Information on data protection
This data protection information describes how BAUHAUS processes personal data in the operation of the whistleblowing system and the processing of reports and sets out which data protection rights you have and how you can contact us about this and with questions about data protection.
I. Controller and its data protection officer
Which BAUHAUS company is the controller of the data processing pursuant to Art. 4 (7) GDPR depends on which company is selected by a whistleblower. The company selected by the whistleblower is the addressee of the report and also the controller of the data.
This company is referred to below as “we” or “us” or “BAUHAUS” from the perspective of the controller responsible for the data processing.
The whistleblower system is operated by EQS Group AG, Karlstraße 47, 80333 Munich on behalf of BAUHAUS. The data is stored in encrypted form. EQS has no access to unencrypted data. Reports are automatically forwarded by the system to the responsible compliance department of the respective BAUHAUS company.
For special enquiries for Germany, you are also welcome to contact the data protection officer directly by sending an email to datenschutzbeauftragter@bauhaus.info. The topics and content discussed in this way are kept confidential. For general questions about data protection and exercising your rights as a data subject, please contact the internal data protection office at BAUHAUS, along with detailed information about your enquiry, at datenschutz@bauhaus.info.
II. Cookies
Communication between your computer and the whistleblowing system takes place via an SSL-encrypted connection. The IP address is not stored during use of the whistleblowing system. In order to maintain the connection between your computer and the system, a cookie is saved that only contains the session ID. This is only valid until the end of your session, and it is deleted upon closing the browser. The cookie is required for operation of the web-based reporting form, which is why it is set automatically by us.
III. Data processing and purposes
The specific data processing that takes place depends largely on which information BAUHAUS receives in the future in the form of reports. The data processing that is performed with the help of the whistleblowing system serves to securely and confidentially receive, process and manage reports of (suspected) violations of the law or significant violations of compliance regulations. Personal data and other information that you provide to us via the whistleblowing system is stored in a database operated by EQS Group AG in a high-security data centre. Only the internal reporting office of the company selected by the whistleblower is able to view the data. This is ensured in the certified solution by extensive technical and organisational measures.
Which data we process with the help of the whistleblowing system depends largely on the reports that are sent to us in each individual case. Whistleblowers must always indicate the country to which a report is submitted and what type of suspected violation is being reported (such as corruption). In the form for submitting a report, whistleblowers are also asked to describe the suspected violation and to share information that may be useful for the investigation. If shared by the whistleblower in the individual case, we also collect the name of the whistleblower and additional contact details, names of persons mentioned in the reports and information about their participation in a suspected violation as well as affiliation with a BAUHAUS company. We also collect a reference number associated with every report that is submitted. If you set up a postbox in the whistleblowing system, the selected pseudonym and the selected password in hashed form as well as an ID associated with the postbox are processed.
Personal data that is obviously not relevant for the processing of a specific report is deleted immediately. We also black out personal data, insofar as necessary, to protect the identity of whistleblowers and to protect persons named in reports (for example, before internal forwarding for processing of a report).
IV. Notification of the accused
We are legally obliged according to Art. 14 GDPR to inform accused parties of any reports received about them as soon as the disclosure of this information no longer jeopardises the investigation. Your identity as a whistleblower will not be disclosed unless we are legally bound to do so.
V. Confidential handling and forwarding of reports
Incoming reports are received by a small number of expressly authorised persons and always handled confidentially. After receiving a report, we evaluate the report and the matter it describes and carry out any further investigation that may be required by the specific case. While processing a report or conducting an investigation, it may be necessary to share reports with employees of BAUHAUS, including employees of affiliated companies, law firms, consulting firms or, in special cases, criminal justice authorities. If necessary for the processing of a report or investigation of the matter, we may have texts translated. All persons who receive access to the data are contractually or legally obliged to maintain confidentiality.
