Privacy policy 
whistleblower system of AURORA Kunststoffe

In this Privacy Policy, we, AURORA Kunststoffe GmbH (hereinafter: "we"), would like to inform you about how we process your personal data within the framework of our whistleblower system ("SpeakUp") if you make a report (hereinafter: "whistleblower") via the whistleblower system, if a whistleblower report is made about you or if data about you is processed within the framework of investigations into a whistleblower report.

Controller responsible for the processing:


Responsible for the processing of your personal data is

AURORA Kunststoffe GmbH
Max-Eyth-Straße 14-16
74632 Neuenstein
Tel.: (+49) 7942 9142-0
Fax: (+49) 7942 9142-22
Email: info@aurora-kunststoffe.de

Commercial register: Stuttgart Local Court, HRB 730780

The whistleblower system is operated jointly with the other MOL Group companies, so that employees of all Group companies can submit information via the system. Reports are received by a central office of MOL Nyrt. (H-1117 Budapest, MOL Campus, Dombóvári út 28.), which also coordinates any investigations following a report together with the Group company concerned. You can report information about all MOL Group companies via the whistleblower system. In the context of the whistleblower system, MOL Nyrt., AURORA Kunststoffe GmbH and the MOL Group company/companies concerned are therefore considered joint controllers (within the meaning of Art 26 GDPR).
 
MOL Nyrt., where the MOL Group Ethics Committee is established, is primarily responsible for compliance with the data protection obligations in connection with the receipt of the whistleblower report and the coordination of the investigation. In addition, the Group company to which the whistleblower belongs or is affiliated is primarily responsible for compliance with data protection obligations with regard to the personal data of the whistleblower; with regard to the personal data of the persons affected by a whistleblower report and the investigations initiated, the Group company to which the report and the investigations relate is primarily responsible. Your data will not be passed on to other Group companies. Irrespective of this, each Group company remains responsible for compliance with data protection obligations.
 
AURORA Kunststoffe GmbH acts as your point of contact for data protection inquiries using the contact details given above. However, you also have the right to assert your data protection rights against any other Group company insofar as they process personal data about you.

More information about data processing:

1. Purpose of data processing:


We and the joint controllers listed above process your personal data as part of the whistleblower system exclusively for the following purposes:

    »     If you submit a report via the whistleblower system:

  a) To process, review and investigate your notice and any allegations of infringement contained therein and to take appropriate follow-up action;

  b) To give you feedback on your report, its handling and any follow-up action taken as a result of your report;

  c) If necessary: For the assertion, exercise or defense of legal claims in connection with your notification and any infringement of rights uncovered by it (this includes legal claims against you as the person making the notification if the notification you made is demonstrably false and you had no reason to believe that it was true);

    »     If a report is made about you:

  d) To process, review and investigate the notice and any allegations of infringement made against you;

  e) If necessary: To take appropriate follow-up measures as a result of a proven infringement and to inform the whistleblower about the follow-up measures taken;

  f) If necessary: To assert, exercise or defend legal claims in connection with a detected infringement committed by you; this also includes any employment law measures if you are employed by us;

  g) If necessary: Filing of a criminal complaint against you due to a criminal violation of the law by you that was uncovered via the notice;

    »     If we process your data in the course of investigating a report for other reasons (e.g. if you are questioned as a witness):

  h) To investigate the allegations contained in a notice by examining evidence containing your personal data or by interviewing you as a witness;

  i) If necessary: To assert, exercise or defend legal claims in connection with a tip-off, the investigation of a tip-off, any violation of the law discovered as a result or any follow-up action taken as a result, if evidence containing your personal data or your testimony is required for this purpose.


2. Processed data & origin of personal data:


This section describes which of your personal data we process in the context of our whistleblower system and where it comes from.

»     If you submit a report via the whistleblower system:

We only collect and process the personal data that you disclose to us in your whistleblower report or via our queries (including contact details that are sent with the report). If you disclose your identity to us, we may also use other data that we know about you (e.g. from your personnel file if you are an employee of our company) for the purposes of the investigation, insofar as this is necessary for the investigation of the report (e.g. your place of work, your supervisor, your colleagues, etc.).

If you make your report by telephone and/or a personal conversation takes place as a result of your report, this call and/or this conversation will be documented in a call log. With your consent, a retrievable audio recording or a complete and accurate transcript (verbatim record) of the conversation may be created and stored instead. You have the right to check the accuracy of the minutes and transcripts produced.

If you make a false report without having reasonable grounds to believe that it is true, you are not protected as the person making the report and we may collect further information about your identity if we wish to take action against you on the basis of that false report.

