NOTICE/INFORMATION ABOUT THE "LET US KNOW" COMPLIANCE WHISTLEBLOWER SYSTEM – INTERNET
Please read this Data Protection Notice carefully before reporting an incident, and agree to the content of the following information:
The key points at a glance:
- You can send us information without disclosing your identity.
- Communication will then take place using an automatically generated case number and password, which you can use to stay in contact with us via this whistleblower system.
- There is no way that your identity can be traced by any other means, such as via your IP address.
If you do not wish to remain anonymous:
- The information provided and your identity will be treated as strictly confidential. This can only be viewed by employees of the National and/or Corporate Compliance Office and, to the extent necessary, by system administrators.
- Your identity is revealed only if Klöckner is legally obliged to do so or this is essential for investigation purposes and/or for enforceability of claims.
- Therefore, it cannot be completely ruled out that your identity will have to be revealed to investigating authorities or in court proceedings at a later date.
- Klöckner guarantees that whistleblowers are in no way placed at a disadvantage as a result of their reporting an incident, unless they have knowingly distributed false information, misused the whistleblower system in any other way or incriminated themselves.
- We ensure that, if you break off entering data, no data on the matter will be stored or submitted.
1. General information
In this Data Protection Notice, we would like to inform you about the processing of your personal data and your rights regarding this processing.
Definitions of terms used in this Data Protection Notice:
- General Data Protection Regulation: The General Data Protection Regulation (GDPR) is a European Union (EU) law governing the protection of personal data. The information provided here serves to fulfill a legal requirement under the GDPR.
- Personal data: Personal data is all information relating to a data subject. A data subject is an identified or identifiable natural person. An identifiable natural person is a person who can be identified by name or other data. Personal data includes contact details, IP address, age and many other items of information.
- Processing: Under Article 4(2) of the GDPR, processing is any operation which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Controller: Under Article 4(7) of the GDPR, a controller is a natural or legal person which determines the purposes and means of, and thus controls, the processing of personal data.
We, Klöckner & Co SE, Am Silberpalais 1, 47057 Duisburg, Germany, are the controller within the meaning of the GDPR and therefore control the data processing covered in the following. If you have any questions or requests regarding data processing, please contact our Data Protection Officer using the contact details provided in the next paragraph.
d) Data Protection Officer
You can contact our Data Protection Officer at any time at the following e-mail address: email@example.com.
2. Information on the process
The “Let us know” Compliance Whistleblower System (“Compliance Whistleblower System”) is a web- and phone-based automated process aimed at preventing business crime and similarly serious misconduct (i.e., violation of human rights or environmental pollution) or conflicts of interest that are damaging to the company. It is a key component of the Compliance Program of Klöckner & Co SE, Am Silberpalais 1, 47057 Duisburg, Germany (“Klöckner”). Klöckner urges employees, suppliers, customers and other business partners to report suspected serious breaches of regulations or conflicts of interest on the part of Klöckner’s employees, suppliers, customers or other business partners.
Serious misconduct and conduct that violates penal provisions or human rights, or conduct that is hugely out of line with the corporate interests of Klöckner, constitute serious breaches of regulations and conflicts of interest. This includes, in particular:
- Violation of human rights
- Banking and financial crime
- Breaches of securities provisions including prohibited insider trading
- Breaches of fair competition and antitrust law
- Falsification and concealment of contracts, reports or records
- Corruption (bribery and granting advantages)
- Money laundering and terrorist financing
- Violations of foreign trade law
- Other criminal offenses that affect company interests, in particular deception, embezzlement, theft and fraud
- Misconduct as regards accounting, internal accounting controls, auditing and drawing up the balance sheet.
- Serious breaches of environmental regulations
- Public procurement breaches
- Product safety and conformity breaches
- Traffic safety breaches
- Radiation protection and nuclear safety breaches
- Public health hazards
- Consumer protection breaches
- Privacy and personal data protection breaches
- Network and information system security breaches
- Conflicts of interest that clearly contradict the performance of duties in the best interests of Klöckner and which may lead to considerable damage to Klöckner’s assets or reputation
Please bear in mind that all disclosures you provide about yourself, about reported employees, suppliers, customers or other business partners of the Klöckner & Co Group or about any other matters that are linked to Klöckner may lead to decisions that could have serious consequences for Klöckner employees and any third parties implicated in the incident you have reported. For this reason, we ask that you only provide us with information that is correct to the best of your knowledge. The information that you provide will be treated as strictly confidential.
