1. Controller responsible for data collection
BayWa AG
Arabellastr. 4
81925 Munich
Email: info1 (at) baywa.de
Tel: +49 89/9222-0
is the Controller within the meaning of the EU-General Data Protection Regulation (hereinafter GDPR). Should you have any questions pertaining to data processing, your rights or the data privacy statement, the BayWa Data Protection Officer will be at your disposal. You may reach him at: datenschutzbeauftragter (at) baywa.de.
2. Which data are processed when you access the whistleblower system?
In this Notice, we would like to inform you about which of your data is collected when visiting the whistleblower system, the purposes for which it is processed, the legal basis for data processing, the options you have for managing the collection and processing of the data yourself and when the data is erased.
2.1 Data you provide to us
As a rule, you can use this website without having to provide personal information to us. In principle, active use of the whistleblower system is also possible without having to provide personal data. However, you can attach documents or images to your notification, which may contain information or metadata relating to you personally. If you wish to avoid this, you have to remove such information before transferring data files.
If you allow a response to a notification, we generate personal registration information for you. This registration information enables you to supplement the notification you make and to view any responses, but it does not enable us to relate the information to you personally. Detailed information on the whistleblower system can be found in No. 5 of this Notice under “Using the Whistleblower System”.
2.2 Data we obtain when you use our services
Some data is obtained automatically and for technical reasons as soon as you access this website. The following information is collected temporarily in the working memory of the server and deleted automatically as soon as you close the website window:
- Your IP address
- The website from which you arrived at our website
- The webpages on which you click
- The time and date at which a webpage is accessed
- The name of your internet service provider
- Your browser type and version
- The operating system of your device
2.3 Purposes of Data Processing
Temporary processing of this data is required to enable delivery of the website to your computer and to ensure its functionality.
2.4 Legal Basis
We process the data temporarily on the basis of legitimate interests (Art. 6(1)(f) GDPR). Our legitimate interest is to enable the technical functionality of the website. We definitely do not use the data collected for the purpose of drawing conclusions as to your identity, nor will we compare the data with notifications received. The above-mentioned data will be deleted as soon as you close the website window because it is then no longer required in order to achieve the purpose for which it was collected. We also use web-cookies when our website is accessed. Further information can be found in No. 3 of this Notice.
2.5 Storage Duration and Control Options
The data are only temporarily available in the RAM and are not stored permanently. As soon as you close the whistleblowing system's website, this data is erased from the server's main memory, and access to this log data is not possible.
2.6 Transfer of Data
As a matter of principle, we do not transfer personal data to third parties. Insofar as data is transferred to third parties in an individual case, corresponding information is provided within this Notice. By means of appropriate measures and regular controls, we ensure that the data we collect cannot be viewed or retrieved remotely by unauthorized persons.
3. Cookies
‘Cookies’ are small files automatically created by your browser and stored on your end device (laptop, tablet, smartphone, etc.). Cookies are used to store information that arises in connection with the specific end device used. This does not mean that we can thereby identify you directly. Cookies are used to make our website more user-friendly for you. A distinction is made between the types of cookies below.
3.1 Types of cookies
On this page we use only technically necessary cookies, which are required to identify your browser session. A distinct identifier is placed in this cookie to make the whistleblower system available throughout the various pages within it. These cookies are deleted automatically when the browser window is closed (session cookies).
3.2 Use of cookies on our website
The data processed by the cookies required for operation of a website are necessary in order to safeguard our legitimate interests in accordance with Art. 6(1)(f) GDPR.
You have full control over the use of cookies. In your browser you can delete cookies, deactivate the storage of cookies completely or selectively accept certain cookies. Please use the help function of your browser in order to learn how to change these settings. This can result in limitations on the functionality of our website.
3.3 We deploy the following cookies:
(1) cookieconsent_status
Purpose: Saves the state of the cookie notification window to display or hide it.
Storage Duration: 1 Year
(2) PHPSESSID
Purpose: Retains the state of the user for all page requests.
Storage Duration: Session
(3) fe_typo_user
Purpose: Retains the state of the user for all page requests.
Storage Duration: Session
4. What data is processed when you submit a notification or a query?
This section provides information about the data collected and processed when you establish contact with us, the purposes for which the data is processed, by which recipients the data is processed, the legal basis on which the data-processing takes place, and when the data will be erased.
4.1 Data collected
We collect and process the data you provide as well as your query. All data you provide to us is transferred in encoded form between your browser and our server.
4.2 Purposes of data-processing
The data is processed by employees of the compliance department solely on the basis and exclusively for the purpose of handling your query.
4.3 Legal basis
The Whistleblower Protection Act of 31 May 2023 entered into force on 2 July 2023. This establishes a legal obligation to set up a whistleblower system. The legal basis for processing personal data is Art. 6 para. 1 letter c GDPR in conjunction with Article 10 of the Whistleblower Protection Act. The standard also comprises processing special categories of personal data from Art. 9 GDPR.
We process the data on the basis of legitimate interests (Art. 6(1)(f) GDPR). Our legitimate interest lies in offering you a highly protected communication channel that enables the receipt of queries and notifications about alleged or actual compliance misconduct.
