Privacy policy for the reporting system

I. Introduction

Safety plays a central role in the field of activity of SCHROTH Safety Products GmbH (hereinafter referred to as "SCHROTH", "we", "us" or "our"). Incidents, events, observations and technical faults can have serious consequences, which is why an effective reporting system is essential. The implementation of such a reporting system not only offers the opportunity to systematically record and analyze incidents, but also promotes a transparent corporate culture in which employees and third parties are encouraged to actively contribute to improving safety. They can submit their reports anonymously or by name. This creates a comprehensive picture of the security situation in the company, which is crucial for identifying risks and deriving preventative measures. In addition, a transparent reporting system contributes to compliance with legal requirements and regulations and supports the continuous improvement of processes and procedures.  

For reasons of better readability, the simultaneous use of the language forms male, female and diverse (m/f/d) is dispensed with. All personal designations apply equally to all genders.

II. Messages

1. Who can provide information?
Any person (internal or external) can report security-related incidents, events, technical faults, observations or suggestions for improvement.

2. Where can a report be submitted?

Reporting system from SCHROTH
You can submit your reports by text message via an online registration form on our website.

3. Can reports also be submitted anonymously?
An anonymous report, i.e. without providing personal data, is generally possible via our reporting system.

4. Which messages can be reported?
Safety-related incidents/events, such as accidents and serious incidents, near misses, technical faults and failures, observations as well as concerns and suggestions for improvement can be reported. These reports help the responsible departments to take the right measures to maintain safety and thus strengthen the overall safety system.

5. What details should be reported?

• Description of the facts.
• When did the incident take place?
• Location of the incident or event.
• Other details on the facts of the case.

You can also upload supporting documents.

6. What happens after the notification is received
Once your report has been received, it is recorded and validated. This includes checking that the information is complete, correct and relevant. The report is categorized according to the type and severity of the incident. Critical or urgent incidents are given high priority.

Safety officers or specialized teams analyze the cause and possible effects of the incident. The analysis often includes interviews with affected persons, technical investigations and the assessment of environmental factors.

Once the investigation has been completed, specific risk mitigation measures are defined. These can include technical corrections, training measures, process adjustments or recommendations. The measures include both short-term and long-term solutions to prevent similar incidents.

In order to promote an open safety culture, feedback is given on reports where possible. Employees or external parties learn what measures have been taken and how they contribute to improving safety.

The results and measures are documented and reports are prepared for internal audits. The implemented measures are constantly monitored in order to evaluate their effectiveness.

III. Data protection information on the reporting system

In connection with the reports, we take the protection of your personal data (hereinafter referred to as "data") very seriously. We treat your data - insofar as it is processed as part of your report - confidentially.

Below we inform you in accordance with Art. 13 and 14 of the EU General Data Protection Regulation (GDPR) about the processing of your data as part of our reporting system. We will only process your data in accordance with the applicable data protection regulations. These requirements result in particular from the GDPR and the German Federal Data Protection Act (BDSG). This data protection information supplements our general data protection information for employees and website visitors.

1. Who is responsible and data protection officer
The responsible body is SCHROTH Safety Products GmbH, Im Ohl 14, 59757 Arnsberg.

You can contact our external data protection officer on all data protection issues as follows:

Dirk-Michael Mülot
Expert office Mülot GmbH
Grüner Weg 80
48268 Greven
Germany
E-mail: datenschutz@svb-muelot.de

2. What data is processed?
In principle, you can submit your reports anonymously, i.e. without providing any data. However, you can voluntarily disclose your data, including details of your first and last name, your address, your telephone number, your e-mail address and your report. If you provide this or other data voluntarily, we will process it.

Special categories of personal data, such as information on ethnic origin, religious and/or ideological beliefs, trade union membership or sexual orientation, are not requested or processed by us. However, you can voluntarily provide such special categories of personal data.

The notification you submit may also contain data from third parties to whom you refer in your notification. These data subjects could comment on the information. In this case, we will inform the persons concerned about the report or the submitted report. Your confidentiality is also guaranteed in this case, as the person concerned will - as far as legally possible - not receive any information about your identity and your information will be used in such a way that your anonymity is not jeopardized.

