Privacy Policy
SERB takes legal compliance and ethics very seriously.
Purpose of the whistleblowing system
The whistleblowing system (BKMS® System) serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations of applicable laws or internal rules of the SERB Group.
The SERB Group comprises SERB (8 avenue Beaumont, L-219 Luxembourg, Luxembourg), STARK INTERNATIONAL LUX (8 avenue Beaumont, L-219 Luxembourg, Luxembourg), SERB HOLDING FRANCE (40 avenue George V, 75008 Paris, France) and the other SERB entities as listed here: https://serb.eu/#our-presence (hereafter also: “SERB”).
The whistleblowing system is open to all current or former, permanent or temporary employees of SERB (“employees”), SERB's customers, suppliers, consultant, as well as third parties contractually linked to any SERB entity (all together referred to as a “Whistleblower”), to the extent the report is provided in good faith.
Good faith on the part of a Whistleblower means a lack of malice, willingness to harm and any absence of a counterpart or compensation of any kind. Hence, the Whistleblower must have reasonable grounds to believe in the truthfulness of the statements reported in his/her report.
It is therefore important to remember that any abusive or bad faith use of the whistleblowing system may expose its author to civil and/or criminal prosecution.
Thus, any Whistleblower who acts in good faith, in a disinterested manner and who has personally had knowledge or personally observed:
- A fact which he considers to constitute:
- A crime or a misdemeanour,
- A serious and manifest violation of an international commitment regularly ratified or approved by a country in which SERB operates,
- A serious and manifest violation of a unilateral act of an international organization formulated on the basis of an international commitment regularly ratified,
- A serious and manifest violation of the law or regulation,
- A threat or serious prejudice to the public interest,
- The existence of conducts or situations contrary to the Code of Conduct (available at www.serb.eu) that may notably constitute corruption or influence peddling
May bring this information to the SERB's attention by filing a report in the BKMS® System.
The report may not, however, relate to matters covered by national defence secrecy, medical secrecy or the secrecy of relations between a lawyer and his client.
No disciplinary action or discriminatory measures shall be taken against a Whistleblower who has reported a fact, even if the reported facts prove to be unfounded or does not give rise to any consequences, provided that the Whistleblower acted in good faith.
Please note that the whistleblowing system is only one of the means available to report the abovementioned facts. In particular, you can reach our Chief Compliance Officer at:
- Serb
- Chief compliance Officer (Confidential)
- 8 rue Beaumont
- RCS: B180.885
- L-1219 Luxembourg
- dpo@serb.eu
No action shall be taken against an employee who did not use the whistleblowing system while reporting.
Report examination and follow-up
Personal data and information entered into the whistleblowing system are stored in a database operated by EQS Group GmbH in a high-security data centre. Only SERB has access to the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at SERB.
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the Compliance department of SERB specifically created to handle and process such reports within the group, involving the Chief Compliance Officer, the Senior Legal Counsel, and the General Secretary. The employees of the Compliance department of SERB will evaluate the matter and perform any further investigation required by the specific case.
In case the Whistleblower provided its contact details on the BKMS® System, the Chief Compliance Officer will inform the Whistleblower of the receipt of the report by means of a response within a maximum of 10 calendar days, and will indicate the foreseeable reasonable period of time required to examine the admissibility of the report and in which he will be informed of the action taken on the report.
Any person implicated in the whistleblowing system (the “concerned person”) will be informed of the acts attributed to him or her under the conditions set out below, notably in order to be able to make use of his rights, including the rights of defence.
The Chief Compliance Officer will meet the concerned person at a place and under conditions that guarantee maximum discretion. The latter will then be invited to hand over any useful documents. Minutes of the meeting will be drawn up in which the Chief Compliance Officer will decide:
- Not to process the report, or
- To follow up the report by initiating all necessary legal proceedings through the Director General.
Alternatively, this information of the concerned person may be provided electronically or by regular mail.
During the processing of a report or an investigation, it may be necessary to give access to all or some of the data in the platform BKMS® System to employees specifically authorised by the Chief Compliance Officer, and if necessary outside of the European Union or the European Economic Area. Such data transfer will be handled pursuant to Article 45 to 50 of the EU-GDPR.
