APi Group Information Notice - Ethics Helpline – Austria

Privacy Notice

APi Group Corporation, inclusive of its subsidiaries, maintains a global Ethics Helpline (the "Helpline") that can be used to report certain types of potential misconduct. The Helpline is a web-based reporting system operated by a third-party company, NAVEX ("NAVEX").

Use of the Helpline is voluntary. If you choose to use the Helpline to report one of the types of issues set out below, we may need to process any information you submit through the Helpline that relates to an identified or identifiable individual (“Personal Data”) in order to investigate your report and meet our regulatory requirements.

Legal information

Chubb Österreich GmbH - CAMPUS 21, Businesspark Wien Sued - Liebermannstrasse F02/102 - 2345 Brunn am Gebirge - Austria and JBS Brandschutz Sicherheitstechnisches Zentrum GmbH - CAMPUS 21, Businesspark Wien Sued - Liebermannstrasse F02/102 - 2345 Brunn am Gebirge, Austria (together the “APi Austrian Companies”) have prepared this Information Notice ("Notice") to inform you about the Helpline and related data processing. The APi Austrian Companies are the data controllers of the data collected through the Helpline from their respective employees, suppliers, customers, contractors or any other third parties who have had dealings with the relevant APi Austrian Company (“Constituents”), who wish to make a report in Austria using the Helpline.

APi Group Corporation and APi Group, Inc. (jointly, “APi Group”), of 1100 Old Highway 8 NW, New Brighton, Minnesota, 55112, USA, the indirect parent companies of the APi Austrian Companies, are also data controllers of the data transferred to them through the Helpline for the purposes of its review and investigation of reports made via the Helpline.

All reported issues, whether submitted by phone or through the NAVEX web-intake form, will be automatically transferred to a locally appointed Complaint Manager designated by your organization. Each report will be routed for this purpose to a local generic email address for your organization. Ethics and compliance matters can be reported by the local Complaint Manager up the chain within the APi Legal Department, i.e. to the regional Legal & Compliance supervisor, the APi Chief Compliance Officer and the APi General Counsel.

When we say "APi Austrian Companies" in this document, we mean the company Chubb Österreich GmbH or JBS Brandschutz Sicherheitstechnisches Zentrum GmbH with which you have or have had dealings as a Constituent. When we say "we" or "us" in this document, this refers to APi Group and the APi Austrian Companies collectively in their various capacities as data controllers. For those with whom one of the APi Austrian Companies has a contract (such as an employment contract), this Notice does not form part of your contract, and we may update this Notice from time to time.

The Helpline does not replace other local company reporting channels.

What type of questions, concerns and matters may be reported via the Helpline?

The Helpline may only be used to report complaints or concerns incurring relevant risks for the APi Group relating to any ethics or compliance matter (“In-Scope Matters”). You should not assume that management is aware of such matters, and you are encouraged to use the Helpline to report any concerns you may have in this regard.

If you try to use the online reporting tool to report any other type of matter, we will recommend that you use one of our other reporting channels, such as by contacting your line manager or human resources.

What Personal Data will be processed as a result of a report to the Helpline?

The following categories of Personal Data may be processed by us in connection with a report:

  • identification data, such as your name, business email address, business address, business landline;
  • information about your job, such as your job title, level, function, management reporting structure, business unit;
  • alleged facts reported; and
  • information to perform the investigation.

In the event your report leads to a further investigation, the APi Austrian Companies and APi Group may also process the following categories and types of Personal Data when investigating a report that has been made to the Helpline or reviewing the investigation findings:

  • additional information about your job, such as the nature of your duties and responsibilities and your job history (including position history, title history, effective dates and past pay groups);
  • further facts reported; and
  • information collected in connection with the investigation of the reported facts.

