Privacy Notice and further information in accordance with the Austrian Whistleblower Protection Act

We provide this electronic hotline for the following circumstances and use cases, which we are legally obliged to do under local law if they apply to our company and our business model

• Public Procurement,
• Financial services, financial products and markets, and prevention of money laundering and terrorist financing,
• Product safety and conformity,
• Environmental protection,
• Consumer protection,
• Protection of privacy and personal data as well as security of network and information systems,
• Prevention and punishment of criminal offenses in accordance with Sections 302 to 309 of the Austrian Criminal Code (abuse of official authority, negligent violation of personal freedom or domiciliary rights, corruptibility, acceptance of benefits, acceptance of benefits to influence, bribery, granting of benefits, granting of benefits to influence, prohibited intervention, acceptance of gifts and bribery of employees or agents).

As Compliance and correct behavior are important to us, we have voluntarily extended the scope of this Whistleblowing Hotline to the following areas:

• Inappropriate relationships with business partners
• Violations of antitrust laws 
• Collusion in bidding procedures
• Abuse of a market-dominating position
• Property crimes such as 
  • Fraud
  • Embezzlement
  • Theft
  • Tax evasion
  • Money laundering and terrorism financing
• Misconduct in payment transactions
  • Financial/economic sanctions and embargoes

We hereby undertake to provide Whistleblowers who provide us with information on this extended area with the same protection and the same rights as Whistleblowers in the statutory scope of application as described above.

You can also use this Whistleblowing Hotline to submit information about our affiliated companies - we have concluded corresponding internal contracts that enable this in accordance with the provisions of the Austrian Whistleblower Protection Act. The corresponding reports are forwarded internally to the relevant experts while maintaining confidentiality.

We will reject any information that is obviously false; we would like to take the opportunity that, in accordance with Section 6 (4) of the Austrian Whistleblower Protection Act, such information may give rise to claims for damages and may be prosecuted in court or as an administrative offense.

Please note that you only send us the personal data that is necessary for the specific incident - further information, e.g. about your personal circumstances, is not desired and will be deleted immediately where necessary. For the sake of form, we would like to point out in this context that you yourself become the Controller under the GDPR for all excessive information, as is also explicitly stated in the local Whistleblower Protection Act.

Please note that the legal protection for Whistleblowers in accordance with the provisions of the Austrian Whistleblower Protection Act only applies to persons who, due to a current or former professional relationship with us or a company affiliated with us, worked or work as employees, applicants, interns / volunteers or trainees, as self-employed persons, as members of an administrative, management or supervisory body, as shareholders or as employees of one of our contractors or subcontractors or suppliers and who have obtained information about a violation of the law as stated in Point 1 of this Privacy Notice and share this information with us in good faith.

After submitting a report or complaint, you will receive a confirmation of receipt from us within 7 days at the latest.

After the Compliance Forum evaluates your complaint or report (if necessary, together with external lawyers or experts), the further processing of the report is decided upon. If the Compliance Forum deems an internal investigation necessary, the case manager in charge reviews relevant documents, speaks with witnesses and affected parties, and, if necessary, analyzes electronic data.

At the end of the fact-finding, the results are summarized in a report that is distributed to relevant internal stakeholders. Results may include recommendations for disciplinary action or other remedial measures, such as risk management and internal process measures.

• In the case of substantiated reports, the Compliance Forum will inform the Executive Board and advice for actions to be taken. If the report should concern a member of the Executive Board, the chairman of the Supervisory Board shall be consulted.
• Substantiated reports concerning minor breaches may be discontinued if the Compliance Forum decides that the report can be remedied by simple measures.
• Should the report concern a specific department other that the Compliance Forum, the report may be forwarded and treated by the responsible department.
• Unsubstantiated or irrelevant reports will be terminated.

Insofar as it is possible and legally permissible, we will inform you within three months of the measures taken – even if the fact-finding has not been completed by then.

Retaliation against any employee who raised Compliance concerns in good faith is strictly prohibited. If you have reason to believe that you have been subjected to retaliation, please notify the Compliance Department directly or via our EQS Integrity Line.

If you click on "make a report" on the landing page of our electronic Whistleblowing Hotline, you create a report that is then processed by the responsible Compliance Expert. It is of course also possible to submit a report anonymously – in this case, please make sure that not only your name is not included, but also that the report does not contain any information that could be used to identify you.

Regardless of whether you wish to remain anonymous or not, we kindly request that you activate the Secure Inbox, which we can then use to contact you if necessary. The Secure Inbox is provided by EQS Integrity Line and is therefore outside our internal communication systems. This ensures that only the responsible Compliance Officer and you have access to the communication with you. Please note the CaseID for your report and select a password - if you lose this information, you will have to create a new report, as we have no way of resetting your password due to the confidentiality settings.

Yes. All complaints and reports may be submitted anonymously, and TTTech takes great care to protect you as a reporter and ensures your complaint or report is kept confidential. Confidential data may only be disclosed on an as-needed basis as permitted by law. These principles apply regardless of the reporting channel.

