SIMONSWERK HALO

Data Privacy Notice

Preamble

This privacy policy describes what data we collect about you when using this whistleblowing system, what we need this data for and to whom we pass this data on. It also includes your rights in relation to your data and the contacts you can contact for further information or inquiries.

Responsible data controller per Art. 4 No. 7 GDPR

Deloitte GmbH Wirtschaftspruefungsgesellschaft
Rosenheimer Platz 4
81669 Munich

Data Protection Officer

The data protection officer of the controller is

Deloitte GmbH Wirtschaftspruefungsgesellschaft
Attn. Data Protection Officer
Rosenheimer Platz 4
81669 Munich

privacy@deloitte.de

Scope, nature, and purposes of processing

We use the information you provide in the context of the whistleblower system to review and document reports, to assist our clients with their investigation (including disclosure to our clients, external lawyers, auditors, or other professionals bound by professional secrecy), and if necessary, to disclosure to government authorities (such as the police, public prosecutor's office or courts).

We guarantee that all whistleblowers will be treated confidentially.

The submission of information is voluntary.

Legal basis for processing

When operating the whistleblower system, Deloitte processes personal data in the client's legitimate interest, Art. 6 para. 1 lit. f GDPR.

The interest of clients lies in the fulfillment of legal obligations (e.g., from Directive (EU) 2019/1937 and national legislation) or the protection of business interests (e.g., the detection and prevention of malpractice).

Data categories

We process the following categories of personal data in particular in context with the whistleblower system:

For all disclosures:

Names of persons involved
Names of all witnesses (if provided)
Date, time, and location of the incident(s)
Details of possible evidence
Frequency of the incident(s)
Information about the incident
Information on whether the incident has already been reported to the company and, if so, to whom
Relationship of the whistleblower to the company
Information contained in attachments to the report (optional)

In case the following data is provided on a voluntary basis:

Name
Department
E-mail address
Phone number
Other information

Duration of storage of personal data

Personal data will be stored for as long as necessary for clarification and final assessment or as long as there is a legitimate interest on the client's part or as required by law. The duration of storage depends, in particular, on the severity of the suspicion, the reported possible breach of duty, and national laws.

Categories of recipients of data and transfer to third countries

In the context of the whistleblower system, personal data may also be transferred to third parties, as specified below. In this respect, data may be transferred to other European and non-European countries, and your personal data may be stored outside the EU:

To authorities, courts, or other bodies

In the context of processing reports, transmitting information, case results, and documents to authorities, courts, or other public or private bodies (including abroad for foreign reference) may also be necessary. The same applies to cases in which the client is obliged to hand over/disclose personal data per a statutory, official, or court order.

To Deloitte internal service providers and external IT service providers

As a service provider, in individual cases, Deloitte uses other German or foreign Deloitte network companies as network-internal IT service providers, which provide services for the operation, maintenance, and care of the IT systems and applications used by the Deloitte network companies. These companies are only used with access rights to personal data if this has been agreed in the order agreements with our clients or is legally permissible in individual cases without consent.

Insofar as access is provided by a network company outside the European Economic Area, an appropriate level of data protection is guaranteed by using standard contractual clauses of the EU Commission within the meaning of Art. 46 para. 2 lit. c GDPR.

Cookies

The whistleblower system only uses strictly necessary cookies to ensure the security of the platform.

Your rights

You can assert a number of rights in regard to your personal data. In particular, you have the right to

access, Art. 15 GDPR
rectification, Art. 16 GDPR
erasure (“right to be forgotten“), Art. 17 GDPR
restriction of processing, Art. 18 GDPR
data portability Art. 20 GDPR
right to object, Art. 21 GDPR
to withdraw consent

You can revoke your consent to the processing of your personal data at any time without giving reasons at kontakt@deloitte.de (if such processing is based on consent). Please note that the consent you have withdrawn does not affect the lawfulness of processing in the past but only has effect for the future.

Please contact kontakt@deloitte.de to exercise your rights.

to lodge a complaint with a supervisory authority, Art. 77 GDPR

The responsible authority is the Bavarian State Office for Data Protection Supervision in Ansbach.

Last update of this privacy policy is on 12.12.2023.

© 2024. See Terms of Use and Privacy Notice for more information.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.