Information on data protection
Hamburger Hafen und Logistik Aktiengesellschaft and its subsidiaries (hereafter “HHLA”, “we”, “us”) ensures compliance with statutory standards as well as internal company guidelines by means of an appropriate compliance management system. This includes, among other aspects, the implementation and operation of a whistleblowing system. This communication channel (BKMS® System) serves for securely and confidentially receiving, processing and managing reports concerning potential compliance violations in connection with HHLA or its supply chains. The processing of personal data within the framework of the BKMS® System is based on the legitimate interest of our company in discovering and preventing abuses and thereby averting damage to HHLA, its employees and business partners.
In compliance with Art. 13 and 14 of the General Data Protection Regulation (GDPR), we would like to inform you here about the collection, processing and use of personal data within the framework of our whistleblowing system when you submit a report via the BKMS®System. We process personal data within the context of our whistleblowing system only in accordance with the applicable data protection laws, which arise from the GDPR as well as national laws and regulations. Please read this information on data protection law carefully before submitting a report.
Controller responsible for data processing
The party responsible for data protection in the whistleblowing system is:
- Hamburger Hafen und Logistik Aktiengesellschaft Bei St. Annen 1 20457 Hamburg
Its subsidiaries
as parties with mutually autonomous responsibility (hereafter collectively referred to as “HHLA”, “we”, “us”).
Our Group data protection officer can be contacted using the address provided above or at datenschutz@hhla.de.
Purpose and legal basis of our whistleblowing system and the associated data processing
HHLA processes your data within the framework of the applicable laws, in particular for the following specific compliance and investigation purposes:
- Evaluation of incoming reports
- Investigation of circumstances involving misconduct
- Compliance with legal obligations
- Prevention of future misconduct
- Averting imminent economic or other damage or negative impacts
The following legal basis applies for the data processing in connection with the use of the whistleblowing system:
- Fulfilment of the employment contract, Art. 88 GDPR in connection with the respectively applicable national laws and regulations (e.g. in Germany § 26 (1)(1) Federal Data Protection Act, BDSG)
- Protection of property and investigation of criminal acts, Art. 88 GDPR in connection with the respectively applicable national laws and regulations (e.g. in Germany § 26 (1)(2) Federal Data Protection Act, BDSG)
- Compliance with statutory obligations, Art. 6 (1)(c) GDPR
- Legitimate interests, Art. 6 (1)(f) GDPR
HHLA has a legitimate interest in the data processing in particular for averting potential damage through the establishment, exercise and defence of legal claims, for continued development of the compliance management system and its structures as well as for supporting persons involved in incoming reports.
The HHLA ensures that data processing on the basis of legitimate interests always takes place in consideration of the statutory requirements, in particular that no overriding legitimate interests and rights of data subjects apply.
Submission of reports and processing of personal data and data categories within the framework of the BKMS® System
Use of the whistleblowing system is voluntary and encompasses only those personal data that are provided by the whistleblower.
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a session cookie). This cookie is only valid until the end of your online session and expires when you close your browser.
It is possible to set up a secured postbox within the whistleblowing system with an individually chosen pseudonym/ user name and password. This allows you to send reports to the respectively responsible compliance employee of HHLA either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing system, which makes it particularly secure. It is not a form of regular email communication.
When submitting a report or an addition, you can simultaneously send attachments to the responsible compliance employee of HHLA. If you wish to submit an anonymous report, please take note of the following security advice: Files may contain hidden personal data that could jeopardise your anonymity. Please remove all such information before sending a file if you wish to remain anonymous. If you are unable to delete these data or are unsure of how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address provided to you by the examiner via the postbox, citing the reference number received at the end of the reporting process.
