The Grant Thornton Germany Whistleblowing System
Compliance means complying with requirements. More narrowly, this refers to companies and their workers complying with the law and observing legislation and regulations. It also includes aspects such as integrity, honesty and business ethics.
For us at Grant Thornton Germany, compliance means observing human rights, all legal provisions and professional regulations, and the relevant codes of conduct (the codes of conduct of Grant Thornton Germany, the Institute of Public Auditors in Germany [IDW] and IESBA) as well as internal policies.
We realise that even the best compliance system cannot prevent all misconduct. But this does not mean that we tolerate such misconduct. Rather, we aspire to clear up and resolve it as much as possible and learn from it for the future. This is the only way we can continually improve our compliance system and reduce the likelihood of future misconduct.
Both workers at Grant Thornton Germany (“internal whistleblowers”) and external whistleblowers can make reports and complaints via our internal whistleblower system. The digital whistleblower system allows reporting and communication to be anonymous. The whistleblower system is also the place to report breaches of the law, including potential infringements of the German Supply Chain Due Diligence Act [Lieferkettensorgfaltspflichtengesetz – LkSG].
The following internal and external channels are available for making a disclosure or a complaint:
Using this system, whistleblowers may report instances of non-compliance confidentially, or anonymously if desired. The disclosure is sent directly to our Legal & Compliance staff. At the same time, the whistleblower system enables the whistleblower and Legal & Compliance staff to communicate while ensuring that the whistleblower remains anonymous. The Grant Thornton Germany whistleblower system is available in German and English.
Apart from the online whistleblower system, written reports may also be handed in to:
Grant Thornton AG
Wirtschaftsprüfungsgesellschaft
Legal & Compliance / confidential
Johannstraße 39
40476 Düsseldorf
The following email address may also be used for disclosures: compliance@de.gt.com
The Legal & Compliance contacts are also available for a personal conversation on prior arrangement, including by video or voice call if desired.
Alternatively, the following external reporting bodies can also be used for complaints:
Hinweisgeberstelle des Bundesamtes für Justiz (BfJ)
Hinweisgeberstelle der Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
You can find more information on the digital whistleblower system and the complaints procedure behind it in this policy.
1. Purpose of this investigations policy
This investigations policy regulates the investigation that follows when a disclosure is received. Grant Thornton Germany also considers its whistleblower system as an early warning system to become aware of potential risks within its own area of business or its supply chain.
The whistleblower system fulfils both the requirements of the Whistleblower Protection Act [Hinweisgeberschutzgesetz – HinSchG] and the complaints procedure pursuant to the Supply Chain Due Diligence Act.
The validity of the complaints procedure is reviewed annually and when particular events occur. Adjustments to the policy and any preventive or remedial measures are made as needed.
2. Confidentiality and protection of whistleblowers
Disclosures are processed by the responsible Legal & Compliance contact at Grant Thornton AG Wirtschaftsprüfungsgesellschaft (“internal reporting point”). The internal reporting point fulfils its responsibilities impartially, independently and free from instruction, and is obliged to maintain confidentiality and observe the rights of whistleblowers and other affected persons.
Disclosures are always investigated, discussed and examined in strict confidentiality. This does not apply, however, if a report is submitted with gross negligence or is intentionally false, or if statutory duties to provide information to authorities or courts must be complied with.
The digital whistleblower system allows communication with whistleblowers via an anonymous mailbox. The system does not store technical data that allow conclusions to be drawn about whistleblowers (IP address, location data, device specifications, etc.). Whistleblowers’ personal data are only collected if the whistleblowers enter these data in the digital whistleblower system. If whistleblowers disclose their identity or name other persons in their disclosure, this information is treated confidentially in further processing and following up of the disclosure.
3. Investigation procedure
3.1 Receiving a report
When a report is received, it is recorded in the digital whistleblower system and forwarded to the internal reporting point. After submitting the report, the whistleblower is shown an ID and a password on the screen. This information should be kept in a safe place because it will be needed later to log into the digital whistleblower system.
Whistleblowers are notified promptly that their report has been received, and within seven days at the latest.
3.2 Processing the report
The internal reporting point will consider the report, examine whether it comes within the scope of use of the digital whistleblower system, ask any questions, investigate the matter and take any follow-up measures.
3.3 Potential measures
Follow-up measures that the internal reporting point may take include carrying out internal inquiries and contacting the persons and entities concerned, referring the whistleblower to other responsible bodies, or concluding the investigation, whether owing to a lack of evidence, for other reasons, or in order to pass further inquiries on to either: a) a department responsible for internal investigations or b) a responsible authority.
If the internal reporting point is convinced that misconduct has taken place, a proposal for further action is developed, including preventive and remedial measures. Whistleblowers are included in this process as much as possible and necessary.
