SCOPE
Proell (hereinafter referred to as “Company”, “We”, “Us”, “Our”), is obligated under EU Directive 2019/1937 to provide its employees, contractors, consultants and business partners with secure channels and procedures for the reporting of misconduct. In order to ensure our company is compliant with the Directive and all requirements outlined therein, we have entered into a contract with DISS-CO GmbH, Winterhuder Weg 29, 22085 Hamburg (hereinafter referred to as "DISS-CO") which has developed an Internet based web platform “SMART INTEGRITY PLATFORM” operated by DISS-CO (together with the DISS-CO's website, web services, development tools and other services, including training and support services, shall hereafter collectively be referred to as “SIP”).
Using SIP, a breach to the code of conduct can be reported, investigated and documented in compliance with the Whistleblowing Directive.
In this Privacy Notice we explain how and why personal data is processed in SIP, how we protect it and how long we keep it when you use this whistleblowing tool.
Proell will determine the purposes and means of processing your personal data in relation to the Whistleblower Tool. We have established the relevant responsibilities between us and DISS-CO in relation to this Whistleblower Tool in a separate agreement. Therefore, we act as controllers of the processing while DISS-CO acts as a processor. You can always contact us to get further information about the nature of this agreement.
PURPOSES OF PROCESSING OF PERSONAL DATA
In relation to the Whistleblower Tool, personal data is processed for the purpose of initial reporting and investigation of alleged breaches of our Company's Code of Conduct as well as breaches in terms of the Whistleblower Policy, and the subsequent review of such reports and reporting of their respective outcomes to the Management, and potentially the relevant authorities.
Our company points out that there are usual channels of information, which enable the employees to report any irregularities, particularly to their boss or to the personnel department.
The Whistle Blower System SIP was established as part of the internal complaint process to give people the opportunity to make reports when the usual reporting channels/other reporting channels cannot be used or are considered to be inadequate in the given situation.
Moreover, the use of SIP and the procedure for reporting irregularities in general is optional, and the failure to use them shall have no consequences for employees or external persons working for/with/in the name of the company.
Nevertheless, a person who abuses this procedure (e.g. report maliciously to harass, in bad faith, or with the intention of personal gain) may face disciplinary action and legal sanctions.
On the contrary, a person who uses this procedure in good faith shall not face disciplinary action even if the reported facts prove to be inaccurate or have no follow-up actions. Steps necessary and appropriate to protect the whistleblower will be taken when and as long as the report is made in good faith and in accordance with this procedure, primarily to protect the person from retaliatory action, criticism, or disciplinary proceedings.
LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
In connection with the use of the SIP we will mainly process your personal data on one of the following legal bases:
Because it is necessary in order to comply with a legal obligation, as systems for the reporting of irregularities are required in the country where our company is located.
For the purposes of our legitimate interests, in particular in order to monitor the compliance with our vision and values. In this regard, we will always decide from case to case whether our interests do not overshadow the interests, fundamental rights and freedom of the concerned person.
If we are legally required to obtain your free, informed, specific and unambiguous consent for the processing of your personal data for certain purposes, we will process your data for these purposes only to the extent that we have received such consent from you. All personal data that is not needed will be filtered and will not be further processed.
We collect your personal data
We will only process personal data that is strictly necessary for the purposes described above. We may obtain this data in connection with the use of the SIP. In particular, we may obtain this data because you provide it to us (e.g. by submitting a report as a whistleblower), because others provide it to us (e.g. because you appear in a report as the person against whom an accusation has been made) or because it is generated through the use of the platform (e.g. because you appear as a witness or third party in the investigation of a report).
Processing of your personal data
We may collect the following categories of personal data:
For the purposes aforementioned, we may collect and process the following personal data as part of the whistleblowing process:
• Identity, professional position and contact details of the whistleblower;
• Identity, position and contact details of the person(s) mentioned in the report;
• Identity, function and contact details of the persons involved in the reception or handling of the report;
• Reported facts;
• Information gathered in the investigation of the reported matter;
• Report of the investigation measures;
• Outcome of the report.
