Compliance & Whistleblower Channel

Introduction

BIO OIL GROUP is committed to integrity, transparency and lawful conduct across all business areas. To ensure that violations, misconduct and concerns can be reported confidentially, BIO OIL GROUP operates a whistleblower channel in line with the EU Whistleblower Directive (2019/1937), the German Whistleblower Protection Act (HinSchG) and the Austrian Whistleblower Protection Act (HSchG). Where individual group companies do not reach the employee threshold of these laws (in Germany, 50 employees under § 12 (2) HinSchG), the channel is operated on a voluntary basis to ensure that every reporter — regardless of company size — has access to a protected reporting path.

Who can report and what can be reported

The channel is open to all current and former employees, applicants, suppliers, customers, business partners and other third parties who have obtained relevant information in the context of their professional activities. Reports may concern in particular:

  • Discrimination, harassment or workplace bullying
  • Corruption, bribery, conflicts of interest or money laundering
  • Violations of occupational safety, health or environmental protection rules
  • Breaches of data protection, IT security or confidentiality
  • Accounting fraud, embezzlement or other financial irregularities
  • Violations of supply chain, human rights or sustainability obligations (LkSG, CSDDD)
  • Other material breaches of laws, regulations or our Code of Conduct

Protection of the whistleblower

BIO OIL GROUP guarantees comprehensive protection to all whistleblowers acting in good faith. Specifically, this means:

  • Strict confidentiality of every incoming report
  • Prohibition of any retaliation (dismissal, transfer, toleration of bullying, career obstruction, disciplinary action or comparable disadvantages)
  • Independent handling by a dedicated compliance function (see 'Responsibility' below)
  • Reversal of the burden of proof in suspected retaliation cases: the company must prove that any disadvantage is unrelated to the report
  • Abusive reports are reviewed but will not be used against the whistleblower unless the whistleblower acts unlawfully

Confidentiality and anonymity of this channel

This channel is designed so that you can submit a report confidentially and — if you choose — remain anonymous. We are transparent about the measures we take and about the technical limits of a web-to-email solution.

What our application does not collect or store:

  • No IP address or connection data of the reporter in our application
  • No cookies, tracking or browser fingerprinting on this page
  • No database record of the report on our web servers; the form does not write any content to a database
  • No automated content analysis by third parties (e.g. AI-based spam or sentiment filters)

Processing that is technically and legally necessary, disclosed transparently:

  • Our hosting provider (Vercel) briefly processes connection data in server logs to deliver the page. These logs are not available to the compliance function and are deleted after a short retention period
  • Your report is transmitted via TLS-secured transport to the compliance function's mailbox. E-mail is not an end-to-end encrypted channel; metadata such as server timestamps and mail routing are technically unavoidable. The report e-mail itself contains no data about the reporter unless you provide it
  • After receipt, the compliance function documents the case in an access-restricted case register in accordance with § 11 HinSchG / § 14 HSchG (see 'Procedure')

Recommendations for particularly sensitive reports:

  • Access this page via Tor Browser or a trusted VPN service
  • Omit a contact e-mail — or use an anonymous disposable address (e.g. ProtonMail, Tutanota)
  • Avoid identifying terms in the report text where they are not necessary for understanding

You may voluntarily provide a contact e-mail if you wish to receive follow-up questions or feedback. Otherwise your report remains anonymous; in that case an acknowledgement of receipt is technically not possible.

Responsibility and handling

Reports are received exclusively by the compliance function of BIO OIL GROUP. This function is organisationally independent of operational areas, reports directly to executive management and is subject to its own confidentiality obligation. The circle of authorised persons is defined by name and limited to the minimum required by law. Where necessary, an external law firm is engaged for support, in particular when reports concern members of executive management themselves.

Procedure after receipt of a report

The procedure follows the statutory requirements of § 17 HinSchG and § 19 HSchG:

  • If you provided a means of contact: acknowledgement of receipt within seven days
  • Review of the report for substance and plausibility by the compliance function
  • Where necessary, confidential follow-up questions via the channel you provided
  • Initiation of appropriate follow-up measures (internal investigation, remediation, referral to external bodies)
  • Feedback on the outcome within three months, provided a means of contact was given
  • Documentation of the case in an access-restricted case register, retained for three years after closure of the procedure (§ 11 HinSchG), unless a longer statutory retention period applies

Data protection under GDPR

When you submit a report via this form, we process personal data only to the extent required by law. This data protection notice supplements our general privacy policy.

  • Controller: BIO OIL GROUP, represented by executive management. Full contact details and address can be found in the imprint.
  • Data processed: The report content (category, description) and — if voluntarily provided — the contact e-mail address you specify.
  • Legal basis: Art. 6 (1) (c) GDPR (legal obligations under HinSchG, HSchG, LkSG); Art. 6 (1) (f) GDPR (legitimate interest in integrity and compliance); Art. 6 (1) (a) GDPR (consent) for the voluntary provision of a contact e-mail address.
  • Recipients: Exclusively the named members of the compliance function and, where necessary, an external law firm under a confidentiality obligation. Transmission to third parties (e.g. law enforcement) only takes place if legally required or necessary to assert legal claims.
  • Retention: The case file is retained for three years after closure of the procedure pursuant to § 11 HinSchG / § 14 HSchG, at most until the expiry of statutory retention periods.
  • Your rights: You have the right to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). The exercise of these rights may be statutorily restricted where it would impair the protection of whistleblowers or the investigation (§ 8 HinSchG).
  • Right to complain: You have the right at any time to lodge a complaint with a data protection supervisory authority, for example the Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Germany or the Data Protection Authority in Austria.
  • International transfer: No transfer to third countries outside the EU/EEA takes place.

External reporting bodies

You are always entitled to report violations directly to external reporting bodies, such as the Federal Office of Justice (Germany), the Federal Bureau of Anti-Corruption (Austria), or the competent authorities of any EU Member State. Internal reporting beforehand is not required; we nevertheless recommend it to enable rapid remediation.

Submit a report

Please describe the matter as concretely as possible. Include dates, persons involved (if known), locations and any supporting evidence available to you. The more precise your report, the better we can respond.

Report description: minimum 50, maximum 5000 characters.

Contact e-mail (optional): only fill in if you would like a response. Anonymous disposable addresses (ProtonMail, Tutanota, etc.) are explicitly allowed.

This application does not store any IP address or cookies, and does not write the report to a database. Your report is transmitted via TLS-secured transport to the compliance function and documented there on an access-restricted basis in accordance with § 11 HinSchG / § 14 HSchG.

For questions about this channel or the procedure, please contact our compliance function at: compliance@bio-oil.biz