Privacy policy

December 2023 version.

This privacy policy sets out the conditions under which the company collects and uses your personal data. It may change according to the legal and regulatory context.

Personal data is collected and processed in compliance with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2018.

1.The data collected

In particular, the following categories of data may be collected when a person uses the alert system:

  • Personal identification data such as the surname, first name, job title and e-mail and telephone contact details of the whistleblower, persons who are the subject of a whistleblowing alert and persons involved in the collection or processing of the alert;

  • Electronic identification data such as IP addresses, cookies, connection logs, etc. ;

  • Geolocation data ;

  • Sensitive data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation;

  • Any other data required to verify the facts.

2.The identity of the data controller

The company acts as "Data Controller", in the sense that it determines the means and purposes of processing personal data. The company can be contacted at the following e-mail address dpo@geh.lu

3.Recipients and sub-contractors

Your personal data may be sent to the following recipients:

  • Third parties involved in disciplinary or legal proceedings relating to a warning;

  • To the host and publisher of the Platform: PLUG'N'COM, whose registered office is at ZAE Wolser G.220- L3434 DUDELANGE (LUXEMBOURG).

4.Purposes of processing

This data is collected and processed as part of the whistleblowing system, which enables anyone to report malfunctions that could affect the company's business, reputation and/or which could seriously engage the company's liability.

This purpose is based on international, european and national standards such as but not limited to and subject to any applicable new legislation: the principles of the Organization for Economic Co-operation and Development (OECD), the US Foreign Corrupt Practices Act (FCPA) of 1977, the UK Bribery Act of 2010, Directive (EU) 2019/1937 of 23 October 2019 etc.

5.Date retention period

The data will be :

  • immediately destroyed when the alert does not fall within the scope of the alert system as defined in point 1 ;

  • kept for a period of two (2) months after the end of the verification procedure if the alert falls within the scope of the alert system and no disciplinary or legal proceedings have been initiated;

  • kept until the end of the procedure when disciplinary or legal proceedings are initiated against the person who is the subject of the alert, or against the perpetrator of an abusive alert. If there is an obligation to archive the data, it will be stored on a separate information system with limited access for a period not exceeding the duration of the legal proceedings.

The data collected will be stored in the EU.

6.Safety and security

Our company takes appropriate organizational, technical, software and physical measures to protect personal data against alteration, destruction and unauthorized access.

7.Your rights

Pursuant to the regulations applicable to personal data, as the owner of the personal data collected by our company you have the following rights in particular:

  • rectify, update or delete your personal data;

  • exercise your right of access to details of your personal data collected by our company. In this case, before exercising this right, we reserve the right to request proof of identity;

  • object to the processing of your personal data. The exercise of this right is only possible in one of the following two situations: when the exercise of this right is based on legitimate grounds or aims to prevent the data collected from being used for commercial prospecting purposes;

  • request the portability of your data where processing is based on your consent and is carried out using automated processes;

  • request the restriction of the processing of your data, for a certain period of time, when :

    • you dispute the accuracy of the personal data,

    • the processing is unlawful but you object to the deletion of the personal data in question,

    • the data controller no longer needs your personal data but it is still necessary for you to establish, exercise or defend legal claims,

    • you have objected to processing on legitimate grounds ;

  • lodge a complaint with a supervisory authority: If you consider that our company is not complying with its obligations with regard to the protection of personal data, you may lodge a complaint or

a request with the competent authority. By way of example and without claiming to be exhaustive:

  • "Commission Nationale de l'Informatique et des Libertés" in FRANCE,

  • "Commission Nationale de contrôle de la protection des Données à Caractère Personnel" in LUXEMBOURG,

  • "Data Protection Authority" in BELGIUM,

  • "Agencia de Protección de Datos" in SPAIN,

  • "Garante per la protezione dei dati personali" in ITALY,

  • "National Authority for Data Protection and Freedom of Information in HUNGARY,

  • "Information Commissioner's Office in the UNITED KINGDOM,

  • And so on.

These requests can be made via the https://geh.lanceuralertes.com/ platform.