Information obligations as per GDPR for the Daimler Truck Whistleblowing System SpeakUp

Protection of your personal data is of high priority to us. In the following privacy statement in accordance with the General Data Protection Regulation (GDPR), you will receive a detailed overview how your personal data is processed by Daimler Truck AG. Personal data refers to all information relating to an identified or identifiable natural person. Using these privacy statement, we inform you about the nature, scope, and purposes of collecting personal data at Daimler Truck AG and how we work with this data.

We would like to inform you about the rights you have regarding the processing of your personal data.

Who is responsible for processing my data and who can I contact regarding data protection?

The responsible party for the processing of personal data described below is:

Daimler Truck AG
Fasanenweg 10
70771 Leinfelden-Echterdingen
Germany
Email: contact@daimlertruck.com

The contact details for the Group Data Protection Officer are as follows:

Daimler Truck AG
Group Data Protection Officer
HPC DTF2B
70745 Leinfelden-Echterdingen
Germany
Email: dataprivacy@daimlertruck.com

For what purposes are my data used (Purpose of processing) and on what basis (legal basis) does this take place?

Within the Whistleblowing System SpeakUp, personal data is processed for the following purposes:

  1. Investigation and sanctioning of misconduct, including breaches of obligations within the employment relationship, regulatory offences, or crimes, in particular fraud, corruption, money laundering, theft, antitrust violations, tax offences, and other economic offences
  2. Compliance with legal requirements, including Sections 130, 30 Act on Regulatory Offences (OWiG), as well as Sections 93, 111 German Stock Corporation Act (AktG), to fulfil our supervisory, documentation, and reporting obligations, to uncover conflicts of interest, maintain whistleblowing systems, or ensure that our goods and services comply with legal requirements
  3. Rehabilitation of accused individuals, including identifying facts that lead to the exoneration of persons wrongly accused

The Whistleblowing System SpeakUp enables individuals to report potential crimes, serious policy violations, and other cases of misconduct within the Daimler Truck Group. Data processing is based on Article 6 paragraph 1 lit. f of the General Data Protection Regulation (GDPR).

The legitimate interest of the responsible party in data processing under Article 6 paragraph 1 lit. f GDPR is primarily derived from the legitimate interest of the responsible party or third parties to investigate and sanction a committed misconduct.

How long will my data be stored?

We impose a restriction on the storage of your data and delete it as soon as it is no longer necessary for the purposes mentioned above. If you are an employee of the Daimler Truck Group, your personal data will be stored after the termination of your employment relationship as long as we are legally obliged to do so. According to our Group Works Agreement (1118.2), we delete data related to minor risk rule violations after one (1) year and data related to major risk violations after six (6) years. If a major risk rule violation cannot be proven, but the suspicion also cannot be completely discounted, the data will be deleted after two (2) years. If compliance investigations determine that a reported violation is without merit, the collected data will be promptly deleted. Furthermore, it may be necessary to retain personal data for the period during which claims can be made against the accused person of misconduct (statutory limitation period of three (3) or up to thirty (30) years). Additionally, legal retention periods (including those from laws pertaining to tax or fees, or commercial laws) may also oblige us to store your data.

Will my data be disclosed?

The responsible party only discloses data to third parties within the scope of compliance measures and internal investigations if there is a legal basis or consent for such data transfer.

In the context of compliance measures and internal investigations, the following recipients are considered, in particular:

Within the Daimler Truck Group, your data may be transmitted to specific companies for the clarification of possible compliance matters, especially when involving multiple group companies.

The responsible party may disclose the results of compliance measures or findings from ongoing investigations to public authorities, particularly German or foreign law enforcement agencies, courts, or other authorities. Such disclosure may be necessary if legally obligated to disclose such data, for instance, which may be the case in the context of criminal investigations.

Furthermore, to fulfil our contractual and legal compliance obligations, we also make use of various external service providers, such as law firms, auditing firms, and technical service providers. In cases where we make use of service providers under our instructions (e.g., for the operation of the technical systems we use) within the framework of compliance measures and internal investigations, the transfer of data to these recipients is based on Article 28 of the GDPR in conjunction with the respective data processing agreement concluded with the service provider.

