Whistleblowing Privacy Information Notice

If you have any questions about how we use your personal data or this Privacy Policy in general, please contact us at dpo@deugro-group.com . You can also write to us:

ATTN: Compliance – Data Protection
DEHOCO AG
Churerstrasse 78
8808, Pfaeffikon, Switzerland

If we are unable to resolve your concerns, you also have the right to contact your local data protection authority.

The processing of personal data related to the receipt and management of whistleblowing reports is carried out in accordance with the relevant regulatory provisions and the specific procedure adopted by the Company. The processing in the context of whistleblowing includes, in particular, the purpose of:

• acquiring reports of alleged violations concerning national or EU regulations that harm the public interest or the integrity of public administration (Articles 2 of German Whistleblower Protection Act – HinSchG );
• acquiring reports of alleged violations (behaviors, acts or omissions) concerning applicable national or international laws, or deugro group policies and procedures, that harm the integrity of the Company or of deugro – group;
• conducting investigations to verify the validity of the reports;
• adopting appropriate corrective measures and taking necessary disciplinary and/or judicial actions;
• making communications required by law Article 17.1.1 of German Whistleblower Protection Act – HinSchG.

The processing of personal data for this purpose finds its legal basis in Article 6, paragraph 1, letter c) pursuant to which the processing is necessary for compliance with a legal obligation to which the controller is subject and Article 6, paragraph 1, letter f) for which the processing is necessary to pursuit the legitimate interest of the Data Controller or a third party. All personal data collected in this context are strictly functional and necessary for the purposes provided by German Whistleblower Protection Act – HinSchG, as well as for any internal control needs, risk monitoring, defense of a right in court, or other legitimate interests of the Controller.

Regarding the processing of special categories of personal data, these are processed based on Article 9, paragraph 2, letter b) of the GDPR, which states that processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law and, for personal data relating to criminal convictions and offenses. Personal data are also processed based on the explicit consent of the whistleblower (Articles 6, paragraph 1, letter a) and Article 9, paragraph 2, letter a), exclusively for the purpose of making the report known where necessary for the defense of the accused, including in disciplinary proceedings (Articles 8.1 and 9 of German Whistleblower Protection Act – HinSchG).

Personal data are contained in the report and any attached documents and may refer to:

• the whistleblower (reporting person) who submits the report;
• individuals to whom the alleged unlawful behavior is attributed and/or other individuals mentioned in the report or whose identity can be inferred;
• the subjects such as the “facilitator,” i.e., the individual operating within the same work context who assists the whistleblower.

The personal data processed are generally “ordinary” (name, surname, job role, etc.). However, in the context of reports, data falling within the so-called “special categories of personal data” under Article 9 of the GDPR (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) and the so-called “judicial data” under Article 10 of the GDPR (such as data relating to criminal convictions and offenses) may be provided. In general, the whistleblower is invited not to provide such categories of data about themselves or third parties unless strictly necessary for the report.

Personal data, including those falling within special categories or judicial data, are processed in compliance with the principles of minimization, relevance, and non-excessiveness, for the purpose of conducting the necessary investigative activities to verify the validity of the facts reported and for the adoption of the consequent measures provided by the procedure or German Whistleblower Protection Act – HinSchG.

Personal data will be processed using IT and paper supports that ensure their security and confidentiality.

Personal data are provided by the reporting person according to the methods illustrated in the specific procedure adopted by deugro or are acquired from third parties (e.g. witnesses) or from publicly accessible sources as part of the preliminary checks that deugro is required to carry out in compliance with the procedure and the applicable legislation.

With reference to the Purposes of processing listed above, the provision of personal data is optional. Failure to provide them, however, could jeopardize the successful outcome of the investigation, without prejudice to the possibility of also making anonymous reports as provided for and under the conditions established by the legislation and the specific procedure adopted by the Company.

Personal data will be communicated to the subjects responsible for managing the report according to the specific procedure adopted by the Company, and therefore to the staff responsible for managing the internal report – Compliance Team, including the “Local Ethics Officers.”

Without prejudice to communications made in execution of the above procedure and legal obligations, personal data may be communicated, in compliance with the Privacy Legislation:

• to the supervisory body (Bundesamt fur Justiz – BfJ) established in compliance with German Whistleblower Protection Act – HinSchG ;
• to the reported subjects under the conditions provided by German Whistleblower Protection Act – HinSchG. Notwithstanding the statutory notification obligations, personal data of the whistleblower may only be disclosed to the reported person if this is necessary within the framework of the Whistleblower Protection Act (HinSchG), in particular for the defense of the person concerned or on the basis of an official or court order. Disclosure is subject to the provisions of the GDPR and the confidentiality obligation pursuant to Article 8 HinSchG;
• to the Judicial Authority, administrative authority, or other public entity authorized to request them in cases explicitly provided by law;
• to external consultants and third parties with technical functions (e.g., IT platform provider);
• to companies belonging to the Controller’s corporate group, including DEHOCO (Deutschland) GmbH, which are entrusted with technical and organizational tasks necessary for managing the report. These transfers of personal data are in line with Recital No. 48 of the GDPR, which states that “Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.”