Notwithstanding the above, the Chief Compliance Officer may decide, if he has reliable and materially verifiable information at his disposal, to take precautionary measures, in particular to prevent the destruction of evidence relating to the alert before informing the concerned person.
It is recalled that any concerned person is presumed innocent until the allegations against him/her are established.
The Chief Compliance Officer will inform the Whistleblower of his decision via the BKMS® System, ensuring the strictest confidentiality. To the extent that the Whistleblower wishes to contest the decision not to follow up on the report, it will be his responsibility to refer the matter to the Chief Executive Officer.
The concerned persons will not be informed of the name of the Whistleblower.
Confidential handling of reports
Anonymous reports are to be avoided and will only be dealt with exceptionally if the seriousness of the facts mentioned is established and the factual elements are sufficiently detailed. If the Whistleblower making the report indicates his/her wish to remain anonymous, he/she should be aware that a special procedure and additional precautions apply to the examination of any anonymous report and that this may have consequences for the complaint or the alleged offence, which may therefore not be fully investigated.
Incoming reports are always handled confidentially by the Compliance department of SERB.
Within the framework of processing of a report or the conduction of a special investigation, it may become necessary to share reports with additional employees of SERB, e.g. if the reports refer to incidents in subsidiaries. The latter may be based in countries outside the European Union or the European Economic Area with different regulations concerning the privacy of personal data. We always ensure that appropriate safeguards are entered into in compliance with the GDPR where required, and that the applicable data privacy regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
Use of the whistleblowing system
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the whistleblowing system that is secured with an individually chosen pseudonym/ user name and password. This allows you to send reports to the responsible employee at SERB either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible employee of SERB.
Please keep in mind that the information that you are reporting or that is mentioned in your attachments must remain factual and directly linked with the object of the report.
Data protection
If you submit a report via the whistleblowing system, we collect the following personal data and information:
- Your name, if you choose to reveal your identity,
- Whether you are employed at SERB, and
- The names of persons and other personal data of persons that you name in your report or that are mentioned in your attachments.
In the course of the report examination, we only process personal data that are relevant and necessary in view of the investigation and processing of the report purposes, i.e.:
- Your identity, function and contact details;
- The identity, function and contact details of the concerned person;
- The identity, function and contact details of the persons involved in the collection or processing of the report;
- The facts reported,
- The information gathered in the course of the investigation;
- The results of the investigation and
- The action to be taken as a result of the investigation.
The processing activities of personal data for the purposes herein are based on the legitimate interests of our company to detect and prevent misconduct in violation of applicable laws and of our internal rules and thus avoid damage to SERB, its employees, suppliers, customers. Article 6 (1) (f) EU-GDPR serves as legal basis for this data processing.
Personal data is retained for as long as necessary to clarify the situation and perform an evaluation of the report or a legitimate interest of the company exists, or it is required by law.
- Any reported data that is deemed to fall outside the scope of this whistleblowing system is erased or anonymised without delay.
- Where a report does not give rise to any consequence from SERB, reported data are erased or anonymised within 2 months as from the closure of the verification and investigation operations.
- Where a report triggers disciplinary or judicial proceedings against a concerned person or the Whistleblower for abusive reporting and gives rise to a decision, the personal data are retained until the end of the limitation period of potential recourses against such decision.
After the report processing is concluded, this data is deleted in accordance with the statutory requirements.
Where personal data is transferred to SERB entities that are located outside the European Economic Area, we always ensure that appropriate safeguards are entered into in compliance with the GDPR where required, and that the applicable data privacy regulations are complied with when sharing reports. According to the EU-GDPR, the Whistleblower and the concerned persons named in the report have the right of access, rectification, erasure, limitation, and a right of objection to the processing activities. The Whistleblower and the concerned persons also have the right in France to define instructions about what will happen to their data after their death.
The Whistleblower and the concerned persons also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, of their workplace or of the place where the alleged infringement occurred, if they consider that the processing of their personal data violates applicable data protection law.
Version: April 2020