»     If a report is made about you:

If a report is made about you that is not obviously false and you are an employee of our company, we will investigate whether you have committed the alleged infringement as a result of this report. We will process the data required for this investigation. For this purpose, we may also use other data that we know about you (e.g. from your personnel file) or interview witnesses about the allegations, insofar as this is necessary for the investigation of the report. We will process special categories of personal data in accordance with Art. 9 para. 1 GDPR (e.g. data concerning health or religion) and/or data relevant under criminal law if this is necessary to fulfill our tasks under the HinSchG (§ 10 S 2 HinSchG) and/or if this is necessary to uncover a criminal offense.

If we receive personal data about you in a report or as part of the investigation that is not necessary for the investigation and possible punishment of the legal violation of which you are accused, we will delete it immediately.

»     If we process your data in the course of investigating a tip-off (e.g. if you are questioned as a witness):

If we receive a tip-off about an alleged infringement, we may process personal data about you in the course of investigating the alleged infringement, even if you are neither the person providing the tip-off nor the person accused of the tip-off, if your personal data is contained in evidence provided or collected or if we interview you as a witness. For this purpose, we may also use other data that we know about you (e.g. from your personnel file if you are an employee of our company) to determine whether you are a suitable witness.

In this context, we will only process your personal data to the extent that it is necessary for this investigation. We will process special categories of personal data pursuant to Art. 9 para. 1 GDPR (e.g. data concerning health or religion) as well as data relevant under criminal law if this is necessary to fulfill our tasks under the HinSchG (§ 10 S 2 HinSchG) and/or if this is necessary to uncover a criminal offense.  

If we receive personal data about you in a report or as part of the investigation that is not necessary for the investigation and possible punishment of the legal violation under investigation, we will delete it immediately.

3. Legal basis for the processing of your personal data:


The processing of your personal data for the purposes mentioned under point 1 is based on the following legal bases:

The applicable legal basis for data processing for these purposes depends on whether the respective report and the alleged infringement fall within the scope of the German Whistleblower Protection Act (HinSchG).

The scope of the HinSchG applies to reports, i.e. notifications of information from or about persons who are employed by us:

  • Violations that are punishable by law,

  • Violations that are subject to a fine if the violated regulation serves to protect life, limb or health or to protect the rights of employees or their representative bodies,

  • other violations of federal and state legislation and directly applicable legal acts of the European Union and the European Atomic Energy Community

  • on combating money laundering and terrorist financing, including in particular the Money Laundering Act and Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EU) No 1781/2006 (OJ L 141, 5.6.2015, p. 1), as amended by Regulation (EU) 2019/2175 (OJ L 334, 27.12.2019, p. 1), as amended,

  • with specifications for product safety and conformity,

  • with road safety requirements relating to road infrastructure safety management, safety requirements in road tunnels and admission to the profession of road haulage operator or road passenger transport operator (bus and coach operator),

  • with specifications for ensuring railroad operational safety,

  • laying down requirements for maritime safety concerning European Union rules on the recognition of ship inspection and survey organizations, carrier liability and insurance for the carriage of passengers by sea, approval of marine equipment, maritime safety inspection, training of seafarers, registration of persons on passenger ships in maritime transport and European Union rules and procedures for the safe loading and unloading of bulk carriers,

  • with requirements for civil aviation safety in terms of averting dangers to operational and technical safety and in terms of air traffic control,

  • with specifications for the safe transportation of dangerous goods by road, rail and inland waterway,

  • with specifications for environmental protection,

  • with specifications on radiation protection and nuclear safety,

  • to promote the use of energy from renewable sources and energy efficiency,

  • on food and feed safety, on organic production and labelling of organic products, on the protection of geographical indications for agricultural products and foodstuffs, including wine, aromatized wine products and spirits, and traditional specialities guaranteed, on the placing on the market and use of plant protection products, and on animal health and welfare as regards the protection of farmed animals, the protection of animals at the time of killing, the keeping of wild animals in zoos, the protection of animals used for scientific purposes, and the transport of animals and related operations,

  • on quality and safety standards for organs and substances of human origin, human and veterinary medicinal products, medical devices and cross-border patient care,

  • for the manufacture, presentation and sale of tobacco and related products,

  • on the regulation of consumer rights and consumer protection in connection with contracts between traders and consumers as well as the protection of consumers in the area of payment accounts and financial services, price indications and unfair commercial practices,

  • to protect privacy in electronic communications, to protect the confidentiality of communications, to protect personal data in the electronic communications sector, to protect the privacy of users' terminal equipment and of information stored in such terminal equipment, to protect against unreasonable harassment by advertising via telephone calls, automatic calling machines, fax machines or electronic mail as well as via caller identification and suppression and for inclusion in subscriber directories,

