Privacy policy
1 Purpose of data processing
1.1 In accordance with our obligation under the German Whistleblower Protection Act (HinSchG) and the German Supply Chain Due Diligence Act (LkSG), we have set up an internal digital reporting office for complaints and reports (hereinafter "reporting portal"). This is part of our compliance management system.
1.2 Employees, customers, business partners or other whistleblowers can use this system to report suspected violations of laws and internal rules, human rights and environmental risks and breaches of human rights and environmental obligations in a secure and confidential manner. This is intended to promote the detection and prevention of material breaches of rules, risks, and violations and to avert significant risks and damage.
2 Responsibility
2.1 The controller responsible for the processing of your personal data is SCHOTT AG, Compliance & Security, Hattenbergstrasse 10, 55122 Mainz, compliance.office@schott.com (hereinafter "SCHOTT").
2.2 As part of the processing of reports and follow-up measures to be taken, it may be necessary to provide information on a reported incident to legal advisors or competent authorities.
2.3 If you have any questions about data protection, please contact our data protection officer at info.datenschutz@schott.com.
3 Technical infrastructure
3.1 The reporting portal is operated with the whistleblower system software AdvoWhistle from the technology service provider iComply GmbH, Grosse Langgasse 1A, 55116 Mainz, Germany.
3.2 Personal data and information entered into the reporting portal is stored in a database operated by the technical service provider in an ISO/IEC 27001-certified data center. Access to the data is only possible for expressly authorized processors. End-to-end encryption of all data, multi-level password protection, technical and organizational measures and regular certifications ensure that technical service providers, the data center operator and other third parties have no access to the data.
4 Legal basis
4.1 The legal basis for the processing of information that falls within the scope of the Whistleblower Protection Act is the legal obligation pursuant to Art. 6 para. 1 c) GDPR in conjunction with Section 10 of the Whistleblower Protection Act (HinSchG).
4.2 The legal basis for the processing of information relating to breaches of internal rules is the overriding legitimate interest in the detection and prevention of material breaches of rules and the associated prevention of risks and damage in accordance with Art. 6 para. 1 f) GDPR.
4.3 If a report concerns violations of money laundering regulations, the processing of personal data is based on Art. 6 para. 1 c) GDPR in conjunction with Section 11a of the German Anti-Money Laundering Law (GwG).
4.4 If a report relates to violations of banking supervisory regulations such as the German Banking Act (KWG) and ordinances based on it as well as other provisions, compliance with which is monitored by the German Federal Financial Supervisory Authority (BaFin) as part of financial market supervision (e.g. CRR Regulation, Market Abuse Regulation, SSM Regulation, PRIIPS Regulation, Prospectus Regulation), the German Securities Trading Act (WpHG) and regulations based on it, the processing of personal data within the framework of this whistleblower system is based on Art. 6 para. 1 c) GDPR in conjunction with the financial supervisory regulations.
4.5 If a report concerns human rights or environmental risks or the violation of human rights or environmental obligations, the processing of personal data is based on Art. 6 para. 1 c) GDPR in conjunction with Section 8 LkSG.
5 Use of the reporting portal
5.1 The use of the reporting portal is voluntary. When submitting a report, SCHOTT collects the following personal data and information:
(a) Whistleblower: name (if you disclose your identity), contact details (if you provide them)
(b) Persons affected by incidents: first and last name, information about incidents and suspected violations of the law and rules
(c) Witnesses and/or third parties named in the notice (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details
5.2 File attachments can be transmitted when submitting information and sending supplements. If anonymity is to be maintained, hidden personal data must be removed before sending. If this is not possible, you can, for example, copy only the text from these files into the digital notification form, or send printouts of these files to the postal address of the person responsible.
6 Confidentiality
A small group of explicitly authorized persons is responsible for receiving and handling all incoming reports, which they always treat confidentially. These persons check the facts of the case and, if necessary, carry out further case-related clarification of the facts. Every person who has access to the data is obliged to maintain full confidentiality.
7 Rights of data subjects
7.1 Persons whose personal data is processed (data subjects) have the right, upon request and free of charge, to obtain information about the personal data stored about them, its origin and recipients and the purpose of the data processing. If we process your data on the basis of our legitimate interest, you have the right to object to the processing on legitimate grounds relating to your particular situation (right to object).
7.2 In addition, data subjects have the right to rectification of inaccurate personal data, the right to erasure of personal data, the right to restriction of processing of personal data and the right to data portability.
7.3 Data subjects also have the right to lodge a complaint with a supervisory authority. Data subjects can contact the supervisory authority of their usual place of residence or workplace for this purpose.
8 Data retention period
8.1 The documentation of reports and the personal data contained therein are generally deleted three years after the conclusion of the procedure. The documentation may be stored for longer in individual cases to fulfill the requirements of the Whistleblower Protection Act (HinSchG) or other legal provisions, as long as this is necessary and proportionate. A final assessment is also stored for documentation purposes.
8.2 If a report concerns human rights or environmental risks or the violation of human rights or environmental obligations, the processing of personal data is based on Art. 6 para. 1 c) GDPR in conjunction with Section 8 LkSG.