If you register to use SIP as a whistleblower, you will be asked to provide us with the following personal data (only those marked with an (*) are mandatory):
• Your SIP sign-in details (*);
• Language (*);
• Whether you are an employee of the company or an external;
• Whether you wish to remain anonymous (*);
• Your contact details (name, email address, phone number) in confidential reports;
• Any optional information that you record about the incident and yourself.
We treat personal data confidentially
We grant no one access to your personal data except for yourself:
• DISS-CO as the party managing the SIP but with no access to the contents of the reports;
• The following data processor, with whom we have entered into contractual obligations and who is considered a data processor to ensure that your personal data is kept in accordance with the applicable laws; and
• Or the authorised person responsible for the investigation of reports, whose participation is strictly limited to a need-to-know basis and who has been specifically trained and is subject to a confidentiality obligation.
We also reserve the right to disclose your personal data if required by law or if we believe that disclosure is necessary to protect our rights and/or comply with a court order, court process, a request from a regulatory authority or any other process of law served upon us.
All your personal data falls under the Data Protection Principles of the GDPR.
We adhere to retention periods.
We commit to keeping your personal data only for as long as necessary for the purpose described in the purposes above. We generally adhere to the periods prescribed by the GDPR.
We retain personal data only for as long as necessary for the purposes for which we have collected them. Therefore, depending on the information included in the report and the type of handling of the case, we will apply different retention periods:
•If a court or disciplinary procedure is initiated, the data transmitted will be stored until the final conclusion of this procedure, and only if it is necessary for us to retain that information;
• If no court or disciplinary proceedings are initiated, the data transmitted will not be kept for more than three years after the investigation is completed.
• If a longer retention period is provided for, access to personal data will still be restricted (see security measures below).
Your data is safe and secure with us!
We impose strict technical and organizational measures to ensure a security level that is appropriate to the risks associated with the processing and the type of personal data received. We have taken the security measures listed below to effectively protect your personal data from unauthorized access, unlawful processing, accidental loss, destruction and damage both online and offline.
You can obtain a list of our technical and organizational measures for protecting your data upon request.
We also refer to the technical-organizational measures of the DISS-CO and the Smart Integrity Platform.
Although we take reasonable security measures, our liability is limited to circumstances that are under our control.
Your rights
You have the following rights under certain circumstances under data protection laws with respect to your personal data:
Requesting access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to confirm that we are lawfully processing it.
We evaluate the right to access of the individual and any restrictions; we carry out a case-by-case assessment for each case taking into account the status of the requester and the current state of the investigation, the scope and sensitivity of the information held (and the associated risks of disclosure), and the information provided, and we will document the reasons for any decision to restrict an individual’s right to access.
Requesting the correction of your personal data that we hold about you via the communication module on the Smart Integrity Platform. Please note that all submissions are logged for security and cannot be manipulated.
Requesting the deletion of your personal data that we hold about you or the restriction of the manner in which we use that personal data if you believe that there is no lawful reason (anymore) for us to process it;
Withdrawing your consent to the processing of your personal data by us (where the processing is based on your consent);
Requesting the restriction of the processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) where you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where we no longer need to hold the data but are required to keep it in order for you to reclaim, exercise or defend legal rights; or (d) where you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Requesting the transfer of your personal data to you or to a third party. We will provide you with your personal data in a structured, commonly-used, machine-readable format. Note that this right only applies to automated data which you initially provided consent for us to use or where we used the data to perform a contract with you.
Automated individual decision-making (including profiling). You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning or significantly affects you in a similar manner. Generally, we do not process your personal data on the basis of an automated individual decision-making.
You may withdraw your consent whenever we may be relying on your consent to process your personal data. However, this will not affect the lawfulness of the processing that has taken place before the withdrawal of your consent. If you withdraw your consent, we may not be able to fulfill the purpose for which we have collected your data. We will inform you of this if it applies when you withdraw your consent (for example if you have used SIP as a tipster and the investigation is still ongoing).
If you want to exercise any of the above rights, please contact the data protection officer of Proell GmbH.
Contact
We hope that this privacy statement explains the key points to answer your questions and give you a good feeling while using SIP. However, we are more than happy to provide further assistance if you wish. Please contact us at privacy (at) proell.de or +49-9141-906-20.
Date: 08.11.2023