3.4 Response to whistleblowers
A response will be given to whistleblowers at the latest three months after confirmation of receipt of the report. This includes notification of planned follow-up measures as well as those already taken and the reasons for them, or a notification giving reasons why no action is being taken.
Whistleblowers may only be notified if this does not affect internal investigations or inquiries and does not affect the rights of persons who are the subject of a report or are named in the report.
3.5 Conclusion of the investigation
Whistleblowers will be informed when the investigation has been concluded.
The time taken to process an investigation varies by the complexity of the matter and can therefore take a few days or several months.
How we handle your data on visiting our website and your rights
Data protection information under Art. 13 et seq. of the EU General Data Protection Regulation
Thank you for visiting the Grant Thornton Germany[1] (“GT” or “we”) webpage on using our whistleblower system. The security and protection of data when using our website is very important to us. We would therefore like to let you know what personal data we collect about you when you visit our website and what purposes we use them for.
Where the masculine form is used in this privacy policy, it stands equally for female, non-binary, intersex and transgender persons.
[1] This includes the following controllers: Grant Thornton AG Wirtschaftsprüfungsgesellschaft and Grant Thornton Rechtsanwaltsgesellschaft mbH.
I. Name and address of the controller
The controller within the meaning of the EU General Data Protection Regulation (“GDPR”) and of other national data protection legislation of the Member States (in Germany, the Federal Data Protection Act [Bundesdatenschutzgesetz], “BDSG”) and of other data protection regulations is:
Grant Thornton AG
Wirtschaftsprüfungsgesellschaft
Johannstraße 39
40476 Düsseldorf
Tel: +49 211 9524 0
Email: datenschutz@de.gt.com
You can find more information on data protection at Grant Thornton AG Wirtschaftsprüfungsgesellschaft and Grant Thornton Rechtsanwaltsgesellschaft mbH at www.grantthornton.de/en/gdpr-information.
II. Data protection officer contact information
CONCEPTEC GmbH
Thorsten Werning (certified DPO)
Bleichstraße 5
45468 Mülheim an der Ruhr
Tel.: (0208) 69609 0
Fax: (0208) 69609 190
Email: Datenschutzbeauftragter@de.gt.com
III. Definitions
These definitions are based on the GDPR, the BDSG and other data protection regulations. The definitions in Arts. 4 and 9 of the GDPR apply in particular.
IV. General information on data processing
GT processes your personal data only to the extent necessary to process your report or complaint. You can submit your report or complaint anonymously. If you do so, the issue will be processed and communication with you will take place without any personal data. This means your report or complaint will not be traceable back to you.
The processing of personal data (e.g. collection, recording, consultation, use, storage or transmission) always requires a legal basis or your consent.
Personal data are erased as soon as the purpose of the processing has been achieved and no legally prescribed retention duties must be observed.
V. Data collection through use of the whistleblower system
1. Description and extent of data processing
Using our reporting procedure, disclosures can be made anonymously. To make a disclosure on our whistleblower portal, all that is needed is to state the place, time and background to be reported in the description of your concern. Your report will be sent in an encrypted and anonymised format, i.e. it is not assigned to a user and your metadata are removed. You can, however, voluntarily disclose personal data about your person as part of the reporting process. If you do not disclose any data about your person, the case processors will have no way to relate it to you.
In using our whistleblower system, we only process such personal data as you, the whistleblower, provide to us when making the disclosure. This may include named persons, address information or information on personal circumstances. Furthermore, the whistleblower system does not process any personal data that the whistleblower does not consciously provide to us.
These data are not combined with other sources of data. The registration data (user name and password) are also not linked to an email address, so it is not possible to reset the password you have selected.
2. Purpose of data processing and legal bases
We have implemented a whistleblower system in order to comply with laws and internal policies and to be able to identify, process and eliminate misconduct without undue delay.
Establishing the whistleblower system is to fulfil our legal duties under Art. 6(1)(c) of the GDPR in conjunction with Directive (EU) 2019/1937 (the “EU Whistleblower Directive”) and to implement internal compliance measures to detect breaches of duties under employment law (Section 26(1) sentence 1 BDSG) and to detect crimes (Section 26(1) sentence 2 BDSG). We otherwise base the processing of personal data on our legitimate interest of appropriately preventing and combating corruption under Art. 6(1)(f) of the GDPR. By submitting the report form, whistleblowers declare their consent to the processing of the data (Art. 6(1)(a) GDPR).
3. Duration and place of storage
Personal data that we receive via our whistleblower system are stored for as long as is necessary to investigate and conclusively assess the disclosure. After investigations have been concluded, the personal data are erased in compliance with the statutory regulations within an appropriate period, as a rule one month. If court and/or disciplinary proceedings are initiated, the data may be stored until the proceedings are concluded or until the deadlines for legal remedies expire. Personal data relating to disclosures that are baseless will be erased without undue delay.
