I. Introduction
General. This policy (hereinafter: "Policy") sets forth data protection measures taken by Hewitt Associates LLC (US) and its affiliates located in the European Economic Area and Switzerland (hereinafter: "Hewitt") with respect to the use of the EthicsPoint reporting tools (hereinafter: "Hewitt's Ethics Line"). Hewitt has retained EthicsPoint Inc. (hereinafter: "EthicsPoint") to provide compliance services that include solutions relating to call centre/web-based incident reporting and web-based case management. EthicsPoint operates its services in the United States of America, under the US Safe Harbor certification which ensures that personal data will be adequately protected, as required under the EU Data Protection Directive 1995/46 and applicable national data protection law. Personal data means all information that can be directly or indirectly linked to an identifiable individual.
Supplementary Nature. Hewitt's Ethics Line supplements current means of communications to report compliance issues or misconduct as set forth in the "Reporting an Issue or Concern" portion of Hewitt's Code of Conduct. Therefore, you should consider first contacting your local HR Contact. You may consider using Hewitt's Ethics Line (i) where the normal means of reporting do not function or are not appropriate; (ii) when a potential risk of retaliation exists; or (iii) when issues would otherwise not be reported. The use of Hewitt's Ethics Line is not compulsory and there are no adverse consequences for either making or not making a report through it in accordance with the requirements set forth in the Policy. The use of Hewitt's Ethics Line will in no case lead to acts of retribution or retaliation against the reporting individuals for making a report.
II. Scope Of Policy
Restricted Scope Of Hewitt's Ethics Line. Issues and concerns reported through Hewitt's Ethics Line are limited to the following matters: (i) accounting, (ii) internal accounting controls; (iii) auditing matters; (iv) fight against bribery; (v) banking; and (vi) financial crime. Personal data collected through Hewitt's Ethics Line will be processed for purposes of compliance reporting, investigating, follow-up and remedying reportable matters. Only facts that can in practice lead to the sanctioning of the implicated person are reportable through Hewitt's Ethics Line.
Exceptional Broader Reporting. A report falling outside these matters will be deleted immediately. If the report indicates a serious risk to Hewitt, its employees or third parties and if permitted by national law, it may be redirected via Hewitt's Global Ethics Manager to the appropriate Hewitt entity. After such redirection, the report will be deleted from EthicsPoint's central repository.
III. Use Of Hewitt's Ethics Line
Use In Good Faith. Hewitt's Ethics Line must not be used to defame or falsely accuse any person. Hewitt will not take any action against reporting individuals who make use of Hewitt's Ethics Line in good faith, even if the allegations made are not substantiated or if the investigation does not confirm such allegations. Reporting individuals should nonetheless act diligently when submitting a report. Malicious or vexatious allegations may be subject to disciplinary action as permitted under national law.
No Anonymous Reporting In Principle. Hewitt does not encourage anonymous reporting. Concerns expressed anonymously will be considered by Hewitt unless explicitly prohibited by national law. Hewitt will first assess the complaint. Only reports containing information that appears to be truthful and non-malicious will be retained for further investigation.
IV. Information Security And Confidentiality
General. Whether a report is made via the toll free number or via the secure web-based reporting site www.hewitt.ethicspoint.com, Hewitt has taken measures to maintain personal data in a secure web-based application and to protect such data from unauthorized access or disclosure, accidental or unlawful destruction or accidental loss or alteration.
Limited Disclosure. In addition to the persons set out in Section VI of the Policy, personal data contained in reports may only be made accessible to: (i) the reporting individuals and the implicated person in case of an access request (taking into account the obligation to keep the identity of the reporting individual confidential); (ii) the relevant Hewitt entity to take disciplinary action or to prepare for court proceedings (e.g. bad faith of the reporting individual); and (iii) the police, the public prosecutor or other public authorities if required under applicable law. In such cases, only the relevant information necessary for the required action will be disclosed.
Confidentiality. Concerns or conclusions resulting from investigations are reportable anonymously to other Hewitt entities or Hewitt's Internal Audit Function (i.e. communication of facts, not of the names of individuals). Hewitt has taken measures to keep the identity of the reporting individual confidential during the investigation as well as after the closing of a report. The identity of the reporting individual will not be disclosed to the implicated person(s) or his/her superior(s) (unless the latter is required in the course of investigation to prevent any retaliation against the reporting individual).
Access Controls. Hewitt's Ethics Line incorporates procedures designed to log access to reports and to control access on a recurrent basis.
V. Data Minimization And Proportionate Data Processing
Information Collection. Hewitt has taken measures to collect personal data in an objective manner. Only factual data relevant to the allegation will be processed. Rumors must not be reported and concerns must have a reasonable ground.
The veracity of the facts will be verified by the individuals conducting the investigation as set out below in Section VI of the Policy and inaccurate information will immediately be purged. Information that is unproven will be indicated as such in the report.
Information Minimization. The following primary information categories may be processed:
- Identity, function and contact details of the reporting individual;
- Identity, function and contact details of the implicated person;
- Identity, function and contact details of persons intervening in the processing of the reports (call center personnel);
- Facts of the incidents that are reported;
- Evidence collected/facts in the context of the verification of the reported facts;
- Summary of the investigation and the verification of facts;
- Outcome of the investigation; and,
- Supporting documentation.
