Data Protection Information
Steigenberger Hotels GmbH (hereafter "StHG") ensures compliance with applicable laws by means of a compliance organisation adapted to the business model, legally sound processes and measures for violation prevention and response. With the DH Speak-Up Line, you can securely submit reports of compliance or data protection violations to the competent Governance, Risk & Compliance department, either anonymously or by name. Your privacy is very important to us, and you should always feel safe when you access the DH Speak-Up Line. You have the option of selecting a pseudonym/user name and password to set up a secured postbox for further communication after submitting a compliance or data protection report. In this respect, we inform you pursuant to Art. 13 of the EU General Data Protection Regulation (GDPR) of the associated processing of your personal data provided via the DH Speak-Up Line in your compliance or data protection report (https://www.bkms-system.com/grc-speakup).
StHG will process your data only within the context of the whistleblowing system and in accordance with the applicable data protection provisions. These provisions arise in particular from the GDPR and the German Data Protection Act (BDSG). This data protection information contains explanations of the data processing associated with the whistleblowing system.
Who is the responsible person or entity?
The responsible person or entity of this instance of BKMS® Incident Reporting in accordance with the EU General Data Protection Regulation is
Steigenberger Hotels GmbH
Attn.: Governance, Risk & Compliance
Lyoner Strasse 25
60528 Frankfurt am Main
Telephone +49 69 66564-01
Fax +49 69 66564-888
How can you contact the Data Protection Officer?
You can contact our Data Protection Officer as follows:
Bernd Liedke-Deutscher, LL.M.
TÜV Informationstechnik GmbH
TÜV NORD GROUP
Fachstelle für Datenschutz, IT Security, Business Security & Privacy
Langemarckstr. 20, 45141 Essen
Tel./mobile: +49 201 8999-462
What personal data of yours do we process?
Use of the DH Speak-Up Line for compliance or data protection reporting is voluntary. When using the system, you have the opportunity to enter personal data concerning yourself or third parties and that falls into the following data categories:
- Communication data (e.g. name, telephone, email, address)
- Employee data of StHG employees or employees of its wholly owned subsidiaries
- The names and other personal data of persons whom you list in your report, if applicable.
Providing full answers to the questions asked within the context of the report helps us to process your report. If you provide us with incomplete data, we may not be able to process your report, or at least not as quickly.
In order to maintain the connection between your computer and the DH Speak-Up Line, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
For what purpose do we process your data (processing purpose) and on what legal basis?
The objective of the DH Speak-Up Line is to provide you with a communication channel so you can report compliance or data protection issues. The goal is also to ensure that your report is processed by StHG in accordance with the processes of the compliance management system as an implementation of corporate and regulatory provisions.
Most notably, we process your personal data for the following purposes:
- Investigation of malpractice: Reports submitted via the DH Speak-Up Line can assist with uncovering and investigating possible violations of employment obligations or criminal acts by employees of StHG and its wholly owned subsidiaries as well as other malpractice within the company; for instance, this could involve uncovering and preventing fraud, corruption, tax crimes, anti-trust violations, money laundering or other business crimes.
- Conflicts of interest: Reports can be submitted via the DH Speak-Up Line to reveal possible conflicts of interest, which could lead to a violation of laws or other rules.
- Preventing future malpractice: Reports via the DH Speak-Up Line are also typically intended to prevent or at least hinder future violations of employment obligations or criminal acts by employees of StHG or its wholly owned subsidiaries.
- Exercising rights: Reports submitted via the DH Speak-Up Line can also serve to compensate for or prevent potential financial or other damage or disadvantages to StHG or its wholly owned subsidiaries, aiding in an effective legal defence or the exercising and assertion of rights. For instance, StHG or one of its wholly owned subsidiaries may engage in compliance measures to prepare for court proceedings associated with labour law or other legal disputes on the basis of reports.
- Exonerating employees: StHG also takes appropriate compliance measures to investigate possible accusations against unjustly accused employees of StHG or its wholly owned subsidiaries and to exonerate them.
- Complying with legal obligations: StHG and its wholly owned subsidiaries are subject to extensive supervisory and compliance obligations by law. These arise from, among other sources, §§ 130, 30 Regulatory Offences Act (Ordnungswidrigkeitengesetz, OWiG) and §§ 93, 111 Companies Act (Aktiengesetz, AktG). Compliance measures arising through the whistleblowing system typically serve for complying with these statutory obligations of StHG and its wholly owned subsidiaries.
- Compliance with statutory data protection regulations: Reports via the DH Speak-Up Line can also aid in the implementation of and compliance with statutory data protection regulations.
