Legal information on the use of the internal whistleblowing system

bc GmbH has implemented an internal whistleblower system to detect and prevent violations of applicable law as well as company policies based on the EU Directive 2019/1937 on the protection of persons who report a violation of Union law.

As a matter of principle, reporting via the whistleblower system should only be the last of all possible communication channels. Priority should always be given to the direct route to the manager or the HR department, or for business partners and external whistleblowers, to the contact person in the company or the management. If this is not possible for valid reasons, the reporting system is another option for reporting violations or misconduct.

The reporting system was set up by CYBERLEGIS RA-GmbH for bc GmbH and is also maintained by the law firm. All employees of the law firm are bound to professional secrecy and do not work according to instructions. Employees who are not bound to secrecy by professional law are contractually bound to secrecy.

This reporting system is available to employees, customers, suppliers and business partners. Reports can be made in writing or verbally:

Phone: +49 (0)89 2441760 76

E-Mail: bike-components@whistleblowing-cyberlegis.io

By mail: CYBERLEGIS RA-GmbH, Whistleblowing, Maximilianstraße 13, 80539 Munich, Germany

bc GmbH has no access to these reports. In the first step, the reports are processed exclusively by CYBERLEGIS RA-GmbH.

All detailed information about the whistleblowing system operated by CYBERLEGIS RA-GmbH can be found here:

Privacy policy of CYBERLEGIS in connection with whistleblowers

Data protection is a matter of trust. Your trust is a core value for CYBERLEGIS ("CYBERLEGIS" and/or "we" and/or "us"). This privacy policy ("Privacy Policy") is based on the EU General Data Protection Regulation ("GDPR") - even if the GDPR does not apply. This ensures a high level of protection for individuals whose personal data CYBERLEGIS processes in connection with whistleblowers and the use of CYBERLEGIS as an internal reporting office in accordance with the Whistleblower Protection Act. This privacy policy therefore applies to you as a whistleblower and your personal data.

We may change this privacy policy at any time. For your use of the CYBERLEGIS internal reporting system and your reports as a whistleblower, the version in effect at the time of your report will apply.

1.      About us

CYBERLEGIS is the controller of your personal data in accordance with this privacy policy. If you have any questions in connection with the processing of your personal data, you can contact CYBERLEGIS, Managing Director Robert Niedermeier, directly at the e-mail address compliance@cyberlegis.io or in writing at the address CYBERLEGIS Rechtsanwaltsgesellschaft mbH, Maximilianstrasse 13, 80539 Munich. The general privacy policy of CYBERLEGIS at https://cyberlegis.legal/privacy-policy/ describes further processing operations of CYBERLEGIS.

2.      Personal data processed by us

In principle, the whistleblower system internal hotline can be used - to the extent permitted by law - without providing your personal data. However, you can voluntarily disclose your personal data as part of a whistleblowing procedure. This applies in particular to information about your identity, such as your first and last name, country of residence, telephone number and e-mail address.

In principle, we do not request or process any special categories of personal data (so-called sensitive data or particularly sensitive personal data), such as information about your ancestry or ethnic origin, your religious and/or ideological beliefs, your membership in trade unions or your sexual orientation. However, you may voluntarily disclose such special categories of personal data when contacting us.

Your statement may also contain personal data of third parties to which you refer. The data subjects will be given the opportunity to comment on this information. In this case, we will inform the data subjects about the declaration. In doing so, however, we will ensure confidentiality, as the data subject will not receive any information about your identity - to the extent permitted by law. Your information will therefore be used while maintaining your anonymity.

3.      Purpose and legal basis of processing

You can contact us via the internal whistleblower system to report compliance or legal violations. We process your personal data to review your report via the whistleblower system and to investigate suspected compliance or legal violations. In this context, we may have questions for you. For this purpose, we will communicate with you exclusively via the whistleblower system internal reporting office - unless you have expressly consented to other forms of communication. The confidentiality of the information you provide is our highest priority and is therefore guaranteed.

Your personal data will be processed in accordance with and on the basis of your consent when making a report via the whistleblowing system internal hotline - (Article Ab. 1, letter a GDPR). Furthermore, we process your personal data to the extent necessary to comply with our legal obligations. This relates in particular to the reporting of matters relevant under criminal law, competition law and employment law (Article 6, Ab. 1, Letter c GDPR). Your personal data will also be processed if this is necessary to safeguard the legitimate interests of CYBERLEGIS, our client or a third party (Article 6, Ab. 1, Letter f GDPR). We have a legitimate interest in processing personal data to prevent and detect breaches within our client's companies, to check the lawfulness of internal procedures and to protect their integrity.

If you provide us with special categories of personal data (e.g. sensitive data), we process them on the basis of your consent (Article 9, Paragraph 2, Letter a GDPR).

We intend to use your personal data only for the purposes stated above. Otherwise, we will obtain your prior consent.

 

4.      Technical execution and security of your data

The whistleblower system internal hotline offers the possibility of anonymous communication. Your

CYBERLEGIS takes appropriate technical and organizational measures to ensure data protection and confidentiality and continuously adapts them to the advancing technical development. The data you provide is also stored in a specially secured database, ensuring client separation. CYBERLEGIS encrypts all data stored in the database according to the latest state of the art.

5.      Disclosure of personal data

CYBERLEGIS is an internationally active law firm operating in various countries within and outside the European Union. All legal regulations for compliance with the GDPR are adhered to by CYBERLEGIS according to the state of the art.

The stored data can only be processed by specially authorized persons within CYBERLEGIS. All persons authorized to review data expressly undertake to maintain confidentiality.

In order to fulfill the above purpose, it may be necessary for us to share your personal data with external entities inside and outside the European Union, such as law firms or law enforcement or competition authorities.

If we share your personal data within the Group or externally, internal data protection regulations and/or corresponding contractual agreements ensure a consistent level of data protection. In any case, CYBERLEGIS remains responsible for the data processing.

Finally, we disclose your personal data to our client - internal reporting office within the scope of technical execution to the extent described above. If you have any questions regarding the processing of your data, please contact CYBERLEGIS at compliance@cyberlegis.io.

6.      Duration of storage

We store personal data as long as this is necessary for the processing of your message or as long as we have a legitimate interest in storing your personal data. Storage may also take place in order to comply with legal obligations, such as storage obligations, if this is provided for under European or national laws. All personal data will then be deleted, blocked or anonymized.

7.      Your rights

If you have provided us with your personal data, you have the right to information, rectification and erasure with regard to this personal data. You may also restrict the processing or request that it be transferred to another controller. Furthermore, you are entitled at any time to refuse the processing of your personal data for reasons related to your particular situation. You are entitled to revoke your consent at any time. If you revoke your consent, this will not affect the lawfulness of the processing carried out until then on the basis of the consent.

You exercise these rights by notifying the CYBERLEGIS data protection team at compliance@cyberlegis.io. If you exercise your right to rectification, erasure or restriction of your personal data, we are obliged to inform all recipients to whom we have disclosed your personal data about this rectification, erasure or restriction of processing, unless this is impracticable or involves an unreasonable effort. CYBERLEGIS will inform you of these recipients upon request.

Finally, if you consider that the processing of your personal data infringes the GDPR, you are entitled, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the member state or federal state of your residence, workplace or the alleged infringement.

 

Version: 19.12.2023