Speak Up – Information about data protection and consent
Please read this policy carefully and contact us should you have any questions (datenschutzbeauftragter@boehringer-ingelheim.com). This portal is operated for Boehringer Ingelheim International GmbH1, Binger Strasse 173, 55216 Ingelheim am Rhein.
Technical protection of the whistleblower system:
Technical maintenance of the “Speak Up” whistleblower system is performed by EQS Group GmbH, an independent operator located in 10789 Berlin, Bayreuther Str. 35 (subsequently "EQS AG") acting as commissioned data processor for Boehringer Ingelheim International. The data is provided on protected servers of Telekom Deutschland GmbH in Germany. Only Boehringer Ingelheim is responsible for controlling and processing the content of the reports.
Personal data that is entered in the whistleblower system is stored in a database operated by EQS AG in Germany. All data is encrypted, password-protected and stored at a secure location so that access to the content of the data electronically stored in “Speak Up” is limited to a narrow circle of authorized persons in the Compliance function of the Boehringer Ingelheim group of companies. EQS AG cannot view the content of the data electronically stored in this database.
As long as you do not enter data which makes it possible to draw conclusions about your identity, this whistleblower system protects your anonymity automatically using a certified technical solution which is protected through numerous technical and organizational measures.
Processing and sharing your report within Boehringer Ingelheim:
Once your report has been received, the dedicated Case Examiner within the Compliance function creates a case in the case management system. The Case Examiner can add more information on the case in the system and can check whether a further investigation is required.
An investigation can be conducted by internal or external investigation specialists. External specialists such as attorneys, auditors or forensic experts whom we engage are bound to Boehringer Ingelheim by contractual or legal confidentiality and data protection / privacy obligations to keep confidential the information provided by you and comply with applicable data protection / privacy laws.
The information in your report may also be given to the management responsible within Boehringer Ingelheim group, which also has to correct the shortcomings and implement corrective measures that may have been discovered during processing of the report. More, information of your report might be shared in established local, regional or corporate Investigation Committees representing typically HR, Compliance, Internal Audit, Legal and Business functions. Management of the function where the incident occurred might also join respective committee meetings.
If the content of your report does not fall under any of the specific compliance categories, we will forward your report to the responsible Boehringer Ingelheim department provided we deem this to be necessary and appropriate.
Please let us know if you do not want us to share your personal data, particularly your name, with persons outside the Boehringer Ingelheim Compliance Department (unless this is necessary for safeguarding the legitimate interests of Boehringer Ingelheim).
Access of government agencies:
Boehringer Ingelheim may also be required by law to provide certain government agencies, including, without limitation, government investigative agencies or courts with information about compliance violations. If we are obligated to provide information, as well as in the event of confiscations, we are not able to withhold the information provided by you.
In some instances, Boehringer Ingelheim is not obligated to share personal data with government agencies, but has the legal right to do so voluntarily.
Please let us know if you do not want us to voluntarily share your personal data, including, without limitation, your name, with government agencies (unless this is necessary to safeguard the legitimate interests of Boehringer Ingelheim).
Sharing information with other countries:
Personal information that you may have provided in your report, might automatically be transferred (based on your report of the country where the incident occurred) to other EU/EEA countries or countries outside the EU/EEA where the confidential treatment of personal data is not guaranteed by law to the same extent as it is in Germany. This applies particularly to countries which are not considered to have an adequate level of data protection as provided for in the EU/EEA provisions. Within Boehringer Ingelheim group, however, an adequate level of data protection is guaranteed through binding internal data protection guidelines and the Boehringer Ingelheim Group Data Transfer Agreement, also in countries other than Germany and outside the EU/EEA.
Notification of affected parties:
It is frequently required by law that the persons about which a report on indications of a compliance violation has been received have to be notified and heard. In the course of the investigation, these persons will have the opportunity to present their view about the report.
Please let us know if you do not want us to give your name as the whistleblower. Please note that the person affected may have legal rights according to applicable data protection / privacy laws to information which may require us to disclose your name. Government agencies may also have similar rights to information or confiscation which will result in disclosure of your name. This may be the case in particular if the person affected claims that the information brought forward against him/her is knowingly or negligently untrue and decides to file charges.
Storing personal data:
The personal information you provided will be retained for 5 years after investigating and resolving the compliance report including the remediation of any shortcomings discovered and the handling of any ensuing litigation. Your personal data will be retained even longer if this is required due to legal, regulatory or contractual obligations to retain records or if it is permitted by law. Your personal data will be deleted as soon as this is required by law.
Consent and voluntary nature:
As you enter information into the whistleblowing system, the system will ask for your consent to the collection, processing and use of your personal data included in the information as described above. Please note that you can only proceed to the report form after you have clicked on the data processing consent box.
If you do not want Boehringer Ingelheim to collect, process and use your personal data as described in this policy, you may submit your report anonymously. The disclosure of your personal data is voluntary, as is the use of the whistleblower system.
We would, however, appreciate it, if you could give us your name. Many investigations can be conducted more quickly and efficiently if the name of the whistleblower is known, since the person handling the report can get in touch with the whistleblower directly to clarify any information in the report.
By using this whistleblower system, you agree that your personal data, to the extent provided by you, will be collected, processed and used as described above.
Your data protection rights and contact:
You can request information which personal data we store about you. In justified cases, you may also request the deletion, correction or limitation of the processing of your data. If your personal data is transferred to a country outside the EU that does not provide adequate protection, you may request a copy of the contract that provides adequate protection of personal data. Where you provided consent for the use of your personal data, you can withdraw your consent at any time with future effect.
If you have any questions about our use of personal data, this data protection declaration or would like to exercise your rights, you can contact us at any time or you can contact our data protection officer directly:
- Boehringer Ingelheim International GmbH
- – Data Protection Officer –
- Binger Straße 173
- 55216 Ingelheim am Rhein
- Germany
- E-mail: datenschutz@boehringer-ingelheim.com
1 Boehringer Ingelheim International GmbH, headquarters: Ingelheim, Germany; Court of Registration: Mainz, HRB 21063. Further information can be found at www.boehringer-ingelheim.com