StHG justifies permissible data processing in connection with the whistleblowing system based on the following legal principles:
- Consent (Art. 6 (1)(a) GDPR in connection with § 26 paragraph 2 BDSG): The sharing of information in the whistleblowing system is voluntary. Reports can also be submitted anonymously.
- Implementation of the employment relationship (§ 26 paragraph 1, sentence 1 BDSG): Data processing in connection with the whistleblowing system may be necessary, among other purposes, for justifying, implementing or ending the employment relationship with an involved employee. Compliance measures for uncovering violations of employment obligations that do not constitute crimes can be justified according to § 26 paragraph 1, sentence 1 BDSG. Compliance measures may also be necessary for concluding employment relationships, for instance within the context of disputes in labour court with the respective employee.
- Investigation of crimes (§ 26, paragraph 1, sentence 2 BDSG): If reports serve for uncovering possible crimes within the context of employment relationships, this may be justified according to § 26 paragraph 1, sentence 2 BDSG. However, StHG will only use § 26 paragraph 1, sentence 2 BDSG as the basis for the corresponding data processing if actual, documented reasons exist to suspect a crime in the employment relationship and the interests of the employee in question do not take precedence.
- Compliance with statutory obligations (Art. 6 (1)(c) GDPR): The StHG and its wholly owned subsidiaries are subject to extensive supervisory and compliance obligations by law. The compliance measures taken by StHG and its wholly owned subsidiaries on the basis of reports serve, among other purposes, for complying with these legal obligations.
- Works agreements (Art. 88 (1) GDPR, § 26 paragraph 4 BDSG): StHG may also process your data on the basis of applicable works agreements and the protocol note to the collective works agreement "Use of IT Systems" from September 1989, which regulate the specific implementation of compliance measures.
- Protection of legitimate interests (Art. 6 (1)(f) GDPR): StHG may also process your data to protect its own legitimate interests or those of a third party. Such legitimate interests may include:
  - Legal defence: Protecting the company from damages. The data processing also serves the legitimate interests of StHG or its wholly owned subsidiaries in the establishment, defence and exercise of legal claims.
  - Improving compliance structures: Reports can also serve for improving the internal compliance structures of StHG or its wholly owned subsidiaries. For example, StHG or a wholly owned subsidiary can use reports to uncover and remedy possible weaknesses in its internal compliance organisation. This is also a legitimate interest of StHG.
  - Supporting accused employees: Reports can also be used to exonerate accused employees. This generally involves the legitimate interest of a third party.
  - Implementing foreign laws: In addition to national and Union law requirements, StHG and its wholly owned subsidiaries are also subject to extensive compliance regulations of countries outside the EU. These include, for example, anti-corruption and competition regulations according to US law. The implementation of such foreign laws is also fundamentally considered a legitimate interest.
StHG will ensure that compliance measures based on reports are not implemented if opposing legitimate interests and rights of the employee involved take precedence.
No automated decision-making or profiling takes place within the whistleblowing system.
Disclosure of data to StHG employees, to any of the potentially accused persons and to other responsible parties
In the course of processing a compliance or data protection issue, it is necessary to pass on the report in whole or in part to the employees responsible for the processing at StHG. Your information will only be made available to those employees who definitely require the information to process your report. We may also be required to disclose your data to the works council and/or other bodies representing employee interests in accordance with the applicable works council constitution and data protection laws. For example, this may be the case if specific compliance measures require the prior approval of the works council.
Of course, we prefer communicating about the reported issue openly and would appreciate you disclosing your identity. This ensures uncomplicated, direct and confidential exchange. The whistleblower has an overriding legitimate interest in avoiding sanctions/reprisals (at the workplace), which justifies keeping the source of information confidential pursuant to § 29 paragraph 1 BDSG, so that in this case the obligation to inform any accused or involved person can be omitted. In other words, data of the whistleblower is not disclosed to the involved person under any circumstances.
Your personal data will only be transmitted by us to other responsible persons if it is necessary to fulfil further legal obligations.
In addition, data may be shared with other competent parties (e.g. courts or public authorities) insofar as we are obligated to do so on the basis of statutory provisions or enforceable decisions by public authorities or courts.
Service Provider (general)
StHG has commissioned Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin (hereinafter the "Service Provider") to operate the compliance whistleblowing system on behalf of StHG and to store the data in a database operated by Business Keeper GmbH in a high-security data centre within the European Union.