Report Intake. Once a concern is raised through Hewitt's Ethics Line, an intake report will be opened. Completed intake reports will be forwarded to Hewitt's Global Ethics Manager who will then forward the reports as described in the following paragraphs. Reports will in principle be redirected to the relevant local Hewitt entity. Reports may, however, exceptionally be communicated within the group if such communication is required by law, and necessary for the investigation, depending on the nature or the seriousness of the reported misconduct. Reports that require further investigation by Hewitt Associates LLC (US) or other group entities will be handled as described in the following two paragraphs of this Section VI.
Reports Sent To Internal Audit. Reports sent to Internal Audit will be processed according to procedures established by the Audit Committee of Hewitt's Board of Directors. The Audit Committee is responsible for looking into allegations related to financial impropriety (such as the use of improper accounting procedures or fraudulent financial reporting). Each report will be handled promptly. Reports containing substantiated claims may be forwarded to the relevant Hewitt entity where the implicated person is employed to prepare for disciplinary or legal action.
Reports Handled By Global Ethics Manager. Reports submitted to the Global Ethics Manager requiring further investigation will be forwarded to an internal investigation team. The team may consist of members from Human Resources, General Counsel, Security Risk Management, and other functions, as appropriate. Each report will be handled promptly. Reports containing substantiated claims may be forwarded to the relevant Hewitt entity where the implicated person is employed to prepare for disciplinary or legal action.
Conflict Of Interest. Individuals involved in an investigation are subject to confidentiality requirements and are not allowed to handle complaints in the event of a conflict of interest. Individuals handling complaints have obtained specific training to process personal data in line with European and national data protection requirements. Circumstances of each report submitted to Hewitt's Global Ethics Manager will determine the appropriate investigator.
VII. Notice To Implicated Person
Notice. Hewitt has taken measures to inform the implicated person(s) about the fact that he/she is subject to a report as soon as possible upon reception of such report by Hewitt. The notice will contain information on: (i) the fact that his/her personal data were obtained through Hewitt's Ethics Line, (ii) the purposes of such personal data processing, (iii) the identity and address of the Hewitt entity ("data controller"), (iv) the facts the implicated person is accused of, (v) the potential information recipients (and their geographical location), and (vi) the modalities to exercise the right of access, rectification, and objection.
Timing. Such notice may be postponed (for a maximum of 3 months from the date of the filing of the report by the reporting individual) in case providing notice would endanger the investigation and if this is necessary to take preventive measures to protect Hewitt against the destruction of evidence. Status will be recorded in Hewitt's Ethics Line.
VIII. Rights of Reporting Individuals And Implicated Persons (hereinafter: "Individuals")
Point Of Contact. Individuals can exercise their rights of access, rectification, and objection under applicable data protection laws by contacting the local data protection officer or Hewitt's Global Ethics Manager.
Confidentiality. The right of access does not allow the implicated person to identify the reporting individual. The identity of the reporting individual may exceptionally be disclosed to the implicated person to the extent permitted by national law in order to prepare for legal action if: (i) a report is found to be unsubstantiated; (ii) the reporting individual has maliciously made a false report; and (iii) after prior consultation of the local data protection officer or Hewitt's Global Ethics Manager.
Right Of Correction. The right of correction or erasure only concerns personal data that is objectively inaccurate, incomplete, ambiguous or outdated (e.g. an individual that has been reported by mistake may have his/her information erased). The implicated person has, however, a right to comment on information, the veracity of which cannot objectively be verified.
Mode Of Correction. Whereas an access request is generally processed by means of providing the implicated person a copy of documents included in the report, Hewitt may provide a mere transcript of the information included in such documents in order to provide for (i) the confidentiality of the reporting individual or of other individuals, and (ii) the legitimate interests of Hewitt (such as, but not limited to, trade secrets or strategic information).
Restrictions. Hewitt may exceptionally restrict the aforementioned rights of the implicated person in order to preserve the protection of the rights and freedoms of other data subjects involved in the scheme. The local data protection officer or Hewitt's Global Ethics Manager will be consulted for advice on the matter.
IX. Retention Of Reports
Unsubstantiated Reports. Reports that are found to be unsubstantiated will be promptly deleted.
Substantiated Reports. Reports that are found to be substantiated will be deleted or archived within two months after the closure of the investigation, unless such information is required to prepare for disciplinary or legal proceedings and in the course of such proceedings. In such cases, personal data may be stored until the conclusion of these proceedings and the period allowed for any appeal under applicable law.
Archiving. Hewitt may archive reports and investigation files for a longer time period if permitted by local law.
X. Evaluation of Hewitt's Ethics Line
Hewitt's Ethics Line may be evaluated from time to time. Such evaluation shall be conducted without access to personal identifiers and evaluation reports shall not contain personal data. Specific prudence will be observed to avoid the identification of individuals by means of circumstantial information.
XI. Questions Or Concerns
Please contact your local data protection officer or Hewitt's Global Ethics Manager if you have questions or concerns concerning the handling of your personal data through Hewitt's Ethics Line.