Information on Data Privacy
Our goal at Exyte Group is to provide an online environment that is safe and simple to use and takes account of the rights, protection, and expectations of our informants (“Informants”), suspects (“Suspects”) and others involved.
We adhere to the provisions of the EU General Data Protection Regulation (EU-GDPR) as well as current national data privacy regulations.
Please read this data privacy information carefully before submitting a report.
Below, we explain in detail how we protect your identity and personal data, which personal data you provide to us, and how we handle such personal data (if any).
We will also provide you with further information as required by the applicable laws and for your convenience.
Controller of Personal Data
The responsible data controller for data submitted over this website through BKMS® System (“reporting system”) is
Exyte Management GmbH
Löwentorstraße 42
70376 Stuttgart, Germany
("Exyte", “we” or “us”).
Exyte and its affiliates are part of the Exyte Group of Companies (“Exyte Group”).
The reporting system is operated by EQS Group GmbH (“EQS Group”), Bayreuther Str. 35, 10789 Berlin, in Germany, on behalf of Exyte as data processor.
For this purpose, Exyte and EQS Group concluded a data processing agreement according to article 28 of the General Data Protection Regulation (“GDPR”). EQS Group implemented technical and organizational measures to prevent access of EQS Group to data which are provided through the Reporting System.
Personal data and information entered into the reporting system are stored in a database operated by EQS Group in a high-security data centre.
Only Exyte has access to the data. EQS Group and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data is stored encrypted.
Though Exyte is the Controller, only a limited number of personnel from the compliance department of Exyte will have access to data that is submitted through BKMS® System.
Purpose of the reporting system and legal basis
The reporting system serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations of laws, regulations and the compliance rules of Exyte.
If you are an Informant and you choose to stay anonymous, we do not process any personal data about you.
If you decide to provide us with your identity (e.g., personal data), we process your personal data based on your consent according to Art. 6 Para. 1 lit. a General Data Protection Regulation (2016/679) (“GDPR”).
You have the right to revoke such consent at any time, in which case we will delete your personal data or anonymize indications to your identity. Processing of your personal data before your revocation of your consent remains legal.
Should you reveal your identity, we will treat your personal data as confidential. However, based on data protection laws we are generally obligated to reveal the processing of data, including you as the source, to the accused person within one month of registration of the report (Art. 14 para 3 lit a GDPR). We will extend this period as long as there is a risk that such information may impair our ability to investigate or collect proof. We will not provide your identity to the accused if your legitimate interest in remaining anonymous outweighs the interest of the accused in receiving the above information.
Not providing your identity or personal data or revoking your consent will not result in any disadvantage for you.
For data subjects other than informants, the processing of personal data is based on the legitimate interests of Exyte to detect and prevent misconduct and thus avoid damage to Exyte, its employees and customers. Article 6 para. 1 lit f GDPR serves as the legal basis for this data processing.
Investigation regarding criminal conduct of German employees is based on Art. 88 para 1 GDPR i.c.w. Art. 26 para I sent. 2 German Federal Data Protection Law (“BDSG”).
Further, we may process personal data to prevent criminal conduct or to defend against or assert legal claims according to Art 24 para 1 No 1 BDSG.
Information to be provided over the reporting system
The reporting system is established to record and follow up on serious allegations.
It is not targeted at registering minor irregularities.
For this purpose we established certain categories for reporting in the reporting system. However, if the violation does not fit into one of the categories, but you consider that the infringement is serious enough to warrant an investigation, you may submit the report under “Other Misconduct of Similar Level of Severity”. In such cases, please substantiate the seriousness of the violation.
Type of the collected personal data
Use of the reporting system takes place on a voluntary basis.
If you submit a report via the reporting system and decide to provide us with your identity, we collect the following personal data and information:
- your name,
- whether you are employed at Exyte, and
- the names of persons and other personal data of persons that you name in your report, as well as
- other personal data and information you include in your report.
Additional note on sending attachments
When submitting a report or an addition to a report, you can simultaneously send attachments to the responsible compliance officer at Exyte. If you wish to submit an anonymous report, please take note of the following security advice:
Files can contain hidden personal data (e.g., meta data) that could compromise your anonymity. Please remove this data before sending.
Confidential handling of reports and data transfer
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the Compliance department of Exyte and are always handled confidentially. The employees of the Compliance department of Exyte will evaluate the matter and conduct any further investigation required in the specific case.