The TTTech Compliance department. This is the company’s central department, which handles all complaints and reports, regardless of how they were submitted. The Compliance Department reports directly to the responsible management team member. Our Compliance team members are subject to a special duty of confidentiality, are impartial, and have the necessary expertise to professionally handle complaints and reports.

The Controller for this Whistleblowing Hotline is

TTTech Computertechnik AG
Schönbrunner Street 7
1040 Vienna, Austria
c/o Data Privacy Organization

You can contact us either by post or by sending an email to datenschutz(at)tttech.com.

As part of the provision, we process the information that you provide in the context of a complaint or a report, if you do not do this anonymously, then in any case your name, your e-mail address and your professional affiliation to our company.

Due to the nature of the Whistleblowing Hotline, special categories of personal data may also be processed in individual cases, such as health-related data or information on criminal offenses or administrative offenses. Accordingly, Data Subjects may be employees, former employees, relatives of employees, customers, service providers or other persons in a professional relationship with our company.

Your self-chosen password and the CaseID are stored on the platform itself - however, we do not have access to your password. Your IP address or similar technical data such as information about your device is also not stored - no Cookies, Pixels or similar are set on our Whistleblowing Hotline page.

When you speak to a member of our Compliance team, telephone calls are not recorded.

We will process your personal data for the following purposes:

• Regarding the data that you provide to us as part of a report: For the reporting of specific indications of Compliance violations and the conduction of internal and external investigations,
• regarding your password and the CaseID: To ensure your anonymity, should you wish to do so.
• In addition, we use your personal data in anonymous form for statistical purposes.

The legal basis for processing your personal data is:

• Insofar as it concerns the reporting facts specified in the Austrian Whistleblower Protection Act, fulfillment of a legal obligation to which TTTech is subject (Art. 6 para. 1 lit. c GDPR).
• Insofar as it concerns the reporting of facts that do not fall under the Austrian Whistleblower Protection Act, legitimate interest of TTTech pursuant to Art 6 para 1 lit f GDPR. TTTech's legitimate interest lies in the processing of your personal data for the purpose of uncovering Compliance violations that are of great importance for the integrity and correct conduct of our company.
• Safeguarding the legitimate interests of TTTech (Art. 6 para. 1 lit. f GDPR). The legitimate interest of TTTech lies in the processing of your personal data for the purpose of detecting Compliance violations and the conduction of internal and external investigations. 
• your consent (Art. 6 para. 1 lit. a GDPR). 

Your personal data as well as the data of the persons included in your report or complaint may subsequently be passed on to lawyers, courts and authorities where this is legally required or appropriate. External specialists whom we engage are bound to TTTech by contractual or legal confidentiality obligations to keep confidential the information provided by you.

TTTech may also be required by law to provide certain government agencies, including, without limitation, government investigative agencies or courts with information about Compliance violations. If we are obligated to provide information, as well as in the event of confiscations, we are not able to withhold the information provided by you.

In some instances, TTTech is not obligated to share personal data with government agencies, but has the legal right to do so voluntarily. Please let us know if you do not want us to voluntarily share your personal data, including, without limitation, your name, with government agencies (unless this is necessary to safeguard the legitimate interests of TTTech). Please note, however, that, as a consequence, we may not be able to give full consideration to your report.

In addition, we will also forward the data contained in the report or complaint to our Group companies if they are the actual addressee of your information. However, this will be done in compliance with a strict need2know principle, while preserving your anonymity and maintaining strict confidentiality standards. The same applies to any forwarding to experts in other departments where necessary. 

Personal information that you may have provided in your report, may be transferred to other European Union countries or countries outside the European Union where the confidential treatment of personal data is not guaranteed by law to the same extent as it is in Austria. This applies particularly to countries which are not considered to have an adequate level of data protection as provided for in the European Union provisions. Within TTTech, however, an adequate level of data protection is guaranteed through corresponding inter-company agreements also in countries other than Austria. Please let us know if you do not want us to transfer your personal data, including, without limitation, your name, to countries other than Austria (unless this is necessary to safeguard the legitimate interests of TTTech). Please note, however, that, as a consequence, we may not be able to give full consideration to your report.

It is frequently required by law that the persons about which a report on indications of a Compliance violation has been received have to be notified and heard. In the course of the investigation, these persons will have the opportunity to present their view about the report. Please let us know if you do not want us to give your name as the Whistleblower. Please note that the person affected may have legal rights to information which may require us to disclose your name. Government agencies may also have similar rights to information or confiscation which will result in disclosure of your name. This may be the case in particular if the person affected claims that the information brought forward against him/her is knowingly or negligently untrue and decides to file charges.

Finally, we may note that our Whistleblowing Hotline (EQS Integrity Line) is provided for us by an external provider - this guarantees the Security Inbox functionality and the non-traceability of your identity. The service provider hosts our Whistleblowing Hotline in a strictly protected data center of the highest security level in Germany. Personal data entered into the Whistleblowing Hotline is stored in a database operated by EQS Integrity Line. All data is encrypted, password protected and stored in a secure location so that access to the content of the data stored electronically in EQS Integrity Line is restricted to a narrow circle of authorized persons from TTTech. EQS cannot view the content of the data stored electronically in this database.

