Privacy Statement
We take data protection and confidentiality very seriously and comply with the applicable national and European data protection provisions. Below we will briefly explain the key aspects of our data storage policy.
This page provides information on how we handle reports that you submitted through the whistleblowing system and explains how we ensure that the confidentiality of your report will be ensured.
Purpose of the data processing, legal basis and confidential report handling
The purpose of the data processing is to handle and further investigate the reports received via the whistleblowing system and to take any measures which are required in view of it.
Incoming reports are received by specially trained employees of the Corporate Compliance Management department at tesa SE and are always handled confidentially. These employees examine the case, investigate it further and, in the event of reasonable suspicion, can pass it on to the appropriate law enforcement agency or internal department if necessary (e.g. the Executive Board in material cases or the HR Department for initiating sanctions against the person accused). Reports in the categories manipulation of accounting and financial reporting as well as money laundering, antitrust law infringements, data protection infringements, tax offences and customs infringements, discrimination and harassment and environmental protection and human rights will be forwarded to the responsible in-house department for examination and investigation.
When investigating reports, it may be necessary to forward reports to other tesa SE employees or to employees of other tesa SE group companies, e.g. if the reports relate to incidents taking place in tesa SE subsidiaries. Group companies may be based in countries outside the European Union or the European Economic Area with different regulations concerning the protection of personal data. In this case, we ensure that the data transmission is in line with the applicable data protection regulations. Depending on the data's destination in the case in question, we agree corresponding standard data protection clauses, apply binding internal data protection rules, or transfer data only to companies which are EU-U.S. Privacy Shield-certified or located in countries for which the EU Commission has issued an adequacy decision. We always ensure that the applicable data protection laws are complied with when processing reports. We are permitted to process the personal data contained in the reports because we have a legitimate interest in investigating, sanctioning, and preventing misconduct within the company (Art. 6, para. 1f GDPR, among other things) and because the processing is necessary to fulfil our legal obligations (Art. 6, para. 1c GDPR, among other things) or to assert or defend legal claims (Art. 9, para. 2f GDPR).
The use of the whistleblowing system in good faith will not have any adverse consequences for whistleblowers. In the event of misuse, such as the deliberate submission of false reports with the intent of discrediting an individual, we reserve the right to take action against the whistleblower.
Notification of the person accused
In principle, we are legally obliged to inform accused persons that we have received a report on them, as soon as the disclosure of this information no longer jeopardises the investigation. Your identity as a whistleblower will not be revealed - as far as legally permissible.
Using the whistleblowing system
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and BKMS® System, a cookie is stored on your computer. This cookie only contains your session ID. The cookie is only valid until the end of your session and expires upon logout or closing the browser.
Your visit to the whistleblowing system may leave traces on your computer, however. If you are accessing the whistleblower system from a company computer, you might want to clear the temporary files (cache) and browser history afterwards. Some browsers also offer a so-called ‘private mode’. This mode is preferable: no temporary data are stored, and you do not need to delete anything manually.
It is possible to set up a secured postbox within the whistleblowing system with an individually chosen pseudonym/user name and password. This allows you to send reports to the responsible tesa SE Case Manager in an anonymous, safe way. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular e-mail communication.
Sending attachments
When submitting a report or sending additional information, you can also send attachments to the responsible tesa SE Case Manager. If you wish to submit an anonymous report, please note the following security advice: Files may contain hidden personal data that could jeopardise your anonymity. Please remove all such information before sending a file. If you are unable to remove such information or you are not sure how to do this, please copy the text from your attachment into the report text or send a printed copy of the document anonymously to the Case Manager by using the address shown in the footer and the reference number provided at the end of the reporting process.
Your rights regarding the processing of your personal data
Under German and all applicable European data protection legislation, you have a right of information and, insofar as the respective preconditions have been met, to access, rectification, erasure and restriction of processing of your personal data and potentially also to data portability. You may revoke your consent of your data being stored at any time for reasons relating to your specific situation. In this case, the necessity of the stored data for the investigation of a report will be evaluated immediately. The data will no longer be processed unless there are compelling reasons in need of protection for the further processing.
You also have the right to file a complaint with the supervisory authority responsible.
Storage period
We store reports for as long as they are required for prosecution/ for as long as we have a legitimate interest in their storage or until we come to the conclusion that the report is unfounded. After that, reports will be deleted or anonymised, i.e. any links to your identity as a whistleblower and to persons named in the report will be removed permanently and irreversibly.
Responsible authority and data security
The department responsible for data protection in the whistleblowing system is tesa SE, Corporate Compliance Management, Hugo-Kirchberg-Strasse 1, 22848 Norderstedt, Germany. It is represented by the Executive Board.
Our data protection officer can be contacted using the address provided above or at dataprotection@tesa.com.
The whistleblowing system is operated on behalf and in the name of tesa SE by a German company that specializes in this area: EQS Group GmbH, Karlstraße 47, D-80333 München, Germany. In this capacity, it acts as a service provider on the instructions of the data controller within the meaning of the GDPR. All data in the whistleblowing system is secured by extensive technical and organisational measures and encrypted to ensure that EQS Group GmbH does not have access to the data, and only specific authorised persons within tesa SE can access it.