Data Protection Notice
To facilitate the reporting of potential compliance violations and to ensure effective follow-up, Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in Munich (hereinafter referred to as “Munich Re”) has implemented this secure and confidential whistleblowing portal, which also meets the requirements laid out in the EU Whistleblowing Directive (Directive (EU) 2019/1937). For this reason, the portal receives and processes information regarding legal infringements securely and confidentially. Use of the whistleblowing portal is voluntary.
The whistleblowing portal is operated by Business Keeper GmbH, Bayreuther Str. 35, 10789 Berlin, Germany on behalf of Munich Re. Communication between your computer and the whistleblower portal is encrypted (SSL). Data entered into the whistleblower system are encrypted, password-protected, and stored in a database operated by Business Keeper, which is located in a high-security data centre in Germany. Business Keeper GmbH cannot access the data.
Who is responsible for processing the data?
1) For reports directed to Group Compliance and Legal (GCL) the responsible controller is
Münchener Rückversicherungs-Gesellschaft Aktiengesellschaft in München
Königinstr. 107
80802 Munich
Phone: +49 (89) 38 91-22 55
Fax: +49 (89) 39 91 7 22 55
E-mail: group.whistleblowing@munichre.com
Please contact Munich Re's Data Protection Officer if you have any questions about this notice. The Officer can be contacted via post addressed to the “Data Protection Officer” at the address above, or via e-mail at datenschutz@munichre.com.
2) For reports directed to the group-wide Munich Re Ombudsperson the responsible controller is
BDO AG Wirtschaftsprüfungsgesellschaft
Fuhlentwiete 12
20355 Hamburg
Germany
Phone: +49 (40) 33 47 53 74 35
E-mail: ombudsmann.mr@bdo.de
3) For reports to the respective compliance function(s) at specific local entities the responsible controller is the respective local entity.
What categories of data do we use, and where does the data come from?
Use of the whistleblowing portal is voluntary. If you choose to provide it, we collect the following personal data and information when you submit a report:
- Your first and last name and contact data
- Whether you are employed at Munich Re
- The names and other personal data of persons you name in your report.
Your computer's IP address is not recorded during or after use of the whistleblowing portal. In order to maintain the connection between your computer and the whistleblowing portal, a cookie is stored on your computer, which contains only the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser. Nonetheless, traces of your visit to the whistleblowing portal may be left on your computer. Therefore, if you visit the whistleblowing portal from a company computer, you should consider deleting in particular the temporary data (cache) in your browser.
You have the option to set up a secure mailbox in the whistleblowing portal using a pseudonym/user name and password, which you can select yourself. This way you can exchange messages and files anonymously and securely with the compliance function handling your report. This system of communication is not like normal e-mail exchange; the data is only saved in the whistleblowing portal and is therefore specially protected.
For what purposes and on what legal basis do we process your data?
We process your personal data in compliance with the EU General Data Protection Regulation (GDPR) and all other applicable laws, e.g. the German Federal Data Protection Act (BDSG).
The purpose of data processing is Munich Re’s obligation, enshrined inter alia in Section 23 (6) of the German Insurance Supervision Act, to provide a process that enables employees and third parties, while maintaining the confidentiality of their identity, to report potential or actual violations of relevant laws and regulations. It is a legitimate interest of Munich Re to reveal, process, suppress and sanction violations of the law and severe breaches of duty of employees group-wide in an effective manner with a high level of confidentiality to avert damage and liability risk. The entity to which you direct your report will process personal data confidentially, such as names and other data related to the communication and its content, and for the sole purpose of receiving and processing the abovementioned information securely and confidentially. As you enter information into the whistleblowing system, the system will ask for your consent. This consent provides the legal basis for the processing of your personal data in accordance with Article 6(1)(a) of the GDPR. If you should withdraw your consent, the processing can be based on Article 6(1)(f) of the GDPR and national regulations implementing the EU Whistleblower Directive, if your personal data is necessary in individual cases to protect the above-mentioned overriding or compelling legitimate interests of Munich Re.
Will data be passed on?
When you share your name in the whistleblowing portal, we ensure your identity as the whistleblower is treated confidentially.
Only a very limited number of expressly authorised persons from within the respective compliance function handling your report (based on your selection of who you want to report to) have access to the data you provide. Depending on the report's content, certain expressly authorised persons from within the internal audit department, with the Data Protection Officer and individually authorised persons in subsidiary companies may receive access to the data on a case-by-case basis, if it is necessary to process particular information. If these subsidiaries are headquartered in countries outside of the European Union or the European Economic Area, suitable or appropriate data protection guarantees will be ensured. Unless there is a specific adequacy decision of the EU Commission for the respective third country, these safeguards are provided in particular by binding corporate rules on data protection or standard contractual clauses of the European Commission. In exceptional cases we might use derogations from these safeguards provided in Art. 49 of the GDPR, e.g. if the transfer is necessary for the establishment, exercise or defence of legal claims.
Investigations of information reported are highly confidential. Each person with access to the data is obliged to treat it confidentially. In principle, your name or any circumstances which could expose your identity as whistleblower are not revealed. However, in certain exceptional cases, we may be required to provide your name, e.g. as required by law.
If an initial suspicion is confirmed, the information may be passed on to another internal department to initiate sanctions, or to a governmental law enforcement authority.
Information of the person(s) affected by the whistleblowing
In certain cases we are legally obliged to inform those affected that we have received information about them. This can only be done once the act of informing them no longer jeopardises the investigation of the information received. Additionally, the person affected might have a right to access data referring to him or her. No direct or indirect information about the identity of the whistleblower, in so far as permitted by law, is revealed in the process.
How long will your data be stored?
We store personal data related to the information for as long as it is required for the investigation and, in addition, for as long as relevant statutory or contractual retention periods oblige us to store the personal data. Following this period, in accordance with the country-specific legal requirements, information received is either deleted or anonymized, i.e. any reference to your identity as the whistleblower is finally and irreversibly erased.
Right to withdraw consent and to object
You have the right to withdraw your consent for the future and object to the processing of your personal data without disadvantages at any time. We will then stop the processing, unless based on Art. 6 (1) f and Art. 21 of the GDPR (data processing on the basis of legitimate interests) we have compelling legitimate interests to do so, the data is processed for the establishment, exercise or defence of legal claims or national regulations implementing the EU Whistleblower Directive permit us to continue to process it.
The withdrawal and the objection can be made free of formal requirements and should be addressed to the aforementioned entity to which you directed your report.
What further rights do users of the whistleblowing portal have?
In addition to your right to be informed about the processing of your personal data, subject to the legal requirements you have a right to obtain from us information under Art. 15 of the GDPR, the right to rectification under Art. 16 of the GDPR, the right to deletion under Art. 17 of the GDPR, the right to restriction of processing under Art. 18 of the GDPR, and the right to data portability under Art. 20 of the GDPR. Upon request, we will make the data that you provided available in a structured, accessible and machine-readable format. Please contact the aforementioned entity to which you directed your report to exercise these rights.
In addition, there is a right to complain to a data protection supervisory authority of your choice (Article 77 of the GDPR in conjunction with Section 19 of the BDSG). The authority responsible for Munich Re is:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Phone: 0981/180093-0
Fax: 0981/180093-800
E-mail: poststelle@lda.bayern.de
Internet: https://www.lda.bayern.de/de/kontakt.html
Information up to date as of February 2023