When you submit a report via the whistleblowing system, we may process the following personal data and information:
- Information about the specific situation, e.g. the time, circumstances, persons and other information in connection with the reports submitted by whistleblowers
- Operational information, such as area of activity, work location, possible supervisory position and professional contact information
- Operational documents and records, such as travel expense accounting, working time records, contracts, service records, invoices and communication records (e.g. email, chat messages)
- Personal information, such as name, private address, private telephone number, private email address
- Special categories of personal data, Art. 9 GDPR, when a report submitted by a whistleblower contains such data. HHLA will only process such data in consideration of and in compliance with the applicable data protection regulations, in particular in accordance with Art. 9 (2) GDPR.
No automated decisions or profiling measures as defined by Art. 22 GDPR take place within the framework of investigative measures.
Storage period
HHLA retains the data collected within the scope of the investigation in accordance with the applicable provisions of data protection law.
Personal data will be stored for as long as necessary for the aforementioned purposes or as required by law. If the underlying justifications or any statutory retention or documentation obligations cease to apply, these data will be erased in accordance with the statutory provisions. In particular, the duration of the storage may be determined by the severity of the suspicion, the type of the reported potential compliance violation and the complexity of the situation.
Confidential handling of reports and sharing with third parties
In general, we do not share your data with third parties. Sharing takes place only if the data are specifically intended for sharing, if you have expressly consented to this in advance during the submission or if we are obliged or entitled to do so on the basis of statutory provisions.
Incoming reports are received by a small selection of expressly authorised and specially trained employees in the compliance organisation of HHLA and are always handled confidentially. The employees of the compliance organisation of HHLA evaluate the matter and perform any further investigation required by the specific case.
While processing a report or conducting a special investigation, it may be necessary to share reports with additional employees of HHLA or employees of other group companies, e.g. if the reports refer to incidents in subsidiaries. These subsidiaries may be based in countries outside the European Union or the European Economic Area with different regulations concerning the protection of personal data. We always ensure that the applicable data protection regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
We are legally obligated to inform accused parties of any reports received against them as soon as the disclosure of this information no longer jeopardises the investigation. Your identity as a whistleblower will not be disclosed unless we are legally bound to do so.
The whistleblowing system is operated on behalf of HHLA by the specialised processor, EQS Group AG, Bayreuther Str. 35, 10789 Berlin, Germany, which is obligated to follow the instructions of HHLA (Art. 28 GDPR).
Personal data and information entered into the whistleblowing system are stored in a database operated by EQS Group AG in a high-security data centre. EQS Group AG and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures. All data are stored encrypted with multiple levels of password protection according to a system of permissions so that access is restricted to a very small selection of expressly authorised persons in the compliance organisation of HHLA.
In individual cases, other statutory obligations to share data may exist; however, these are not general in nature and arise only within the context of the specific case. This includes cooperation with investigative authorities and sharing of data in this context, always in consideration of data protection law.
Your rights as a data subject
You have the following rights on the basis of the applicable data protection laws:
- The right to receive information on the processing of your personal data in accordance with Art. 15 GDPR.
- The right to rectification or erasure, including the “right to be forgotten” in accordance with Art. 16, 17 GDPR.
- The right to request restriction of processing in accordance with Art. 18 GDPR.
- The right to data portability in accordance with Art. 20 GDPR.
- The right not to be subject to a decision based on automated processing which produces legal effects or significantly affects you in accordance with Art. 22 GDPR.
- The right to object to the processing, including profiling, on grounds relating to your particular situation in accordance with Art. 6 (1)(f), 21 GDPR.
The right to appeal to the competent supervisory authority. The right to appeal can be exercised, in particular, with a supervisory authority in the Member State of your habitual residence, place of work or the place of the alleged infringement. The competent supervisory authority in Hamburg is:
The Officer for Data Protection and Freedom of Information of the Free and Hanseatic City of Hamburg, Ludwig-Erhard-Str 22, 20459 Hamburg, email: mailbox@datenschutz.hamburg.de.
All rights of the data subject, with the exception of the right to appeal to the supervisory authority, can be exercised with respect to the Group data protection officer or the competent data protection officer of the relevant company. For this purpose, please address your request to the contact person listed below.
Contact information of the data protection officer:
You have the right to contact our data protection officer at any time (datenschutz@hhla.de).