What information will be registered?
The system shall only be used to report serious compliance violations (of the HELLA Code of Conduct, applicable laws and internal rules), such as, criminal activities (including theft, fraud, corruption, cartels) and, violations in areas of work safety, human rights & environment, labor law (including discrimination, harassment), etc.
If reports on less significant matters, such as, dissatisfaction with wages, difficulties with collaborations and violations of smoking and alcohol policies are received, this information will be deleted immediately.
“Organization” refers to the organization that receives the report. In the following, the term "organization" refers to a company of the HELLA Group.
We process your data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and all applicable laws. The Whistleblowing System serves to receive and process reports about (presumed) serious compliance violations, i.e. violations of the HELLA Code of Conduct, applicable laws and HELLA internal rules in a safe and confidential way. It aims at detecting and terminating illegal conduct in the Group. If you submit a report with your personal data (e.g. name, contact data), this is done voluntarily and on the basis of your consent pursuant to Art. 6 I lit. a GDPR.
The registration of reports takes place anonymously via the system. The only thing that is registered is the report itself. There is no log made as to the IP address or machine ID of the computer on which the report is made.
Correction of registered information
If you realize that you have provided incomplete or incorrect information, just make a new report in the system in which you refer to the previous report and describe what should be corrected.
If you have decided to create a secure post box, in connection with the creation of a report, you can make the correction by logging in to the system using your case number and the password you have created.
Transfers of registered information
The information registered in the system is generally not transferred to a third party outside of the organization. However, in the following circumstances, the information may be passed on:
- Transfer to an external attorney or auditor in connection with the case processing of the report.
- If the report results in a lawsuit.
- If required by law.
Your personal details (name, email and telephone number)
The use of the Whistleblowing System is on a voluntary basis. If you provide personal details, be aware that the organization can use your personal details when investigating the case, and also during any subsequent lawsuit.
The organization guarantees that your personal data protection rights will be respected without limitations and will only be used as described above.
The organization will not share your personal details with third parties outside of the organization except for the cases described above in the section ”Transfer of registered information”.
The data you share to the system is encrypted and stored multi-level password-protected, the access is limited to a narrow circle of expressly authorized employees.
Deletion of registered data
Registered data may only be retained for as long as there is a need for it.
When there no longer is a need for retaining the registered information, the information is deleted.
The reporting system is hosted by EQS Group A/S, an independent party guaranteeing the system’s security and anonymity.
EQS Group A/S has taken the necessary technical and organizational measures to prevent personal data from being accidentally or unlawfully destroyed, lost or damaged and to prevent any unauthorized disclosure or misuse of the personal data. The processing of personal data is subject to strict controls and procedures and in compliance with good practices in the field.
All data is transmitted and stored encrypted. No unencrypted information is sent over the open internet.
If a report is made from a computer on the organization’s network, there is a risk that the visited webpages will be logged in the browser’s history and/or the organization’s log. This risk can be eliminated by submitting the report from a computer which is not connected to the organization’s network.
If you upload documents, you should be aware that the documents can contain metadata which can compromise your identity. Therefore, you should ensure that any identifying metadata is removed from a document before it is uploaded.
It is optional to make either an anonymous report or a report containing personal data. If a person reporting chooses not to remain anonymous, the reporting person’s identity will be known to the persons that handle the case. In this case the reporting person risks being called as a witness in any lawsuit, and the reporting person’s anonymity thus can be lost.
Be aware that if you choose to give further information when submitting the report from which you can directly or indirectly be identified, the organization will also process this information when handling the case. This also applies if you have chosen to remain anonymous.
What is the legal basis for the organisation’s processing of information in the system?
The legal basis for the processing of your information is as follows:
- The processing is necessary for the purpose of pursuing a legitimate interest of handling illegalities and this interest clearly exceeds the interests of the registered person, cf. the European Data Protection Regulation article 6, number 1, letter f.
- The processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity. cf. the European Data Protection Regulation article 9, number 2, letter f.
- The processing is necessary for compliance with a legal obligation to which the organization is subject. cf. the European Data Protection Regulation article 6, number 1, letter c.
- The processing is based on the German Whistleblower Protection Act, Sec. 10 (and corresponding provisions of the local whistleblower protection laws of the other EU countries – all based on the EU Whistleblowing Directive 2019/1937).
According to the European Data Protection Regulation you have a number of rights. If you want to exercise these rights, you must contact the organization.
The right to see information
You have the right to see what personal data and what other kind of information the organization processes about you. However, this right may never violate other persons’ rights or freedom rights.
The right of correction
You have the right to have false personal data about you corrected.
The right of deletion
In special cases, you have the right to request that information about you be deleted before the end of the normal retention period.
You can revoke your consent at any time with effect for the future by notifying us via firstname.lastname@example.org
The right of restriction
In special cases you have the right to have the processing of your personal data restricted. If you have the right to have the processing restricted, the organization is only allowed to process the information – except storing it – with your consent or to establish, exercise or defend legal claims or to protect a person or a vital public interest.
The right of objection
In special cases you have the right to object to the organization’s otherwise legitimate processing.
Contact details Data Protection Officer
For suggestions and complaints regarding the processing of your personal data, you can contact the organization’s Data Protection Officer by e-mail or letter.
Data Protection Officer
HELLA GmbH & Co. KGaA
Rixbecker Str. 75
D-59552 Lippstadt, Germany
Status: October 2023
If you want to complain about the processing of your personal data, you are entitled to contact our Data Protection Officer or submit a complaint to the supervisory authority responsible.