Privacy policy
Protecting your privacy is important to us. We respect your identity and privacy and ensure that they are protected and that your personal data is processed in accordance with the applicable laws.
Please read this data protection information carefully before submitting a report.
Purpose of the whistleblowing portal
The whistleblowing portal (BKMS® system) serves as a secure and confidential means of receiving, processing and managing reports about suspected or actual violations of the SBB Code of Conduct or other internal regulations and unlawful acts.
The processing of personal data in connection with the whistleblowing portal serves to uncover and prevent abuses and thus to avert losses for SBB, its employees and its customers.
Responsibility
SBB is responsible for processing your data.
Please do not hesitate to contact our in-house data protection consultants officer at any time with any questions or comments regarding data protection. You can either contact him by post:
SBB AG
Data protection office
Hilfikerstrasse 1
3000 Bern 65
or by email: datenschutz@sbb.ch.
How to reach our data protection representation in the EU:
MLL Brussel SPRL
222, Av. Louise
1050 Bruxelles
Belgium
sbb@mll-gdpr.com
The whistleblowing portal is operated by a specialized company, EQS Group GmbH, Member of EQS Group, Bayreuther Str. 35, 10789 Berlin, Germany, on behalf of SBB .
Personal data and information entered the whistleblowing portal are stored in a database operated by EQS Group GmbH in a high-security data center. Only SBB has access to the data. EQS Group GmbH and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organizational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorized persons at SBB.
Type of collected personal data
Use of the whistleblowing portal is voluntary. If you submit a report via the whistleblowing portal, we collected the following personal data and information:
- your name, if you choose to reveal your identity,
- whether you are an employee of SBB or their Group companies, and
- as applicable, the names and other personal data of persons that you name in your report.
Confidential handling of reports
Incoming reports are received by a small selection of expressly authorized and specially trained employees of SBB or their Group companies and are always treated as confidential. The employees examine the relevant facts and perform any further investigation as may be required in the specific case. All data relating to the investigation are also treated as confidential.
During the processing a report or the conduct of an investigation it may become necessary to share reports with employees of group companies , especially if the report refers to incidents at subsidiaries. The latter may be based in countries outside Switzerland, with different regulations concerning the protection of personal data. We always ensure that the applicable data protection regulations are complied with when sharing reports.
All persons who receive access to the data are obligated to maintain confidentiality. Based on applicable law, governmental authorities may under special circumstances require the disclosure of the personal data.
Internal forwarding of reports
Reports that do not contain any violations of the SBB Code of Conduct or other internal guidelines or any unlawful acts, and for which a different internal reporting process is in place, will be forwarded directly to the responsible office, subject to the consent of the person making the report. If the person making the report does not grant its consent, he or she will be informed of the responsible office. If the reported circumstances do not constitute a security issue, the report will not be forwarded or processed.
Use for specified purpose
SBB uses the personal data only for the purpose of clarifying facts and implementing corresponding measures, including potentially preventive measures. SBB has taken appropriate measures to ensure that data that is incorrect or incomplete for the intended processing purpose will be corrected or destroyed.
Duty to provide information
If personal data is collected via the SBB whistleblowing portal, SBB will inform employees affected by the report about the internal investigation as soon as feasible considering the purpose of investigation.
Rights of data subjects
Upon request, SBB will provide information to data subjects on the respective personal data that it stores about them If any stored data is incorrect, the data subjects have the right to rectification, modification, or erasure. As a general principle, the identity of the person making the report remains exempted from the right of access.
The right of access and rectification may be met as soon as this would no longer jeopardize the handling of the case and related measures.
Retention period of personal data
Personal data are retained for as long as necessary for the processing of a report and the implementation of any related measures. After completion of the procession of a report, these data are erased according to applicable law. After the processing of the report has been completed, this data is generally deleted after five years (subject to deviating statutory retention obligations) or after expiration of the statute of limitations for criminal prosecution. If reports are forwarded to the responsible body, the data is deleted after just one year.
Use of the whistleblowing portal
Communication between your computer and the reporting system takes place over an encrypted connection (SSL). Your computer's IP address is not stored during your use of the whistleblowing portal. To maintain the connection between your computer and the whistleblowing portal, a cookie is stored on your computer that merely contains the session ID (a so-called null cookie). This cookie only remains valid until the end of your session and expires when you close your browser.
You have the option of setting up a secure mailbox on the whistleblowing portal using a pseudonym / username and password of your choice. This allows you to send reports to the competent SBB or the Group companies’ employees in a secure manner either in your own name or anonymously. This system only stores data inside the whistleblowing portal, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
When submitting a report or sending supplementary information, you have the option of also sending attachments to the competent SBB or Group companies’ employees. If you wish to submit an anonymous report, please take note of the following security advice: Files can contain hidden personal data that could compromise your anonymity. Please remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Amendments to this privacy policy
SBB may amend this privacy policy at any time. Please consult this policy regularly.
