Data Privacy
Data Protection Information in accordance with Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR)
Information on confidentiality in accordance with the Whistleblower Protection Act (HinSchG)
1. Name and contact details of the controller, Data Protection, contact point of the joint controllers
1.1. The internal reporting centre is operated by Hannover Rück SE, Karl-Wiechert-Allee 50, 30625 Hannover, and E+S Rückversicherung AG, ibid., as joint controllers within the meaning of Art. 26 GDPR.
1.2. You can contact our Data Protection Officer by post at the above address with the addition - Data Protection Officer - or by e-mail via our data protection group mailbox at datenschutz[at]hannover-re.com.
1.3. The Data Protection Officer is also the point of contact for data subject rights within the meaning of Art. 26 para. 2 sentence 2 GDPR and for questions of joint responsibility.
2. Purpose of data processing
2.1. Fulfilment of obligations in accordance with the whistleblower protection system. Receipt and further processing of the report to initiate any necessary follow-up measures.
2.2. In addition, further purposes arise from individual standards of the Whistleblower Protection Act, including Section 11 (documentation and storage of the report), Section 17 (procedure for internal reports) and Section 18 (follow-up measures by internal reporting centres).
3. Categories of affected persons
3.1. Employees of the Hannover Re Group, but also business partners or other third parties may be potentially affected by a report ("reported person").
3.2. However, persons who are named in the report, e.g. as witnesses ("persons involved"), may also be affected by a report.
4. Categories of Personal Data that are processed
4.1. The Personal Data of the notifying party (name, address, date of birth, telephone number, e-mail address) will be processed if it has been provided by the notifying party, as will the Personal Data of other persons concerned, insofar as this data is required for processing in accordance with the legal requirements.
4.2. The subject of the report can be information about criminal offences, such as disregarding the right to sexual self-determination, or information relating to violations of regulations subject to fines that relate to the protection of life, limb or health or the protection of employees' rights. Furthermore, violations of German law, but also of directly applicable European Union law, can be the subject of a report. This includes, in particular, areas of law such as money laundering, terrorist financing, environmental protection requirements, consumer protection regulations, IT security requirements, data protection regulations, but also violations of internal compliance guidelines or the General Equal Treatment Act, if and to the extent that they affect the company or are related to it.
5. Legal basis or bases of the processing
The legal basis for the processing of Personal Data is Art. 6 para. 1 lit. c) GDPR and Section 10 HinSchG. If Personal Data is processed on the basis of a legitimate interest, the legal basis is Art. 6 para. 1 lit. f) GDPR.
6. Intention to transfer to a third country or an international organisation
Transfers to third countries or international organisations are not envisaged.
7. Duration of storage or criteria for determining this duration
7.1. Data that is processed in the context of reports is generally stored for the duration of the respective internal investigation procedure, alternatively until the conclusion of any subsequent (official) procedures in the active database or, in the case of consent, until it is revoked. The storage period may be extended if the data is required for the assertion, exercise or defence against legal claims; the necessity of the storage period is determined on a case-by-case basis.
7.2. Otherwise, the data is stored in accordance with the statutory regulations to which the company is subject. This includes, in particular, the storage of data collected as part of the internal reporting procedure; the storage period here is three years after completion of the reporting procedure, Section 11 (5) HinSchG. In addition, data may be stored for a period of up to ten years in accordance with Article 6 para. 1 sentence 1 lit. c GDPR due to retention and documentation obligations under tax and commercial law (e.g. from the German Commercial Code (HGB), German Criminal Code (StGB) or German Fiscal Code (AO)) or storage based on the provisions of the German Civil Code (BGB).
8. Consequences of not providing Personal Data
You are not obliged to provide Personal Data. You only need to provide the data that is required to carry out the procedure or that the company is legally obliged to collect. Anonymous reports are permitted, either within the system (there are instructions in several places, and anonymity is guaranteed e.g. by the technical default settings) or outside the system via a telephone message with number suppression. Without the data, the company will not be able to issue the notifications or feedback required under the HinSchG, for example.
9. Rights of data subjects
You can request information about the Personal Data stored about you at the above address. In addition, under certain conditions, you can request the correction or deletion of your data. You may also have the right to restrict the processing of your data and the right to receive the data you have provided in a structured, commonly used and machine-readable format. You can revoke your consent at any time with effect for the future.
10. Right of objection
If we process your data to protect legitimate interests, you can object to this processing by contacting our Data Protection Officer at the above address if your particular situation gives rise to reasons that speak against data processing. We will then no longer process your Personal Data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.
11. Right of appeal
You have the option of lodging a complaint with the Data Protection Officer named under point 1 or with a competent data protection supervisory authority.
The data protection supervisory authority responsible for us is
The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hanover
Telephone: +49 (0511) 120 45 00
Fax: +49 (0511) 120 45 99
E-Mail: poststelle[at]lfd.niedersachsen.de
12. Information on confidentiality in accordance with the Whistleblower Protection Act (HinSchG)
12.1. According to § 8 HinSchG, reports are subject to a high degree of confidentiality. The confidentiality of the identity of the following persons must be maintained:
- of the whistleblower, provided that the reported information concerns violations that fall within the scope of this Act or the whistleblower had reasonable grounds to believe that this was the case at the time of the report,
- the persons who are the subject of a notification, and
- the other persons named in the notification.
12.2. The identity of the persons named in points 1-3 will only be known to the persons responsible for receiving reports or for taking follow-up measures, as well as to the persons supporting them in the fulfilment of these tasks.
13. Exceptions to the protection of the whistleblower's confidentiality
13.1. There is no confidentiality obligation for the identity of a whistleblower if he or she intentionally or grossly negligently reports incorrect information about offences.
13.2. Information about the identity of a whistleblower or about other circumstances that allow conclusions to be drawn about the identity of this person may be passed on to the competent body in the following cases, in deviation from the existing confidentiality obligations:
- in criminal proceedings at the request of the criminal prosecution authorities,
- on the basis of an order in an administrative procedure following a notification, including administrative fine proceedings,
- due to a court decision.
13.3. The reporting person will be informed of the disclosure in advance. This shall not be done if the law enforcement authority, the competent authority or the court has informed the notification office that the information would jeopardise the relevant investigations, enquiries or court proceedings. The person providing the information shall also be informed in writing or electronically of the reasons for the disclosure.
13.4. Furthermore, information about the identity of the person providing the information or about other circumstances that allow conclusions to be drawn about the identity of the person may be passed on if:
- the disclosure is necessary for follow-up measures and
- the person providing the information has previously consented to the disclosure.
14. Exceptions to the protection of the confidentiality of persons who are the subject of a report
Disclosure of information on persons who are the subject of a report or other persons named in a report is permitted in deviation from the confidentiality obligations if the information is passed on to the competent body in the following cases:
a) if consent has been given in this regard,
b) from internal reporting offices, insofar as this is necessary in the context of internal investigations at the respective employer or in the respective organisational unit,
c) if this is necessary for taking follow-up measures,
d) in criminal proceedings at the request of the prosecuting authority,
e) on the basis of an order in an administrative procedure following a notification, including administrative fine proceedings,
f) due to a court decision.