Please note that it is often required by law that the persons who are the subject of a report must be notified and heard. During the investigation, these persons have the opportunity to present their views on the report. The data subject may have a right to information under applicable laws that could compel us to disclose your identity. Government agencies may also have similar rights of access or seizure that result in the disclosure of your identity. This may be the case in particular if the person concerned claims that the information provided against them is intentionally or grossly negligently untrue and then decides to press charges.

3. For what purposes is your data processed?
We process your data within the framework of the applicable laws, in particular for

• Ensuring security and meeting legal and regulatory requirements and compliance,
• Safety analysis and risk assessment,
• Clarification of incidents/events,
• Prevention of future incidents,
• Exercise of rights,
• Relief for employees,
• Implementation of duties to cooperate.

In addition, the purposes listed in the general data protection information for employees and website visitors may also be considered as possible purposes of data processing.

4. What is the legal basis for processing your data?
The collection, processing and disclosure of your data in the context of the notifications is carried out in accordance with the applicable data protection laws, including the GDPR and the BDSG.

Implementation of legal obligations: If the notification falls within the scope of certain regulations and laws, the legal basis for the processing of your data in connection with this notification is Art. 6 para. 1 lit. c) GDPR.

Safeguarding legitimate interests: In all other cases, the processing of your data in relation to a (potential) incident is based on our legitimate interest in investigating incidents, receiving incident reports and processing them in accordance with our standards and values (Art. 6 para. 1 lit. f) GDPR).

Consent: In addition, data may be processed on the basis of Art. 6 para. 1 lit. a) GDPR if the reporting person has given consent.

Processing of special categories of personal data: If, in exceptional cases, special categories of personal data are processed (sensitive data), the legal basis for the processing is Art. 9 GDPR and Section 22 BDSG.

We do not intend to use your data for purposes other than those mentioned above.

5. Who are the recipients of your data?
Initially, only authorized persons gain knowledge of the data transmitted by the person making the notification. Appropriate authorization systems and appropriate technical and organizational measures ensure that only the responsible persons have access to this data. The person from the specialist department responsible for processing the incidents internally and the representative are expressly obliged to maintain confidentiality.

Other recipients may be other companies in the SCHROTH Group. An exchange of data between the individual SCHROTH companies may therefore be necessary in order to process the incidents.

In order to fulfill the aforementioned purpose, it may also be necessary for us to transfer your data to third parties, such as law firms, authorities such as criminal, regulatory or competition authorities within or outside the EU/EEA.

Your data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the clarification of facts. In such a case, we ensure that the standard contractual clauses of the EU Commission are concluded with the recipient of the data and that all relevant additional guarantees are guaranteed. Otherwise, we do not transfer your data to countries outside the EU or the EEA or to international organizations.

6. How long will your data be stored?
Your data will be stored in accordance with the relevant laws, but at least for a period of 5 years to ensure thorough analysis and traceability In certain cases and for certain documents, a longer period may be appropriate, in particular if judicial or administrative proceedings are pending in connection with the reported incident or if it is a serious incident/event. Data may also be stored if this is required by European or national legislation to fulfill legal obligations, such as retention obligations. All data will then be deleted, blocked or anonymized.

7. What data protection rights do you have?
If we process your personal data, you have the right to the following to the extent permitted by law under the GDPR

• Information, in particular about stored data and processing purposes (Art. 15 GDPR),
• Correction of incorrect or completion of incomplete data (Art. 16 GDPR),
• Deletion of data that is no longer required (Art. 17 GDPR),
• Restriction of processing (Art. 18 GDPR),
• Objection to the processing (Art. 21 GDPR),
• data transfer, provided that processing is based on consent or is carried out for the performance of a contract or by automated means (Art. 20 GDPR), and
• Revocation of a consent given by you (Art. 7 para. 3 sentence 1 GDPR).
• Right to lodge a complaint with the supervisory authority (for SCHROTH: Landesbeauftragte für Datenschutz und Informationsfreiheit, Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Tel.: 0211/38424-0, E-Mail: poststelle@ldi.nrw.de)