Based on our storage and documentation duties, we store your information (outside our whistleblower system) on servers at a high-security server centre in Germany that is certified under ISO-27701.
If an allegation made in a disclosure cannot be proven, all personal data within the case are anonymised.
4. Recipients of personal data
Only authorised staff receive access to your data, in order to investigate the allegations in your disclosure. Your personal data are not disclosed in any other way.
VI. Technically necessary data collection on the website
1. Description and extent of data processing
Every time our website is accessed, our system automatically collects data and information from the system of the accessing computer. These include:
· Account data and user name
· IP address
· Browser type and browser version
· Transient cookies: Language setting and session ID
2. Purpose of data processing and legal bases
The temporary storage by the system of technically necessary log files, transient cookies and the IP address is necessary to allow the website to be provided to your computer. To do this your IP address must be stored for the duration of the session.
Log files are stored to ensure the functionality of the website. The data also allow us to safeguard the security of our IT systems.
The legal basis for the storage of the technically necessary log files, transient cookies and IP address is based on our legitimate interest pursuant to Art. 6(1)(f) of the GDPR related to the provision and functionality of the webpage.
3. Storage duration
The log files and IP address are stored for such time as is necessary to achieve legitimate purposes. Transient cookies are automatically erased when you close your browser. This particularly includes session cookies. These store a session ID which allows different queries from your browser to be attributed to the same session. In this way, your computer can be recognised again when you return to our website.
4. Maintaining your anonymity
If you have decided to make an anonymous disclosure, the whistleblower system provides no way for the log files to jeopardise your anonymity, whether via data from the database or via your IP address.
VII. Rights of data subjects
The GDPR conveys certain rights to data subjects whose data are processed (“rights of the data subject”). If you would like to exercise one or more of these rights, you can contact us at any time. As a data subject you have the following rights in particular:
1. Right of access under Art. 15 GDPR
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed.
2. Right to rectification under Art. 16 GDPR
You have the right vis-à-vis the controller to rectification of inaccurate personal data concerning you and/or to have incomplete personal data completed. The controller is to rectify them without unreasonable delay.
3. Right to erasure under Art. 17 GDPR
You have the right to obtain from the controller the erasure of personal data concerning you without unreasonable delay and the controller is obliged to erase personal data without unreasonable delay unless one of the exceptions laid down by the GDPR applies or other statutory retention duties require us to keep the relevant data.
4. Right to restriction of processing under Art. 18 GDPR
You may obtain from the controller restriction of processing of personal data concerning you under the conditions laid down by the GDPR.
5. Right to data portability under Art. 20 GDPR
You have the right to receive the personal data concerning you which you have provided to the controller, and whose processing is based on consent or on a contract with you, in a structured, commonly used and machine-readable format. Furthermore, under the conditions laid down by the GDPR, you have the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided.
In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.
6. Right to object under Art. 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on points (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
7. Right to withdraw consent under Art. 7(3) GDPR
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In this case, all personal data stored based on consent shall be erased unless another legal basis for continued storage exists under the law.
You can withdraw your consent at any time at datenschutz@de.gt.com.
8. Right to lodge a complaint under Art. 77 GDPR
In the case of infringements against data protection regulations, data subjects have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedies.
The data protection supervision authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
Tel.: +49 (0)211 38424-0
Fax: +49 (0)211 38424-999
Email: poststelle@ldi.nrw.de
You can find the contact information of other data protection supervisory authorities in Germany by following this link: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.htm.
VIII. Duty to provide data
When using our whistleblower system, you only need to provide the information necessary to process and follow up your disclosure. If you do not supply the information necessary to resolve the allegations properly, we will probably not be able to resolve the issue.
IX. Profiling/Profile creation
We do not process your data in an automated manner to evaluate certain personal aspects (“profiling” pursuant to Art. 4(4) GDPR). We do not use profiling.
X. Automated individual decision-making
We do not use automated decision-making pursuant to Art. 22 of the GDPR.
XI. Security
GT protects your data using technical and organisational security measures to prevent accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security measures, e.g. data encryption, are regularly improved according to the development of technology. Furthermore, our employees and service providers are obliged to maintain confidentiality in handling your personal data.
XII. Further information
We value the trust you place in us. We therefore intend to be available to you at all times to answer your questions about the processing of your personal data. If you have any questions that this Privacy Policy has not been able to answer or if you would like in-depth information on any point, please contact us at any time at the following email address: datenschutz@de.gt.com.
We reserve the right to amend this Privacy Policy from time to time upon further development of data protection legislation or technological or organisational changes and will notify you of all major changes that will have an effect on the use of your personal data. This Privacy Policy was updated in December 2025.