
The Grant Thornton Germany Whistleblowing System

Compliance means complying with requirements. More narrowly, this refers to companies and their workers complying with the law and observing legislation and regulations. It also includes aspects such as integrity, honesty and business ethics.

For us at Grant Thornton Germany, compliance means observing human rights, all legal provisions and professional regulations, the relevant codes of conduct (codes of conduct of Grant Thornton Germany, the Institute of Public Auditors in Germany [IDW] and IESBA) and internal policies.

We realise that even the best compliance system cannot prevent all misconduct. But this does not mean that we tolerate such misconduct. Rather, we aspire to clear up and resolve it as much as possible and learn from it for the future. This is the only way we can continually improve our compliance system and reduce the likelihood of future misconduct.

On our internal whistleblower system, both workers at Grant Thornton Germany (“internal whistleblowers”) and external whistleblowers can make reports and complaints. The digital whistleblower system allows reporting and communication to be anonymous. The whistleblower system is at the same time also the place to report breaches of the law. Potential infringements of the German Supply Chain Due Diligence Act [Lieferkettensorgfaltspflichtengesetz – LkSG] can be reported on it.

The following internal and external channels are available for making a disclosure or a complaint:

Using this system, whistleblowers may report incidences of non-compliance confidentially, or anonymously if desired. The disclosure is sent directly to our Legal & Compliance staff. At the same time, the whistleblower system enables the whistleblower and Legal & Compliance staff to communicate, while ensuring the whistleblower remains anonymous. The Grant Thornton Germany whistleblower system is available in German and English. 


Apart from the online whistleblower system, written reports may also be handed in to:

Grant Thornton AG
Wirtschaftsprüfungsgesellschaft
Legal & Compliance / confidential 
Johannstraße 39
40476 Düsseldorf

The following email address may also be used for disclosures: compliance@de.gt.com

The Legal & Compliance contacts are also available for a personal conversation on prior arrangement, including by video or voice call if desired.

You can find more information on the digital whistleblower system and the complaints procedure behind it in this policy. 

1. Purpose of this investigations policy 

This investigations policy regulates the investigation that follows when a disclosure is received. Grant Thornton Germany also considers its whistleblower system as an early warning system to become aware of potential risks within its own area of business or its supply chain.

The whistleblower system fulfils both the requirements of the Whistleblower Protection Act [Hinweisgeberschutzgesetz – HinSchG] and the complaints procedure pursuant to the Supply Chain Due Diligence Act.

The validity of the complaints procedure is reviewed annually and on particular events. Adjustments to the policy and any preventive or remedial measures are made as needed.

2. Confidentiality and protection of whistleblowers

Disclosures are processed by the responsible Legal & Compliance contact at Grant Thornton AG Wirtschaftsprüfungsgesellschaft (“internal reporting point”). The internal reporting point fulfils its responsibilities impartially, independently and free from instruction, and is obliged to maintain confidentiality and observe the rights of the whistleblowers and other affected persons.

Disclosures are always investigated, discussed and examined in strict confidentiality. This does not apply, however, if a report is submitted with gross negligence or is intentionally false, or if statutory duties to provide information to authorities or courts must be complied with.

The digital whistleblower system allows communication with whistleblowers via an anonymous mailbox. The system does not store technical data that allow conclusions to be drawn about whistleblowers (IP address, location data, device specifications, etc.). Whistleblowers’ personal data are only collected if the whistleblowers enter these data in the digital whistleblower system. If whistleblowers disclose their identity or name other persons in their disclosure, this information is treated confidentially in further processing and following up of the disclosure.

3. Investigation procedure

3.1 Receiving a report

When a report is received, it is recorded in the digital whistleblower system and forwarded to the internal reporting point. After submitting the report, the whistleblower is shown an ID and a password on the screen. This information should be kept in a safe place because it will be needed later to log into the digital whistleblower system.

Whistleblowers are notified immediately that their report has been received, and within seven days at the latest.

3.2 Processing the report 

The internal reporting point will consider the report, examine whether it comes within the scope of use of the digital whistleblower system, ask any questions, investigate the matter and take any follow-up measures.

3.3 Potential measures

Follow-up measures that the internal reporting point may take include carrying out internal inquiries and contacting persons and entities concerned, referring the whistleblowers to other responsible bodies, concluding the investigation owing to a lack of evidence or for other reasons or for the purpose of passing further inquiries on to either: a) a department responsible for internal investigations or b) a responsible authority.  

If the internal reporting point is convinced that misconduct has taken place, a proposal for further action is developed, including preventive and remedial measures. Whistleblowers are included in this process as much as possible and necessary. 

