Data Privacy - Trusty
The following section contains information about the collection, processing and use of personal data in the context of the whistleblowing system. Please read this privacy information carefully before submitting a report.
The whistleblowing system Trusty is used to accept and process information relating to suspected breaches to the detriment of the organization in a secure and confidential way.
The processing of personal data within Trusty is based on the legitimate interest of the organization in the detection and prevention of breaches and the associated prevention of damage and liability risks for the organization. If a report received concerns an employee of the organization the processing also serves to prevent criminal offences or other legal infringements in connection with the employment relationship.
The whistleblowing system Trusty (the application, its webpages, as well as the database in which the submitted personal data and information are stored) is operated by Trusty AG, Bösch 82, 6331 Hünenberg, Zug, Switzerland, on behalf of the organization. The database is encrypted and hosted on virtual servers in a high-security data centre located in the EU.
For the purpose of processing of a submitted report, the personal data and information may be generated, accessed, processed and used only by persons authorised by the organization. Trusty AG has no rights with regard to the said data; its assigned personnel has access to the database exclusively for the purpose of technical maintenance. The ownership of the data and the associated legal responsibilities are retained by the organization at all times. Whether and to what extent third parties have access to the data is solely within the responsibility of the organization. If legaly necessary, personal data and information may be disclosed to the police and/or other enforcement or regulatory authorities.
The whistleblowing system Trusty is used on a voluntary basis. The following personal data and information are collected:
- your name, e-mail address, telephone number and your relationship to the organization, should you decide to disclose your identity,
- where applicable, the names of persons suspected to be involved and their other personal data,
- where applicable, the names of persons aware of the breach and their other personal data.
All communication between Trusty and the web browser of a reporting person is encrypted to protect data confidentiality (SSL). Neither IP addresses, time stamps nor any other metadata of the reporting person are logged or stored. To maintain the connection between the web browser of the reporting person and Trusty, a cookie which contains only the session ID is stored on the reporting person's desktop. The cookie is only valid until the end of the session and becomes invalid when the browser is closed. We also use a HTTP cookie with a random string to enhance security. That cookie expires in two hours.
When submitting a report or supplementary information, a reporting person may attach documents to the report. In this case reporting persons are notified that attached files may contain hidden personal data which might reveal their identity. Such data should hence be removed, should the reporting person wish to remain anonymous. In case removal of such data is not possible, it is recommended to send the documents in a pdf format or in paper to the address of the organization and writing the username which is assigned to a reporting person upon completion of the procedure.
The submitted personal data shall be kept and processed in accordance with the organization's policies as long as the organization has the legitimate interest to process the report (including conducting any investigations) and, if applicable, initiate sanctions (including conducting any investigations and, if applicable, further measures). You are entitled to get acquainted with your personal data, to receive your personal data in a generally readable electronic format, provide corrections and request that the processing of your personal data be limited. The right to deletion of your personal data is limited with the legitimate interest of the organization described above. For further details please refer to the organization's relevant policies.