BKMS® Whistleblower portal privacy policy
A. Your personal data with Berenberg
1. Who is responsible for processing my personal data and whom can I contact?
Joh. Berenberg, Gossler & Co. KG (hereinafter »Berenberg«)
Neuer Jungfernstieg 20
20354 Hamburg
Phone: +49 40 350 60-0
Fax: +49 40 350 60-900
E-Mail: info@berenberg.de
You can contact our company data protection officer at:
Joh. Berenberg, Gossler & Co. KG
Data Protection Officer
Neuer Jungfernstieg 20
20354 Hamburg
Phone: +49 40 350 60-7950
E-Mail: datenschutz@berenberg.de
2. To whom is this privacy policy addressed?
To the users of the BKMS® whistleblowing system provided by Berenberg (https://www.bkms-system.net/BERENBERG) as well as potentially implicated persons.
BKMS® is a whistleblower system in accordance with Directive (EU) 2019/1937 and the Act for Better Protection of Whistleblowers (Whistleblower Protection Act - HinSchG) as well as for complaints and reports under the Act on Corporate Due Diligence to Prevent Human Rights Violations in Supply Chains (Supply Chain Due Diligence Act - LkSG).
3. What data is collected and processed?
The following data may be collected and processed via the BKMS® system:
- IP address (the IP address is not stored for the purpose of reporting notices; it is only used for technical reasons to display the website)
- Country (country selection is based on the content, which may differ depending on the country)
- Language version of the website
- Name of the whistleblower (voluntary information)
- Content of the notice (the notice – including any attachments – may contain further personal data)
- Materials collected in connection with the review of the notice
- Responses to the notice, if the whistleblower uses the protected mailbox
The data is transmitted to the server via an encrypted connection (SSL). The IP address of the computer is not stored during use of the whistleblowing system. In order to maintain the connection between the computer and the BKMS® system, a cookie is stored on the whistleblower's computer which is necessary for technical purposes, containing the session ID (so-called session cookie) only. The cookie is only valid until the end of your session and becomes invalid when the browser is closed.
It is possible to set up a protected mailbox in the whistleblower system with a pseudonym/username and password of your choice. In this way, reports can be securely sent to Berenberg by name or anonymously. In this system, the data is stored exclusively in the whistleblower system and is therefore particularly secure; it is not a normal e-mail communication.
When submitting a report or amending a report, you can also send attachments to the responsible employee. If you wish to submit an anonymous report, please note the following security advice: files may contain hidden personal data that could jeopardize your anonymity. Therefore, please delete or redact this data before submitting. If you are unable to delete such data or do not know exactly how to do so, copy the text of your attachment into the text of your report or send the printed document anonymously to the address given in the footer, stating the reference number that you will receive after completing the reporting procedure.
4. Why do we process your data? (Purpose and legal basis of the whistleblower system)
The purpose of the BKMS® whistleblower system is to receive, process and manage reports of violations in a secure and confidential manner.
The legal basis for processing by Berenberg is Art. 6 (1)(c) GDPR in conjunction with
- Section 10 HinSchG for information under the Whistleblower Protection Act and
- Section 8 LkSG for complaints and information under the Act on Corporate Due Diligence Obligations in Supply Chains.
5. Who receives your data?
- Incoming information is received, reviewed and, if necessary, used for further case-related clarification of the facts by a narrow circle of expressly authorised, specially trained employees at Berenberg who are required to maintain confidentiality.
- As part of the processing of a report or a special investigation, it may be necessary to disclose reports to other Berenberg employees and external service providers (in particular mandated lawyers and forensic experts). In addition, it may be necessary for Berenberg to submit reports to investigative and supervisory authorities in order to fulfill its statutory auditing and reporting obligations.
- Insofar as Berenberg is legally required to do so, Berenberg will inform the accused persons in accordance with the legal requirements that a report has been made about them. In accordance with §§ 8, 9 HinSchG, your identity as a whistleblower will not be disclosed.
6. How long will your data be stored?
Your data will be stored for as long as is necessary to clarify the situation and carry out an assessment. This data will be deleted in accordance with legal requirements after processing has been completed. The legal requirements result from:
- Section 11 HinSchG for reports under the Whistleblower Protection Act: at least three years after completion of the procedure and
- Section 10 LkSG for complaints and information under the Supply Chain Due Diligence Act: at least seven years.
7. Is data transferred to a third country or an international organisation?
The whistleblower system is operated by our specialised processor, EQS AG, Karlstraße 47, 80333 Munich, Germany. If EQS AG uses other service providers, it is obligated to ensure compliance with the requirements of the GDPR in this respect; this also applies to the transfer of personal data to third countries.
Personal data entered in the whistleblower system is stored in a database operated by EQS Group GmbH in a data centre. Only Berenberg has access to the data. The data is stored in encrypted form so that EQS Group GmbH and other third parties cannot access the data. All data is encrypted and stored with multi-level password protection, so that access is limited to an extremely small group of expressly authorised persons at Berenberg and is only passed on within Berenberg in the context of processing reports.
When processing a report or a special investigation, it may also be necessary to disclose reports to employees of other Group companies, e.g. if the report relates to incidents in subsidiaries. The latter may be based in countries outside of the European Union or the European Economic Area with different regulations on the protection of personal data. We always ensure that the applicable data protection regulations are complied with when forwarding reports.
8. What data protection rights do you have?
Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. With regard to the right of access and the right to erasure, the restrictions apply in accordance with the provisions of the GDPR (including but not limited to Art. 14 (5) GDPR) and the provisions of the BDSG (German Federal Data Protection Act).
In addition, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR, Section 19 BDSG).
9. Is there an obligation for you to provide the data?
The whistleblower system is used on a voluntary basis.
10. To what extent is there automated decision-making in individual cases?
There is no automated decision-making.
11. To what extent is your data used for profiling (scoring)?
There is no profiling (scoring).