Whistleblowing personal data protection and privacy notice

Introduction to Selecta whistleblowing system (EthicsLine, also known as SpeakUp)

The purpose of a whistleblowing system is to provide you with a confidential channel to report suspected misconduct or the risk of wrongdoing affecting Selecta and/or any of its affiliates.

We have contracted with a third party, NAVEX Global, to offer EthicsLine (at Selecta we refer to it as “SpeakUp”) to our associates and third parties.

EthicsLine is a comprehensive and confidential reporting tool provided by NAVEX to help management and associates work together in addressing fraud, abuse, and other misconduct in the workplace, all while cultivating a positive work environment.

With EthicsLine, any associate or third party can file a confidential report either by telephone or through the web intake form. It is designed for reporting any violation of our Code of Conduct or any other concern you may have. You can report your concerns through the webpage EthicsPoint - Selecta AG. Phone numbers are also available through that link after selecting the location.

This notice will provide you with information on how your personal data will be processed through the whistleblowing system.

Controller:
Selecta Ireland, Unit 5, Block 4, City North Business Campus, Co. Meath, K32 KC65, Ireland (hereafter also referred to as the "Company" or "Selecta")

GDPR:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Purpose:
Handling whistleblowing reports affecting Selecta or its affiliates (at Selecta we also refer to “SpeakUp reports”)

Legal Basis:
Handling whistleblowing reports affecting Selecta or its affiliates (at Selecta we also refer to “SpeakUp reports”)

Processor:
Navex as hosting provider and supplier of the channel, as well as other third parties acting as sub-processors engaged by Navex on a case-by-case basis for the purpose of providing the services (e.g. translators, interpreters, etc.)

Rights:
Access, rectification, erasure, limitation of processing, objection to processing and other rights

Personal Data:
Personal data that you may decide to provide to this whistleblowing system include the following: (a) full name and/or contact details; (b) job title/department and/or location; (c) third party personal data derived from facts described by you in your report; (d) identity, function and contact details of individuals allegedly involved in the suspected violation; (e) identity, function and contact details of individuals who could provide information relating to the suspected violation; (f) any other information you decide to provide in the report, whether when first filling it in, if you wish to supplement a report already submitted, or when invited to do so later by Selecta, so as to give us a better knowledge of the case and allow us to carry out an appropriate and/or necessary evaluation of the facts; and (g) personal PIN to log in to the Navex portal for report follow-ups and updates.

1. Who is the Controller of the Personal Data processing?

Identity: Selecta Ireland, Unit 5, Block 4, City North Business Campus, Co. Meath, K32 KC65, Ireland (hereafter "Company" or "Selecta")

Email: hq.dataprivacy@selecta.com

2. What is the purpose of our processing the Personal Data and its legal basis?

The purpose of processing the Personal Data is to receive, analyse, investigate and manage reports and any consequent actions, and in particular to ascertain the facts reported and to take any necessary measures. More specifically, the purpose of processing the Personal Data is to handle whistleblowing reports delivered through EthicsLine relating to Selecta and/or any of its affiliate(s) for (i) any violation of the Selecta Code of Conduct and/or policies, (ii) any breach of the law, (iii) any case that implies or may imply a risk for any of the Selecta Group entities or its business and reputation.

All Personal Data collected within the scope of this processing are strictly functional and necessary for the pursuit of the provisions of Article 6(1)(c) GDPR and the relevant applicable local personal data protection laws, as well as for any possible internal auditing purposes, the monitoring of business risks, the defence of a right in court or for further legitimate interests of the Controller in accordance with Article 6(1)(f) GDPR. In limited and specific circumstances, provisions under Article 9 and Article 10 GDPR and relevant applicable local laws will apply whenever special categories of personal data and/or personal data relating to criminal convictions and offences are provided in your whistleblowing report.

You can submit your report in 2 different ways:

  • by identifying yourself, or
  • by remaining anonymous, where allowed by the local laws.

Any contact information provided by the whistleblower will be used if direct contact with the whistleblower is necessary and for updates regarding the report.

3. Who are the Personal Data recipients?

Navex acts as Processor for the management of the whistleblowing system and related reporting. The Personal Data are stored in the system hosted and managed by Navex, acting as Processor, in Germany and the Netherlands. The Processor has implemented adequate technical and organizational measures to process the Personal Data and to ensure its confidentiality, availability and integrity. If you have any questions about these measures, please contact hq.dataprivacy@selecta.com.

