Data protection statement for compliance proceedings and whistleblowing system at ALDI SÜD
The German Whistleblower Protection Act (“Hinweisgeberschutzgesetz”, HinSchG) entered into force on 2 July 2024, requiring employers to establish internal reporting channels. These channels are intended to enable individuals to report violations in connection with work-related activities or prior to a work-related activity. This obligation applies to all German business entities of the ALDI SÜD Group. Even before HinSchG came into force, ALDI SÜD had already carried out compliance proceedings in order to fulfil its legitimate interests and legal obligations (especially the principle of legality according to Sections 30, 130 of the German Act on Regulatory Offences (“Gesetz über Ordnungswidrigkeiten”, OWiG) when clarifying and resolving legal violations. In the future, this will also apply to reported violations that do not fall under the scope of HinSchG.
Within the context of compliance proceedings, ALDI SÜD processes the personal data of individuals who are involved as whistleblowers, the accused or witnesses. These individuals can be employees of ALDI SÜD, as well as suppliers, business partners or other persons who have professional dealings with ALDI SÜD.
Data Controller
The ALDI SÜD business entity that is responsible for a reported violation as the affected employer or business partner is Controller for the processing of personal data in connection with the relevant compliance proceedings. Usually this is the ALDI SÜD business entity which has a contractual relationship with the whistleblower.
A central reporting channel has been set up for the ALDI SÜD Group, which carries out all compliance proceedings and processes the associated personal data on behalf of all German ALDI SÜD business entities. The central reporting channel consists of:
Risk and Compliance Management (RCM) ALDI SÜD International Services SE & Co. oHG
And for reported violations related to data protection:
Data Protection Officer & Data Protection Advisory ALDI SÜD Dienstleistungs-SE & Co. oHG
Contacting our Data Protection Officer
Our Data Protection Officer can be contacted here: datenschutzbeauftragter@aldi-sued.de
Please note that the contents of any e-mail you send to the above e-mail address may also be read by persons other than our Data Protection Officer. If you would like to share confidential information, please first request direct contact via this e-mail address.
Purpose of data processing and legal basis
The purpose of data processing is to fulfil our legally mandated duties and obligations, especially those laid out in HinSchG. This includes protecting whistleblowers and protecting the individuals involved in a reported violation (“the accused”), as well any other persons affected by a reported violation (see Section 1 HinSchG). In addition, these duties and obligations include clarifying any reported violations and taking appropriate follow-up measures to resolve them. The data collected and processed in this context can also be processed for the purpose of exercising a right, enforcing a law or defending a right, provided there are no legal provisions prohibiting this use, especially for the protection of the persons involved in the process.
In general, the internal reporting channel at ALDI SÜD processes personal data to ensure compliance with a legal obligation as defined in Art. 6 para. 1 lit. c GDPR in connection with Section 10 Paragraph 1 HinSchG and Sections 13, 17, 18 HinSchG, which define the legally mandated duties to be fulfilled by internal reporting channels. In certain cases, the internal reporting channel also collects special categories of personal data as part of the reporting process as defined in Art. 9 para. 1 GDPR or personal data about criminal convictions and criminal offences as defined in Art. 10 GDPR. This may be the case, for example, if a report contains such data. Special categories of personal data are processed based on Section 10 para. 2 HinSchG, which is permitted provided it is deemed necessary to fulfil the duties of the reporting channel. If data of whistleblowers is to be shared with individuals outside the central reporting channel for the purpose of clarifying the facts of a case, this data processing will take place solely on the legal basis of the express consent of the whistleblower, which is obtained separately before the data is shared, see Section 9 para. 3(2) HinSchG and Art. 6 para. 1 lit.a GDPR. This consent can be revoked at any time with future effect.
Whistleblowers are not obligated to provide personal data. In this case, however, our options for clarifying and resolving reported violations may be limited.
Automated individual decision-making in the sense of Art. 22 GDPR does not take place.
Data sources and categories of personal data
In general, ALDI SÜD processes personal data received from whistleblowers via the reporting channel. In particular, this data can include the names, addresses and contact information of the whistleblowers, the accused or witnesses, as well as other information about the groups of people included in the report. Regarding the accused individual, a report is normally expected to contain information about the alleged legal violation. In addition, it can also contain special categories of personal data as defined in Art. 9 GDPR. Furthermore, ALDI SÜD processes other data from internal sources as required for the proceedings.
Categories of data recipients
According to Section 8 para. 1 sentence 1 HinSchG, the internal reporting channel must ensure that the identity of the whistleblowers, the persons involved in a reported violation and any other persons mentioned in the report is kept confidential. As a rule, personal data obtained via the reporting channel must not be disclosed. Exceptions are stipulated explicitly in Section 9 HinSchG based on strict conditions.
The internal reporting channel only discloses personal data about whistleblowers to other persons and parties at ALDI SÜD if the whistleblower has given their express consent to do so and if disclosing the information is necessary to implement the follow-up measures. The personal data is disclosed to government agencies such as law enforcement agencies or administrative bodies if ALDI SÜD is required to do so by law or on the grounds of a court ruling.
ALDI SÜD receives support from service providers in ensuring the availability of the relevant technical infrastructure, developing its services and carrying out its tasks, and these service providers may have access to your personal data in this context.
In this context, data may also be transferred to external service providers and/or business entities of the ALDI SÜD Group outside the European Economic Area (EEA).
Data will only be transferred to companies in third countries which have been confirmed by the EU Commission to provide an adequate level of data protection or to companies that provide other adequate data protection safeguards (e.g. binding corporate data protection regulations or EU standard contractual clauses). Detailed information on this and on the level of data protection that our service providers in third countries provide can be requested from the respective Data Protection Coordinator / Data protection team.
Retention periods and erasure of data
ALDI SÜD stores all data related to the reported violation, including the personal data of the whistleblowers and of the persons involved in or mentioned in the report, for a period of three years after the process has been completed in accordance with Section 11 para. 5 HinSchG and then deletes the data in compliance with applicable data protection laws.
Rights of the data subjects
Provided that the necessary requirements as stipulated in Art. 15 et seq. GDPR are fulfilled, data subjects are entitled to exercise their rights of access, rectification, erasure, restriction of processing and data portability at any time.
In addition, data subjects have the right to object to the processing of their personal data which is based on Art. 6 para. 1 lit. f GDPR, at any time based on grounds relating to their particular situation.
To exercise the rights mentioned above, data subjects may contact datenschutz@aldi-sued.de.
Data subjects accused of a legal violation as part of a report (“the accused”) are informed separately of any compliance proceedings concerning them and in detail during the course of the proceedings and are given the opportunity to comment on the violations and exercise their rights. ALDI SÜD complies with any applicable obligation to provide information regarding data protection rights, particularly in accordance with Art. 14 GDPR. However, please note that these obligations to provide information are subject to legal exceptions and restrictions, especially to protect the rights and interests of third parties and to avoid endangering the success of the proceedings.
Notes regarding this document
Last updated: 18 June 2024