Privacy policy
We take data privacy and confidentiality very seriously and comply with the provisions of the EU General Data Protection Regulation (GDPR) and the applicable national data protection regulations. Please read this Data Privacy Statement carefully before submitting a report to our Tell us! Whistleblowing Portal (hereinafter referred to as the "Whistleblowing Portal").
The Whistleblowing Portal offers the opportunity to report specific indications of violations of legal provisions and/or the Lorenz Group's Code of Conduct. The Whistleblowing Portal also serves as a reporting office within the meaning of the German Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG) and a complaints office within the meaning of the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG) (hereinafter collectively referred to as the "Reporting Office").
1. Responsible
The controller for the Whistleblowing Portal is Lorenz Holding GmbH, Lister Damm 2, D - 30163 Hanover, Germany (hereinafter referred to as "Lorenz"), which receives and processes reports for the companies of the Lorenz Group as an independent and confidential Reporting Office.
For the sake of clarity, it is noted that the primary responsibility for remedying and following up on any identified violations always remains with the respective group company.
2. Contact details of the data protection organisation
The contact details of the Lorenz data protection organisation are: datenschutz@lbsnacks.de
3. Purposes of data processing
The Whistleblowing Portal serves to receive, process and manage reports of violations of legal provisions and/or the Lorenz Group's Code of Conduct in a secure and confidential manner.
The Whistleblowing Portal is technically supported by a specialised company, EQS Group GmbH, Karlstraße 47, 80333 Munich, Germany. As a so-called “processor”, this company may only use personal data to fulfil the tasks it has undertaken and is obliged to comply with the relevant data protection regulations.
The data entered in the Whistleblowing Portal is stored in a database operated by EQS Group GmbH in a high-security data centre in the European Union. All data stored in the database is encrypted using state-of-the-art technology. Only authorised persons at Lorenz are able to access the data. EQS Group GmbH and other third parties have no access to the data stored in the Whistleblowing Portal. This is ensured by a certified procedure involving comprehensive technical and organisational measures.
All data is encrypted and stored with multi-level password protection, so that access is restricted to a very small group of expressly authorised persons at Lorenz.
4. Legal basis for data processing
The legal basis for the processing of personal data is generally Art. 6 (1)(c) GDPR in conjunction with Sec. 10, 12 HinSchG and Sec. 8 LkSG.
The legal basis for companies within the Lorenz Group that are not subject to any legal obligation to implement a Reporting Office is Art. 6 (1)(f) GDPR (legitimate interest). Our legitimate interest lies in the detection, cessation and prevention of illegal and irregular behaviour at or against companies of the Lorenz Group and the associated prevention of damage to our company, our employees, consumers, customers, service providers and suppliers.
If we need to obtain your express consent in individual cases when processing reports (e.g. in accordance with Section 9 (3) HinSchG, the relevant legal bases are Art. 6 (1)(a) GDPR and Sec. 26 (2) of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).
5. Type of personal data collected
Use of the Whistleblowing Portal is voluntary. If you submit a report via the Whistleblowing Portal, we will collect the personal data you provide. This includes, in particular,
your name, if you disclose your identity,
whether you are employed by a Lorenz Group company, and
where applicable, the names of individuals and other personal data relating to the individuals you mention in your report.
6. Processing and confidential treatment of reports
Incoming reports are received by a small group of expressly authorised and specially trained Tell us! officers at Lorenz and are always treated confidentially. Upon receipt of a report, the Tell us! officers at Lorenz first check whether an in-depth investigation is necessary and, if necessary, conduct a further case-related investigation.
7. Categories of recipients
Lorenz's Tell us! officers may also involve external investigation specialists in the investigation, such as solicitors, auditors or forensic experts, who are bound by contractual or statutory confidentiality obligations to Lorenz to keep the information disclosed confidential.
Depending on the outcome of the processing of your report, the following additional recipients may be considered if necessary in the course of processing, if there is a corresponding legal obligation or in the context of Lorenz's legitimate interest:
Other companies within the Lorenz Group;
Law enforcement authorities.
If your report concerns a company of the Lorenz Group based outside the European Union (EU) or the European Economic Area (EEA), we always ensure that the relevant data protection provisions of the GDPR are complied with when passing on personal data. As a rule, we only pass on reports containing personal data to our group companies based outside the EU/EEA if this is necessary for the assertion, exercise or defence of legal claims (Art. 49 (1)(e) GDPR) or if we have obtained your express consent to do so (Art. 49 (1)(a) GDPR).
8. Notification of the accused person
Under the applicable data protection laws, we are generally obliged to inform the accused persons that we have received a report about them as soon as this information no longer jeopardises the follow-up of the report, for example. In this context, we also ensure that your identity as a whistleblower is only disclosed if we are legally authorised to do so in individual cases (e.g. pursuant to Sec. 9 HinSchG).
9. Retention period for personal data
Personal data from the Whistleblowing Portal is generally deleted within two months of the conclusion of the respective investigation, unless it needs to be further processed for other purposes, e.g. to fulfil retention obligations (e.g. Sec. 11 (5) HinSchG) or to exercise, assert or defend legal claims.
10. Rights of data subjects
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
Right to information: You have the right to request information about whether personal data concerning you is being processed; if this is the case, you have the right to information about this personal data and to the information specified in detail in Art. 15 GDPR.
Right to rectification: You have the right to request the immediate rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete personal data (Art. 16 GDPR).
Right to restriction of processing: You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection to the processing, for the duration of the examination of whether the objection can be upheld.
Right to erasure: You have the right to request that personal data concerning you be erased without delay if one of the reasons listed in detail in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued and the statutory retention regulations do not prevent erasure.
Right to data portability: Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, in order to be able to transfer it either yourself or – if technically feasible – through us to a third party.
Right to object: You have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation, subject to the conditions set out in Art. 21 GDPR.
Right to revoke the data privacy consent declaration: You have the right to revoke a data privacy consent declaration given to us at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
Rights in the case of automated decisions: We do not carry out any automated decisions in individual cases or profiling. Otherwise, we are obliged by law to take precautions to ensure that you can influence the decision (Art. 22 GDPR).
Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection regulations.
Please note that the above rights of data subjects may be restricted by EU law or applicable national law.
To exercise the above rights, please contact our data protection organisation at datenschutz@lbsnacks.de.
11. Use of the Whistleblowing Portal
Communication between your device and the Whistleblowing Portal takes place via an encrypted connection (SSL). Your IP address is not stored while you are using the Whistleblowing Portal. To maintain the connection between your device and EQS Incident Reporting, a cookie is stored on your device that only contains the session ID (a so-called zero cookie). The cookie is only valid until the end of your session and becomes invalid when you close your browser.
You have the option of setting up a secure mailbox in the Whistleblowing Portal using a pseudonym/username and password of your choice. This allows you to send reports to the responsible Tell us! representative at Lorenz either anonymously or securely using your name. With this system, the data is stored exclusively in the Whistleblowing Portal and is therefore particularly secure; it is not a normal e-mail communication.
12. Information on sending attachments
When submitting a report or sending a supplement, you have the option of sending attachments to the responsible Tell us! representative at Lorenz. If you wish to submit a report anonymously, please note the following security information:
Files may contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure, copy the text of the attachment into your report or send the printed document anonymously, quoting the reference number you receive at the end of the reporting process, to the address below:
Lorenz Holding GmbH
Tell us! representative
Lister Damm 2
D - 30163 Hanover
Status: November 2025