Protecting the identity of individuals who report an incident in good faith via the Hain Celestial Ethics and Reporting Portal is very important to us. This statement explains how we handle your personal information in the event that you file an incident.
The Investigator assigned to investigate a good faith report will work to protect the identity of the reporting person and information which makes the reporting person identifiable. The identity of the reporting person, however, may be disclosed if essential in the context of administrative or judicial proceedings or a law enforcement investigation, or (ii) due to the inherent nature of the report, and after a balanced consideration of the potential risks to the person reporting, in relation to the seriousness and significance of the accusations.
To the extent a report involves persons or information located in the United Kingdom or the European Union, if the processing of personal data within the meaning of the General Data Protection Regulation (“GDPR”) is not necessary for the handling of a report, personal data will not be collected or will be deleted immediately if such personal data was collected unintentionally.
Processing of personal data will occur if (i) the processing is in the public interest to prevent or punish breaches of the law or the Code of Conduct and to provide indications for this purpose and to verify their validity and (ii) is limited to data that is required to investigate the report establish and punish a breach of the law or the code of conduct.
The processing of special categories of personal data, such as race, ethnicity, political opinion, religious or philosophical belief, trade union membership, genetic or biometric data, or sexual orientation is permissible (i) if the processing is necessary to achieve the purposes specified according to this Policy, and (ii) if effective measures are taken to protect the rights and freedoms of the data subjects.
Personal data collected during an investigation shall be kept for maximum 3 years or in compliance with regional records retention policies, from the last processing or transfer, and beyond for as long as this is necessary due to applicable law to keep these longer or for administrative or judicial proceedings or for the protection of the reporting person, the person concerned or any other person that is affected by follow-up measures or that is involved in follow-up measures.
As long as and to the extent necessary to protect the identity of a reporting person or to achieve the purpose of this Policy, certain rights provided for in the GDPR may not apply in accordance with Section 8 (7).