During the use of BKMS® Incident Reporting, a text file (called a \"session cookie\") is saved on your computer containing only the number of your session. This is necessary for technical reasons in order to establish the connection to a security-certified server. The \"session cookie\" does no damage to your computer, it does not access your data and has no relation to the contents of your report. If you close all browser windows after submitting your report, the \"session cookie\" will expire and be automatically deleted.
iTrust: Standing up for integrity together
Our company stands for integrity and responsible conduct. Compliance with laws and regulations is an important part of our managerial responsibility. As a fair business partner, we treat each other responsibly and without prejudice, both within the company and with respect to all external stakeholders of MTU. This is clearly set out in our Code of Conduct for all employees, managers and board members. Observing all applicable laws and regulations is the responsibility of each individual. That is the only way we can remain true to our principles.
“Integrity and responsibility are the fundament of our company. We condemn all forms of white-collar crime and consider compliance with the law the responsibility of all our businesses. Each individual member of our company is responsible to act with integrity and to require others to do the same.”
That is why we have established a secure communication platform for submitting reports in addition to the existing reporting channels involving the managers, HR department, ombudsperson or works council. The whistleblowing system iTrust ("BKMS® Incident Reporting") is open to all MTU employees and other stakeholders to report potentially unlawful conduct or incorrect business practices. It can be used anonymously.
Of course, we prefer communicating about the reported issue openly and would appreciate if you disclosed your identity. We must, however, point out that we may, under certain circumstances, be legally obliged to disclose your identity to third parties (please consult our data protection information for further details). We therefore respect your decision if you do not wish to share your name for the time being. In this case, we ask you to set up a secured postbox which you can use to communicate with us anonymously. Your reports will be handled in strict confidence.
Those who report an actual or perceived malpractice in good faith need not fear any adverse consequences. However, deliberate false reports can lead to disciplinary measures.
iTrust complements the regular reporting channels used at MTU; it does not replace them. Before submitting an anonymous report via iTrust, please consider whether you could contact any of the other specified reporting channels directly and address your suspicion openly.
Help us reveal conduct that can damage the financial standing or reputation of our company or cast doubt on our reliability as a business partner!
Part of a positive and open company culture are adherence to legal, social, and corporal laws.
You might have knowledge of damaging behaviour or risks, which threaten the company. With your report, you can help to reveal financial or reputational damages early on, and secure the lasting success of the company and the continuity of its jobs.
iTrust is an additional channel for submitting reports about criminal or illegal behaviour related to the company or directly related to the employment relationship between the perpetrator and the company. Reports about violations of statutory provisions and MTU-internal regulations (e.g. the MTU code of conduct) will be recorded and forwarded.
You will receive detailed information on the possible categories of a report during the reporting process.
How will my report be processed? What is a postbox and how do I open one?
If you wish to submit a report by name or anonymously, click the "Submit report" button at the top of our introduction page.
The reporting process consists of 4 steps:
First of all, you will be asked to read an information text for the protection of your anonymity and to answer a security query.
On the following page, you will be asked about the category of your report.
On the report page, phrase your information in your own words and select answers to questions about the case. You may use up to 5,000 characters in the free-text field, which corresponds to a full DIN A4 page. You may also attach files up to 5 MB to support your report. Keep in mind that electronic documents may contain information about the author. After submitting your report you receive a reference number as proof that you submitted this report.
Finally, you will be asked to set up your own secured postbox. You will receive feedback from us via this postbox, including answers to questions and information about the progress of your report.
If you already have a secured postbox, you can access it directly via the "Login" button. You have to confirm the security query firstly here as well.
As long as you do not enter or attach any data that could reveal your identity, the BKMS® Incident Reporting protects your anonymity by means of a certified technical solution. However, we want to point out that it would be possible for MTU to draw conclusions about your identity, if you submit your report from a MTU computer.
We assure you that we are only interested in the incident you have reported. Offences need to be detected and damage needs to be avoided.
How do I receive feedback and remain anonymous at the same time?
The overriding principle of the system in use is the protection of the whistleblower. iTrust is an external system and thus not an MTU application and also not a part of the MTU webpage or the MTU intranet. The system’s anonymity protection function is certified by an independent body.
When setting up your secured postbox, please select your own user name and password. Your report is kept anonymous through encryption and other special security procedures. You will never be asked for personal information at any time during the reporting process. Do not submit any information that can be traced back to you. Please do not use a computer provided by your employer.
Via the secured postbox, an investigator will provide you with feedback on what is happening with your information or may pose questions if details need to be clarified - you will also remain anonymous during the dialogue. We are interested in reports to avoid damages, not in you as a whistleblower.
