Data Protection Information
We want to protect you, as a whistleblower, effectively and offer you a secured communication platform for submitting reports. Reports can be submitted with disclosure of your name, under a pseudonym, or anonymously.
Responsible Party
The responsible party according to the European Data Protection Regulation (GDPR) is ECE Group GmbH & Co. KG, Heegbarg 30, 22391 Hamburg.
Personal data entered into the BKMS® whistleblowing system is stored on behalf of ECE Group GmbH & Co. KG (hereinafter referred to as ECE) in a database operated outside ECE by EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin. Access to the information provided is only permitted to employees of the Compliance and Data Protection Department of its service subsidiary, ECE Group Services GmbH & Co. KG, and is excluded for third parties, in particular for the EQS Group GmbH. All data are stored with encryption and password protection in a safe location in Germany, externally to ECE. The communication relating to submitted reports is carried out with strict confidentiality.
Only employees of the Compliance and Data Protection Department authorised by ECE have access to this data. In exceptional cases, it may be necessary to pass on information to other employees of ECE or other ECE companies in the course of processing a report or in the course of an investigation, e.g. if the information relates to processes in other ECE companies.
We always ensure that the relevant data protection regulations are observed when passing on information.
Type of personal data collected
Use of the BKMS® whistleblowing system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information:
- your name, if you choose to reveal your identity,
- whether you are employed at ECE and, if yes, in which ECE company you are employed,
- the names and other personal data of persons whom you list in your report, if applicable.
Legal basis
ECE makes confidential use of the personal data, such as name and other communication data and content, exclusively for the purpose of receiving and processing reports on specific criminal acts as well as serious legal violations, such as white-collar crime, corruption and human rights and data protection violations, via a secure and confidential channel.
Insofar as we obtain your consent for the processing of personal data, this serves as the legal basis according to Article 6 paragraph 1 point a) GDPR. In other cases, the processing serves in accordance with Article 6 paragraph 1 point f) GDPR for pursuing the predominant legitimate interests of ECE in investigating criminal acts as well as statutory violations in connection with the ECE group and thereby protecting the group and its employees from possible damages, and this predominant legitimate interest is the legal basis.
Sharing of data
Only ECE is able to view these data. Access to the data is restricted to a very small set of explicitly authorized and specially trained persons of the ECE compliance organisation or the group data protection organisation. Depending on the content of the report and the progress of the investigation, a very restricted number of additional authorized persons, in particular within the compliance and security organisations of the respectively involved subsidiaries of ECE, may receive access to these data, for example if the reports refer to activities within the subsidiaries. The latter may be based in countries outside the European Union or the European Economic Area. A transfer of your personal data to these so-called third countries will only take place if the European Commission has decided that an adequate level of data protection exists in this third country (Art. 45 GDPR) or suitable guarantees are provided (e.g. standard data protection clauses adopted by the Commission or the supervisory authority in a specific procedure) and enforceable rights and effective legal remedies are available.
In the event of a corresponding legal obligation or data protection law necessity for the whistleblowing, other conceivable categories of recipients include law enforcement authorities, antitrust authorities, other administrative authorities, courts and international law firms and auditing firms commissioned by the ECE Group.
All persons who receive access to the data are obligated to maintain confidentiality. Within the scope of criminal proceedings, personal data may have to be disclosed to governmental investigation authorities in accordance with statutory obligations.
Retention period of personal data
Personal data are only retained for as long as necessary to clarify the situation and perform a concluding evaluation of the case. After the report processing is concluded, the data are deleted in accordance with the statutory requirements.
Use of the BKMS® whistleblowing system
Communication between your computer or smartphone and the BKMS® whistleblowing system takes place over an encrypted connection (SSL). The IP address of your computer or smartphone will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer or smartphone and the BKMS® whistleblowing system, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the BKMS® whistleblowing system that is secured with an individually chosen pseudonym/user name and password. The postbox allows you to submit reports under your name or anonymously and communicate with employees of the ECE Compliance and Data Protection Department. This system only stores data inside the BKMS® whistleblowing system, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
During the submission of your report or an addition, you can send attachments to the employees of the ECE Compliance and Data Protection Department. If you wish to submit an anonymous report, please take note of the following security advice:
Files can contain hidden personal data that could put your anonymity at risk. Remove these data before sending messages. If it is not possible to remove these data or you are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the report submission process.
You as whistleblower and the persons named in the report have a right of access, rectification, erasure and restriction of processing (blocking) regarding your personal data as well as a right to object to the processing of your personal data.
Data protection rights
According to the applicable laws and the information below, you have the right to access your personal data and to request the correction, erasure or portability (e.g. transfer of your personal data to another service provider) of your personal data processed by us as well as to demand the restriction of the processing.
You have the right to submit a complaint regarding our data processing. Please submit this to:
Hamburg Representative for Data Protection and Freedom of Information
Klosterwall 6
20095 Hamburg
To exercise your rights, it is also sufficient to send a letter or email to the controller at the following address:
ECE Group GmbH & Co. KG
-Compliance (Whistleblowing System)-
Heegbarg 30
22391 Hamburg, Germany
or
compliance@ece.com
Additional information on data protection at ECE can be obtained on our intranet page.