectify and delete your personal data, the right to object to or limit the processing of your personal data, the right to the portability of personal data and the right to define directives concerning the use of your personal data after your death. You can perform your rights at any time by sending an email to our DPO at dpo@serb.eu.
You have the right to introduce a complaint with the competent supervisory authority: Commission nationale de l'informatique et des libertés - 3 Place de Fontenoy - TSA 80715 - 75334 Paris CEDEX 07.