Privacy Policy SpeakUp for Persons Involved

Data protection information for persons involved in reporting misconduct and/or irregularities that contravene applicable law and/or our Code of Conduct.

We take the protection of your personal data seriously. We treat it confidentially and in accordance with the statutory data protection regulations (GDPR).

Purpose of data processing

We may process your personal data in order to investigate and clarify misconduct and/or abuses that contravene applicable law and/or our Code of Conduct within the INDUS Group or at other stakeholders, e.g. in the event of complaints due to violations of legal positions protected by the Supply Chain Due Diligence Act (LkSG). This may be the case in particular if we list you as a participant or witness in this context.

Legal basis

The legal basis for the processing of your personal data is, in particular, legal obligations under the Whistleblower Protection Act (Art. 6 (1) (c) GDPR in conjunction with Art. 17 of Directive (EU) 2019/1937 (‘EU Whistleblower Directive’) and any other national regulations (e.g. with regard to matters relevant to criminal, competition and labour law) for the implementation of the EU Whistleblower Directive). In accordance with the Whistleblower Directive and the national regulations for its implementation, we are legally obliged to provide a whistleblower system. If a report received concerns an employee of INDUS or one of its affiliates, the processing also serves to prevent criminal offences or other legal violations in connection with the employment relationship. This is based on Art. 6 para. 1 lit. f GDPR. Insofar as the aforementioned special categories of personal data are or become part of the reports or subsequent investigation proceedings, we process them on the basis of Art. 9 (2) lit. b GDPR in conjunction with Art. 9 (2) lit. f GDPR and applicable national regulations.

The processing of personal data is also carried out on the basis of our legitimate interest (also in relation to third parties) in accordance with Art. 6 (1) sentence 1 lit. f) GDPR in conjunction with any applicable provisions of national laws on the prevention and detection of criminal offences, breaches of duty and other violations, as well as our legitimate interest in averting damage and liability risks for our company. We have a legitimate interest in processing personal data for the prevention and detection of violations within our company, for reviewing the legality of internal processes and for maintaining the integrity of our company. In particular, reference is made in this regard to the prevention and defence against administrative offences and criminal offences within the meaning of Sections 30 and 130 of the OWiG (German Administrative Offences Act).

Personal data is also processed within the framework of a whistleblower system (complaints procedure) on the basis of Section 8 of the Supply Chain Due Diligence Act (LkSG), among other things. The complaints procedure enables individuals to report human rights and environmental risks as well as violations of human rights or environmental obligations that have arisen as a result of the economic activities of a company in its own business area or of a direct supplier.

Source and categories of personal data

The personal data that we may process about you in this context may originate from whistleblowers (e.g. an employee or business partner of INDUS or an INDUS affiliate) or from our own investigations (e.g. by evaluating IT system logs).
This may include identification data (e.g. names, personnel numbers, IP addresses) and data describing behaviour during a specific period of time.

Recipients

We keep personal data confidential, but may need to pass it on to internal and external parties (e.g. experts) for further investigation.

Other recipients may include authorities and other bodies, insofar as this is necessary for criminal prosecution or to safeguard legal interests. In addition, service providers who provide or maintain our IT infrastructure may be able to view the data under certain circumstances; however, they are separately bound to confidentiality.

Storage period

Personal data will be stored for as long as it is necessary for the above-mentioned purposes or as long as required by statutory retention periods.

Your rights as a party involved

As a data subject, you have the following rights, provided that the legal requirements for this are met:

  • Right to information, Art. 15 GDPR
  • Right to rectification, Art. 16 GDPR
  • Right to erasure, Art. 17 GDPR
  • Right to restriction of processing, Art. 18 GDPR
  • Right to data portability, Art. 20 GDPR
  • Right to object, Art. 21 GDPR

If data processing is based on a balancing of legitimate interests, you have the right to object to this processing of data. To do so, you must have legitimate reasons arising from your particular situation.

You also have the right to complain to the data protection supervisory authority about the data processing.

Automated decision-making

We promise to examine the case carefully. Decisions are not made automatically, but are carefully examined and weighed up on a case-by-case basis.

Data controllers and data protection officers

The operator of the whistleblower system is responsible for data processing:

INDUS Holding AG
Kölner Straße 32
D-51429 Bergisch Gladbach
Phone: +49 (0)2204/40 00-0
Email: indus@indus.de

The INDUS data protection officer can be contacted at:
fox-on Datenschutz GmbH
Pollerhofstr. 33a
D-51789 Lindlar
Email: dsb+indus@fox-on.com