The whistleblower system at BDO

For BDO, risk management and compliance mean adherence to human rights, all statutory regulations and professional standards, the relevant codes of conduct (BDO Code of Conduct, IDW and IESBA Code of Ethics) and the company's internal guidelines. BDO is aware of its special social responsibility. An effective risk management and compliance system is therefore a top priority for BDO. In order to meet this requirement, any misconduct must be identified at an early stage and remedied immediately.

BDO has therefore set up a whistleblower system, which both BDO employees and externals can use to submit reports. 

It guarantees the best possible protection for whistleblowers, those affected and other parties involved. The whistleblower system also offers the option of anonymous reporting and communication.

The following reporting channels are available for submitting a report.

BDO employees and external parties can submit a report confidentially via the digital whistleblower system. If desired, these reports can also be submitted anonymously. BDO's digital whistleblower system is available in German and English. 

The Head of Risk & Compliance is also willing to receive reports personally. He can be contacted as follows: 
Mr. André Grasedieck
Phone: +49 (0) 40 30 29 30
andre.grasedieck@bdo.de

Postal address: 
BDO AG Wirtschaftsprüfungsgesellschaft
Risk & Compliance
André Grasedieck 
Fuhlentwiete 12
20355 Hamburg

The Head of Risk & Compliance is also available for a personal meeting by prior arrangement. 

Further information on the digital whistleblower system and the processes behind it can be found in these rules of procedure. 

1. Purpose of the Rules of Procedure 

These rules of procedure govern the procedure following a report received. BDO also uses the whistleblower system as an early warning system to become aware of potential risks in its own business area or supply chain. 

The whistleblower system fulfills both the requirements of the Hinweisgeberschutzgesetz ("HinSchG") and the requirements relating to the complaints procedure under the Lieferkettensorgfaltspflichtengesetz ("LkSG").

The effectiveness of the procedure is reviewed annually and on an ad hoc basis. If necessary, adjustments are made to the procedure or to the preventive and corrective measures taken.

2. Confidentiality and protection of whistleblowers

Reports are processed by the Head of Risk & Compliance and the Head of Corporate Legal at BDO ("internal reporting channel"). In performing its duties, the internal reporting channel is impartial, independent, not bound by instructions and obliged to maintain confidentiality and to safeguard the rights of the whistleblowers and other affected parties. 

The clarification of the facts, discussion and examination of the information received is always strictly confidential. However, this does not apply in particular if a report is submitted in a grossly negligent or intentionally false manner, or if statutory duties to provide information to authorities or courts must be observed.

The digital whistleblower system enables communication with the whistleblower via an anonymous mailbox. Technical data that would allow conclusions to be drawn about the whistleblower (IP address, location data, device specifications, etc.) is not stored by the system. Personal data of the whistleblower is only collected if the whistleblower provides this data in the digital whistleblower system. If the whistleblower discloses their identity or the names of other persons in their report, this information will be treated confidentially during the further processing and follow-up of the report.

3. Procedure  

3.1 Receipt of the notification 

Once a report has been received, it is documented in the digital whistleblower system and forwarded to the internal reporting channel. 

After submitting their report, the whistleblower is shown a multi-digit code. This code must be kept in a safe place, as the code is required to log into the digital whistleblower system later and view the feedback. 

The whistleblower will be informed of the receipt of their report immediately, and at the latest within seven days.

3.2 Processing the notification 

The internal reporting channel deals with the submitted report, checks whether it falls within the scope of the digital whistleblower system, asks questions if necessary, clarifies the facts and takes follow-up action if necessary. 

3.3 Possible measures

As follow-up measures, the internal reporting channel may in particular conduct internal investigations and contact the persons and units concerned, refer the whistleblower to other competent bodies, close the proceedings for lack of evidence or for other reasons or hand them over for further investigation to either a) a department responsible for internal investigations or b) a competent authority.

If the internal reporting channel comes to the conclusion that a violation has occurred, a proposal for further action, including preventive and corrective measures, is drawn up. Where possible and necessary, the whistleblower is involved in this process. 

3.4 Feedback to the whistleblower

The whistleblower will receive feedback no later than three months after confirmation of receipt of the report. This includes notification of planned and already taken follow-up measures as well as the reasons for these or, if applicable, a reasoned notification that the case will not be pursued.

Feedback may only be provided to the whistleblower if this does not affect internal inquiries or investigations and the rights of the persons who are the subject of a report or who are named in the report are not impaired.

3.5 Conclusion of the procedure

Once the procedure has been completed, the whistleblower will be informed.  

The processing time of a procedure varies depending on the complexity of the matter and can therefore take anywhere from a few days to several months. 

