iWhistle is our whistleblowing system. Employees, customers, business partners or other persons providing information can use iWhistle to report suspected violations of laws and internal rules to the internal reporting office. iWhistle is part of our compliance management system.

Who is responsible for data processing?
Responsible for the processing of your personal data is (hereinafter also organisation):
SCHOTT AG, Compliance Office, Hattenbergstraße 10, DE-55122 Mainz,

What data is processed?
The use of iWhistle is on a voluntary basis. In the case of tips, the following personal data is processed
a) whistleblower: name (if you disclose your identity), contact details (if you provide them)
b) Persons affected by incidents: First name and surname, information about incidents and suspicions of violations of laws and regulations
c) Witnesses and/or third parties named in the notice (e.g. customers, suppliers, colleagues or business partners): first and last name, contact details.

What do we process your data for and on what legal basis?
The above-mentioned data is processed for the purpose of uncovering and preventing serious wrongdoing and avoiding and warding off particularly drastic or existence-threatening legal consequences and damages both for our organisation (criminal prosecution, claims for damages, damage to our image, supervisory measures) and for our employees. The legal basis for the processing is a legal obligation (pursuant to Art. 6 para 1 lit b DSGVO) to comply with the requirements under the EU Whistleblower Directive of 23.10.2019 (EU 2019/1937) as well as the national implementing laws in this regard. In addition, the processing is based on the overriding legitimate interest of our organisation (pursuant to Art. 6 para 1 lit f DSGVO), which is to achieve the above purposes.

Who receives my data?
Within our organisation, the compliance team processes data in order to review reported incidents, initiate and conduct investigations and take remedial action where necessary. As part of the reviews, investigations and remedial actions to be taken, it may be necessary to share information about a reported incident with employees in other departments (such as Human Resources, Internal Audit or Senior Management) or with external advisors (e.g. legal advisors) or to the competent authorities. iWhistle is operated on our behalf by the specialised software service provider iComply GmbH, Große Langgasse 1a, DE-55116 Mainz. iComply GmbH is contractually obliged to maintain strict confidentiality and to comply with all data protection requirements. The data centre operator has no access to data of any kind; it serves exclusively to store the application and the data stored in it.

What data security measures does iWhistle have?
Personal data and information entered into iWhistle is stored in a database operated by iComply GmbH in an ISO/IEC 27001 certified data centre in Germany. Access to the data is only possible for our organisation. iComply GmbH and other third parties have no access to the data. This is guaranteed in a certified procedure by comprehensive technical and organisational measures. All data is encrypted and stored with multi-level password protection, so that access is restricted to a very narrow circle of expressly authorised persons. Communication between your end device and iWhistle takes place via an encrypted connection. The IP address of your end device is not stored during use.

What data protection rights do you have?
You have the right, upon request and free of charge, to receive information about the personal data stored about you, its origin and recipient and the purpose of the data processing. If we process your data on the basis of our legitimate interest, you have the right to object to the processing if there are legitimate grounds arising from your particular situation (right of objection). In addition, you have the right to correct incorrect personal data, the right to delete personal data, the right to restrict the processing of personal data, the right to data portability. You can contact us at any time about this and other questions on the subject of personal data. Finally, you have the option of lodging a complaint with the supervisory authority if you believe that the processing of your data violates data protection law or your data protection rights have otherwise been violated in any way.

How long will personal data be stored?
Personal data is stored for as long as clarification and final assessment require or there is a legitimate interest of the company or this is required by law. Afterwards, this data will be deleted in accordance with the legal requirements. If a tip proves to be unfounded, the tip together with the personal data contained therein will be deleted immediately.