Data Privacy Policy
Webhelp SAS, Département Compliance – Confidentiel, 3 Rue d'Héliopolis, 75017 Paris - France, acting as the data controller of your personal data, takes data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (EU-GDPR) as well as current and applicable national data privacy law and regulations. Please read this data privacy information carefully before submitting a report via the BKMS® System.
Purpose of the whistleblowing system and legal basis
The whistleblowing system (BKMS® System) serves the purpose of securely and confidentially receiving, processing and managing reports regarding violations of the compliance rules of Webhelp Group. Webhelp SAS acts as the controller of your personal data for the purpose of operating the whistleblowing system and carrying out the necessary or legally required subsequent investigations or actions, in accordance with current and applicable national laws and regulations.
The processing of personal data in the BKMS® System is based on the following legal basis:
- The legal obligation to implement a whistleblowing system, to which we are subject pursuant to applicable national laws and regulations, international treaties, secondary law or international or European Union organizations. Article 6 (1) (c) EU-GDPR serves as legal basis for this data processing; and
- the legitimate interests of our company to detect and prevent misconduct and thus avoid damage to Webhelp, its employees and customers. Article 6 (1) (f) EU-GDPR serves as legal basis for this data processing.
Responsible authority
The party responsible for data privacy in the whistleblowing system is
- Webhelp S.A.S., Département Compliance – Confidentiel, 3 Rue d'Héliopolis, 75017 Paris - France and
- its subsidiaries
as parties with mutually autonomous responsibility (hereafter also: “Webhelp”). The reporting system is operated by a specialised company, EQS Group AG, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of Webhelp.
Personal data and information entered into the reporting system are stored in a database operated by EQS Group AG in a high-security data centre. Only Webhelp authorised personnel has access to the data. EQS Group AG and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at Webhelp.
Webhelp has appointed a Group Data Protection Officer. Questions on data protection and privacy can be sent to
Webhelp Group Data Protection Officer, 3 Rue d'Héliopolis, 75017 Paris - France
privacy@webhelp.com
Type of personal data collected
Use of the reporting system takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information:
- your name, if you choose to reveal your identity (in such case, this information will remain confidential),
- whether you are employed at Webhelp, and
- the names of persons and other personal data of persons that you name in your report.
Confidential handling of reports
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the Compliance department of Webhelp and are always handled confidentially. The employees of the Compliance department of Webhelp will evaluate the matter and perform any further investigation required by the specific case. During the processing of a report or the conduction of a special investigation, it may become necessary to share reports with additional employees of Webhelp or employees of other group companies, e.g. if the reports refer to incidents in subsidiaries, for the sole purposes of processing the report or conducting a special investigation. The latter may be based in countries outside the European Union or the European Economic Area with different regulations concerning the privacy of personal data. Webhelp can also share the reports with judicial or administrative authorities, inside and outside of the European Union, upon request and in accordance with applicable national laws and regulations. We always ensure that the applicable data privacy regulations are complied with when sharing reports. All persons who receive access to the data are under a contractual obligation to maintain confidentiality.
Information of the accused person and/ or any other individual named in the report
As a basic principle we are bound by law to inform the accused persons and other individuals named in the report (e.g., witness, victim) that we have received a report concerning them, unless this threatens further investigations into the report, in which case such information will be postponed until the end of the investigations. In doing so, your identity as whistleblower and the identity of the other individuals named in the report are not revealed as far as is legally possible. In France, information that could identify you as the whistleblower can only be disclosed, except to the judicial authority, with your consent.
Transfers of personal data
During the processing of a report or the conduction of a special investigation, it may become necessary to share personal data outside of the territory of the European economic area (EEA), to countries that do not provide the same level of personal data protection as in the EEA, for instance the USA. In accordance with Article 44 of the GDPR, any transfer of personal data outside of the EEA will be governed by an appropriate transfer mechanism, such as the following:
- a valid adequacy decision from the European commission (Article 45 GDPR);
- Binding Corporate Rules (BCR) or the European commission Standard Contractual Clauses (Articles 46 and 47 GDPR);
- A valid derogation, such as your explicit consent to the transfer (Article 49 of the GDPR).
A copy of the data transfer mechanism implemented by Webhelp is available, upon request to Webhelp Group Data Protection Officer (privacy@webhelp.com).
Rights of the data subjects
According to European data protection law, you and the persons named in the report have the right to access, rectification, erasure, restriction of processing and the right to object to processing of personal data concerning them. If the right of objection is claimed, we will immediately examine to what extent the stored data is still necessary for the processing of a report. Data that is no longer required is deleted immediately. In addition, you have the right to lodge a complaint with a data protection supervisory authority.
Retention period of personal data
Personal data is retained for as long as necessary to clarify the situation and perform an evaluation of the report or a legitimate interest of the company exists, or it is required by law. After the report processing is concluded, this data is deleted in accordance with the statutory requirements.
In general, the following retention periods apply:
- Personal data relating to a report that is considered as not sufficiently grounded or outside of the scope of the reporting tool will be deleted without delay or anonymized;
- Personal data relating to a report within the scope of the reporting tool but to which no follow-up measure will be implemented will be destroyed two months after the end of the verifications relating to that report;
- Personal data relating to a report which resulted in a judicial or disciplinary procedure against the whistleblower in the event of a fraudulent or abusive report, or against the accused person, will be retained until the end of that procedure or the end of the statute of limitations which applies to appeals against such decision.
Please note that the above retention periods may vary depending on statutory requirements.
Use of the reporting portal
Communication between your computer and the reporting system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the reporting system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the reporting system that is secured with an individually chosen pseudonym/ user name and password. This allows you to send reports to the responsible employee at Webhelp either by name or in an anonymous, safe way. This system only stores data inside the reporting system, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible employee of Webhelp. If you wish to submit an anonymous report, please take note of the following security advice: Files can contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Version: November 2022