Privacy

The protection and confidentiality of personal data is an integral part of the architecture of each whistleblowing system.

This service is designed to avoid any possible process of personal data via the whistleblowing system and metadata, which could result in tracing the whistleblower's identity in the course of data processing. IP addresses and metadata of the whistleblower will therefore, if technically not mandatory, not be recorded and not further processed. This service does not use any tracking technologies or third-party cookies.

This service uses, among others, Secure Socket Layer (SSL) technology - the industry standard for encryption in the internet - in order to ensure the safety of the data provided by whistleblowers. This internet encryption standard encrypts data during the transfer from the computer of the whistleblower to the server of the service.

Whistleblowers, who wish to remain anonymous, can further increase the technical safety by noting the following information:
  • do not disclose personal information (e.g.: own name, relationship to the accused) or any information as such in the message, that could lead to the conclusion of the identity;
  • do not use the service from company or authorities-owned networks or other networks that may monitor the internet use.

Note on data protection
Employees, customers, or business partners of the ANDRITZ Group can report violations of compliance regulations via "iWhistle". Reports can be submitted via the following reporting channels:

  • Insider trading
  • Bribery, corruption, conflicts of interest
  • Anti-competitive conduct, market abuse
  • Export controls
  • Personnel-related topics in breach of the law, particularly discrimination, harassment, bullying
  • Breach of data protection regulations
  • Facts relevant to procurement
  • Fraud, accounting fraud, breach of trust, money laundering, misappropriation of business and trade secrets
  • Other serious offenses

Breaches of relevant provisions from the EU Whistleblowing Directive:

  • Public procurement
  • Financial services, products, and markets as well as prevention of money laundering and terrorist financing
  • Product safety and compliance
  • Transport safety
  • Environmental protection, radiation protection, and nuclear safety
  • Food and feed safety, animal health and welfare
  • Public health
  • Consumer protection
  • Protection of privacy and personal data; security of network and information systems
  • Matters concerning the financial interest of the European Union
  • EU/national aid rules
  • Competition/antitrust rules
  • Tax policies for corporations and partnerships
  • Violations of policies that fall within the material scope of application of the respective national transposition law of the country in which the ANDRITZ Group company is domiciled, within whose operations the offenses that are the subject of the notice, occurred.

Information is only exchanged between departments if this would be exceptionally necessary to process a specific case.

The infrastructure of the system, including websites and database, is operated by the service provider iComply GmbH, located in 55116 Mainz, Große Langgasse 1A. iComply GmbH is contractually bound to strict confidentiality and to comply with all data protection requirements.

The system itself is operated by ANDRITZ AG, Statteggerstrasse 18, 8045 Graz, Austria. ANDRITZ AG is therefore the controller of the personal data.

What personal data and information is collected and processed?
When reporting violations via "iWhistle", personal data: 

  • Of the person submitting a report (e.g. name, contact details) (optional/voluntary!) and
  • of the persons affected by an incident (e.g. description of the actions of affected persons)

entered in the respective reporting form or transmitted via the protected mailbox are collected and processed. The data is processed by the responsible department in order to review the reported incidents, initiate and conduct investigations, and take remedial action as necessary.

As part of the reviews, investigations and remedial actions to be taken, it may be necessary to share information about a reported incident with employees of other departments such as the Legal Department or with the management of Muster GmbH, other Muster companies, external consultants (e.g. legal advisors) or the competent authorities. We may also be required to report a reported incident to the relevant authorities and to the affected individuals.

Processing and forwarding your report within ANDRITZ
After receiving your report, the Compliance Department will check whether an in-depth investigation is necessary. An investigation can be carried out by internal or external investigation specialists. External specialists that we involve are bound to us by contractual or legal confidentiality obligations to keep the information you provide confidential.

Depending on the content of your report, the departments responsible for further processing at ANDRITZ will receive the information you have reported. These will primarily be the responsible employees in the Compliance department. In addition, the responsible management within ANDRITZ will be informed, which also has the task of remedying any deficits discovered in the course of processing the report. The Audit Department, the Legal Department and the Human Resources Department are also frequently involved in the processing of compliance reports. If your report concerns a subsidiary, the responsible departments in these companies will be notified.