Controller

For data collection and processing,

  • BDO AG Wirtschaftsprüfungsgesellschaft,
  • BDO Oldenburg GmbH & Co KG Wirtschaftsprüfungsgesellschaft,
  • BDO DPI AG Wirtschaftsprüfungsgesellschaft
  • BDO Recovery & Capital Advisors GmbH Wirtschaftsprüfungsgesellschaft or
  • BDO Restructuring GmbH
  • BDO Concunia GmbH Wirtschaftsprüfungsgesellschaft
  • VICO Research & Consulting GmbH
  • BDO DIGITAL GmbH
  • BDO Cyber Security GmbH

are responsible to their respective business partners (clients, prospective clients, suppliers) as well as to their respective website visitors. The following information applies to all of these companies alike, which for convenience will hereinafter collectively be referred to as "BDO".  

Contact details of our Data Protection Officer 

You can contact our data protection officer as follows:

Peter Suhren
FIRST PRIVACY GmbH
Konsul-Smidt-Str. 88
28217 Bremen
Phone: +49 421 69 66 32 80
office@first-privacy.com 

Introduction and general information on data processing 

The reporting channel was set up on the basis of the applicable statutory regulations, in particular Section 14 (2) HinSchG, Section 8 LkSG, Section 6 (5) GwG and Section 55b (2) No. 7 WPO. 

The use of the Portal may involve the processing of personal data, the protection of which is extremely important to us. Therefore, we treat personal data confidentially and comply with the statutory provisions on data protection, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

This privacy policy is intended to inform you about the nature, scope and purpose of the collection and use of personal data by us as the aforementioned responsible party. 

A. Scope of the processing of personal data 

As a matter of principle, we only collect personal data whose processing is either required by law, contractually agreed, necessary for the conclusion and performance of the contract or voluntarily provided to us on the basis of consent. 

B. Legal basis for the processing of personal data 

1. Data processing based on consent 

Only in the event that we decide in individual cases, with your prior express consent, to record a report made by telephone, will the processing of personal data be based on consent in accordance with Art. 6 (1) (a) GDPR. 

2. Data processing for the protection of legitimate interests 

We process personal data in accordance with Art. 6 (1) (f) GDPR to protect legitimate interests, in particular the interest in following up information on rule violations and carrying out investigations, if the further requirements of Art. 6 (1) (f) GDPR are met, i.e. if our interests in data processing or the interests of a third party outweigh the interests or fundamental rights and freedoms of the data subject(s) in the individual case.

Furthermore, we use the personal data if and insofar as this is necessary to protect legitimate legal interests, e.g. for the defense and enforcement of claims. In this respect, data processing is also based on Art. 6 (1) (f) GDPR. 

If and to the extent necessary, we process personal data to enable the detection of criminal offences committed by employees where there are factual indications of such offences (Art. 6 (1) (f) GDPR, Section 26 (1) sentence 2 BDSG).

3. Data processing for the fulfilment of legal obligations 

If and to the extent necessary, we process personal data in order to be able to comply with any statutory obligations. In this case, data processing is based on Art. 6 (1) (c) GDPR. These obligations may arise from Section 10 HinSchG, Section 8 LkSG, Section 6 (5) GwG and Section 55b (2) No. 7 WPO, insofar as the respective scope of application applies.

4. Processing of personal data for the protection of vital interests

In the event that your vital interests or those of another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis. 

C. Data deletion and storage duration 

Within the digital whistleblowing system, the report and the associated communication are deleted three months after the conclusion of the procedure. Notwithstanding this, the internal reporting channel documents the process elsewhere, in a read-only and access-protected manner, for two years after the conclusion of the procedure. This retention period is required by law.

A different storage period applies to the deletion of log files in connection with visits to the Portal (see section E). 

D. Security through the use of TLS/SSL 

We use current secure technologies, in particular "Transport Layer Security" (TLS) transmission (previously also known as "Secure Socket Layer" (SSL) transmission). All information and data transmitted using these secure methods is encrypted before it is sent to us. We would like to point out that encryption using these technical methods only works if the corresponding technical settings have also been enabled on your side.

E. Provision of the portal 

The digital whistleblowing system is provided on a contractual basis by BDO in Denmark and is based on the open source software "GlobaLeaks". BDO in Denmark provides technical support for the system. The colleagues at BDO in Denmark also have no access to the content of the actual reports and cannot trace the sender. 

The processing of the data takes place exclusively in the territory of the Federal Republic of Germany, in a member state of the European Union (EU) or in a signatory state to the Agreement on the European Economic Area (EEA). 

F. User data input 

As a user of the portal, you can choose

  • to submit a completely anonymous report;
  • to add personal information to your report;
  • whether you wish to provide personal data of participants and/or witnesses;
  • whether you want to upload documents to your report.

1. Anonymous report 

If you submit an anonymous report, you merely state which company your report concerns and the content of your report. In this case, we do not collect any personal data relating to you, such as your name, telephone number or e-mail address. 

2. Personal data and disclosure 

In addition to the above information, you can provide us with your name, your position in the company, your e-mail address and your telephone number so that we can contact you if we have any questions about your report. The provision of this personal data is voluntary.  

The collection and storage of this personal data is based on your consent in accordance with Art. 6 (1) (a) GDPR, which you give us when you provide the relevant information in your notification. 

