Privacy statement for the use of whistleblowing systems at Merck
Thank you for your interest in the processing of personal data by Merck KGaA, Darmstadt, Germany. We take data protection and confidentiality very seriously and adhere to the current national and European data protection regulations.
This privacy statement explains how we process your data if we have obtained it from you or through someone else as part of our whistleblowing system (Compliance Hotline) or, for example, through a sent email, fax or letter or as part of a transcript of a personal or telephone conversation.
Data controller and data protection officer
Data controller within the meaning of Article 4(7) of the European General Data Protection Regulation (“GDPR”):
- Merck KGaA, Darmstadt, Germany
- Frankfurter Straße 250
- 64293 Darmstadt
Our data protection officers can be reached at:
- Merck KGaA, Darmstadt, Germany
- Konzern-Datenschutzbeauftragter
- Frankfurter Straße 250
- 64293 Darmstadt
- privacy@merckkgaa-darmstadt-germany.com
Subject of data protection and personal reference to your data
Personal data is the subject of the data protection. As per Art. 4(1) GDPR, this refers to any information relating to an identified or identifiable natural person. This can be your name in particular, but also, for example, a documented behaviour that is associated with your person.
We process your personal data within the framework of the whistleblowing system if you provide us with a tip-off and give us your name or if a reference to your person results from a tip-off from a third party. The latter may occur if you are accused of misconduct or your person is merely mentioned by the whistleblower in connection with the alleged misconduct of another person.
Processed data categories
When using the whistleblowing system, we process your name, if it is given to us, as well as the content of the respective whistleblowing. Depending on the chosen communication channel, we may also store data relating to this medium (your email address, fax number etc.).
If we receive the information from another company in the Group of companies, we also store the origin of the data.
Processing purposes
We process your data for the prevention and clarification of possible violations of applicable laws, our code of conduct or other policies applicable to us (see section 10 of this privacy statement).
Legal basis
Processing of personal data by internal employees
Data processing with regard to the prosecution of potential criminal offences by internal employees in the employment context is carried out on the basis of section 26(1)(2) of the German Federal Data Protection Act (“BDSG”) and in the case of other misconduct (such as potential violations of an applicable code of conduct) on the basis of Art. 6(1)(f) GDPR. The clarification and prevention of potential violations of applicable laws, our code of conduct or other policies applicable to us constitutes our legitimate interest in processing your personal data.
Processing the personal data of third parties
If you are not an employee of ours and you either use the whistleblowing system or your person is named in the context of whistleblowing by a third party, the processing of your personal data is based on Art. 6(1)(f) GDPR.
The clarification and prevention of illegal and/ or business-damaging conduct also constitutes our legitimate interest in processing your personal data.
Processing personal data in the event of cooperation with public authorities
In exceptional cases, we may be obliged to cooperate with authorities (for example in the prosecution of criminal offences). The legal basis for the related data processing is Art. 6(1)(c) GDPR.
If, in the absence of such an obligation, we cooperate with authorities in order to clarify potential criminal acts, this is done on the basis of Art. 6(1)(e) GDPR. The data processing operations serve the public interest in the prosecution and detection of criminal offences.
No obligation to provide data and option of anonymity
You are not obligated to provide us with personal data. In this case, however, we may not be able to investigate the misconduct adequately or at all.
The whistleblowing system gives you the option to whistleblow anonymously or non-anonymously. Please consider carefully before revealing your identity whether you would like to provide the corresponding information anonymously. Please also bear in mind that conclusions about your person can be drawn not only from your name, but also in other ways. This may be the case, for example, if only you can be considered as a witness to an event, for example due to your position in the company, your physical presence or a separate access authorisation.
If you are an employee of one of the companies in the Group, you will find more information about the option of submitting your data anonymously on the intranet.
Origin of the data and measures to guarantee anonymity
We receive your personal data from whistleblowers insofar as this results from the respective whistleblowing. In addition, we receive personal data in connection with tips received by companies of the Group companies, from these companies.