For reports received by telephone, Navex staff receives those phone calls, and the information is entered within the EthicsLine application.

In order to pursue the above-mentioned purposes, the Personal Data provided through EthicsLine is made accessible only to individuals in the Legal department who are authorised to receive or follow up on the analysis, investigation and management of reports and any consequent actions. These persons are duly instructed to avoid loss, access to data by unauthorised persons or unauthorized processing of data and, more generally, in relation to personal data protection obligations.

In some cases, personal data may have to be provided to other departments and people, subject to the provisions of local law. For the purpose of processing and investigating a report, and/or taking appropriate decisions, and/or corrective/disciplinary actions, the personal data and information may be accessed, processed and used by the relevant personnel of Selecta on a need-to-know basis. The Personal Data may also be disclosed to the relevant Selecta affiliate(s) in Europe and/or in the UK which, in liaison with Selecta, may carry out the necessary internal assessment and investigation and take the relevant decisions.

The Personal Data may also be processed by external consultants and advisors, if necessary, to support with potential investigations.

Finally, Personal Data may also be transmitted to other independent data controllers, in accordance with the law or regulations (e.g. Public Authorities, Judicial Authorities, etc.).

Navex may also share the Personal Data with third parties engaged for the provision of services strictly necessary to the abovementioned purpose, such as translators. Please contact hq.dataprivacy@selecta.com to request the list of these third parties.

EthicsLine involves the use of interpretations (live over-the-phone calls) and translation (written word translations). The individual interpreters and translators are located throughout the world to support non-English languages. As a result, Personal Data and information provided in a report may be transferred outside of the United Kingdom, Switzerland, the European Union, and/or the European Economic Area for the purpose of providing translations or administration of this service. Navex is committed to maintaining compliance with all applicable data protection requirements and privacy and security practices. If Personal Data needs to be transferred outside the European Economic Area, the same level of protection will be maintained on the basis of compliance with the provisions of European personal data protection regulations. Accordingly, international data transfers will be done (i) to countries that the European Commission has declared to have an adequate level of protection, (ii) on the basis of the provision of adequate guarantees such as standard contractual terms or related corporate standards, or (iii) pursuant to the authorisation of the competent supervisory authority or to other conditions laid down in the applicable personal data protection regulations.

4. For how long will we retain Personal Data?

Personal Data will be retained in the whistleblowing system for the time required to process the report, carry out and complete an internal investigation, evaluate the matter and take all the necessary measures and actions. Personal Data will, in any case, be erased from the whistleblowing system in accordance with local laws.

If, after such evaluation, a legal claim arises, such Personal Data shall be stored for the additional period which is necessary for the purpose of such legal claim.

5. What are your rights as data subjects?

In accordance with the provisions of articles 15 to 22 GDPR, data subjects are entitled to exercise specific rights. Specifically, in relation to the processing of your Personal Data covered by this policy, you have the right to request the following from Selecta:

  • Access: you may request confirmation as to whether or not your Personal Data is being processed, along with further clarification of the information referred to in this policy;
  • Rectification: you may ask that the data that you have provided be rectified or integrated if the data is inaccurate or incomplete;
  • Erasure: you may ask that your data be deleted if it is no longer necessary for the purposes mentioned above, if consent is withdrawn or if the processing is opposed, in the event of unlawful processing, or if there is a legal obligation to delete the data;
  • Restriction of processing: you may request that your data only be processed for the purposes of retention, with the exclusion of other processing operations, for the period necessary to rectify your data, in the event of unlawful processing for which you object to the erasure, whereby you must exercise your rights in court, and the data stored may be of use to you and, finally, if you object to processing and a check is being carried out as to whether the legitimate reasons of Selecta prevail over yours;
  • Objection: you may object at any time to the processing of your data, unless there are legitimate grounds for processing which override your own, for example for the exercise or defence of legal claims;
  • Portability: you may request to receive your data, or to have it sent to another data controller indicated by you, in a structured, commonly used and machine-readable format.

In order to exercise the abovementioned rights, please write to Selecta clearly indicating the right that you would like to exercise, at Selecta, Alte Steinhauserstrasse 14, 6330 Cham, Switzerland or by email to hq.dataprivacy@selecta.com.