If you, as a whistleblower, submit a notice via the EMCO homepage, you must give your consent to the processing of your data in advance by ticking the box at the end of the data protection notice. Please read the data protection notices below very carefully before submitting a whistleblower report.
In the following, we would like to inform you about the collection, processing and use of personal data in the context of the whistleblower system if you submit a report by phone, by letter, via the form on the EMCO website or in person. Therefore, please read these data protection notices very carefully before you submit a report.
I. Purpose of the whistleblower system and data processing
The whistleblower system is used to receive and process reports of (suspected) legal or serious internal rule violations in a secure and confidential way.
The processing of personal data in the context of the whistleblower system is based on EMCO's legitimate interest in the detection and prevention of grievances and the associated averting of damage and liability risks for EMCO (Art. 6 Para. 1 lit. f GDPR). In addition, the EU Whistleblower Directive requires the establishment of a whistleblower system in order to give employees and third parties the opportunity to provide protected information about legal violations in the company.
If the received information concerns an EMCO employee, the processing also serves to prevent criminal offenses or other legal violations in connection with the employment relationship.
The processing of your identification data takes place on the basis of a consent to be given (Art. 6 Para. 1 lit. a GDPR). As a rule, the consent can only be withdrawn within one month of receipt of the report, as EMCO is obliged in certain cases under Article 14 (3) (a) GDPR to inform the accused within one month of the allegations made against them and the investigations carried out. This also includes the storage, the type of data, the purpose of the processing, the identity of the person responsible and - if legally required - the reporting party, so that it is no longer possible to cease data processing or delete the identification data. The withdrawal period can be shortened, e.g. if the type of report requires the immediate involvement of an authority or a court, because as soon as a disclosure to the authority or the court has been made, the identification data are in the procedural files of EMCO as well as of the authority or the court.
II. Processing of your personal data
The data submitted to the whistleblower system is encrypted and stored with multiple levels of password protection, so that access is restricted to a very small group of expressly authorized EMCO employees. These authorized employees check the reported facts and, if necessary, carry out further case-related clarification of the facts; all data will always be treated confidentially. However, if you knowingly post false information with the aim of discrediting a person (denunciation), confidentiality cannot be guaranteed.
In certain cases, EMCO is obliged under data protection law to inform the accused person of the allegations made against them. This is required by law if it is objectively certain that the provision of information to the accused person can no longer impair the clarification of the specific information at all. Your identity as a reporter will not be disclosed - as far as legally possible - and it will also be ensured that no conclusions can be drawn about your identity.
As part of the processing of reports or an investigation, it may be necessary to pass on information to other EMCO employees or employees of EMCO subsidiaries, e.g. if the references relate to processes in subsidiaries of EMCO.
If it is necessary for the clarification, a transfer to a subsidiary of EMCO in a country outside the European Union or the European Economic Area can be made on the basis of suitable or appropriate data protection guarantees to protect those affected. Please note that not all third countries have an adequate level of data protection recognized by the European Commission. For data transfers to third countries in which there is no adequate level of data protection, we ensure that the recipient either has an adequate level of data protection (e.g. adequacy decision by the EU Commission or agreement of so-called EU standard contractual clauses of the European Union with the recipient) or that we have the express consent of our users.
We always make sure that the relevant data protection regulations are complied with when forwarding information. If there is a corresponding legal obligation or a requirement under data protection law for the clarification of the information, further possible categories of recipients are law enforcement authorities, antitrust authorities, other administrative authorities, courts, and international law and auditing firms commissioned by EMCO. Anyone who has access to the data is obliged to maintain confidentiality.
Personal data will be kept for as long as the clarification and final assessment require it, or for as long as a legitimate interest of the company or a legal requirement exists. This data will then be deleted in accordance with the legal requirements. The duration of the storage depends in particular on the severity of the suspicion and the reported possible breach of duty.
III. Your rights
According to European data protection law, you and the persons named in the report have the right to information, correction, deletion, restriction of processing and, in certain cases, the right to data transfer. You can also object to the processing of your personal data for reasons that arise from your particular situation, provided that the data processing is carried out in the public interest or on the basis of a weighing of interests. The objection can be made informally and should, if possible, be sent to the contact details listed in this data protection notice.
If the right of objection is exercised, we will immediately check to what extent the stored data is still required, in particular for processing a report. Data that is no longer required will be deleted immediately. You can also revoke your consent at any time. In this context, please note the information under "Purpose of the whistleblower system and data processing". You also have the right to lodge a complaint with the data protection authority of the Republic of Austria at the following link: www.dsb.gv.at.
IV. Your contact person
Our legal department is at your disposal at any time as your contact for data protection-related issues:
Salzburger Straße 80