Skip to main content

Privacy Policy for the Whistleblower System

Last updated: June 2023

We, Bionorica SE, are not only committed to protecting your health but also to protecting your data and therefore your privacy. This Privacy Policy is designed to inform you regarding

  • which personal data we collect, store, block, delete or otherwise process from you in the course of our Whistleblower System (collectively referred to as "processing"),  
  • the purpose for which we use the data, 
  • how you can object to the use of such data or withdraw your consent and
  • which rights you have as a data subject, e.g. how you can revoke your declared consent and exercise additional rights to information, rectification, objection and deletion with respect to your data

1. Who is responsible for data processing and who can I contact?

The (data) “controller”, as defined in the GDPR (General Data Protection Regulation), is:

Bionorica SE
Kerschensteinerstr. 11-15
92318 Neumarkt
Telefon: +49 (0) 9181 231-90
Telefax: +49 (0) 9181 231-265

You can contact our company data protection officer by email at or by post at the above address to "The Data Protection Officer".

2. Scope of validity

This Privacy Policy applies to the operation of the whistleblower system of Bionorica SE in accordance with § 12 HinSchG, including the receipt and processing of hints (e.g. communication with the whistleblower, verification of hints, case-related investigation measures, documentation).

We reserve the right to change this Privacy Policy at any time with effect for the future. The current version is available on our website. Please visit our website regularly to consult the applicable data protection provisions.

3. What sources and data does Bionorica SE use?

We process personal data that we receive in the course of a hint received, the clarification of the case that may be triggered by this and any follow-up measures. The scope of the data depends in particular on each specific case. When you submit a hint, you are free to decide whether you wish to do so under your name or anonymously.

The personal data processed by us regarding the whistleblower, the persons affected by the whistleblowing as well as other relevant persons may include in particular:

  • Personal master data e.g. name, address
  • Information on job position e.g. function, job title, field of activity
  • Information on personal conduct e.g. suspected misconduct
  • Any other data related to the receipt or adequate processing of hints

During the processing of the above-mentioned data categories, there may also be processing of special categories of personal data (e.g. processing of health data), depending on the specific hint.

4. Processing purposes and legal basis

We process personal data in accordance with the provisions of the European General Data Protection Regulation (EU GDPR) and the German Federal Data Protection Act (BDSG) on the following legal bases:

4.1. For the fulfilment of legal obligations (Art. 6 para. 1 cl. 1 lit. c GDPR)

Bionorica SE is obliged by law to establish and operate an internal whistleblower reporting office in accordance with Section 12 HinSchG. The measures implemented by Bionorica SE serve to fulfill this legal obligation. The Whistleblowing Desk is further authorized under Section 10 HinSchG to process personal data (including data of special categories) to the extent necessary to fulfill its legal duties.

4.2. For the purposes of the legitimate interests (Art. 6 para. 1 cl. 1 lit. f GDPR)

Insofar as we process data (in particular in the case of identified misconduct) as part of or in preparation for legal defense, this is done on the basis of our legitimate interests.

Our Whistleblowing Desk also investigates information about legal violations that do not fall within the scope of § 2 HinSchG. In such cases, the processing is based on our legitimate interest in acting in a legally compliant and ethical manner.

Processing on the basis of legitimate interests shall only take place if our legitimate interests outweigh any conflicting legitimate interests of the data subject(s).

4.3. Based on your consent (Art. 6 para. 1 cl. 1 lit. a GDPR)

Insofar as you have given us consent to process personal data for specific purposes, the lawfulness of this processing is given on the basis of your consent. This is the case, for example, when the identity of the whistleblower is disclosed or when a verbatim record is created as part of a personal meeting.

Consent given can be revoked at any time. This also applies to the revocation of declarations of consent given to us prior to the application of the GDPR. Please note that the revocation of consent does not affect the lawfulness of the processing carried out until the revocation.

The revocation of consent can be made free of charge and informally to our contact data mentioned under item 1. In the case of a revocation by telephone, we may ask you to provide additional proof of your identity by another means.

5. To what extent is automated decision making applied in individual cases?

When operating our whistleblowing system, we do not use automated decision-making pursuant to Article 22 of the GDPR. If we use these procedures in individual cases, we will inform you about this separately if this is required by law.

6. Who gets my data?

Bionorica SE ensures that personal data is only accessible to a limited number of authorized persons who require this data for the performance of their duties (employees of the Whistleblowing Desk and persons who support them in the performance of their duties).

Carefully selected and controlled service providers used by us may also receive data for these purposes (e.g. operators of a web-based information reporting tool), but are obligated to comply with the applicable data protection requirements as part of a so-called contract data processing.

Personal data will only be passed on or otherwise transferred to third parties (e.g. lawyers, courts, official or public bodies) if there is a legal basis for doing so (e.g. legal obligation, consent).

Any disclosure of the identity of the whistleblower or of data that allows conclusions to be drawn about the identity of the whistleblower shall only be made on the basis of the written consent of the whistleblower, unless otherwise required by law.

7. Is data transferred to companies in third countries or to an international organisation?

As a matter of principle, data is not transferred to bodies in countries outside the European Union (so-called third countries) within the framework of our whistleblower system. If such a transfer is necessary in individual cases (e.g., because a hint is received from a country outside the EU), the data will only be transferred if there is a legal basis and a suitable guarantee (e.g., adequacy decision, standard contractual clauses, express consent).

8. How long will my data be stored?

We process your personal data only as long as it is necessary for the fulfilment of the processing purposes described above. If the data is no longer necessary for the fulfilment of the processing purposes described above, it shall be deleted. In accordance with § 11 HinSchG, we delete the data no later than three years after the closing of the case.

9. What rights do I have as a data subject?

As a data subject, you have the right to access pursuant to Article 15 GDPR. In the case of a request that is not made in writing, we may ask you to provide supplementary proof of your identity by another means. You also have the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. With respect to the right to access and the right to erasure, the limitations set forth in Sections 34 and 35 BDSG apply. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).

You also have the right to object under Article 21 GDPR and you may object to the processing of personal data on the basis of Article 6 para. 1 lit. e or f GDPR at any time without giving reasons.

10. Where can I access the relevant legal texts?

You can access the legal text of the GDPR at

You can access the legal text of the HinSchG in the Federal Law Gazette at