Depending on the report that has been made and only if actually required, other categories of Personal Data about employees of the APi Austrian Companies may also be processed, such as:

  • information about your salary and benefits, which may include, as applicable, your basic salary, bonus and equity compensation entitlements, raise amounts and percentages, allowances, and insurance benefits, health plans, pension plans, tax code, your bank account details and payment dates, accrued salary information, employee pay group, information relating to your pension (This information may be relevant if the submitted report deals with remuneration issues, such as equal pay);
  • time and systems / buildings access monitoring information, which may include, as applicable, swipe card access, IDs for IT systems and IT access rights, time recording software, internet, email and telephone usage data; and
  • your performance and disciplinary information, which may include, as applicable, performance reviews, evaluations and ratings, information about disciplinary allegations, the disciplinary process and any disciplinary warnings, details of grievances and any outcome.

Similar Personal Data can be processed about individuals who are identified in a Helpline report or who are the subject of the report.

Why do we need to use this information about you?

We process Personal Data to fulfill the requirements of the European Whistleblowing Directive and its national incorporations as well as to serve our legitimate interests to manage compliance with business policies; to prevent and detect fraud and other unlawful activity; to conduct internal investigations; and to protect the interests of our organization, personnel and further stakeholders. We cannot operate the Helpline without processing Personal Data.

We are committed to maintaining high standards of integrity and take concerns about suspected unethical behavior or illegal conduct very seriously. We want to maintain the highest business, legal and ethical standards. We also expect our employees to act and perform their duties ethically, honestly and with integrity, which includes reporting any legal or ethical concerns they may have.

If you choose to use the Helpline to report an issue, we will have to process Personal Data to review your report and to investigate the issue you have raised.

Is anonymous reporting possible via the Helpline?

Yes. Although you may make reports via the Helpline anonymously, we encourage you not to report anonymously, because anonymous reporting significantly impairs our ability to verify the report and to conduct a meaningful review and investigation of the reported matter. However, if you insist on remaining anonymous, the anonymous report will be accepted unless the report concerns a matter relating to an APi Group company or employee located in a country where local laws prohibit reporting on an anonymous basis.

You can come forward with any questions or concerns without fear of retaliation. We will not tolerate retaliation against anyone for seeking advice, making a good-faith report of suspected misconduct, or for participating in the investigation of suspected misconduct.

We (and NAVEX) will treat the identity of the reporter as confidential and will not disclose it to the persons named in any report unless it is necessary to do so (e.g., for the effective conduct of the investigation). Even if the reported facts ultimately are not substantiated, we (and NAVEX) will still treat the identity of the reporter as strictly confidential to the greatest extent permissible by law, provided that the report was made in good faith. However, if any of the facts in a report concerning one of the In-Scope Matters are found to be unsubstantiated and/or the reporter is found to have knowingly and maliciously made a false accusation, the reporter’s identity may have to be disclosed to the accused individual, if such disclosure is required by applicable law.

If you make a report anonymously, the data you submit through the Helpline will constitute your Personal Data only to the extent the detail you provide other than your name would reveal your identity. As such, if you wish to proceed anonymously, you are urged to carefully consider the data you submit and not provide details that would tend to reveal your identity.

What is the legal basis for all of this?

We are required to tell you the legal basis for our collecting, processing and use of your Personal Data under Austrian data protection law and under EU data protection law. Our legal basis is the European Whistleblowing Directive and its national incorporations as well as the legitimate interests of the APi Austrian Companies, APi Group, APi Group affiliates and/or other third parties (such as existing or potential business partners, suppliers, customers, end-customers or governmental bodies or courts) which includes all such parties’ legitimate interest in operating the Helpline; managing compliance with business policies; preventing and detecting fraud and other unlawful activity; conducting internal investigations; and protecting the interests of our organizations, personnel and further stakeholders.

In relying on the legitimate interests basis for processing the Personal Data, we have carried out a balancing exercise between the reason for the processing of your Personal Data on the one hand, with your rights and freedoms on the other, to ensure it is appropriate for us to proceed.

Who might we share your personal information with?