StHG has carefully selected the service provider and monitors it regularly, in particular, its careful handling and safeguarding of the stored data. Access to the data is only possible for selected employees of StHG (see above under "Disclosure of data to StHG employees and to other responsible persons"). The service provider has no access to the data. This is guaranteed by a certified procedure through comprehensive technical and organisational measures.
The service provider has been obligated by StHG to maintain confidentiality and to comply with legal requirements.
We may also make use of other service providers, such as law offices or auditing firms. We will take appropriate measures to ensure that these service providers process your data only within the scope of the applicable data protection law requirements if such disclosure is absolutely necessary.
Disclosure to recipients outside of the EU or the EEA
We will not under any circumstances provide your personal data to legal entities or authorities located outside the EU or EEA in so-called third countries.
How long do we store your data?
Data collected within the whistleblowing system and based on subsequent compliance measures will be saved or erased by StHG in accordance with the applicable data protection law requirements, in particular Art. 17 GDPR. StHG will then erase your data, provided it is no longer required for the reasons listed in this data protection information. This is generally the case after processing of the compliance or data protection report is complete. However, statutory archiving regulations or legitimate interests of StHG or its wholly owned subsidiaries can justify longer retention of your data. For example, StHG may continue to retain your data during ongoing legal disputes resulting from possible compliance measures or data protection reports.
Erasure of personal data, which we continue to store and process for the assertion and defence of our rights, is based on the expiry of the maximum limitation period for administrative offences and criminal acts or for the assertion of civil claims (§§ 31 paragraph 2, 33 paragraph 3 OWiG [German Administrative Offence Act]; §§ 78 paragraph 3, 78c paragraph 3 StGB [German Penal Code]; and §§ 195 et seq. BGB [German Civil Code]).
What security measures have we implemented?
Our employees and the service providers commissioned by us are bound to confidentiality and compliance with the provisions of the applicable data protection regulations.
Incoming reports are received by a small selection of expressly authorised and specially trained employees of StHG and always handled confidentially. StHG employees evaluate the matter and perform any further investigation required by the specific case. All persons who receive access to the data are obligated to maintain confidentiality.
We will take all necessary technical and organisational measures to ensure an appropriate level of protection and particularly to protect your data managed by us against the risks of unintentional or unlawful destruction, manipulation, loss, alteration, and/or unauthorised disclosure or access. Our security measures are regularly improved in line with technological developments. Communication between your computer and the DH Speak-Up Line regarding compliance or data protection reports takes place over an encrypted connection (TLS).
What data protection rights do you have?
Right of access
You are entitled to ask the controller whether any of your personal data are being processed and receive confirmation.
You also have the right to request information about any disclosure of your personal data to recipients in a third country or to an international organisation. In this context, you can demand to be informed about the appropriate safeguards as per Article 46 GDPR.
Right to rectification
You have the right to rectification and/or completion of your data by the responsible person or entity in cases where your personal data are incorrect or incomplete. The responsible person or entity is obligated to carry out the rectification promptly.
Right to restriction of processing
Under the conditions regulated in the GDPR, you can request that the processing of your personal data be restricted.
Right to erasure
You can demand that the responsible person or entity erase your personal data immediately, and the responsible person or entity will be obligated to do so provided that no legally defined exception applies.
Right to data portability
You have the right to receive the personal data which you have provided to a responsible person or entity for processing based on consent or a contract with you in a structured, commonly used and machine-readable format. You also have the right, under the conditions regulated in the GDPR, to transmit those data to another responsible person or entity – insofar as this is technically feasible – without hindrance from the controller to which the personal data have been provided. This must not affect the rights and freedoms of others.
Right to withdraw consent
You have the right to withdraw your consent at any time after submitting the report. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. All personal data saved based on the consent provided will then be erased unless another legal justification for continued storage exists.
Exercising your rights
To exercise your above rights, contact us using the contact information provided in item 1 or 2.
For faster processing, we request that whistleblowers wishing to make use of their right to object to processing contact us informally via the secured postbox.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1)(e) or (f) GDPR, including profiling based on those provisions.
To withdraw your consent, please contact us using the contact information provided in item 1 or 2 or make informal use of your secured postbox and inform your report examiner.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR. To make it easier for you to exercise your rights, the address of the corresponding supervisory authority is provided here:
Hessischer Beauftragter für Datenschutz und Informationsfreiheit
65021 Wiesbaden, Germany
Is sharing of your personal data required?
You can securely submit compliance or data protection reports via the DH Speak-Up Line either by name or anonymously. The sharing of your personal data is not required either by law or by agreement.