MTU Aero Engines AG Dachauer Straße 665 80995 Munich GERMANY
Reiner Winkler (Chief Executive Officer, CEO) Michael Schreyögg (Member of the Executive Board, Chief Program Officer) Peter Kameritsch (Member of the Executive Board, Chief Financial Officer and Chief Information Officer) Lars Wagner (Member of the Executive Board, Chief Operating Officer)
Amtsgericht München, Nr. HRB 157206
VAT registration number
DE 81 44 00 965
MTU Aero Engines AG (hereinafter referred to as “MTU”) takes the protection of personal data very seriously. We process personal data in full compliance with all applicable legal regulations on data protection and data security. Please read this data protection information carefully before submitting a report.
§1 Controller and scope
The controller, as defined in the European General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (“BDSG”) and other data protection regulations, is:
MTU Aero Engines AG
Dachauer Straße 665
§2 Data protection officer
The data protection officer of the controller is:
Ms Helga Schorr
MTU Aero Engines AG
Dachauer Straße 665
§3 What are personal data?
Personal data are pieces of information about the personal or material circumstances of a specific or identifiable natural person (i.e. the data subject). This includes the person’s name, address, telephone number, date of birth and email address, for instance. Information that cannot be linked to a specific individual (or only linked to a specific individual with disproportionate efforts), e.g. anonymised information, do not constitute personal data.
§4 General notes on data processing
We only collect and use personal data of users of iTrust to the extent that is necessary for processing a report.
Your personal data are not used for any other purposes, in particular, advertising purposes. We will never disclose your personal data to any third parties without your consent, except in the situations described below or if we are legally obliged to do so.
If necessary, we may share personal data with companies that are affiliated with MTU Aero Engines AG as per Section 15ff AktG for the purposes listed in Section 5. We may also share personal data with courts of law, supervisory authorities (especially aviation safety authorities) or legal advisors in order to comply with the law or assert, exercise or defend against legal claims if necessary.
b) Legal foundation
iTrust serves the purpose of securly and confidentially receiving, processing and managing reports concerning criminal or illegal conduct that stands in relation with our company. The processing of personal data within the framework of iTrust is based on the legitimate interest of our company in discovering and preventing abuses and thereby averting damage to MTU, its employees and business partners. We further have a legitimate interest in processing personal data to secure the legality of our company’s business. The legal basis for our processing of personal data is Article 6(1)(f) of the GDPR (General Data Protection Regulation). In cases where we are obliged to process personal data in order to comply with a legal obligation to which our company is subject, Section 6 Paragraph 1(c) GDPR shall provide the legal foundation.
c) Data erasure and storage period
Your personal data will be erased or blocked as soon as the original purpose of their storage ceases to apply. In cases where the European or national legislator requires further storage through Union directives, laws or other regulations to which the data controller is subject, the data may be stored beyond that point in time. Personal data are also blocked or erased if the statutory storage period stipulated by any of the specified standards expires, unless the continued storage of the data is required to conclude or fulfil a contract.
§5 Purpose of data processing
Within the scope of the reporting procedure, we primarily process personal data for the following purposes:
Risk management to prevent and investigate conduct that violates the terms of a contract or the law,
Compliance with legal requirements (especially those of aviation law, tax law, commercial law and export control law);
Asserting and exercising legal claims (in or out of court).
§6 Categories of personal data
All use of iTrust is entirely voluntary. When you submit a report via iTrust, we collect the following personal data and information:
personal master data, e.g. your name, surname, business address, telephone or fax number and business email address, provided that you choose to disclose your identity,
whether you are employed at MTU, and
the names and other personal data of people whom you list in your report, if applicable.
§7 Security measures in place to protect data stored in our systems
The BKMS® Incident Reporting is operated by a specialised company, Business Keeper AG, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of MTU.
Personal data and information entered into the whistleblowing system are stored in a database operated by Business Keeper AG in a high security data centre. Only MTU can see the data. Business Keeper AG and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised people at MTU.
§8 Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the compliance organisation of MTU and always handled confidentially. The employees of the MTU compliance organisation evaluate the matter and perform any further investigation required by the specific case.
While processing a report or conducting a special investigation, it may be necessary to share reports with additional employees of MTU or employees of other group companies, e.g. if the reports refer to incidents in subsidiaries. The latter may be based in countries outside the European Union or the European Economic Area with different regulations about the protection of personal data. We will always ensure that the applicable data protection regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality.
§9 Information about the accused
We are legally obligated to inform accused parties of any reports received against them as soon as the disclosure of this information no longer jeopardises the investigation. Your identity as a whistleblower will not be disclosed unless we are legally obliged to do so.