What personal data do we process?

In the context of compliance measures, we particularly utilise the following categories of data:

  • Personal master data (e.g., first name, last name, titles, nationality, employee ID, marital status, social security number, if applicable, work permit)
  • Contractual data (type of employment, employment status, start date, and, if applicable, end date of employment), contact details (e.g., home address, mobile and telephone number, email address)
  • Company-related information (e.g., position in the company, supervisor/management level, job title, professional contact details)
  • Information regarding the matter of concern, for instance, for internal investigations (e.g., all relevant details for evaluating the matter, conversation logs; this may also include breaches of obligations or criminal offences in individual cases)
  • Company documents (e.g., travel expense reports, time tracking data, time records and hour breakdowns, performance records, travel logs, and invoices)
  • Communication data generated in connection with your professional activity (e.g., official documents, internal and external correspondence in the context of email evaluations, IT usage information, information about internal access and authorisation, evaluation of electronic storage media, internet usage analysis, connection data analysis)
  • Data for performance evaluation, personnel development/promotion, qualifications, and further education (e.g., certificates, evaluations, training history, information about misconduct and resulting measures or employment law sanctions)
  • Data related to internal investigations (e.g., information contained in final or interim reports, documented interviews, witness statements, or similar documents)
  • Special categories of personal data as defined in Article 9 paragraph 1 of the GDPR (e.g., health data, data about possible union membership, biometric data, or data about political or religious beliefs; your employer will process such data only in individual cases and in accordance with relevant data protection regulations under Article 9 paragraph 2 of the GDPR or Section 26 paragraph 3 of the BDSG)


Will my data be transferred to a third country or international organisation?

If the data controller responsible for processing personal data transfers such data to affiliated or non-affiliated entities in third countries that are not within the European Economic Area (EEA) as part of compliance measures and investigations, the transfer of the same shall only occur if the third country has been confirmed by the European Commission to have an adequate level of data protection, or other legal safeguards are in place. Legal safeguards for internal data transfer within the Group include the Data Protection Directive of the Daimler Truck Group (A17). An appropriate safeguard for transferring data to external third parties outside the EEA may include EU standard contractual clauses, which can be complemented by supplementary agreed-upon technical and organisational measures as needed.

What rights do you have as a data subject?

You can assert the following data protection rights against the responsible party. You are welcome to use the email Speakup@daimlertruck.com:

  • You have the right to request information about the personal data stored or processed about you, as well as the information listed in Article 15 of the GDPR.
  • You can promptly request a correction of incorrect personal data concerning you and, if necessary, the completion of incomplete personal data (Article 16 of the GDPR).
  • You can demand that the personal data concerning you be deleted, provided that such data are no longer necessary for compliance measures and legal obligations. The specific reasons are listed in detail in Article 17 of the GDPR (Right to erasure).
  • You can request the restriction of processing if one of the conditions listed in Article 18 of the GDPR is met, e.g., if you, as the data subject, object to the processing during the examination by the responsible party.
  • You can demand the release of the personal data concerning you in a readable electronic format if you have provided it electronically yourself (Article 20 of the GDPR).
  • Moreover, you can object to the processing of your data if there are specific reasons arising from your situation that contradict data processing. Unless compelling legitimate interests of Daimler Truck AG are present (e.g., exercising legal claims or defending against legal claims), Daimler Truck AG may no longer process your data (Article 21 of the GDPR). The right to object also applies to cases of conducting compliance measures (e.g., internal investigations). In such cases, the responsible parties promptly review your requests to consider them as required by law during the execution of the measures.


You have the right to lodge a complaint with the Group Data Protection Officer or a data protection supervisory authority if you believe that the processing of personal data concerning you violates the GDPR or other laws (Article 77 of the GDPR).

You can reach the Group Data Protection Officer of Daimler Truck AG at:

Group Data Protection Officer
Daimler Truck AG, HPC DTF2B
Fasanenweg 10
70745 Leinfelden-Echterdingen
Germany
dataprivacy@daimlertruck.com