Use of the Klöckner Compliance Whistleblower System is voluntary and reports can be submitted anonymously. However, please be aware that we can only accept and process reports once you confirm that you have read and taken note of this Data Protection Notice and have given your express consent for the information you provide to be processed.
You can choose whether your matter is to be forwarded solely to the management of a specific Klöckner & Co subsidiary in the country concerned and/or to the Klöckner & Co SE Corporate Compliance Office in Germany.
We request that you first give your consent. Once you have done this, you will be taken to the reporting form and will have access to country-specific toll-free numbers that you can use to report a matter by phone. If you do not wish to give your consent for the disclosures you make as regards personal data and information to be processed, please close this start page. In this case, you will not be able to report an incident via the Compliance Whistleblower System.
Apart from the option of using our Compliance Whistleblower System, you can also contact the Klöckner & Co SE Corporate Compliance Office directly. Its contact details can be found on our corporate website.
You can also request a personal meeting with a member of management at the Klöckner & Co subsidiary concerned and/or with a representative of the Klöckner & Co SE Corporate Compliance Office.
We will confirm receipt of your report within seven days, provided that you have given us your contact details when using the whistleblower system. The incident you reported will be followed up on as quickly as possible and with due care and attention. We will keep you informed about the outcome of our investigation using the communication options available in the whistleblower system.
If you wish to remain anonymous, you can still stay in contact with us by using our whistleblower system and providing your case number and password. You will receive a case number and password when you finish reporting an incident. Depending on how you communicate with us, these will either be displayed on the screen or provided to you on the phone by an employee of our service provider.
If you wish to contact us about the matter again at a later date or ask about the status, you can do so via either the web- or the phone-based whistleblower system, providing your case number and password.
We guarantee that, if you break off entering data, no data on the matter will be stored or submitted. There is no way that your identity can be traced by any other means, such as via your IP address.
3. Information on data processing
a) Data categories
If you report an incident via the Compliance Whistleblower System, we will save the following personal data and other information if you have entered that data or provided it to us by phone and have given your express consent for us to continue using it:
- Your name and contact details, unless you wish to remain anonymous;
- Details of the Klöckner company affected;
- Whether you are employed by Klöckner;
- Name(s) and personal data of person(s) you have specified in your reporting of an incident (such as job title[s] and contact details);
- Description of the non-compliant conduct, including details of when and where it took place;
- Description of the situation upon which the incident reported is based;
- Details regarding whether the management in question is aware of the non-compliant conduct;
- Any questions you may have.
b) Purposes of processing
Klöckner will observe the data protection regulations in force, in particular the rights of the whistleblower and the accused. Information acquired by means of incidents reported will be used solely for the purposes of investigating and taking action against serious breaches of regulations or conflicts of interest.
Where the option of reporting an incident anonymously has not been used, information provided by a whistleblower and his/her identity will be treated as strictly confidential. The identity is revealed only if Klöckner is legally obliged to do so or this is necessary for investigation purposes and/or for enforceability of claims. Therefore, it cannot be completely ruled out that your identity will have to be revealed to investigating authorities or in court proceedings at a later date. Klöckner guarantees that a whistleblower is in no way placed at a disadvantage as a result of his/her reporting an incident, unless he/she has knowingly distributed false information, misused the whistleblower system in any other unauthorized way or incriminated himself/herself.
In order to protect their rights, people whose identity you disclose via the Compliance Whistleblower System will be informed of the reported incident received and the accusations made as soon as this no longer compromises investigations.
Aside from the incident itself, personal data and information will be saved in the Compliance Whistleblower System database while the incident reported is processed further. These can only be accessed, firstly, by Compliance Office employees at the Klöckner & Co Subsidiary to which the incident has been reported, secondly – provided consent has been given – by Corporate Compliance Office employees at Klöckner & Co SE, Germany, and thirdly – if necessary for technical reasons – by system administrators. All of these individuals are formally obliged to observe the requirements of the GDPR as well as all other applicable data protection regulations and to maintain confidentiality. This obligation also applies to employees of other internal or external bodies, insofar as their involvement is required for the purpose of clarification.
c) Legal basis of processing
As a rule, processing is performed on the basis of Article 6(1)(a) (consent), in some cases on the basis of Article 6(1)(c) for compliance with a legal obligation to which we are party (compliance with a legal obligation) and occasionally on the basis of Article 6(1)(f) of the GDPR for the purposes of our legitimate interests, except where such interests are overridden by the legitimate interests or fundamental rights of the data subject(s) (for the purposes of legitimate interests).