If the content of your report does not relate to any of the compliance topics listed at the beginning, we will forward your report to the responsible department within ANDRITZ if we consider this necessary and appropriate. In the case of personnel issues, for example, this may be the responsible HR department.

ANDRITZ may also involve external specialists, such as lawyers, auditors or forensic experts, who will investigate your report on behalf of ANDRITZ. If you do not want us to pass on your personal data, in particular your name, to persons outside the ANDRITZ Compliance Department (unless this is necessary to protect the legitimate interests of ANDRITZ), please let us know. We would like to point out that we may then not be able to process your information comprehensively.

Access by government agencies
ANDRITZ may also be legally obliged to make information on compliance violations available to certain government agencies, in particular state investigating authorities or courts. We cannot withhold the information provided by you in the event of information and disclosure obligations or seizures.

In some cases, ANDRITZ is not obliged to disclose personal data to government authorities, but is legally authorised to do so voluntarily. If you do not want us to voluntarily disclose your personal data, in particular your name, to government authorities (unless this is necessary to protect the legitimate interests of ANDRITZ), please let us know. We would like to point out that we may then not be able to process your information comprehensively.

Forwarding to other countries
If you have provided personal information in your notice, this may be transferred to other EU countries or countries outside the EU in which the confidential treatment of personal data is not guaranteed by law to the same extent as in Germany. This applies in particular to countries that are considered by EU regulations as countries without an adequate level of data protection. Within ANDRITZ, however, an adequate level of data protection is also guaranteed in countries outside Germany by binding group-internal guidelines on data protection.

If you do not want us to pass on your personal data, in particular your name, to countries outside Germany (unless this is necessary to protect the legitimate interests of ANDRITZ), please let us know. We would like to point out that we may then not be able to process your information comprehensively.

Informing the persons concerned
The law often requires that persons who have been notified of indications of a compliance violation are informed and heard. During the course of the investigation, these persons are given the opportunity to comment on the report.
Please let us know if you do not wish to be named as a whistleblower. We would like to point out that the person concerned may have legal rights to information that may oblige us to disclose your name. Government agencies may also have corresponding rights to information or seizure that disclose your name. This may be the case, in particular, if the data subject claims that the information provided against him/her is knowingly or negligently untrue and files a criminal complaint.

Retention of personal data
The personal data you provide will be retained for as long as necessary to clarify the compliance report and finalise its processing, including the rectification of any deficiencies identified and the handling of any associated legal proceedings. Your personal data will also be retained thereafter if this is required or permitted by law due to statutory, regulatory or contractual retention obligations. Your personal data will be deleted as soon as this is legally required.

Your rights
Under the applicable data protection law, you have the right to

  • to request confirmation as to whether we process personal data about you and to receive information about the personal data we process,
  • to request the rectification of inaccurate personal data,
  • to request the erasure of personal data processed by us
  • to request the restriction of the processing of personal data
  • to request the transfer of personal data that you have actively provided to us,
  • to object to the processing of personal data on grounds relating to your particular situation.

Our data protection organisation provides support for all questions relating to data protection. Complaints can also be made to our data protection organisation and the rights mentioned in this privacy policy can be asserted. Our data protection organisation can be contacted at dataprotection@andritz.com. Our data protection organisation will always endeavour to address and remedy your enquiries and complaints. In addition to contacting the data protection organisation, you also have the option of contacting the competent data protection supervisory authority at any time.

If you do not want ANDRITZ to collect, process and use your personal data as described, you can submit your report anonymously. The provision of your personal data is voluntary, as is the use of the whistleblower system. However, we would appreciate it if you could provide us with your name. Many investigations can be processed more quickly and effectively if the name of the whistleblower is known, as the person handling the report can then contact the whistleblower directly.
By using this whistleblower system, you agree that your personal data, if provided by you, will be collected, processed and used as described above.

ANDRITZ AG, Your Group Corporate Compliance Team