BIO OIL GROUP is committed to integrity, transparency and lawful conduct across all business areas. To ensure that violations, misconduct and concerns can be reported confidentially, BIO OIL GROUP operates a whistleblower channel in line with the EU Whistleblower Directive (2019/1937), the German Whistleblower Protection Act (HinSchG) and the Austrian Whistleblower Protection Act (HSchG). Where individual group companies do not reach the employee threshold of these laws (in Germany, 50 employees under § 12 (2) HinSchG), the channel is operated on a voluntary basis to ensure that every reporter — regardless of company size — has access to a protected reporting path.
Who can report and what can be reported
The channel is open to all current and former employees, applicants, suppliers, customers, business partners and other third parties who have obtained relevant information in the context of their professional activities. Reports may concern in particular:
Discrimination, harassment or workplace bullying
Corruption, bribery, conflicts of interest or money laundering
Violations of occupational safety, health or environmental protection rules
Breaches of data protection, IT security or confidentiality
Accounting fraud, embezzlement or other financial irregularities
Violations of supply chain, human rights or sustainability obligations (LkSG, CSDDD)
Other material breaches of laws, regulations or our Code of Conduct
Protection of the whistleblower
BIO OIL GROUP guarantees comprehensive protection to all whistleblowers acting in good faith. Specifically, this means:
Strict confidentiality of every incoming report
Prohibition of any retaliation (dismissal, transfer, toleration of bullying, career obstruction, disciplinary action or comparable disadvantages)
Independent handling by a dedicated compliance function (see 'Responsibility' below)
Reversal of the burden of proof in suspected retaliation cases: the company must prove that any disadvantage is unrelated to the report
Abusive reports are reviewed but will not be used against the whistleblower unless the whistleblower acts unlawfully
Confidentiality and anonymity of this channel
This channel is designed so that you can submit a report confidentially and — if you choose — remain anonymous. We are transparent about the measures we take and about the technical limits of a web-to-email solution.
What our application does not collect or store:
No IP address or connection data of the reporter in our application
No cookies, tracking or browser fingerprinting on this page
No database record of the report on our web servers; the form does not write any content to a database
No automated content analysis by third parties (e.g. AI-based spam or sentiment filters)
Processing that is technically and legally necessary, disclosed transparently:
Our hosting provider (Vercel) briefly processes connection data in server logs to deliver the page. These logs are not available to the compliance function and are deleted after a short retention period
Your report is transmitted via TLS-secured transport to the compliance function's mailbox. E-mail is not an end-to-end encrypted channel; metadata such as server timestamps and mail routing are technically unavoidable. The report e-mail itself contains no data about the reporter unless you provide it
After receipt, the compliance function documents the case in an access-restricted case register in accordance with § 11 HinSchG / § 14 HSchG (see 'Procedure')
Recommendations for particularly sensitive reports:
Access this page via Tor Browser or a trusted VPN service
Omit a contact e-mail — or use an anonymous disposable address (e.g. ProtonMail, Tutanota)
Avoid identifying terms in the report text where they are not necessary for understanding
You may voluntarily provide a contact e-mail if you wish to receive follow-up questions or feedback. Otherwise your report remains anonymous; in that case an acknowledgement of receipt is technically not possible.
Responsibility and handling
Reports are received exclusively by the compliance function of BIO OIL GROUP. This function is organisationally independent of operational areas, reports directly to executive management and is subject to its own confidentiality obligation. The circle of authorised persons is defined by name and limited to the minimum required by law. Where necessary, an external law firm is engaged for support, in particular when reports concern members of executive management themselves.
Procedure after receipt of a report
The procedure follows the statutory requirements of § 17 HinSchG and § 19 HSchG:
If you provided a means of contact: acknowledgement of receipt within seven days
Review of the report for substance and plausibility by the compliance function
Where necessary, confidential follow-up questions via the channel you provided
Initiation of appropriate follow-up measures (internal investigation, remediation, referral to external bodies)
Feedback on the outcome within three months, provided a means of contact was given
Documentation of the case in an access-restricted case register, retained for three years after closure of the procedure (§ 11 HinSchG), unless a longer statutory retention period applies
Data protection under GDPR
When you submit a report via this form, we process personal data only to the extent required by law. This data protection notice supplements our general privacy policy.
Controller: BIO OIL GROUP, represented by executive management. Full contact details and address can be found in the imprint.
Data processed: The report content (category, description) and — if voluntarily provided — the contact e-mail address you specify.
Legal basis: Art. 6 (1) (c) GDPR (legal obligations under HinSchG, HSchG, LkSG); Art. 6 (1) (f) GDPR (legitimate interest in integrity and compliance); Art. 6 (1) (a) GDPR (consent) for the voluntary provision of a contact e-mail address.
Recipients: Exclusively the named members of the compliance function and, where necessary, an external law firm under a confidentiality obligation. Transmission to third parties (e.g. law enforcement) only takes place if legally required or necessary to assert legal claims.
Retention: The case file is retained for three years after closure of the procedure pursuant to § 11 HinSchG / § 14 HSchG, at most until the expiry of statutory retention periods.
Your rights: You have the right to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). The exercise of these rights may be statutorily restricted where it would impair the protection of whistleblowers or the investigation (§ 8 HinSchG).
Right to complain: You have the right at any time to lodge a complaint with a data protection supervisory authority, for example the Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Germany or the Data Protection Authority in Austria.
International transfer: No transfer to third countries outside the EU/EEA takes place.
External reporting bodies
You are always entitled to report violations directly to external reporting bodies, such as the Federal Office of Justice (Germany), the Federal Bureau of Anti-Corruption (Austria), or the competent authorities of any EU Member State. Internal reporting beforehand is not required; we nevertheless recommend it to enable rapid remediation.
Submit a report
Please describe the matter as concretely as possible. Include dates, persons involved (if known), locations and any supporting evidence available to you. The more precise your report, the better we can respond.
For questions about this channel or the procedure, please contact our compliance function at: compliance@bio-oil.biz