UK Privacy Statement
The Company takes the protection of personal data very seriously. This Privacy Statement explains what personal information we collect from you when you use the reporting system and how we use it. We ensure compliance with the applicable data protection regulations through both technical and organisational measures.
Responsible entity and data protection officer
Entity responsible for processing personal data is:
Vanguard
4th Floor, The Walbrook Building
25 Walbrook
London
EC2N 8AF
The data protection officer of the Company, can be reached at Geraldine.Collie@Vanguard.co.uk.
The technical implementation of the reporting system is carried out on our behalf by Speakfully.
Personal data
In principle, the reporting system can be used - to the extent permitted by law - without providing personal data. You may, however, voluntarily disclose personal data as part of the whistleblower process, in particular information about your identity, first and last name, country of residence, telephone number or e-mail address.
In principle, we do not request or process categories of personal data, e.g. information on racial and/or ethnic origin, religious and/or ideological convictions, trade union membership or sexual orientation. You are however free to disclose this information in free text fields in the reporting form.
The report you provide may contain the personal data of third parties. The individuals concerned will be informed and given the opportunity to comment on the information. Should this be the case, your identity will remain confidential, as the person concerned will not be given any information about your identity - as far as legally.
Purpose and legal basis of the processing
the reporting system enables you to contact us and report any compliance or legal violations. We process your personally identifiable information (if provided) in order to investigate the reports you make through the reporting system and to investigate suspected breaches of compliance and law. Should we need to come back to you with queries, we will only communicate with you via the reporting system. The confidentiality of the information you provide is our top priority.
Your personal data will be processed in line with your consent given when you report via the reporting system (Art. 6 para. 1 lit. a European General Data Protection Regulation, GDPR).
Furthermore, we process your personal data insofar as this is necessary for the fulfilment of legal obligations. In particular, this includes reports related to criminal, competition and labour law (Art. 6 para. 1 lit. c GDPR).
Finally, your personal data will be processed if this is necessary to safeguard the legitimate interests of the Company or a third party (Art. 6 para. 1 lit. f GDPR). We have a legitimate interest in the processing of personal data to prevent and detect infringements within the Company, to verify the legality of internal processes and to safeguard the integrity of the Company.
If you provide us with specific categories of personal data, we process them on the basis of your consent (Art. 9 para. 2 lit. a GDPR).
In addition, we use your personal data in anonymous form for statistical purposes.
We do not intend to use your personal data for purposes other than those listed above. Otherwise, we will obtain your prior consent.
Technical implementation and security of your data
the reporting system includes an option for anonymous communication via an encrypted connection. When you use the reporting system, your IP address and your current location are not stored at any time. After sending a message, you will receive access data to the reporting system inbox so that you can continue to communicate with us in a secure manner.
We maintain appropriate technical measures to ensure data protection and confidentiality. The data you provide will be stored on a secure Speakfully database. All data stored on the database is encrypted by Speakfully using state-of-the-art technology.
Disclosure of personal data
The Company operates internationally and has locations in various countries within and outside the European Union. The stored data can only be inspected by authorised individuals within the Company. Insofar as this is necessary to fulfil the aforementioned purpose, authorised individuals from our subsidiaries may also be authorised to inspect the data. This would happen, for example, if the investigation of your report is carried out in the country concerned. All individuals authorised to inspect the report are obliged to maintain confidentiality.
In order to fulfil the aforementioned purpose, it may also be necessary for us to transfer your personal data to external bodies such as law firms, criminal or competition authorities, within or outside the European Union.
If we pass on your personal data within the group or externally, a uniform level of data protection is ensured by means of internal data protection regulations and/or corresponding contractual agreements. In all cases, the responsibility for data processing remains with the Company.
Finally, we transfer your personal data to Speakfully, in the U.S., to the extent described above for the technical implementation of the reporting system. For this purpose, we have concluded a data processing agreement with Speakfully to ensure data protection.
Duration of storage
We store personal data only as long as it is necessary for the processing of your report or we have a legitimate interest in the storage of your personal data. In addition, your personal data may be stored if this is required by European or national law to fulfil legal obligations, such as storage obligations. Subsequently, all personal data will be deleted, blocked or anonymised.
Your rights
If you have provided personal data, you have the right to information, correction and deletion of the personal data. You may also restrict the processing or request its transfer to another entity.
Furthermore, you have the right to object to the processing of your personal data at any time for reasons arising from your personal situation.
You have the right to withdraw your consent at any time. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of your consent until revoked.
You assert these rights by informing the person responsible or our data protection officer mentioned above. If you have asserted the right to correction, deletion or restriction of the processing of the personal data, we are obliged to inform all recipients to whom we have disclosed the personal data relating to you of this correction or deletion of the data or restriction of the processing, unless this proves to be impossible or involves disproportionate effort. Upon request, we will inform you of these recipients.
Finally, without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, workplace or place of presumed infringement, if you are of the opinion that the processing of your personal data is in breach of the GDPR.
Finally, without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, workplace or place of presumed infringement, if you are of the opinion that the processing of your personal data is in breach of the GDPR.