3.4 Response to whistleblowers

A response will be given to whistleblowers three months at the latest after confirmation of receiving the report. This includes notification of planned follow-up measures as well as those already taken and the reasons for these or a notification giving reasons why action is not being taken.

Whistleblowers may only be notified if this does not affect internal investigations or inquiries and does not affect the rights of persons who are the subject of a report or are named in the report.

3.5 Conclusion of the investigation

Whistleblowers will be informed when the investigation has been concluded.  

The time taken to process an investigation varies by the complexity of the matter and can therefore take a few days or several months.

Thank you for visiting the Grant Thornton group of companies¹ (“GT” or “we”) webpage on the use of our whistleblower system. We consider the security and protection of data when using our website to be very important. We would therefore like to let you know what kind of personal data we collect when you visit our website and what purposes we use them for.

I. Name and address of the controller
The controller within the meaning of the EU General Data Protection Regulation (“GDPR”) and of other national data protection legislation (in Germany, the Federal Data Protection Act [Bundesdatenschutzgesetz], “BDSG”) of the Member States and of other data protection regulations is:

Main controller 

Grant Thornton AG
Wirtschaftsprüfungsgesellschaft
Johannstraße 39
40476 Düsseldorf

Tel: +49 211 9524 0
Email: request@de.gt.com    

You can find detailed contact information on the subsidiary controller Grant Thornton Rechtsanwaltsgesellschaft mbH at Grant Thornton Rechtsanwaltsgesellschaft mbH.

II. Data protection officer contact information

CONCEPTEC GmbH
Thorsten Werning (certified DPO)
Bleichstraße 5
45468 Mülheim an der Ruhr

Tel: (0208) 69609-0
Fax: (0208) 69609-190

Email: Datenschutzbeauftragter@de.gt.com
www.CONCEPTEC.de
www.kompetenzzentrum-datenschutz.de 

III. General information on data processing
Personal data means any information which can be used to learn personal or factual circumstances about you (e.g. name, address, telephone number, date of birth or email address). Data that do not allow us to deduce information about your person (or only with disproportionate effort), e.g. anonymised information, are not personal data. The processing of personal data (e.g. collection, recording, consultation, use, storage or transmission) always requires a legal basis or your consent. Processed personal data are erased as soon as the purpose of the processing has been achieved and no legally prescribed retention duties must be observed.

IV. Data collection through use of the whistleblower system
1. Description and scope of data processing

Using our reporting procedure, disclosures can be made anonymously. To make a disclosure on our whistleblower portal all that is needed is to state the place, time and background to be reported in the description of your concern. Your report will be sent in an encrypted and pseudonymised format, i.e. it is not assigned to a user and your metadata are removed. You can, however, voluntarily disclose personal data about your person as part of the reporting process. If you do not disclose any data about your person, the case processors will have no way to relate it to you.

When you have registered (selecting your own user name and password), we only process such personal data in using our whistleblower system as you, the whistleblower, provide to us when making the disclosure. This may include named persons, address information or information on personal circumstances. Furthermore, the whistleblower system does not process any personal data that the whistleblower does not consciously provide to us.

These data are not combined with other sources of data. The registration data (user name and password) are also not linked to an email address, so it is not possible to reset the password you have selected.

2. Purpose of data processing and legal bases

We have implemented a whistleblower system in order to comply with laws, regulations and internal policies and to be able to rapidly identify, process and eliminate misconduct without unreasonable delay.

Establishing the whistleblower system is to fulfil our legal duties under Art. 6(1)(c) of the GDPR in conjunction with Directive (EU) 2019/1937 (the “EU Whistleblower Directive”) and to implement internal compliance measures to detect breaches of duties under employment law (Section 26(1) sentence 1 BDSG) and to detect crimes (Section 26(1) sentence 2 BDSG). We otherwise base the processing of personal data on our legitimate interest of appropriately preventing and combating corruption under Art. 6(1)(f) of the GDPR. By submitting the report form, whistleblowers declare their consent to the processing of the data (Art. 6(1)(a) GDPR).

3. Storage duration

Personal data that we receive via our whistleblower system are stored for the duration necessary to investigate and conclusively assess the disclosure. After investigations have been concluded, the personal data are erased within an appropriate period, as a rule one month, in compliance with the statutory regulations. If court and/or disciplinary proceedings are initiated, they may be stored until conclusion of the proceedings or until the deadlines for legal remedies expire. Personal data related to disclosures that are baseless will be erased without unreasonable delay.