If your data is transferred to a company outside the European Union (EU) or the European Economic Area (EEA) and there is no adequacy decision by the EU Commission pursuant to Art. 45 (1) GDPR for the respective third country, you consent to the transfer of your personal data to the respective third country pursuant to Art. 49 (1) (a) GDPR. In this context, we would like to point out that in some third countries (e.g. India, China) it can be assumed that the level of data protection is not comparable to that in the EU and your data may be exposed to access by authorities and secret services there. 

Your consent can be revoked at any time. Please send the revocation to our email address Menschenrechtsbeauftragter@bdo.de. Please note, however, that the legality of the data processing is not affected by the revocation until it is received. 

3. Concretization of your information and naming of parties involved and witnesses 

In addition, you can name other persons who have knowledge of the incident to be reported and list those involved and witnesses. Depending on the scope of the information you provide, their name, company, relationship to the company and their contact and address data will be stored and transmitted.  

The processing and transfer of personal data of participants and witnesses is based on Art. 6 (1) (c) GDPR. Companies are legally obliged by the HinSchG, the LkSG, the GwG and the WPO to set up reporting channels. According to Section 10 HinSchG, Section 8 LkSG, Section 6 (5) GwG and Section 55b (2) No. 7 WPO, the processing of personal data is permitted insofar as this is necessary to fulfil the tasks of the reporting offices. Our tasks as a reporting office include, among other things, the examination of the report, its assessment and the subsequent recommendation to the company we represent. This may require the processing of personal data of other parties involved and of witnesses.

The data processing by the company represented by us and, if applicable, the company concerned is based on Art. 6 (1) (f) GDPR. The legitimate interest results from the avoidance of legal consequences (e.g. through criminal prosecution), claims for damages and other damages (including damage to image). 

In the event of a threatened violation of internal company guidelines, data processing on the basis of Art. 6 (1) (f) GDPR only takes place if this violation is likely to result in damage. 

We will only transfer the personal data of participants and/or witnesses to companies outside the EU/EEA if we are authorized to do so pursuant to Art. 44 et seq. GDPR. In all other cases, we will not transfer this data to companies in third countries.  

4. Uploaded documents 

Documents uploaded by you to the Portal may also contain personal data. This may include personal data relating to you as well as data relating to parties involved or witnesses. 

If you wish to submit an anonymous report, we recommend that you make the personal data contained in uploaded documents unrecognizable in advance (e.g. by redaction). Please note that personal data is not only data that directly identifies a natural person (e.g. by name), but also data that makes a natural person identifiable only through the addition of further, not necessarily personal information. 

If you have at the same time provided further information about yourself and have thus consented to data processing and disclosure, the processing/transfer of your personal data, which may also be contained in uploaded documents, also falls under Art. 6 (1) (a) GDPR (see section F, 2.). If the uploaded documents contain personal data of participants and/or witnesses, the data processing and transfer is based on Art. 6 (1) (c) GDPR or Art. 6 (1) (f) GDPR (see section F, 3.). 

G. Data recipient 

In addition to companies to which your personal data is transferred with your consent, your data may also be transferred to external service providers (e.g. companies that destroy or archive data, cloud providers). We only transfer your data to third parties if a data protection-related transfer authorization exists. 

The transfer of data to third parties is based either on the fulfilment of legal obligations, on legitimate interests or on the basis of any consent given. If the external service provider acts as a processor, the data transfer takes place within the framework of a data processing agreement. 

If a data transfer to processors in countries outside the EU/EEA should be necessary, this will take place on the basis of the EU standard contractual clauses or to countries with regard to which an EU adequacy decision is available.  

H. Your rights as a data subject 

Data subjects have the right to obtain information from each data controller about their personal data and to have inaccurate data corrected or deleted for any of the reasons stated in Art. 17 GDPR, e.g. if the data is no longer required for the purposes for which it was collected. Furthermore, data subjects have a right to restriction of processing if one of the conditions specified in Art. 18 GDPR is satisfied and, in the cases defined in Art. 20 GDPR, a right to data portability.

If data is collected on the basis of Art. 6 (1) (f) GDPR (data processing to protect legitimate interests), the data subject has the right to object to the processing of such data at any time for reasons related to his or her particular situation. We will then no longer process such personal data unless it can be shown that there are compelling, legally protected reasons for the processing that outweigh the interests, rights and freedoms of the data subject, or the data is processed to establish, exercise or defend legal claims.

Consent may be revoked at any time without thereby affecting the lawfulness of any data processing that has taken place prior to revocation. If consent is revoked, we will stop processing the data involved.

I. Right to Lodge Complaint 

Each data subject has the right to lodge a complaint with a supervisory authority if he or she believes that the processing of his or her personal data violates data protection law. The right to lodge a complaint may be exercised in particular before a supervisory authority in the EU member state in which the data subject resides or at the place where the alleged violation occurred. In Hamburg this is the Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg.

Status: December 2023