  • on the protection of personal data within the scope of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1; L 314, 22.11.2016, p. 72; L 127, 23.5.2018, p. 2; L 74, 4.3.2021, p. 35) in accordance with Article 2 thereof,

  • on security in information technology within the meaning of Section 2 (2) of the BSI Act by providers of digital services within the meaning of Section 2 (12) of the BSI Act,

  • to regulate the rights of shareholders of stock corporations,

  • for the audit of public interest entities in accordance with Section 316a S 2 of the German Commercial Code,

  • for accounting, including the bookkeeping of companies that are capital market-oriented within the meaning of Section 264d of the German Commercial Code, credit institutions within the meaning of Section 340 (1) of the German Commercial Code, financial services institutions within the meaning of Section 340 (4) sentence 1 of the German Commercial Code, securities institutions within the meaning of Section 340 (4a) sentence 1 of the Commercial Code, institutions within the meaning of Section 340 (5) sentence 1 of the Commercial Code, insurance undertakings within the meaning of Section 341 (1) of the Commercial Code and pension funds within the meaning of Section 341 (4) sentence 1 of the Commercial Code,

  • Violations of federal and uniformly applicable regulations for contracting authorities on the procedure for awarding public contracts and concessions and on legal protection in these procedures once the relevant EU thresholds have been reached,

  • Violations covered by Section 4d para. 1 sentence 1 of the Financial Services Supervision Act, unless otherwise stated in Section 4 para. 1 sentence 1,

  • Violations of tax laws applicable to corporations and commercial partnerships,

  • Violations in the form of agreements aimed at improperly obtaining a tax advantage that runs counter to the objective or purpose of the tax law applicable to corporations and commercial partnerships,

  • Violations of Articles 101 and 102 of the Treaty on the Functioning of the European Union and violations of the legal provisions referred to in Section 81 (2) (1), (2) (a) and (5) and (3) of the Act against Restraints of Competition,

  • Violations of the provisions of Regulation (EU) 2022/1925 of the European Parliament and of the Council of September 14, 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 12.10.2022, p. 1),

  • Statements made by civil servants that constitute a breach of the duty of loyalty to the constitution,

  • breaches of the protection of the European Union's financial interests within the meaning of Article 325 of the Treaty on the Functioning of the European Union,

  • Violations of internal market regulations within the meaning of Article 26(2) of the Treaty on the Functioning of the European Union, including European Union regulations on competition and state aid that go beyond paragraph 1(8).

Further information on the scope of application of the HinSchG can be found in §§ 1 and 2 HinSchG.

»     Data processing for the purposes 1a), 1b), 1d), 1e), 1h):

If the respective report falls within the scope of the HinSchG, then the data processing for these purposes is based on our legal obligation under the HinSchG to process reports of alleged legal violations, to check their validity and to take appropriate follow-up measures (Art. 6 para. 1 lit c GDPR in conjunction with §§ 10, 13 to 18 HinSchG (for criminally relevant data for detection in the event of suspicion based on factual indications additionally in accordance with Section 26 para. 1 sentence 2 BDSG, unless your interest worthy of protection in the exclusion of processing prevails or for prevention in accordance with Section 26 para. 1 sentence 1 BGB)).

If special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) are processed in this context, this data processing is also based on our interest in fulfilling our tasks in accordance with the HinSchG (Art. 9 para. 2 lit g GDPR in conjunction with § 10 S 2 HinSchG).

If the respective information does not fall within the scope of the HinSchG, the data processing for these purposes is based on our legitimate interest in processing information on alleged legal violations, checking its validity and taking appropriate follow-up measures, as we have an interest in preventing legal violations in our company and thus protecting our company, our employees and our customers (Art 6 para 1 lit f GDPR (for data relevant under criminal law additionally in conjunction with § 26 para 1 sentence 2 BDSG4 DSG)). If special categories of personal data within the meaning of Art 9 GDPR (e.g. health data) are processed in this context, this data processing is also based on our legitimate interest in raising and asserting legal claims against any legal violations and their perpetrators and preparing this assertion (Art 9 para 2 lit f GDPR).

»     Data processing for the purposes 1c), 1f), 1i):

Data processing for these purposes is based on our legitimate interest in asserting and exercising legal claims in connection with legal violations in our company or defending ourselves against such legal claims in order to remedy legal violations in our company, to compensate for damage caused by these legal claims and thus to protect our company, our employees and our customers (Art 6 para 1 lit f GDPR; for criminally relevant data § 26 para. 1 sentence 2 BDSG, insofar as this serves to uncover criminal offenses and there are factual indications to suspect that you or the data subject have committed a criminal offense in the employment relationship, the processing is necessary and your legitimate interest or the legitimate interest of the data subject in the exclusion of processing does not prevail).