d) Voluntary provision of data
Use of the Klöckner “Let us know” Compliance Whistleblower System is voluntary. However, please be aware that we can only accept and process reports once you confirm that you have read and taken note of this Data Protection Notice and have given your express consent for the information you provide to be processed.
e) Storage period
The personal data saved will only be stored for as long as it is required to process the reporting of an incident and, if necessary, introduce sanctions or enforce claims; for as long as it is required in connection with criminal prosecution measures or proceedings (e.g. joint plaintiff); or for as long as the data has to be stored by rights. Otherwise, the personal data will be erased no later than two months after investigations have been completed.
f) Recipients of personal data
Personal data provided to us via the Klöckner “Let us know” Compliance Whistleblower System can normally only be viewed by Compliance Organization employees at the Klöckner & Co subsidiary to which the incident has been reported and/or – provided consent has been given – by Corporate Compliance Office employees at Klöckner & Co SE, Germany.
In exceptional instances, it may be necessary to involve other trusted parties such as the Data Protection Officer or the Works Council, the body representing executive staff and similar bodies.
g) Transfer to third countries
The website you are forwarded to after submitting your consent is operated by our service provider
345 7th Avenue
New York, NY 10001
This company is headquartered in the USA, meaning that it is not directly subject to European data protection law, but to US law. In this regard, US law is not equivalent to European law in every detail. Therefore, it cannot be completely ruled out that government authorities, especially US authorities, may access your data in a way that would be excessive by a German or European understanding of the law. Furthermore, it cannot be ruled out that legal redress against such access cannot be granted or cannot be granted to the same extent as it would be in Germany or to a US citizen.
Provided you agree to these data protection notifications below, you also agree to your data being forwarded to the service provider for processing of your reported incident and to said service provider collecting, processing and using it in the US.
4. What happens if I am affected by a reported incident myself, or if I am under suspicion?
If you yourself are affected by an incident reported through the Compliance Whistleblower System, the appropriate office within the Klöckner & Co organization will contact you, as soon as this no longer compromises investigations, regarding the following:
- The accusations that have been made against you;
- The people or departments who are able to obtain information or reports on these accusations;
- How you can exercise your right to obtain information on data saved about you personally and, if applicable, to have it corrected, erased or blocked.
- If the transmission of any of this information impinges upon the rights of other parties, we will only transmit this information if we are legally obliged to do so.
5. Your rights
As a data subject, you can exercise your rights under the GDPR at any time by sending an informal message to our Data Protection Officer (see under heading 1. d) above for contact details). Your rights are as follows:
- The right to be provided information about the data processing and a copy of the processed data (right of access, Article 15 of the GDPR),
- The right to obtain rectification of incorrect data or to have incomplete data completed (right to rectification, Article 16 of the GDPR);
- The right to obtain erasure of personal data and, where personal data has been made public, to have other controllers informed about the request for erasure (right to erasure, Article 17 of the GDPR);
- The right to obtain restriction of processing (right to restriction of processing, Article 18 of the GDPR);
- The right to receive the personal data concerning the data subject in a structured, commonly used and machine-readable format and to transmit that data to another controller (right to data portability, Article 20 of the GDPR);
- The right to object to data processing in order to prevent it (right to object, Article 21 of the GDPR);
- The right to withdraw, at any time, consent that you have given in order to prevent data processing on the basis of your consent. Revoking consent has no bearing on the lawfulness of processing on the basis of the consent before the revocation (right of withdrawal, Article 7 of the GDPR);
- The right to lodge a complaint with a supervisory authority if you consider that the processing of personal data infringes the GDPR (right to lodge a complaint with a supervisory authority, Article 77 of the GDPR).
6. Consent and revocation of consent
Data is processed for the following specific purposes:
- Use of the Klöckner “Let us know” Compliance Whistleblower System
- For details regarding the categories of data processed and the purposes of processing, please see sections 3.a) and 3.b).
- Alternatively, incidents may be reported anonymously.
- Data transfer to service providers in the USA (third-country transfer).
- By giving consent, you also consent to your data being processed by sub-service providers in the USA.
- The European Court of Justice has ruled that, by EU standards, the USA has inadequate levels of data protection. In particular, there is a risk that your data may be processed by US authorities for monitoring and surveillance purposes, potentially without any legal remedy. For further details, please see the data protection notice in section 3.g).
SPECIAL NOTES ON REVOCATION OF CONSENT
It is not normally possible to revoke consent after reporting an incident, as we are required to follow up on the matter and also to notify the accused individual about the allegations made against them as well as about the investigations conducted. This also includes the consent to third-country transfer.