DATA PROTECTION POLICY
Saudi Steel Pipe Company (SSP) takes the protection of personal data very seriously, making reasonable efforts to ensure that they are handled confidentially. To this end, SSP complies with the applicable legislation, including the provisions of the European Union General Data Protection Regulation (GDPR) and other similar regulations applicable to the different countries in which SSP operates. Before submitting a report through this platform, please read this information carefully in order to understand the Data Protection Policy that will be applied by SSP in coordination with its service provider Business Keeper GmbH, in order to process reports of irregularities through this BKMS® Incident Reporting platform.
Purpose and legal basis of the irregularities reporting system
The BKMS® Incident Reporting system serves to securely and confidentially receive, process and manage reports about violations of the law or the internal norms of SSP. The processing of personal data within the scope of the BKMS® Incident Reporting system is based on the legitimate interest of our company in preventing and investigating, where applicable, irregular and/or illegal conduct in order to avoid damage to SSP, its subsidiaries, employees, suppliers and customers. As a general rule, the legal basis for processing personal data in this system shall be the legitimate interest of SSP and the consent provided by each individual at the time of reporting irregularities.
Responsibility for the processing of personal data within BKMS® Incident Reporting system
The parties responsible for data protection within the whistleblowing system (BKMS® Incident Reporting) shall be SSP and its subsidiaries, who have entrusted the operation of the irregularities reporting system (BKMS® Incident Reporting) to a specialized company, named Business Keeper GmbH, with registered office at Bayreuther Str. 35, 10789, Berlin, Germany and who will comply with SSP’s instructions to receive the reports.
Personal data and information entered in the BKMS® Incident Reporting system are stored in a database operated by Business Keeper GmbH in a highly secure data center. Only SSP can see the data entered by each user when submitting a report. Business Keeper GmbH and other third parties do not have access to the data. This is guaranteed by the procedure implemented by Business Keeper GmbH which is certified through extensive technical and organizational measures.
All data will be stored encrypted with various levels of password protection so that access is restricted to a group of persons defined by SSP.
Type of personal data collected
Use of the irregularities reporting system is voluntary. If the user sends a report through the irregularities reporting system, we will collect, among other data that the user chooses to provide, the following personal data:
- Your name, if you choose to disclose your identity
- If you are an employee of SSP or submit the report in another capacity (depending on whether or not you choose to disclose this information), and
- The names and other personal data of the persons you mention in your report when explaining the facts or the event involving an irregularity, if applicable.
Confidential handling of reports
Reports will only be accessed by staff authorised by SSP who have specific training to appropriately process and handle reports of irregularities. Reports will always be treated as confidential. Only staff authorised by the Internal Audit Department of SSP (and other departments if decided by the head of the Internal Audit department) will access the reports to evaluate the case and carry out necessary investigations as applicable. In the same way, SSP’s lawyers and legal advisors may access the information where necessary.
When processing a report or conducting a special investigation, it may be necessary to share reports with other specialized SSP employees, or with other subsidiary or affiliated companies of SSP (for example, when reports refer to incidents that affect more than one company of the economic group to which SSP belongs). The subsidiary companies of the SSP Group (including affiliated companies of SSP with whom it may be necessary to share information) may be located in countries outside SSP the European Union or the European Economic Area, and/or in countries which are not recognised by the European Commission as countries with adequate personal data protection legislation and which, therefore, have insufficient and inadequate data protection regulations. When sharing reports, SSP will provide the means to ensure compliance with the applicable regulations and the provisions of its internal policies and procedures on personal data protection, even in countries that lack of adequate legislation.
Informing the accused
In some countries, SSP may be obliged to inform the accused persons that SSP has received a report about them. It is important that the system users know that SSP will only disclose information on reported persons if there is a legal obligation to do so (for example, to guarantee the rights of defense of the accused persons or to ensure that investigation processes are properly conducted).
Rights of the data subject
In accordance with the legislation on access rights applicable in each country, the reporting person, as well as the persons mentioned in a report, may have the right of access, consultation, rectification, erasure, restriction of processing, as well as the right to object to the processing of personal data concerning them. The reporting persons may also have the right to lodge queries and complaints with the competent personal data authorities in the relevant jurisdiction. SSP and, where appropriate, Business Keeper GmbH will provide the means by which the rights of access available to reporting persons can be exercised in accordance with the provisions of the applicable law in each case.
Personal data retention period
Personal data will be stored for the time required to clarify the situation and conduct an investigation and assessment of the case, as appropriate, or as long as it is required by law or there is a legitimate interest of SSP in its retention.
Use of the irregularities reporting system
The connection between the device from which a report is made and the irregularities reporting system is established through an encrypted connection (SSL). Your IP address will not be stored when you use the irregularities reporting system. To maintain the connection between your device and BKMS® Incident Reporting, a cookie will be stored in your device containing only the session ID (a so-called session cookie). This cookie is only valid until the end of the session and will expire when the user closes their browser.
In the irregularities reporting system (BKMS® Incident Reporting), the user has the option of setting up a secured postbox using a user name/pseudonym and a password which can be chosen freely. This allows the user to send reports to SSP in a secure way, and anonymously if the user wishes. This system only stores data within the irregularities reporting system (BKMS® Incident Reporting), in a secure environment.
Submitting reports via telephone
When you report an irregularity via telephone, your anonymity will also be protected by BKMS® Incident Reporting. Neither SSP nor Business Keeper GmbH will have access to the phone numbers from which the report is made. The description of the incident or the report will be recorded in BKMS® Incident Reporting and the encrypted sound file will be transcribed by the responsible SSP employee. If the user sets up a secured postbox after submitting the report via telephone, they can receive messages in the form of voice recordings from the responsible employee of SSP and may add information to their report if necessary. The user will also log in to their secured postbox via the web application, review the report and add additional written information.
Note on sending additional reports and attachments
When a user decides to attach additional information or files or documents to a report that has already been submitted, the system will allow them to do so in order to provide supporting information for the report. It is important for reporting persons that prefer to remain anonymous to bear in mind that the files or documents sent as attachments may contain personal data (hidden as metadata or only visible as document properties). It is recommended to delete this information before sending any document or file as an attachment or to take steps to anonymise the documents, files or additions that they want to provide.
Version: May 2, 2022