Data privacy notice
Syntegon respects your privacy
The protection of your privacy throughout the course of processing personally identifiable information, like the security of all business data, is a very important concern for us that we take into consideration in all of our business processes. We process personal data confidentially and only in accordance with statutory regulations.
Controller
The controller as defined by the European General Data Protection Regulation ("GDPR") for the BKMS® System used for your compliance report is Syntegon Technology GmbH, Stuttgarter Str. 130, 71332 Waiblingen as the parent company (hereinafter referred to as "Syntegon GmbH", "we" or "us").
Our contact details for compliance are:
- Syntegon Technology GmbH
- Corporate Legal and Compliance
- Stuttgarter Str. 130
- 71332 Waiblingen
- GERMANY
- Email: Compliance.management@syntegon.com
Our contact details for data privacy are:
- Syntegon Technology GmbH
- Corporate Information Security and Privacy
- Stuttgarter Str. 130
- 71332 Waiblingen
- GERMANY
- Email: DPO@syntegon.com
Processing of personal data
The term personal data means all information related to an identified or identifiable natural person, thus – for example – names, addresses, telephone numbers, email addresses, contractual master data, contract accounting and payment data, insofar as this is an expression of a natural person's identity.
We process personal data only when there is either a statutory legal basis to do so or you have given your consent to the processing of personal data.
Processed categories of data
The use of the BKMS® System for a compliance or data protection report or data subject request is voluntary. When you use the system, we will ask you to provide data related to the following data categories:
- Communication data (e.g. name, telephone, email, address)
- Employee data of Syntegon employees and
- Where applicable, names of persons and other personal data relating to the persons you name in your notification
If you answer all the questions asked in the context of the compliance or data protection report or the data subject request completely, this will help us to process your report. If you provide incomplete data, we might not be able to process your report or might be able to process it only with delay.
Purposes of processing and legal bases
The aim of the BKMS® System is to provide a communication channel for your compliance or data protection report and to ensure that your report is handled by Syntegon GmbH in accordance with the processes of the Compliance Management System as an implementation of corporate and regulatory law and the legal provisions of data protection law.
Your personal data is processed for the following purposes, in particular:
- Compliance report: Indications and tracking of reports concerning a potential violation of the compliance requirement. You can report such violations to the responsible Syntegon department using your name or anonymously and securely via the BKMS® System.
Legal basis: Legitimate interest of Syntegon Technology GmbH to prosecute criminal offences, to enforce civil claims, for the further progress or the termination of an employment relationship, or to detect criminal offences related to the employment relationship and to avoid violations of requirements of OWiG (Article 6 (1) f) GDPR, Section 24 (1) German Data Protection Act (BDSG); Article 88 GDPR, Section 26 (1) BDSG and Sections 30, 130 OWiG).
- Compliance management: Central administration and allocation of group-wide compliance issues.
Legal basis: Legitimate interest of Syntegon GmbH in obtaining a central overview of compliance reports as part of the governance function (Article 6 (1) f) GDPR) and for exercising and defending our rights.
- Data protection report: Reports and investigations of reports that involve a potential data protection violation (Art. 33 GDPR). With the BKMS® System, you can send reports to the responsible employee of Syntegon either by name or in an anonymous, safe way.
Legal basis: The processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR).
- Data subject request: Tracking concerning a submitted request from a data subject and access to it (Art. 12 - 21 GDPR). Anonymous submission of data subject requests is not possible since we must determine your identity without a doubt in such cases.
Legal basis: The processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR).
- Data protection management: Central management and processing of data protection incidents with group-wide relevance.
Legal basis: Legitimate interest of Syntegon Technology GmbH to obtain a central overview of data subject requests and data protection reports (Art. 6(1)(f) GDPR) as well as the assertion and defence of our rights.
Storage of log files/ use of cookies
In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that contains only the session ID (a session cookie). This cookie is valid only until the end of your session and will be invalid when you close your browser.
It is possible to set up a postbox for further communication within the BKMS® System that is secured with an individually chosen pseudonym/ user name and password after making the compliance report.
Transfer of data to Syntegon employees, to potentially suspected persons and to other controllers
When processing a compliance report, it is necessary to share the report in whole or in part with the Syntegon GmbH employees responsible for working on it or employees of those subsidiaries that are affected by the report. Your information is made available only to those employees who need to have it in order to handle your report.
If you provide your identity in the compliance report, we are obliged under the GDPR to inform potentially suspected persons about your identity as the source of the personal data received (Article 14 (3) a) GDPR). If there is a serious risk that providing this information would jeopardize our ability to conduct an effective investigation of the allegation or to collect necessary evidence, informing the suspected person can be postponed for as long as that risk exists (Article 14 (5) b) GDPR).
Your personal data shall only be transferred to other controllers to the extent this is necessary to satisfy further legal obligations.
In addition, data can be transferred to other controllers (e.g. authorities) if we should be required to do so due to statutory regulations or enforceable orders issued by authorities or courts.
Service provider (general)
Syntegon GmbH has commissioned the company EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin (the "Service Provider") to operate the system for compliance reports on behalf of Syntegon GmbH; the data entered into this system are stored in a database operated by EQS Group GmbH in a high-security data center located in the European Union.
