Whistleblowing Privacy Policy

Thank you for your commitment to reporting matters to Remazing!

Within this Privacy Policy, you will discover details regarding how Remazing gathers, utilizes, and maintains your personal information concerning our whistleblowing process. This Privacy Policy also provides guidance on how you can exercise your rights in compliance with GDPR.

1. Why We Require Your Personal Data

When you report misconduct or breaches within Remazing’s operations, it may become necessary for Remazing to process your personal data. Trust and ethical business practices are paramount for both Remazing and its clients, which is why we actively foster an environment where individuals, whether affiliated with Remazing or external to it, feel secure and encouraged to report any wrongdoing related to our operations.

2. Types of Personal Data Utilized

We process your personal data, including your name, contact information, and other pertinent details provided in your report, to facilitate the receipt of your report, maintain communication with you throughout the case, and ensure thorough follow-up on the matters you’ve reported. 

Personal data in a whistleblowing report may pertain to you as the reporting individual, the subject under investigation, witnesses, or other individuals mentioned. Please note that divulging information to the accused person at an early stage might jeopardize the investigation, and thus, specific information sharing with the accused may be delayed. Such deferral decisions are made on a case-by-case basis and are duly documented. Depending on your employment status within the company, there may be legal restrictions on who you can include in your report.

3. How Personal Data Is Collected

Personal data is collected directly from the person reporting a misconduct or breach within Remazing’s operations. Additionally, personal data may be collected during the investigation of a breach from other relevant individuals (e.g., witnesses) involved in the relevant whistleblowing case.

4. Utilization of Personal Data

Personal data may only be used when processing is deemed necessary for the purpose of follow-up actions, including:

• Receiving whistleblowing reports
• Communicating with whistleblowers
• Facilitating follow-up actions based on the information provided in a report

Personal data processed for these purposes may also be used to fulfill obligations related to information submission, such as:

• Sharing information with the Police Authority in cases involving suspected crimes
• Submitting reports as evidence in legal proceedings or for the establishment, exercise, or defense of legal claims
• Adherence to legal or regulatory requirements

5. Duration of Personal Data Retention

Personal data that is evidently irrelevant to the handling of a specific report will not be collected, or if inadvertently collected, will be promptly deleted. In follow-up cases, personal data may not be processed for a period exceeding three (3) years after the case’s closure, in compliance with the German Whistleblower Protection Act.

6. Access to Your Personal Data and Data Storage

Access to personal data processed in follow-up cases is limited to individuals identified as recipients of reports, authorized to oversee report follow-up, and provide feedback. Personal data is stored within the European Economic Area (EEA) and is safeguarded with rigorous technical standards and practices.

7. Legal Basis for Personal Data Processing

Remazing processes personal data under Article 6(1)(c) of the GDPR, which stipulates that Remazing has a legal obligation (per the German Whistleblower Protection Act) to receive and manage reports of misconduct, necessitating the processing of certain personal data in relation to the whistleblowing process. 

8. Your Rights

As a data subject, you possess several rights under GDPR. Should you have reported a matter and wish to exercise your rights, kindly contact us either at whistleblow@remazing.eu or Sören Jessen (soeren.jessen@remazing.eu) if the report pertains to the Senior People & Culture Manager.

Your GDPR rights encompass:

• Right to access your personal data: Confirm whether your personal data is being processed and, if so, access that data.
• Right to rectification of personal data: Rectify inaccuracies in your personal data.
• Right to erasure of personal data (right to be forgotten): Request the erasure of your personal data under specific circumstances.
• Right to restriction of processing: Limit the processing of your personal data under certain conditions.
• Right to object to processing: Object to processing based on legitimate interests
• Right to data portability: Request your personal data in a machine-readable format for transmission to another data controller (Please note that this right does not apply to whistleblowing, which is based on legal obligations or Remazing’s legitimate interest).
• Right to lodge a complaint with a supervisory authority: Lodge a complaint regarding our personal data processing with your national supervisory authority, such as the Federal Commissioner for Data Protection and Freedom of Information (BfDI), which serves as the lead supervisory authority for Remazing. Additionally, employees in Remazing’s countries of operation have the right to lodge complaints with their respective national supervisory authorities.

9. Questions and Exercising Your Rights

If you have any questions about this Privacy Policy or how we process personal data, or if you wish to exercise your rights, please don’t hesitate to contact us at either whistleblow@remazing.eu or Sören Jessen (soeren.jessem@remazing.eu) if the report involves the Senior People & Culture Manager. 

Remazing reserves the right to modify this Privacy Policy and will communicate any changes on our website and internally.