In the context of any criminal proceedings that may be initiated, the identity of the whistleblower will be kept confidential in the manner and within the limits provided by Article 68 of the StPO -German Code of Criminal Procedure and Article 8 of the German Whistleblower Protection Act – HinSchG ; in the context of proceedings before the Court of Auditors, the identity of the whistleblower will not be revealed until the conclusion of the investigative phase; in the context of disciplinary proceedings, the identity of the whistleblower will not be revealed in all cases where the disciplinary charge is based on findings distinct and additional to the report, even if consequent to it, while it may be revealed where the following three conditions are met together: (1) the charge is based, in whole or in part, on the report, (2) knowledge of the whistleblower’s identity is indispensable for the defense of the accused, and (3) the whistleblower has given explicit consent to the disclosure of their identity.

All subjects, except those operating as autonomous controllers, have been expressly authorized to process such data pursuant to Articles 15, 29 and 32, paragraph 4, of Regulation (EU) 2016/679  as well as, for external subjects operating as Data Processors, a specific contract has been signed that precisely regulates the processing entrusted to them and the obligations regarding data protection and security of processing pursuant to Article 28 of the GDPR.

For certain processing activities, the Controller may transfer personal data to external parties located in countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter, “Third Countries”). The legitimacy of such transfer is carried out in compliance with the appropriate and suitable safeguards for the transfer itself and in particular in compliance with the general principle for the transfer under Article 44 of the GDPR, the existence of an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, adequate safeguards pursuant to Article 46 of the GDPR – including the standard data protection clauses adopted by the Commission according to the examination procedure referred to in Article 93, paragraph 2 of the GDPR (SCC) – and in the presence of one of the specific derogations provided for in Article 49 of the GDPR, including the explicit consent to the transfer by the data subject. Some third Countries have been authorized by the European Commission as they provide protection similar to that of EU legislation in data protection matters and, therefore, no additional legal safeguards are necessary. In the case of foreign Countries that have not obtained such authorization, appropriate safeguards will be adopted pursuant to art. 46 GDPR. The list of Third Countries also containing the appropriate guarantees adopted by the Data Controller for the transfer will be updated from time to time and/or available upon request. Please contact us using the details in “How to contact us” if you wish to view this list and a copy of the specific safeguards applied to the export of data.

The personal data processed for the purposes indicated above will be retained for the time necessary to handle the report and in any case no longer than three years from the date of communication of the final outcome of the reporting procedure, except for the initiation of legal or disciplinary proceedings following the report itself. In this case, the data will be retained for the entire duration of the procedure, until its conclusion and the expiry of the terms for exercising appeal actions, in accordance with the provisions of art. 11 paragraph 5 of German Whistleblower Protection Act – HinSchG and art. 5, paragraph 1 of the GDPR.

You have the following rights with respect to your Personal Data that we process, subject to conditions set out in the applicable laws:

• to request access to your Personal Data (commonly known as a “data subject access request”) and to certain additional information about our processing of your Personal Data that this Information Notice is designed to address;
• to request the correction of any inaccurate or incomplete Personal Data;
• to request the erasure of your Personal Data in presence of one of the grounds referred to in Article 17 of the GDPR;
• to request the restriction of the processing of your Personal Data in cases required by applicable law, and specifically Article 18 of the GDPR;
• to object to our processing of your Personal Data;
• to withdraw any consent you have given;
• under certain circumstances to demand data portability;
• to lodge a complaint with your local data protection supervisory authority; please see our Website Privacy Policy for more information on Supervisory Authorities.
• to contest certain automated decisions we make about you that have legal or otherwise similarly-significant consequences. We do not carry out such automated decision-making but, if we do, we will make it clear where such decisions are being made.

To exercise your rights, please contact us using the contact details listed in the section “How to Contact Us.”

Please note that, pursuant to Article 8 (2) of the German Whistleblower Protection Act – HinSchG, the rights referred to in Articles 15 to 22 of the GDPR may be exercised within the limits of the provisions of Article 29 (1), of the German Federal Data Protection Act (BDSG). According to these provisions, these rights cannot be exercised if their fulfillment would impair the confidentiality of the identity of the whistleblower, as required under the German Whistleblower Protection Act – HinSchG which implements Directive (EU) 2019/1937 on the protection of persons reporting violations of Union law.

The restriction aims to prevent actual and concrete harm resulting from the disclosure of the whistleblower’s identity due to the employment relationship or functions performed.

In such cases, the rights of the data subject may also be exercised through the competent Supervisory Authority (Data Protection Authority) in accordance with Article 60 of the German Federal Data Protection (BDSG). In this case, the Supervisory Authority shall inform the data subject that it has carried out all the necessary checks or that it has carried out a review, as well as the right of the data subject to lodge a judicial appeal.