Privacy policy
DZ BANK AG (also referred to as simply DZ BANK) takes data protection and confidentiality very seriously and adheres to the provisions of the General Data Protection Regulation (GDPR) as well as current national data protection regulations. This privacy policy offers you an overview of the processing of your personal data by DZ BANK within the framework of the whistleblowing system and informs you of your rights as a data subject in accordance with data protection law. Please read this information on data protection law carefully before submitting a report.
Who is responsible for data processing and who can you contact?
DZ BANK AG
Deutsche Zentral-Genossenschaftsbank, Frankfurt am Main
Platz der Republik
60325 Frankfurt am Main, Germany
Telephone: +49 69 7447-01
Fax: +49 69 7447-1685
Email: mail@dzbank.de
You can contact our company Data Protection Officer at the address above and by
telephone: +49 69 7447-94101
fax: +49 69 427267-0539
email: datenschutz@dzbank.de
This system is used for reports and violations of human rights and environmental protection under the Supply Chain Due Diligence Act (SCDDA) and is operated by a specialised company, EQS Group AG, Karlstrasse 47, D-80333 Munich in Bavaria, Germany, on our behalf.
Personal data and information entered into this system are stored in a database of a high security data centre operated by EQS Group AG. Only expressly authorised persons at DZ BANK can see the data. EQS Group AG and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection according to a system of permissions so that access is restricted to a very small selection of expressly authorised persons at DZ BANK.
Purpose and legal foundation of the reporting process
The electronic reporting process (BKMS® System) serves to securely and confidentially receive, process and manage reports concerning compliance and legal violations. We will process your personal data if it is necessary to fulfil legal obligations. This includes, in particular, reports of criminal, competition and labour law issues (Article 6 (1) (c) GDPR).
Furthermore, your personal data will be processed if it is necessary for the protection of the legitimate interests of the organisation or a third party (Article 6 (1) (f) GDPR). We have a legitimate interest in the processing of personal data for preventing and discovering violations within the organisation, for checking the lawfulness of internal processes and protecting the integrity of the organisation.
Type of personal data collected
Use of the system is voluntary. If you submit a report via the system, we collect the following personal data and information:
- your name, if you choose to reveal your identity, as well as other personal data you send when you submit the report
- whether you are employed at our organisation, and
- the names and other personal data of persons whom you list in your report, if applicable.
Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees in Compliance and always handled confidentially. The Compliance employees evaluate the matter and carry out any further investigation that may be required by the specific case.
While processing a report or conducting a special investigation, it may be necessary to share reports with additional employees of our organisation or employees of other group companies, e.g. if the reports refer to incidents in subsidiaries. These subsidiaries may be based in countries outside the European Union or the European Economic Area with different regulations concerning the protection of personal data. We always ensure that the applicable data protection regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
Information about the accused party
We are legally obliged to inform accused parties of any reports received against them as soon as the disclosure of this information no longer jeopardises the investigation. Your identity as a whistleblower will not be disclosed unless we are legally bound to do so.
Rights of the data subjects
Every data subject has the right of access as per Art. 15 GDPR, the right to rectification as per Art. 16 GDPR, the right to erasure ("right to be forgotten") as per Art. 17 GDPR, the right to restriction of processing (blocking) as per Art. 18 GDPR, the right to data portability as per Art. 20 GDPR and the right to object as per Art. 21 GDPR. Furthermore, data subjects have the right to lodge a complaint with a data protection supervisory authority according to Art. 77 GDPR.
Profiling
DZ BANK does not engage in any profiling.
Retention period for personal data
The documentation of the reports is retained for seven years according to section 10 (1) SCDDA if the report was processed within the scope of the reporting process or in the involved departments of DZ BANK. The retention period begins on 31 December of the year in which the process has been concluded. Your personal data need to be processed for the purposes of DZ BANK’s legitimate interests.
Documentation of the reports is immediately erased if the process is discontinued after an initial review.
Only in an exceptional case can longer retention periods arise if longer-term storage is necessary based on legal actions and the data are required as evidence or if overriding statutory regulations require storage of the data beyond the seven-year period.
Use of the electronic reporting process
Communication between your computer and the system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a session cookie). This cookie is only valid until the end of your session and expires when you close your browser. The legal basis for the temporary storage of these data and log files is Art. 6 (1) (f) GDPR (legitimate interest).
It is possible to set up a postbox within the system that is secured with an individually chosen pseudonym/user name and password. This allows you to send reports to the respectively responsible employee either by name or in an anonymous, safe way. This process only stores data in the BKMS® System, which makes it particularly secure. It is not a form of regular email communication.
Note on sending attachments
Files may contain hidden personal data that could jeopardise your anonymity. Please remove all such information before sending a file. If you are unable to remove such data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Version: January 2024