Based on our storage and documentation duties, we store your information (outside our whistleblower system) on servers at a high-security server centre in Germany that is certified under ISO-27701.

If an allegation made in a disclosure cannot be proven, all personal data within the case are anonymised.

4. Recipients of personal data

Your personal data will only be disclosed in compliance with the duty to keep confidentiality of Section 50 of the Public Accountant Act [Wirtschaftsprüferordnung – WPO] and only as permitted by a legal basis. Within the Grant Thornton group of companies, only authorised staff receive access to your data, in order to investigate the allegations in your disclosure. Your personal data are not disclosed in any other way.

5. Right to withdrawal of consent (Art. 7(3) GDPR)

You can find information on how to exercise withdrawal of the consent you have given in Section VI.7.

V. Technically necessary data collection on the website
1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the system of the accessing computer. These include:

  • account data and user name
  • IP address
  • browser type and browser version
  • transient cookies: language setting and session ID

2. Purpose of data processing and legal bases

The temporary storage by the system of technically necessary log files, transient cookies and the IP address is necessary to allow the website to be provided to your computer. To do this your IP address must be stored for the duration of the session.

Log files are stored to ensure the functionality of the website. The data also allow us to safeguard the security of our IT systems.

The legal basis for the storage of the technically necessary log files, transient cookies and IP address is based on our legitimate interest pursuant to Art. 6(1)(f) of the GDPR.

3. Storage duration

The log files and IP address are stored for such time as is necessary to achieve legitimate purposes. Transient cookies are automatically erased when you close your browser. This particularly includes session cookies. These store a session ID which allows different queries from your browser to be attributed to the same session. In this way, your computer can be recognised again when you return to our website.

4. Maintaining your anonymity

If you have decided to make an anonymous disclosure, the whistleblower system does not provide any way for the log files to jeopardise your anonymity using data from the database or your IP address.

VI. Rights of data subjects
We would like to inform you of your rights as a data subject as follows:

1. Right of access under Art. 15 GDPR

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed.

2. Right to rectification under Art. 16 GDPR

You have a right vis-à-vis the controller to rectification and/or to have incomplete personal data completed if the processed personal data concerning you are inaccurate or incomplete. The controller is to rectify them without unreasonable delay.

3. Right to erasure under Art. 17 GDPR

You have the right to obtain from the controller the erasure of personal data concerning you without unreasonable delay and the controller is obliged to erase personal data without unreasonable delay unless one of the exceptions laid down by the GDPR applies or other statutory retention duties require us to keep the relevant data.

4. Right to restriction of processing under Art. 18 GDPR

You may obtain from the controller restriction of processing of the personal data concerning you under the following conditions laid down by the GDPR.

5. Right to data portability under Art. 20 GDPR

You have the right to receive the personal data concerning you which you provided to the controller in a structured, commonly used and machine-readable format and which is based on consent or on a contract with you. Based on the conditions laid down by the GDPR, you also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.

6. Right to object under Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

7. Right to withdraw consent under Art. 7(3) GDPR

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In this case, all personal data stored based on consent shall be erased unless another legal basis for continued storage exists under the law.

To withdraw your consent please see the contact information under Section II.

VII. Duty to provide data
When using our whistleblower system, you only need to provide the information necessary to process and follow up your disclosure. If you do not supply the information necessary to resolve the allegations properly, we will probably not be able to resolve the issue.

VIII. Profiling/Profile creation
We do not process your data in an automated manner to evaluate certain personal aspects (“profiling” pursuant to Art. 4(4) GDPR). We do not use profiling.

IX. Automated individual decision-making
We do not use automated decision-making pursuant to Art. 22 of the GDPR.

X. Right to lodge a complaint
In the case of infringements against data protection regulations, data subjects have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedies.

Our data protection supervision authority

Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf

Tel: +49 (0)211 38424-0
Fax: +49 (0)211 38424-999
Email: poststelle@ldi.nrw.de 

www.ldi.nrw.de 

You can find the contact information of other data protection supervisory authorities in Germany by following this link:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html 

Further information
We value the trust you place in us. We therefore intend to be available to you at all times to answer your questions about the processing of your personal data. If you have any questions that this privacy policy has not been able to answer or if you would like more information on any point, please contact our data protection officer at the following email address: 

Datenschutzbeauftragter@de.gt.com

We reserve the right to amend this privacy policy from time to time upon further development of data protection legislation or technological or organisational changes and will notify you of all major changes that will have an effect on the use of your personal data. This privacy policy was updated in October 2024.
 
¹This includes the following controllers: Grant Thornton AG and Grant Thornton Rechtsanwaltsgesellschaft mbH.