VI. Information on the ability to submit anonymous reports
If you wish to protect your anonymity when submitting a report, the whistleblowing system protects you on a technical level. Please make sure that the information you enter in the reporting form and any uploaded documents do not contain any references to your identity. If you use the postbox function, information relating to you is generally no longer anonymous but rather pseudonymous.
VII. Information on sending attachments
When submitting a report or sending an addition to a previous report, you can upload attachments to the system. If you wish to submit an anonymous report, please take note of the security advice.
VIII. Information on the option of setting up a postbox
After submitting a report, you have the option of setting up an electronic postbox within the whistleblowing system that is secured with an individually chosen pseudonym and password. The password is saved as a hash; the postbox is encrypted and has an associated ID. If the login information is lost, there is no way to restore it. Whistleblowers can use the postbox to view information about the processing status, provide additional information, upload files and read or print out reports. If you do not wish to share your name with us, please ensure that your pseudonym and any information shared with us do not allow your identity to be deduced and that you do not share your name in the course of the communication with us.
IX. Legal basis
We base our processing of personal data as described in this data protection information on our legitimate interest in discovering and preventing malpractice and thereby averting material and immaterial damage to and liability risks for BAUHAUS (Art. 6 (1)(f) GDPR and, in the case of a German BAUHAUS company, in connection with Sections 30, 130 Code of Administrative Offences (OWiG)). If the processing of special categories of personal data is required for this purpose, we perform such data processing on the additional basis of Art. 9 (2)(f) GDPR. If a report that is received concerns an employee of BAUHAUS, the processing also serves to prevent criminal acts or other legal violations in connection with the employment relationship and, in Germany, is additionally carried out on the basis of Section 26 (1)(2) German Federal Data Protection Act (BDSG).
In the course of an investigation into a suspected violation and subsequent resolution, BAUHAUS processes data in individual cases in order to exercise and defend our interests, rights and claims based on our legitimate interests in exercising and defending our interests, rights and claims in accordance with Art. 6 (1)(f) GDPR. If the processing of special categories of personal data is required for the assertion, exercising or defence of legal claims, we perform such data processing on the additional basis of Art. 9 (2)(f) GDPR.
We also process personal data via the whistleblowing system on the basis of legal obligations, Art. 6 (1)(c) GDPR (in connection with Directive (EU) 2019/1937 and corresponding (future) national implementations). For example, we are obliged to erase data if we no longer have a legal basis for its storage.
If you as whistleblower are located outside of the EU/EEA at the time of report submission, data transmission will inevitably take place within the course of your report submission. Such data transmission takes place in this case on the basis of Art. 49 (1)(d) GDPR.
X. Third-party sources
We generally receive information from a whistleblower about persons who are suspected to have committed a violation. In such cases, the source of the data as defined by Art. 14 (2)(f) GDPR is the whistleblower. It can also be necessary to collect data from the BAUHAUS company where a person suspected of committing a reported violation is employed or from other BAUHAUS companies. If relevant and necessary in the individual case, we also use publicly available data.
XI. Storage duration
Exactly how long the data will be stored cannot be generally determined since an evaluation of the individual case is required to establish this. Personal data is retained for as long as necessary to clarify the situation and perform a final assessment of a report in the individual case or for as long as an overriding legitimate interest exists on the part of BAUHAUS or retention is required by law. Personal data that is obviously not relevant for the processing of a specific report is deleted immediately. We also black out personal data to protect the identity of whistleblowers and to protect persons named in reports (for example, before internal forwarding for processing of a report, insofar as such data is not required for the processing).
XII. Rights of the data subject
As data subject, you have the following data protection rights, contingent on fulfilment of the respectively applicable prerequisites:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
You also have a right to object (Art. 21 GDPR), insofar as we carry out data processing on the basis of Art. 6 (1)(f) GDPR. Please note that, in the case of data processing for purposes other than direct advertising, reasons must be specified that arise from your particular situation. You can inform us of your objection by sending an email to our data protection officer in Germany (datenschutzbeauftragter@bauhaus.info). This will be forwarded to the respective office.
Version from December 2021