Personal data that is not required for processing a report will be deleted immediately in accordance with Section 8 (10) of the Austrian Whistleblower Protection Act if it has been shared with us unintentionally. This principle applies to all reports that reach us via this Whistleblowing Hotline, regardless of whether the specific facts fall within the scope of the Whistleblower Protection Act.

All other personal data in connection with the provision of information will be stored for the duration of their necessary processing plus for a further five years from the date of completion of this processing or for as long as is necessary to carry out administrative or judicial proceedings already initiated or investigative proceedings under the Austrian Code of Criminal Procedure in accordance with the provisions of Section 8 (11) of the Austrian Whistleblower Protection Act. Deletion is carried out manually by the appointed Case Manager.

The EQS Integrity Line stores the processing activities actually carried out, in particular changes, queries or transfers, in accordance with the legal requirements. This log data is stored for three years after the retention period described in the paragraph above has expired and then deleted.

According to the data privacy law applicable in the EU/EEA, you have the right – provided that the respective legal requirements are fulfilled – to: 

• obtain confirmation as to whether TTTech processes personal data about you and, where that is the case, obtain access to your personal data processed by TTTech as well as other information, 
• obtain the rectification of your inaccurate personal data processed by TTTech,
• obtain from TTTech the erasure of your personal data processed by TTTech,
• obtain from TTTech restriction of processing of your personal data, 
• obtain your personal information that you have provided to TTTech in a structured, commonly used and machine-readable format or request that your personal information be transmitted to another recipient, 
• object to the processing of your personal data by TTTech and, on grounds relating to your particular situation, to object to the processing of your personal data insofar as the processing of your personal data is based on legitimate interests. 

You have the right to withdraw your consent at any time with effect for the future, i.e. your withdrawal does not affect the legality of the processing carried out based on the consent prior to the withdrawal. After withdrawal, TTTech may only process your personal data to the extent that TTTech can base the processing on another legal basis.

Our Data Privacy Organization provides support with any Data Privacy related questions, comments, concerns or complaints or in case you wish to exercise any of your Data Privacy related rights. The Data Privacy Organization may be contacted at: datenschutz(at)tttech.com.

Please note that pursuant to Section 8 (9) of the Austrian Whistleblower Protection Act, at least a restriction of the above-mentioned Data Subject Rights may apply as long as and to the extent necessary to protect the identity of a Whistleblower and to achieve the purposes specified by law, in particular to prevent, undermine or delay attempts to prevent, undermine or delay Whistleblowing or follow-up measures based on Whistleblowing, in particular for the duration of administrative or judicial proceedings or investigative proceedings under the Austrian Code of Criminal Procedure. In fact, in individual cases we are even obliged to refrain from providing information on a report.

The Data Privacy Organization will always use reasonable efforts to address and settle any requests or complaints you bring to its attention. Besides contacting the Data Privacy Organization, you always have the right to approach the competent Data Protection Authority with your request or complaint.

The Austrian Data Protection Authority is generally responsible for us as we are based in Austria; you can find their contact details here.

Here you will find a list of the external reporting channels responsible for Austria in accordance with the Austrian Whistleblower Protection Act:

• Bundesamt zur Korruptionsprävention und Korruptionsbekämpfung / Federal Office for the Prevention and Combating of Corruption
• Abschlussprüferaufsichtsbehörde (aufgrund des Abschlussprüfer-Aufsichtsgesetzes) / Auditor Supervisory Authority (on the basis of the Auditor Supervision Act)
• Bilanzbuchhaltungsbehörde (aufgrund des Bilanzbuchhaltungsgesetzes) / Accounting authority (on the basis of the Accounting Act)
• Bundeswettbewerbsbehörde (aufgrund des Wettbewerbsgesetzes) / Federal Competition Authority (on the basis of the Competition Act)
• Finanzmarktaufsichtsbehörde (aufgrund des Finanzmarkaufsichtsbehördengesetzes) / Financial Market Authority (on the basis of the Financial Market Authority Act)
• Geldwäschemeldestelle (aufgrund des Bundeskriminalamt-Gesetzes) / Money Laundering Reporting Office (on the basis of the Federal Criminal Police Office Act)
• Notariatskammern (aufgrund der Notariatsordnung) / Notarial chambers (on the basis of the Notarial Code)
• Rechtsanwaltskammern (aufgrund des Disziplinarstatuts für Rechtsanwälte und Rechtsanwaltsanwärter) / Bar Associations (on the basis of the Disciplinary Statute for Lawyers and Trainee Lawyers)
• Kammer der Steuerberater und Wirtschaftsprüfer (aufgrund des Wirtschaftstreuhandberufsgesetzes)[BS1]  / Chamber of Tax Consultants and Auditors (on the basis of the Act on the Public Accounting Professions)

Of course, you may also to turn to European institutions, at this point we would like to provide you with the contact details of the European Commission's Whistleblowing Hotline; you can find all the information you need here.