The Compliance Hotline whistleblowing system is operated by a carefully selected and specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of the Group of companies. If a whistleblower provides information via the Compliance Hotline by telephone or via a postbox specially set up there, this data is stored in encrypted form in a database operated by EQS Group GmbH in a high-security data centre. Only the company can decrypt and view the data. Neither EQS Group GmbH nor other third parties have access to interpretable data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data is stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at the company.
EQS Group GmbH may process the data exclusively for the purposes specified by us and in accordance with our instructions and has furthermore been contractually obligated by us to treat your data exclusively in accordance with the applicable data protection laws.
EQS Group GmbH may use other service providers bound by instructions to provide the services described. In this case, EQS Group GmbH will in turn strictly obligate the service providers to maintain the confidentiality of personal data and regularly monitor it.
Recipient of the data and third country transfers
We disclose your personal data without your consent in the cases permitted by law. This kind of data transfer may be legally permissible in particular if the processing is necessary for the fulfilment of a legal obligation and/ or is necessary for the investigation of a criminal offence, for example due to corresponding requests for surrender by authorities.
In addition, we can enter personal data in encrypted form into BKMS® System as described (in particular via the postbox) in order to communicate with the whistleblower for queries and to transmit information to other companies in the Group companies in order to process the information received there and/ or relating to them.
To ensure the protection of your personal rights, the company will only transfer your data to countries outside the European Economic Area if an appropriate level of data protection equivalent to the GDPR is ensured. If this is not the case, the company will use one of the mechanisms set out in Art. 44 et seq. GDPR, in particular the conclusion of standard data protection clauses of the Commission pursuant to Art. 46(2)(c) GDPR. You can view these at https://eur-lex.europa.eu/legal-content/ EN/ ALL/?uri=celex%3A32004D0915 at any time.
Storage period
Your personal data will be stored for as long as is necessary to clarify the information. Personal data that is not relevant for the processing of the information will generally be deleted immediately. Relevant information may be stored for as long as is necessary for evidentiary purposes, to carry out necessary measures and to initiate legal action or legal defence. In addition, legal retention periods may require longer storage. As a rule, data on information is deleted or anonymised after three years after the conclusion of the procedure, unless the data is required for one of the above-mentioned purposes.
Your rights as a data subject
Right of access
You have the right to receive access to personal data concerning you that we process, on request at any time within the scope of Art. 15 GDPR under the limitations of section 34 BDSG. Your claim is limited in particular if the information is contrary to the overriding interest of a third party – such as a whistleblower (section 29(1)(2) BDSG).
Right to rectification
You have the right, in accordance with Art. 16 GDPR, to ask us to rectify the personal data concerning you without undue delay insofar as it is incorrect.
Right to erasure
You have the right to ask us to erase the personal data concerning you under the requirements set out in Art. 17 GDPR. These requirements exist in particular if the respective processing purpose has been achieved or otherwise ceases to apply, as well as if we process your data unlawfully, if you successfully object to the data processing (cf. section 11.5) and in cases of the existence of an obligation to erase on the basis of EU law or the law of an EU member state to which we are subject.
This right is subject to the restrictions of section 35 BDSG, according to which the right to erasure can be disregarded in particular if, in the case of non-automated data processing, where the effort to erase the data is disproportionately high and your interest in the erasure is regarded as low.
Right to restriction of processing
In accordance with Art. 18 GDPR, you can ask that we only process your personal data in a restricted manner. This right exists in particular if the accuracy of the personal data is disputed, if you request limited processing instead of erasure under the requirements of a justified request for erasure (section 11.3); or, in the event that the data is no longer required for the purposes pursued by us, but you require the data to assert, exercise or defend legal claims, as well as if the success of an objection is still disputed.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you, which is carried out either in the public interest or for the purposes of safeguarding our legitimate interests. We will then stop the processing of your personal data, unless we can prove compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms or if the processing serves the assertion, exercise or defence of legal claims.
Exercising these rights
If you wish to exercise these rights, please contact us, for example by email at: privacy@merckkgaa-darmstadt-germany.com.
Right of appeal
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes applicable data protection law.