§10 Use of the whistleblowing portal
Communication between your computer and the whistleblowing system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the whistleblowing system. In order to maintain the connection between your computer and the BKMS® Incident Reporting, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the whistleblowing system that is secured with an individually chosen pseudonym/user name and password. This allows you to send reports to the respectively responsible employee at MTU either by name or in an anonymous, safe way. This system only stores data inside the whistleblowing system, making it particularly secure. It is not a form of regular e-mail communication.
§11 Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible MTU employee. If you wish to submit an anonymous report, please take note of the following security advice: files can contain hidden personal data that could put your anonymity at risk. Remove this data before sending. If you are unable to remove this data or are uncertain about how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
§12 Rights of the data subject
If we process your personal data, you may be entitled to certain rights. This may includude the following rights:
1. Right of access
You can ask the controller whether any of your personal data are being processed and receive confirmation.
If your data have been processed, you can request the following information from the controller:
the purpose of processing your personal data,
the categories of personal data that are being processed,
the recipients or categories of recipients to whom you have disclosed or will disclose the personal data in question,
the intended storage period of your personal data or, if no concrete information about the storage period is available, criteria for determining the storage period,
the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller or a right to objection to the processing of your data,
the existence of a right to lodge a complaint with a supervisory authority,
all available information about the source of the data in cases where the data were not collected directly from the data subject.
You have the right to request information about any disclosure of your personal data to recipients in a third country or to an international organisation. In this context, you can demand to be informed about the appropriate safeguards as per Article 46 GDPR.
2. Right to rectification
You have the right to rectification and/or completion of your data by the controller in cases where your personal data are incorrect or incomplete. The controller is obliged to carry out the rectification promptly.
3. Right to restriction of processing
If the following conditions are given, you can request that the processing of your personal data be restricted:
if you object to the correctness of your personal data for a certain period of time,
if your data have been processed illegitimately, but you opt to have the use of your personal data restricted rather than requesting their erasure,
if the data controller no longer requires your personal data for processing purposes, but your require them to assert, exercise or defend against legal claims, or
if you have objected to the processing of your personal data as per Article 21 Paragraph 1 GDPR and it is yet to be determined whether the legitimate interest of the data controller outweighs your reasons for objection.
If the processing of your personal data has been restricted, your data may be processed only with your consent – with the exception of their storage – or for asserting, exercising or defending against legal claims, for protecting the rights of another natural or legal person or for reasons of an important public interest of the European Union or one of its member states.
If any of the aforementioned reasons applies and the restriction has been circumvented accordingly, the data controller will inform you before lifting the restriction.
4. Right to erasure
a) Obligation to erase
You can demand that the data controller erase your personal data immediately, and the data controller will be obliged to do so provided that one of the following reasons applies:
your personal data are no longer required for the purpose for which they have been collected or otherwise processed.
You withdraw your consent on which the data processing was based as per Section 6 Paragraph 1(a) or Section 9 Paragraph 2(a) GDPR, and there is no other legal foundation that justifies the processing.
You object to the data processing in accordance with Section 21 Paragraph 1 GDPR, and the controller has no overriding legitimate interest in processing the data, or you object to the data processing in accordance with Section 21 Paragraph 2 GDPR.
Your personal data are being processed illegitimately.
The erasure of your personal data is required to comply with a legal obligation under Union law or the law of the member states governing the data controller.
Your personal data were collected with respect to offers of information society services as per Section 8 Paragraph 1 GDPR.
b) Disclosure of information to third parties
Where the controller has made the personal data public and is obliged pursuant to Section 17 Paragraph 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure does not apply if processing is necessary
to exercise the right to free speech and information,
to comply with a legal obligation that requires the data to be processed under Union law or the law of the member states governing the controller or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
for reasons of public interest in the field of public health as per Section 9 Paragraph 2(h) and Section 9 Paragraph 3 GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes as per Section 89 Paragraph 1 GDPR, provided that the right specified under a) is likely to render impossible or seriously impair the achievement of the specific purposes of the data processing, or
for the establishment, exercising or defence against legal claims.
5. Right to be informed
If you have exercised your right to rectification, erasure or restriction towards the controller, the controller is obliged to inform all recipients to whom your personal data have been disclosed about the restriction or erasure of the data or the restriction of their processing unless this is impossible or only possible with disproportionate effort.
You have the right to be informed about those recipients by the controller.
6. Right to data portability
You have the right to receive the personal data which your have provided to a controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR, and
the processing is carried out by automated means.
In exercising your right to data portability, you also have the right to have the personal data transmitted directly from one controller to another where technically feasible. This must not affect the rights and freedoms of others.
The right to data portability does not apply if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to withdraw consent
You have the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.