Privacy Policy (BKMS)
We take the protection of personal data very seriously and always process it in compliance
with applicable national and European data privacy provisions, in particular the General Data
Protection Regulation (GDPR). With this privacy policy, we aim to fully inform you about how,
why and to what extent we process personal data, and what your rights are as a data subject.
Please read this Privacy Policy carefully before making a disclosure. We want to actively
protect you as a whistleblower. Our whistleblowing system (BKMS® system) provides you
with a secure communication platform through which to make disclosures. Disclosures can
be made using your own name or anonymously. You can set up a postbox within the
whistleblowing system that is secured with an individually chosen pseudonym/username and
password. This allows you to receive feedback and stay anonymous during the following
communication if you so wish. Data is only stored in the whistleblowing system, and it is
therefore particularly protected; no conventional e-mail communication is involved.
You also have the option of sending attachments through the whistleblowing system. Please
note that files may contain hidden personal data that could jeopardize your anonymity.
Data controller and general information
Your data is processed by The Stepstone Group GmbH, Völklinger Str. 1, 40219 Düsseldorf
(Germany), phone: +49 211 93493-0, e-mail: datenschutz@stepstone.de (service provider
within the meaning of the German Telemedia Act (TMG) and controller within the meaning
of the General Data Protection Regulation (GDPR)). When we use terms such as “we” or “us”,
this is who we are referring to. The whistleblowing system is operated on Stepstone's behalf
in Germany by EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin – a company that specializes
in this – under a commissioned processing arrangement.
Collection and processing of personal data
Personal data and information entered into the whistleblowing system is stored in a database
at a high-security data center. Only Stepstone can view this data. EQS Group GmbH and
other third parties have no access to the data. As part of a certified procedure, this is
ensured by means of comprehensive technical and organizational measures.
All data is encrypted and password-protected at multiple levels when stored. Access is
therefore restricted to a very small number of recipients who are expressly authorized by
Stepstone.
When dealing with a disclosure or carrying out a special investigation, it may be necessary to
make disclosures available to other Stepstone employees or employees of other Group
companies, if the disclosures relate to activities in subsidiaries, for example. The latter may also be based in countries outside the European Union or the European Economic Area,
where different rules concerning the protection of personal data may apply. We always take
care to ensure compliance with applicable data privacy provisions when sharing disclosures.
Every individual that has access to the data is under a duty of confidentiality.
Type of personal data collected
Use of the whistleblowing system is voluntary. If you make a disclosure through the
whistleblowing system, we collect the following personal data and information: your name (if
you reveal your identity), whether you are an employee of Stepstone and, where applicable,
the names of individuals and other personal data of individuals that you mention in your
disclosure.
Legal basis and purpose of the whistleblowing system
The purpose of the whistleblowing system (BKMS® Incident Reporting) is to receive, deal with
and manage disclosures concerning compliance breaches at Stepstone in a secure and
confidential manner. In the context of the BKMS® system, the processing of personal data is
supported by our company's legitimate interest in uncovering and preventing corruption,
fraud, and other anomalies and thus in preventing damage to Stepstone, employees, and
customers.
Sharing your data with third parties
Insofar as we are required to do so by law or are permitted to do so under data protection
law, we will transmit personal data to public authorities such as the police or public
prosecution service (Article 6 (1) point (c) GDPR). This data is shared based on our legitimate
interest in preventing misuse, prosecuting criminal acts, and securing, establishing, and
enforcing legal claims, unless outweighed by your rights and interests in the protection of
your personal data, Article 6 (1) point (f) GDPR.
Storage duration
We store personal data only for as long as it is required to clarify and definitively assess the
disclosure, or we are otherwise entitled or obligated to do so.
Session cookie
Communication between your computer and the whistleblowing system is via an encrypted
connection (TLS). Your computer's IP address is not stored during or after use of the
whistleblowing portal. To maintain the connection between your computer and the BKMS®
system, a null cookie is stored on your computer, which contains only the session ID. The
cookie is valid only until the end of your session and becomes invalid when you close your
browser.
Contact details and your rights
Should you have any queries or comments on data privacy or wish to exercise your rights as a
data subject, please contact our data protection officer at any time:
The Stepstone Group GmbH
Datenschutz
Völklinger Str. 1
40219 Düsseldorf
datenschutz@stepstone.de
Right to access information and rectification
Provided there are no legal grounds to the contrary, you can obtain information from us as to
whether personal data relating to you is processed by us and the specific data that we have
stored about you. You can also have errors in your data corrected and missing information
completed.
Erasure, restriction of processing and ‘right to be forgotten’
You can obtain the erasure of your personal data and the restriction of its processing. Please
note that retention obligations are laid down in law and because of this we may not be able
to completely erase your data in every case. In such cases, your data will be labelled to the effect that future processing should be restricted.
Objection to data processing
There is no general right of objection where data is processed based on a legitimate interest
(Article 6 (1) point (f) GDPR, Article 21(1), second sentence, GDPR).
Right of complaint
You also have the right to lodge a complaint with the competent supervisory authority and
the option of seeking legal remedies. The supervisory authority with whom the complaint
was lodged will notify the complainant about the status and result of their complaint,
including the option of seeking a judicial remedy.
Existence of automated decision-making processes
We do not perform any automated decision-making or profiling.
Last revised: June 2024