To operate the Helpline and investigate any reports made via the Helpline, APi Austrian Companies will transfer Personal Data to third parties, including to entities within and outside APi Group, as follows:

  • Data processor(s). Your Personal Data will be shared with the third-party reporting platform provider NAVEX. NAVEX provides the Helpline reporting platform, and the Personal Data you provide via the Helpline will be stored in a database located on servers hosted and operated by NAVEX within the European Economic Area (“EEA”). NAVEX is subject to contractual obligations requiring it to implement appropriate security measures to safeguard your personal information and to process the personal information only as instructed.
  • Other third parties. Your Personal Data may be transferred - as reasonably necessary - to regulators, courts, and other authorities (e.g., law enforcement) and independent external advisors (e.g., lawyers, auditors).

APi Group, as well as other recipients falling within the “other third parties” category above, may be located outside of Europe and/or the EEA.

APi Group will be receiving your report and assessing the appropriate actions and response, which involves a transfer of Personal Data outside the EEA. NAVEX may also provide occasional back-end support and maintenance functions from the US which may involve a limited transfer of Personal Data outside the EEA. We have put in place an agreement -- known as the EU Standard Data Protection Clauses -- to ensure that Personal Data is protected when Personal Data is processed by APi Group or NAVEX outside the EEA. Where any follow up steps require transfer of Personal Data to other recipients outside of the EEA, we will take steps to ensure that such transfers are adequately protected as required by applicable data protection law. You can ask for a copy of the EU Standard Clauses by contacting us as set out below ("Who can I contact?").

How long will my personal information be retained?

The Personal Data processed as part of operating the Helpline will not be kept in a form that allows you to be identified for any longer than we think is reasonably necessary to achieve the purposes for which it was collected or processed, or as established by applicable laws relating to record retention.

In short, this means that we will retain your personal data for a period of 7 years from the conclusion of the investigation into your report, though certain data may be kept longer than that where it is required to meet our compliance and legal obligations, or as long as there is a statutory retention obligation or for litigation purposes.

Notwithstanding the above, if the report concerns an Austrian employee, the report will only be retained for three months unless legal proceedings are initiated.

What rights do I have in respect of my Personal Data?

You have a number of rights in relation to your Personal Data under applicable law:

  1. Right of access

     You have the right to confirm with us whether your Personal Data is processed, and if it is, to request access to that Personal Data including the categories of Personal Data processed, the purpose of the processing, and the recipients or categories of recipients. However, the APi Austrian Companies do have to take into account the interests of others; as such, this is not an absolute right.

     If you request more than one copy of any given data, the APi Austrian Companies may charge a fee.

  2. Right to rectification

     You may have the right to rectify inaccurate or incomplete Personal Data concerning you; such requests will be considered and determined in accordance with the applicable laws.

  3. Right to erasure (right to be forgotten)

     You may have the right to ask us to erase Personal Data concerning you; such requests will be considered and determined in accordance with the applicable laws.

  4. Right to restriction of processing

     In limited circumstances, you may have the right to request that the APi Austrian Companies restrict processing of your Personal Data; such requests will be considered and determined in accordance with the applicable laws. Where we process Personal Data to comply with laws and regulations, our legitimate interest in processing that data may override a request that you make.

  5. Right to data portability

     You may have the right to receive Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you may have the right to transmit that data to another entity.

  6. Right to object

     Under certain circumstances you may have the right to object, on grounds relating to your particular situation, to the processing of your Personal Data by the APi Austrian Companies, and we can be required to no longer process your Personal Data.

The operation of the Helpline and any subsequent action taken does not involve any automated decision-making.

To exercise any of these rights, please contact us as stated below under “Who can I contact?”. You also have the right to lodge a complaint with the competent Austrian data protection supervisory authority.

Who can I contact?

If you are an APi Group employee and have questions about this Notice or would like to exercise your rights as a data subject, contact privacy@apigroupinc.us.