Article: Notes on data privacy, valid from January 1st, 2024
Who is collecting and processing my personal data?
Deutsche Bahn AG and its subsidiaries (hereinafter referred to as "DB"), Potsdamer Platz 2, 10785 Berlin, Germany, is the controller for the whistleblowing system and collects and processes your data in this regard. The whistleblowing system is used to receive and process, in a secure and confidential manner, information about (legal) violations in connection with the business activities of DB, in particular those under the German Whistleblower Protection Act (HinSchG) and complaints under the Supply Chain Segregation Obligations Act (LkSG).
The appointed data protection officer is Ms. Dr. Marein Müller.
e-mail: konzerndatenschutz@deutschebahn.com
What data do we collect, and why and how do we process it?
Personal data of natural persons (personal data) entered into the whistleblowing system is stored in an encrypted and password-protected manner in a database operated on our behalf by EQS Group GmbH, which is located in a high-security data center in Germany.
DB uses the personal data, such as name and other communication and content data, confidentially for the sole purpose of receiving and processing reports concerning violations of the law, in particular in accordance with the above-mentioned laws, in a secure and confidential manner. The legal basis for processing personal data is Article 6(1)(c) DSGVO in connection with Section 8 LkSG, Article 6(1)(c) DSGVO in connection with Section 10 HinSchG and Article 6(1) lit. f) DSGVO to safeguard DB's legitimate interest in clarifying potential criminal offences as well as breaches of the law that occurred in connection with the DB Group and to protect the Group and its employees from possible damage. Where applicable, additional legal bases may be the internal company agreements and guidelines as well as, under certain circumstances, specifically for the disclosure of personal data to other competent bodies, also the consent pursuant to Section 9 (3) or (4) HinSchG in connection with Art. 6 (1) lit. c) DSG. Art. 6 Para. 1 lit. a) DSGVO or Art. 9 Para. 2 lit. a) DSGVO.
Do we share your data with other parties?
Access to the data is restricted to a very limited circle of expressly authorized and specially trained persons from the internal reporting offices, in particular the DB Compliance organization, Group Data Protection, Group Security, Sustainability, Procurement or the Human Resources division, as well as the DB Group’s Internal Investigation department, in each case according to their specialist responsibility. In addition, depending on the content of the report and the progress of the investigation, a very limited number of other authorized persons, such as in particular the further compliance and data protection organizations as well as the responsible departments of the DB subsidiaries concerned, may be given access to this data, e.g. if the information relates to processes in the subsidiaries. The latter may also be based in countries outside the European Union or the European Economic Area. In the case of data transfer to third countries outside the EU/EEA, appropriate safeguards are in place. These include the EU standard contractual clauses and an adequacy decision of the EU Commission.
In the course of processing a report, it may be necessary to pass on personal data or information that allows conclusions to be drawn about the identity of a whistleblower to other responsible offices. For this purpose and if necessary, we obtain the prior consent of the whistleblower in accordance with Section 9 (3) HinSchG.
Any person who gains access to the data is obligated to maintain confidentiality. In the course of criminal prosecution or due to other obligations to authorities, it may be necessary to disclose the personal data to state investigating authorities or other competent state authorities within the scope of legal obligations.
How long do we store your data?
We store your data only for as long as is necessary to fulfil the purpose for which the data was collected or for as long as we need it to comply with legal requirements. In every specific case, we use a set of criteria established as part of our data deletion policy to check whether and how long your data may be stored or archived before it is deleted. As a rule, data will be deleted at the latest six years after the case it relates to is closed. Facts concerning the LkSG are documented for at least seven years.
What rights do data subjects have?
Data subjects have the right to request information about what data is stored about them at any time.
They may request correction, deletion and/or restriction of processing (blocking) of their personal data as long as this is legally permissible and possible within the framework of an existing contractual relationship.
You have the right to lodge a complaint with any data protection supervisory authority.
You may object to data processing on grounds relating to your particular situation if the data processing is carried out on the basis of our legitimate interests or is necessary for the performance of a public task.
To exercise your rights when your data is processed in accordance with the Supply Chain Sourcing Obligations Act, please contact us by mail or by e-mail at the following address:
Deutsche Bahn AG
Sustainability & Environment
Potsdamer Platz 2
10785 Berlin
Germany
e-mail: nachhaltigkeit@deutschebahn.com
In all other cases, please contact us by mail or by e-mail at the following address:
Deutsche Bahn AG
Compliance Whistleblowing Management
Potsdamer Platz 2
10785 Berlin
Germany
e-mail: whistleblowing@deutschebahn.com