Syntegon GmbH has selected the Service Provider with care and monitors it on a regular basis, particularly its careful handling and securing of the data it stores. Only selected Syntegon employees have access to the data (see above "Transfer of data to Syntegon employees and to other controllers"). The Service Provider has no access to the data. This is ensured by a certified procedure utilizing extensive technical and organizational measures.
Syntegon GmbH has imposed an obligation on the Service Provider to keep the data confidential and to comply with the statutory regulations.
Transfer to recipients outside the EU and/ or the EEA
We can also transfer personal data to Syntegon legal entities or authorities located outside the European Union or the European Economic Area in third countries. In such cases, we make sure prior to the transfer either that the data recipient provides an appropriate level of data protection (e.g. due to an adequacy decision by the European Commission for the respective country or due to an agreement on EU standard data protection clauses with the recipient) or that you have consented to the transfer.
You can obtain a list of the recipients in third countries and a copy of the specifically agreed provisions securing the appropriate level of data protection from us. To request a list, please use the details provided in the Contact section.
Duration of storage; retention periods
Compliance:
We generally store your data for as long as necessary to clarify the compliance incident related to your report.
Upon completion of the processing of the compliance report, we will erase your personal data except for data that we need to continue to store and process to assert and defend our rights.
Erasure of personal data, which we continue to store and process for the assertion and defence of our rights, is based on the expiry of the maximum limitation period for administrative offences and criminal acts or for the assertion of civil claims (§§ 31 paragraph 2, 33 paragraph 3 OWiG [German Administrative Offence Act]; §§ 78 paragraph 3, 78 c paragraph 3 StGB [German Penal Code]; and §§ 195 et seq. BGB [German Civil Code]).
Data protection:
We generally store your data for as long as necessary to clarify the data protection incident or to process your request.
Upon completion of the processing of the data protection report or data subject request, we will erase your personal data except for data that we need to continue to store and process to assert and defend our rights.
Erasure of personal data, which we continue to store and process for the assertion and defence of our rights, is based on the expiry of the maximum limitation period for administrative offences (§§ 31 paragraph 2, 33 paragraph 3 OWiG [German Administrative Offence Act]). The data will be erased no later than six years after completion of the processing of the data protection report or data subject request.
Security
Our employees and our service providers have an obligation to keep our dealings confidential and to comply with the applicable data protection regulations.
Any incoming reports are received by a small selection of explicitly authorized and especially trained Syntegon employees and are always handled confidentially. The Syntegon employees examine the facts and perform any further investigation required by the specific case. All of these persons who are given access to the data are required to maintain confidentiality.
We implement all necessary technical and organizational measures to ensure an appropriate level of security and to protect the data that we administer, especially against the risks of unintended or unlawful destruction, manipulation, loss, change or unauthorized disclosure or unauthorized access. Our security measures are regularly improved in accordance with technological developments. The communication between your computer and the BKMS® System for the report of a violation of the compliance requirement takes place via an encrypted connection (TLS).
Right to information and access
You have the right to obtain information from us about whether or not your data is being processed and, if this is the case, to access your personal information that we process.
Right of rectification and erasure/ deletion
You can demand that we rectify inaccurate data and complete or erase your data if the statutory requirements are met. This does not apply to any data required for payroll and accounting purposes or subject to a statutory retention duty. If access to such data is not required, however, the processing of such data is restricted (see below).
Restriction of processing
You can demand that we restrict the processing of your data if the statutory requirements are met.
Objection to data processing
In addition, you have the right to object to the data processing by us at any time, on grounds relating to your particular situation, as long as this processing is carried out on the legal basis of "legitimate interest". We will then terminate the processing of your data unless we are able – in accordance with the statutory requirements – to demonstrate compelling legitimate grounds for further processing which override your rights or for the establishment, exercise or defense of legal claims (Article 21 GDPR).
Right to lodge complaint with supervisory authority
You have the right to lodge a complaint with a data protection authority. In this context, you may approach the data protection authority competent for your place of residence or your German state or the data protection authority competent for us. The latter is:
Der Landesbeauftragte für Datenschutz und Informationsfreiheit
- Street address:
- Lautenschlagerstraße 20
- 70173 Stuttgart
- Postal address:
- Post Office Box 10 29 32
- 70025 Stuttgart
- Tel.: 0711/615541-0
- FAX: 0711/615541-15
- E-Mail: poststelle@lfdi.bwl.de
Report submission via telephone
Your anonymity will also be protected by the BKMS® System when you submit your report via telephone. Neither our organisation nor EQS will have access to your telephone number. Your description of the incident will be recorded in the BKMS® System. Afterwards, the encrypted sound file is transcribed by the responsible employee. If you have set up a secured postbox at the end of the report submission by telephone, you can receive feedback in the form of a voice recording by the responsible employee, and you can add information to your report, if necessary. Alternatively, you can access your secured postbox via the web application, review feedback, and make additions in written form. To protect the confidentiality of your report or addition, you can neither listen to it on your telephone nor in the web-based secured postbox.
Changes to the Data Protection Notice
We reserve the right to change our security and data protection measures. In such cases, we will also adjust our data protection notice accordingly. Therefore, please take note of the latest version of our data protection notice, as this is subject to changes.
Contact
You can contact us at the address provided in the "Controller" section.
Effective date: 04 December 2019