If special categories of personal data within the meaning of Art 9 GDPR (e.g. health data) are processed in this context, this data processing is also based on our legitimate interest in raising and asserting legal claims against any violations of the law and their perpetrators and preparing this assertion (Art. 9 para. 2 lit. f GDPR) and - if the notice falls within the scope of the HinSchG (see the explanations above on purpose 1a) - also on our obligation to fulfill our tasks under the HinSchG (Art. 9 para. 2 lit. g GDPR in conjunction with § 10 S 2 HinSchG).

The personal data is also stored for this purpose and for the aforementioned legitimate interest (see the section "Storage of your personal data" below for more information on this and the retention period).

»     Data processing for purpose 1g):

Data processing for this purpose is based on the fact that we have a legitimate interest in detecting criminally relevant legal violations in the event of suspicion based on factual indications (Art. 6 para. 1 lit. f GDPR in conjunction with § 26 para. 1 sentence 2 BDSG, if applicable) or to prevent criminally relevant violations of the law (Art. 6 para. 1 lit. f GDPR, if applicable in conjunction with Section 26 para. 1 sentence 1 BDSG) as well as our interest that this processing is necessary for a task in the public interest, namely the prosecution and punishment of criminal offenses by the competent authorities (Art. 6 para. 1 lit. c GDPR).

4. Forwarding your personal data to third parties:


We use a whistleblowing platform ("SpeakUp") on our website, which is operated by a provider specializing in this area, to enable whistleblowers to report information securely and easily. This provider and the IT service providers used in this context may be able to access the data provided on the platform as processors, although we have of course taken technical and contractual measures to ensure the highest level of confidentiality, which prevents these providers from accessing your unencrypted data, unless this is essential in individual cases to process a report.

To enable the impartial and effective handling of whistleblowing, whistleblowing within our Group is handled by the specialized MOL Group Ethics Council Team of MOL Nyrt. and investigations are coordinated by this team. For this purpose, personal data from whistleblowing, investigations and follow-up actions are also made available to this team.

As part of an investigation, we may involve specialized forensic and investigative service providers and experts as well as legal representatives who may have access to the personal data required for the investigation.

If the information also concerns other Group companies, the personal data required for the investigation may also be made available to these Group companies for the purpose of the investigation and the taking of follow-up measures.

To the extent necessary for the assertion, exercise or defense of legal claims in connection with a report, the investigation of a report or any violation of the law that may have been uncovered, we may forward your personal data collected in connection with a report, an investigation, follow-up measures taken or violations of the law that have been uncovered to the competent courts and authorities as well as our legal representatives.

We may also transmit information on follow-up measures taken as a result of a notification and the personal data necessarily contained therein to the person providing the notification (see Section 17 (2) HinSchG).

Personal data will not be transferred to third countries outside the European Economic Area (EEA) unless this is absolutely necessary in individual cases for investigations or follow-up measures outside the EEA (Art 49 para 1 lit d, lit e GDPR).

5. Retention of your personal data:


Personal data that is collected in the course of a report, an investigation initiated in response to a report or follow-up measures taken in response to a report, but which is not required for the processing of the report, the investigation or the follow-up measures, will be deleted immediately as soon as we realize that this data is not required for the stated purposes.

The documentation of a report is deleted three years after the procedure has been completed. The documentation may be kept for longer in order to meet the requirements of this Act or other legislation, as long as this is necessary and proportionate (see Section 11 (5) HinSchG).

6. Voluntary nature of the provision of personal data:


The submission of whistleblower information (reports or disclosures) is always voluntary.

You can also submit whistleblower information (reports or disclosures) anonymously. Providing personal data that identifies you is voluntary.

Your rights:

You have the right (with the restrictions set out below) (i) to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and copies of the personal data (Art 15 GDPR), (ii) to obtain from us the rectification, completion or erasure of your personal data if they are inaccurate or not processed in accordance with the law (Art 16, 17 GDPR), (iii) in certain circumstances, to obtain from us the restriction of the processing of your personal data (Art 18 GDPR), (iv) under certain circumstances, to receive your data in a structured, commonly used and machine-readable format or to transmit it to a third party (right to data portability, Art 20 GDPR) and (v) under certain circumstances, to object to the processing of your personal data (Art 21 GDPR). If you wish to exercise one or more of these rights, please contact us.

In addition, you have the right to lodge a complaint with the data protection authority (see www.lda.bayern.de for contact details) if you believe that your data protection rights have been violated.