Information about data protection
The following section contains information about the collection, processing and use of personal data in the context of the whistleblowing system. Please read this privacy information carefully before submitting a report.
Purpose of the whistleblowing system
The whistleblowing system (BKMS® Incident Reporting) is used to accept and process information relating to (alleged) violations of legislation or breaches of internal regulations to the detriment of the Volkswagen Group in a secure and confidential way.
The processing of personal data within the BKMS® Incident Reporting is based on the legitimate interest of Volkswagen AG in the detection and prevention of grievances and the associated prevention of damage and liability risks for the Volkswagen Group (Art. 6 Para. 1 lit. f DSGVO in conjunction with Sections 30, 130 OWiG). Point 4.1.3 of the German Corporate Governance Code also requires the establishment of a whistleblowing system in order to give employees and third parties the appropriate opportunity to provide protected information on legal infringements within the company.
If a report received concerns an employee of Volkswagen AG, the processing also serves to prevent criminal offences or other legal infringements in connection with the employment relationship (§ 26 Para. 1 BDSG).
Responsible office and data security
The office responsible for the data protection aspect of the whistleblowing system is Volkswagen AG, Berliner Ring 2, 38440 Wolfsburg. The whistleblowing system is operated by a specialised company, Business Keeper AG, Bayreuther Str. 35, 10789 Berlin, Germany, on behalf of Volkswagen AG.
Personal data and information entered in the whistleblowing system are stored in a database operated by Business Keeper AG in a high-security data centre. Only Volkswagen AG can access the data. Business Keeper AG and other third parties do not have access to the data. This is ensured by a certified procedure involving comprehensive technical and organisational measures.
All data are encrypted and stored behind multi-level password protection, which means that access is restricted to a very small group of persons authorised expressly by Volkswagen AG.
Volkswagen AG has appointed a data protection officer. Affected parties can contact the data protection officer of Volkswagen AG directly:
Datenschutzbeauftragter der Volkswagen AG
Berliner Ring 2
Confidential handling of reports
Incoming information is handled by a small group of expressly authorised and specially trained employees of Volkswagen AG's Group Compliance department, and is always treated confidentially. The employees of Group Compliance check the facts of the matter and may conduct a further case-related investigation.
In certain cases, Volkswagen AG is obliged by data protection legislation to inform the suspect of the charges made against them. This is a legal requirement in cases where it can be objectively established that the disclosure of information to the suspect can no longer have an adverse effect on the whistleblowing investigation in question. As far as is legally possible, your identity as a whistleblower will not be disclosed and steps will also be taken to ensure that no conclusions can be drawn as to your identity as the whistleblower.
Confidentiality cannot be guaranteed if you deliberately submit false information with the aim of discrediting a person (denunciation).
During the processing of a report or the conducting of a special investigation, it may become necessary to forward reports to additional employees of Volkswagen AG or subsidiaries of the Volkswagen Group and their employees, e.g. if the reports refer to activities in subsidiaries of the Volkswagen Group. If necessary for clarification, data may be transferred to subsidiaries of the Volkswagen Group in a country outside the European Union or the European Economic Area on the basis of appropriate data protection guarantees to protect those affected. Unless a specific adequacy decision has been taken by the EU Commission for the respective country outside the EU or the EEA, the above-mentioned guarantees are the standard contractual clauses of the European Commission. Data subjects have the right to obtain from Volkswagen AG a copy of the appropriate or appropriate guarantees for the transfer of personal data to third countries.
We always ensure that the applicable data protection regulations are complied with when sharing reports.
Other possible categories of recipients include law enforcement authorities, antitrust authorities, other administrative authorities, courts and international law and auditing firms commissioned by the Volkswagen Group if required to do so by law or data protection law.
All persons who receive access to the data are obligated to maintain confidentiality.
Duration of storage of personal data
Personal data will be kept for as long as it is required for clarification and final assessment or if the company has a legitimate interest or if it is required by law. This data is then deleted in accordance with legal requirements. The duration of storage depends in particular on the severity of the suspicion and the reported possible breach of duty.
Rights of the data subject
Pursuant to European data protection legislation, you and the persons named in the report have a right of information, rectification, erasure, restriction of processing and objection to processing of your personal data. If the right to object to the processing of the personal data is invoked, the necessity of the stored data for the examination of a report will be evaluated immediately. Data that are no longer required will be deleted immediately. Further information and the possibility to assert your rights can be found under:
You also have the right to lodge a complaint with the supervisory authority.
Die Landesbeauftragte für den Datenschutz Niedersachsen
Using the whistleblowing system
Type of personal data collected
The whistleblowing system is used on a voluntary basis. We collect the following personal data and information when you submit a report via the whistleblowing system:
- Your name, should you disclose your identity
- Whether you are employee of Volkswagen AG
- Where applicable, the names of persons and other personal data of the persons named in your report.
The communication between your computer and the reporting system is carried out via an encrypted connection (SSL). The IP address of your computer is not stored while using the whistleblowing portal. To maintain the connection between your computer and the BKMS® Incident Reporting, a cookie which contains only the session ID is stored on your computer. The cookie is only valid until the end of your session and becomes invalid when you close the browser.
You have the option of using a self-chosen pseudonym/ user name and password to set up a secured postbox in the whistleblowing system. This allows you to send secure messages to the relevant employees of Volkswagen AG, by name or anonymously. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular email communication.
Notes on sending attachments
When submitting a report or supplementary information, you have the option of sending attachments to the relevant Volkswagen AG employees. If you want to submit a report anonymously, please observe the following security information: Files may contain hidden personal data which might endanger your anonymity. Remove these data before submission. If you are unable to remove these data or are unsure of how to do so, copy the text of the attachment into your report text or send the printed document anonymously to the address contained in the footer, quoting the reference number that you receive at the end of the reporting process.
Version dated: 25.05.2018