Sartorius is requested by European and local adoption laws to establish and operate internal reporting channels and procedures enabling the notification of alleged cases of non compliance with applicable laws, regulations and human rights principles. Sartorius has established reporting channels for the purpose of complying with this statutory request. You are entitled to use these reporting channels to report circumstances that you believe constitute a case of non-compliance under such laws or under the Sartorius policies and principles. You have the option to make a report anonymously, but we encourage you to leave your name and contact information so we can reach out for clarification of facts and background. If you do not report anonymously, your data will be processed for the purpose of investigating and clarifying the notified compliance issue. The legal basis for the processing of your personal data is Art. 6 (1) (c) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") in conjunction with the local whistleblower protection laws applicable in your country for the implementation of the European Whistleblowing Directive (EU) 2019/1937 ("Local Whistleblowing Laws"), including, without limitation, Section 10 of the German Whistleblower Protection Act ("HinschG"). The processing of your personal data is also based on Sartorius’ legitimate interest in the performance of the reporting channel, the detection and prevention of misconduct and thus in the prevention of damages or the enforcement of related claims. Alternatively, the processing of your personal data can be based on your consent if you provided such consent.

The legal basis for the processing of your personal data is Art. 6 (1) (a) GDPR, in case you provided your consent, or alternatively Art. 6 (1) (f) GDPR, respectively Art. 9 (2) (f), (g) GDPR, if personal health data are concerned, both legal bases each in conjunction with applicable Local Whistleblowing Laws. If we have received your personal data in the context of a report or a subsequent investigation, we will process it for the same purposes and on the same legal basis as those already mentioned above.

As part of the investigation, it may be necessary to disclose your report or the information you provided as part of a compliance investigation to other employees involved in the investigation. These may be employees of affiliated companies of the Sartorius group (“Sartorius Affiliates”). We may also share your personal data with trusted vendors that help us operating the reporting channel, all of which are contractual bound to secrecy and compliance with applicable data protection laws (e.g. whistleblower portal). Furthermore, we are legally obligated to inform the accused persons who are subject of the reported allegation as soon as this information no longer jeopardizes the investigation of the report. Your identity as a whistleblower will not be disclosed in this process, to the extent permitted by law. Regarding the origin of your data, we may receive your personal data as part of a report from a whistleblower or the accused. 

Your personal data will be kept for as long as is required for the purpose of the investigation of the reported case of non-compliance and for making a final assessment on the case. Once the investigation has been completed, the related data is deleted in accordance with applicable data protection and Local Whistleblowing Laws. The standard retention period after the conclusion of the investigation will be three years in Germany, Sec. 11 (5) HinschG. We may retain your personal data beyond this retention period if Sartorius has a legitimate interest to retain the data (e.g. for the enforcement or defense of legal interests and claims), or is required by law to keep such data. After the legal basis for lawfully processing and storing your personal data has expired, the data will be deleted in accordance with applicable privacy laws.

For the purpose of the investigation, it may be necessary to transfer your personal data to Sartorius Affiliates, which may have their registered office in countries outside the European Union or the European Economic Area. A transfer will only take place if the Commission has decided that the third country provides an adequate level of protection (adequacy decision), or if appropriate safeguards are in place that establish an adequate level of protection of your data, such as the conclusion of Standard Contractual Clauses between Sartorius and the data importer in the third country. You are entitled to request a copy of the applicable Standard Contractual Clauses from the Data Protection Officer (see Sec. 1).

Every data subject has the right to have access to and receive a copy of the stored personal data according to and under the conditions of Art. 15 GDPR, withdraw his or her consent at any time according to Art. 7 GDPR, ask for rectification of their personal data according to Art. 16 GDPR, erasure of their personal data according to Art. 17 GDPR, restriction of the processing of their personal data according to Art. 18 GDPR, data portability according to Art. 20 GDPR and objection to the processing of their data according to Art. 21 GDPR where the processing is based on Sartorius’ legitimate interest. Every data subject also has the right to complain to the competent Data Protection Supervisory Authority if they believe the processing of their data does not comply with applicable data privacy laws To exercise your rights, please contact our Data Protection Officer at: dataprotection@sartorius.com

When you make a report, the data you provide is voluntary. This does not apply if, as an employee, you are required to cooperate in the investigation as part of your employment obligations.