Data Privacy Information for the Whistleblowing System Tell ams OSRAM
ams OSRAM takes data privacy and confidentiality very seriously and adheres to the current national and European data protection regulations. Please read the following information carefully before submitting a report.
Information about the whistleblowing system Tell ams OSRAM
Tell ams OSRAM, the whistleblowing system of ams OSRAM, is available to all ams OSRAM employees as well as any third party, such as customers and business partners, to report compliance violations (e.g., relating to antitrust and anti-corruption), data privacy violations (“data breaches”), as well as human rights and environmental risks, concerns and violations.
Technical protection of the whistleblowing system Tell ams OSRAM
The technical infrastructure of Tell ams OSRAM includes databases and websites that are provided by EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin. The EQS Group GmbH is contractually bound to maintain strict confidentiality and complies with all applicable data privacy requirements. All data is encrypted, password-protected and stored at a secure location so that access to the content of the data electronically stored in Tell ams OSRAM is limited to a narrow circle of authorized persons of ams OSRAM. EQS Group GmbH cannot view the content of the data electronically stored in this database.
Additional reporting channels
Besides Tell ams OSRAM, the following reporting channels may be used to report a violation, risk or concern in connection with ams OSRAM:
- Your supervisor at ams OSRAM;
- Compliance Organization of ams OSRAM (compliance@ams-osram.com or any employee of ams OSRAM Compliance department);
- HR Organization (for human rights violations affecting the ams OSRAM workforce: humanrights@ams-osram.com);
- Procurement Excellence (for human rights and environmental violations affecting ams OSRAM suppliers: supplier-management@ams-osram.com);
- Any other local channel at ams OSRAM.
Name and contact details of the controller
Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in member states of the European Union as well as other applicable provisions related to data privacy is:
OSRAM GmbH
Marcel-Breuer-Straße 4
80807 Munich
Germany
What personal data and information will be collected and processed?
When offences and incidents are reported, the following personal data will be collected and processed:
- personal data of the person submitting a report (e.g. name, position/function and contact details), unless the person chooses to report the violation anonymously
- personal data of the individuals concerned by an incident (i.e. as included in the description of an individual's actions)
The appropriate department will process the data to review reports, conduct investigations of reported incidents, mitigate deficiencies and resolve the incident.
While conducting investigations or mitigating deficiencies, it may be required to share information with other stakeholders, for example the ams OSRAM legal department, ams OSRAM management team, other ams OSRAM entities or external advisors (e.g. lawyers). We may also be required to inform the appropriate regulator or the affected individuals of the incident.
Purpose and legal basis for data processing
Personal data are solely used for the purpose of processing information concerning reports of potential wrongdoing in a secure and confidential manner.
Art. 6 (1) lit. a) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.
In all other cases, processing operations could be based on Article 6 (1) lit. f) GDPR, if processing is necessary for the purposes of the legitimate interests pursued by our company, which is addressing company-related crimes and violations of the law, as well as human rights and environmental risks, concerns and violations (regarding both ams OSRAM and its suppliers) and, therefore, protecting the company and its employees from potential damages of such incidents.
Processing your report within ams OSRAM
Once you submit your report via Tell ams OSRAM, the ams OSRAM Compliance department will make a first review and check the plausibility of the alleged facts. Depending on the subject matter of your report, Compliance itself (Investigation Team) will further handle your report (for all compliance-related reported incidents) or assign it to the responsible department for further processing, e.g. Data Privacy (for all reported data privacy incidents), HR (for all human rights incidents related to ams OSRAM employees/own business) or Procurement (for human rights and environmental issues related to direct and indirect suppliers).
The responsible department will review the substance of the allegations to determine if sufficient information is available to permit an internal investigation. If the allegations are both plausible and of substance, there is an initial suspicion of wrongdoing requiring further investigation.
The group of employees responsible for checking the plausibility of the allegation and further handling the report will be kept as small as possible (in the sense of the "need-to-know principle"). Information will not be exchanged between the above-mentioned departments unless exceptional circumstances require such exchange to investigate a particular incident.
Duty of confidentiality, notification of affected parties & access of government agencies
ams OSRAM will process your report with strict confidentiality. ams OSRAM will not reveal your identity as whistleblower unless we are required to do so by law.
In some cases, the person about whom a report of potential misconduct has been received (“person affected”) has legal rights to information, which may require us to disclose key information about your report. This may be particularly the case if the person affected claims that the information brought forward against him/her is knowingly or negligently untrue and decides to file charges. You should therefore give us only information which you assume to be correct to the best of your knowledge.
ams OSRAM may also be required by law to provide certain government agencies, including government investigative agencies or courts, with information about reports of potential misconduct. In this case, we might be obliged to provide key information about your report.
Data recipients and transfers of data outside of the EU/EEA
Personal information that you may have provided in your report may be transferred to countries outside the EU/EEA, which could not be considered to have an adequate level of data protection as provided for in the EU provisions. In such cases, we ensure that an adequate level of protection for your data is guaranteed, such as by means of agreements with our contractual partners (based on the EU Standard Contractual Clauses), or we ask you for your explicit consent. We also may share personal information with our affiliates outside of EU/EEA based on the ams OSRAM Binding Corporate Rules.
How long will personal data be retained?
Personal data and information provided will be retained as long as necessary to process a report and, if required, to impose sanctions or to comply with statutory retention periods. Reports are subsequently deleted or anonymized, i.e., any links to your identity as a whistleblower and to persons named in the report will be removed permanently and irreversibly. In case a report proves to be unfounded, the report and any personal data included therein will be deleted immediately.
Data subject rights
Data subjects within the meaning of the GDPR have the following rights in relation to their personal data:
- Right of confirmation
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right of restriction of processing
- Right to data portability
- Right to object
- Right to lodge a complaint with a supervisory authority at any time.
To exercise the above rights, you may contact ams OSRAM Data Privacy Team at privacy@ams-osram.com.