We may share your report with the regional compliance organization, whose employees are employed at a different Exyte entity of the Exyte Group. These compliance officers report only to the Corporate Compliance Department and are subject to confidentiality obligations, including the obligation to keep information from the employing entity.
During the processing of a report or the investigation, it may become necessary to share information, including personal data, with additional employees of Exyte and Exyte Group or employees of other group companies which are subject to or engaged by the Compliance Department, e.g., if the reports refer to incidents in subsidiaries. The latter may be based in countries outside the European Union or the European Economic Area with different regulations concerning the privacy of personal data.
We always ensure that the applicable data privacy regulations are complied with when sharing data and that required safeguards according to the data privacy regulations are taken, if necessary.
Please contact Exyte as the controller or the data protection officer to receive a full list of entities, in which the Exyte compliance department maintains compliance officers or other entities in the Exyte group or information about safeguards.
Upon completion of the investigation with the result of a criminal conduct or a serious misdemeanour we may transfer data to the responsible authorities for further investigation.
If you submit your report in a language that the compliance officer does not speak, we may use a sub-processor for translation purposes. Such sub-processors are subject to confidentiality and our instructions.
All persons who receive access to your personal data are obligated to maintain confidentiality.
Information to subjects of the investigation
As a basic principle, we conduct our investigations as transparently as possible and as legally required, and will inform the accused as required by the applicable data protection laws. In particular, we may refrain from informing involved persons if the success of the investigation could be endangered by revealing the investigation.
If you are accused, we will always give you the opportunity to provide your version of events and point of view before taking any legal steps or providing information to authorities, unless the success of the investigation could be endangered by revealing the investigation.
Retention period of personal data
Personal data is retained for as long as necessary to clarify the incidents and perform an evaluation of the report, or for as long as a legitimate interest of the company exists or retention is required by law. Upon completion of the investigation, we may retain personal data for the duration of legal proceedings or statutes of limitations, or based on other laws.
Moreover, the results of investigations and the consequences taken due to them may be stored as long as required subject to applicable laws, especially labour law, in order to assert Exyte's legal claims.
Use of the reporting system
Communication between your computer and the reporting system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the reporting system. In order to maintain the connection between your computer and BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the reporting system that is secured with an individually chosen pseudonym/user name and password. This allows you to send replies to the responsible employee at Exyte either by name or in an anonymous, safe way. This system only stores data inside the reporting system, which makes communication especially secure.
Report submission via telephone
Your anonymity will also be protected when you submit your report via telephone. Neither Exyte nor EQS Group will have access to your telephone number. Your description of the incident will be recorded in BKMS® System.
Afterwards, the encrypted sound file is transcribed by the responsible Exyte employee into writing and the sound file is deleted. If you have set up a secured postbox at the end of the report submission by telephone, you can receive feedback in the form of a voice recording by the responsible employee of Exyte, and you can add information to your report, if necessary.
Alternatively, you can access your secured postbox via the web application, review feedback, and make additions in written form. To protect the confidentiality of your report or addition, you can neither listen to it on your telephone nor in the web-based secured postbox.
Your rights
Upon request we will inform you whether Exyte stores any personal data about you, and if yes, which.
Under the statutory conditions you may have the right to demand that Exyte rectifies, restricts processing of, or erases these personal data.
You further have the right to object to the processing of your personal data where it is processed based on Article 6 para. 1 lit. f GDPR. In that case we will continue processing only if our legitimate interest in processing your data overrides your interests, rights or freedoms in stopping the processing of your personal data, or for the exercise or defence of legal claims.
You also have the right to receive from us the personal data concerning you which you have provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit (or have transmitted) those personal data to another controller.
You also have the right to lodge a complaint with the competent supervisory authority for data protection matters. For Exyte Management GmbH, the competent authority is the “Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg” in Baden-Württemberg, Germany.
Contact
For general questions or suggestions with regard to data protection, please contact the Exyte Data Protection Team at privacy@exyte.net and ethics@exyte.net.
The responsible data controller and other German entities appointed a Data Protection Officer.
If you have any concerns, complaints, or suggestions with regard to the processing of your personal data, please contact our Data Protection Officer at
Exyte Management GmbH
Data Protection Officer
Compliance
Löwentorstraße 42
70376 Stuttgart
Germany
Email: privacy@exyte.net
Version: 08/2021