4.4 Storage Duration
We store your data for as long as we require it for the specific processing purpose or to comply with statutory retention periods.
5. Using the whistleblower system
Using the whistleblower system, you can submit anonymous notifications on various issues such as corruption, money laundering or fraud. You can use the system without providing personal data.
We only process data that you actively and voluntarily provide to us. You do not have to provide your name or contact data – your notification will nevertheless be verified and processed. You can draw up your notification in various text boxes. Kindly ensure that you do not enter any personal data you do not wish to divulge (especially your identity).
The data you provide is transmitted and stored in fully encoded form within the whistleblower system. The person from BayWa AG processing the case is the first person able to access and decode the notification.
For technical reasons, carefully selected service providers have access to the system within the context of operating and servicing it. These service providers are definitely unable to gain access to the data.
If you allow responses and queries, you will receive a user ID and have to determine a password that enables you to view responses and answer questions. When providing responses or asking questions, we receive statistical data from the system about details of the notification and any amendments to it.
Depending on the notification, data can be communicated if public authorities become or have to become involved in an official investigation.
If your notification concerns a supervised subsidiary, the data may also be passed on to this subsidiary – if this is necessary for dealing with the matter.
The legal basis for the processing of such data is either your consent according to Art. 6(1)(a) GDPR, if you allow responses, or our legitimate interest in such queries and notifications according to Art. 6(1)(f) GDPR.
6. Your rights and how you can exercise them
You are entitled to the following rights and may exercise them free of charge. However, kindly note that where anonymous notifications are concerned there are usually limits on the exercise of these rights since we are unable to verify your identity and compare it with the person who provided the notification. So that we are able to conduct an effective verification of identity where a request for the provision of information is submitted, it will be necessary for you to provide information about your identity and about the notification you filed through a different channel. In addition, it might not be possible to provide information on personal data concerning you personally if you are named or accused in a notification, since this could conflict with the interests of others. The same applies to the other rights such as the right to object, the right of correction and the so-called right to be forgotten.
6.1 Revocation of Consent
You may revoke any consent you may have given to the processing of your personal data at any time with effect for the future. Please note that the revocation has no effect on the lawfulness of previous data processing and that it does not extend to data processing for which there is a legal ground for permission and which may therefore be processed without your consent.
6.2 Other Rights of Data Subjects
In addition, pursuant to Articles 15 to 21 and 77 GDPR, you are entitled to the following rights of data subjects provided the legal requirements are met:
6.2.1 Information
You may at any time request that we provide you with information about which of your personal data we process and how we process it, and that we provide you with a copy of the personal data we have stored about you, Art. 15 GDPR.
6.2.2 Rectification
You may request the rectification of incorrect personal data and the completion of incomplete personal data, Art. 16 GDPR.
6.2.3 Erasure
Erasure of your personal data: Please note that the erasure does not include data that we require for the performance and execution of contracts and for the assertion, exercise and defence of legal claims, as well as data for which legal, supervisory or contractual obligations to retain data apply, Art. 17 GDPR.
6.2.4 Restriction of processing
You may request the restriction of the processing under certain circumstances, e.g. if you believe that your data is incorrect, if the processing is unlawful or if you have objected to the processing. As a result, your data may only be processed to a very limited extent without your consent, e.g. to assert, exercise and defend legal claims or to protect the rights of other natural and legal persons, Art. 18 GDPR.
6.2.5 Objection to Data-Processing
When we process your personal data within the context of a balancing of interests on the basis of our overriding legitimate interest, you are entitled to object to such processing at any time, on grounds relating to your personal situation, with effect for the future.
If you exercise your right to object, we shall cease processing of the relevant data. However, further processing remains reserved if we are able to demonstrate compelling grounds for the processing that merit protection and that override your interests, rights and freedoms, or if the processing serves to establish, exercise or defend legal claims. You are entitled to object at any time to data processing based on a legitimate interest, on grounds relating to your particular situation, Art. 21 GDPR.
6.2.6 Data portability
You are entitled to receive the data you provided to us and that we processed on the basis of your consent or in performance of a contract, in a commonly used, machine-readable format, and to require the transmission of such data to third parties insofar as technically feasible, Art. 20 GDPR.
6.2.7 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority or our company if you have a reason for a complaint. If you wish to assert rights vis-à-vis our company, please reach out to the contacts listed at the start of this Data Privacy Notice.
The supervisory authority for us is
Bavarian State Office for Data Protection Supervision
Promenade 18
91522 Ansbach
Germany
7. Period of storage
We will save your information for up to two months after our investigations have been completed. Once this time has been reached, your data will be completely anonymized and only further processed in the form of statistical data. In principle, it is possible that data relating to a notification will be stored longer, for example by law enforcement authorities; however, we do not have any influence on this matter.
9. Data security
We use the popular SSL (Secure Sockets Layer) method in combination with the highest encryption level supported by your browser.
A whole key or closed padlock icon in your browser’s upper status bar indicates whether individual pages of our web presence are transmitted in encrypted form.
Generally, we use suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction and unauthorised third-party access. We continuously improve our security measures in line with technological advancements.
Last updated: May 2023