Privacy

iWhistle is our whistleblowing system. Employees, customers, business partners or other persons providing information can use iWhistle to report suspected violations of laws and internal rules to the internal reporting office. iWhistle is part of our compliance management system.

Data protection at AMAG

This privacy statement informs you about the use and processing of personal data throughout all companies of AMAG. 

1. Data protection policy

The protection and security of your personal data is an important concern to us. Therefore, we process and use your data exclusively in the sense of and in accordance with the principles of the applicable data protection law as amended. We undertake to secure the data against unauthorised access and have taken extensive technical and organisational security measures.

2. Data processing

The data will only be processed for the individually stated purposes such as to answer your requests or for technical administration. There will be no automated data collections or data evaluations to pursue any other purposes. In addition, data that you make available to us when you visit our website will not be processed, evaluated or passed on for marketing purposes.

2.1 What data is processed?
The use of iWhistle is on a voluntary basis. In the case of tips, the following personal data is processed
a) whistleblower: name (if you disclose your identity), contact details (if you provide them)
b) Persons affected by incidents: First name and surname, information about incidents and suspicions of violations of laws and regulations
c) Witnesses and/or third parties named in the notice (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details.

2.2 What do we process your data for and on what legal basis?
The above-mentioned data is processed for the purpose of uncovering and preventing serious wrongdoing and avoiding and warding off particularly drastic or existence-threatening legal consequences and damages both for our organisation (criminal prosecution, claims for damages, damage to our image, supervisory measures) and for our employees. The legal basis for the processing is a legal obligation (pursuant to Art. 6 para 1 lit b DSGVO) to comply with the requirements under the EU Whistleblower Directive of 23.10.2019 (EU 2019/1937) as well as the national implementing laws in this regard. In addition, the processing is based on the overriding legitimate interest of our organisation (pursuant to Art. 6 para 1 lit f DSGVO), which is to achieve the above purposes.

2.3 Who receives my data?
Within our organisation, the compliance team processes data in order to review reported incidents, initiate and conduct investigations and take remedial action where necessary. As part of the reviews, investigations and remedial actions to be taken, it may be necessary to share information about a reported incident with employees in other departments (such as Human Resources, Internal Audit or Senior Management) or with external advisors (e.g. legal advisors) or to the competent authorities. iWhistle is operated on our behalf by the specialised software service provider iComply GmbH, Große Langgasse 1a, DE-55116 Mainz. iComply GmbH is contractually obliged to maintain strict confidentiality and to comply with all data protection requirements. The data centre operator has no access to data of any kind; it serves exclusively to store the application and the data stored in it.

2.4 What data security measures does iWhistle have?
Personal data and information entered into iWhistle is stored in a database operated by iComply GmbH in an ISO/IEC 27001 certified data centre in Germany. Access to the data is only possible for AMAG. iComply GmbH and other third parties have no access to the data. This is guaranteed in a certified procedure by comprehensive technical and organisational measures. All data is encrypted and stored with multi-level password protection, so that access is restricted to a very narrow circle of expressly authorised persons. Communication between your end device and iWhistle takes place via an encrypted connection. The IP address of your end device is not stored during use.

3. Your rights

As the data subject, you have rights of information, rectification, erasure, restriction of data, the portability of data, the right to object and the right not to be subject to automated individual decision-making. If you want to exercise your rights or have any queries, please contact us by sending an email to datenschutz@amag.at or datenschutz@components.amag.at (for processing by our German components companies).
 
The data protection authority is responsible for any requests regarding breaches of your rights.

Contact

Your trust is particularly important to us.

If you have any queries on data protection in connection with AMAG Austria Metall AG, please use the following contact options:

AMAG Austria Metall AG
Lamprechtshausener Strasse 61
A-5282 Braunau-Ranshofen
Email:  datenschutz@amag.at
Phone: +43 (0) 7722 - 801 - 0

Designation of a data protection officer as mandated by law
We have appointed a data protection officer for our German components companies.
Michael JJ Vienhues
Zornedinger Strasse 9b · 85630 Grasbrunn
E-Mail: datenschutz@components.amag.at

How long will personal data be stored?
Personal data is stored for as long as clarification and final assessment require or there is a legitimate interest of the company or this is required by law. Afterwards, this data will be deleted in accordance with the legal requirements. If a tip proves to be unfounded, the tip together with the personal data contained therein will be deleted immediately. For documentation purposes, a final assessment is also stored. The statutory retention periods are as follows:
  •  § Section 11 (5) of the German Whistleblower Protection Act: 3 years after the conclusion of a procedure; documentation may be kept longer in order to meet the requirements under this Act or other legal provisions, as long as this is necessary and proportionate
  • § Section 8 (11) of the Austrian Whistleblower Protection Act: 5 years from the last processing or transmission and, in addition, for as long as necessary to carry out administrative or judicial proceedings already instituted or an investigation under the Code of Criminal Procedure (StPO)