CONTROLLER
Intergraph Corporation, 305 Intergraph Way, Madison, AL 35758. United States of America, and Intergraph PP&M Deutschland GmbH, Parkring 3, 85748 Garching by Munich, Germany, both trading under “Octave” are the joint data controllers for the processing of personal data in connection with receiving and assessing reports and conducting internal investigations. Intergraph PP&M Deutschland GmbH is designated as the primary point of contact for data subjects and is responsible for providing this privacy notice, responding to data-subject requests, and serving as the main contact for supervisory authorities.
Depending on the content of a report, including the geography, business area, and the functions involved in assessing or investigating the report or implementing follow-up measures, other affiliated Octave companies may act as joint controllers for the parts of the processing in which they participate and determine the purposes and means of those specific investigation or follow-up activities. Such joint controllership is case-specific and limited to the relevant involvement of the respective Octave company.
CATEGORIES OF INDIVIDUALS
We may process personal data relating to the following categories of individuals:
Reporters, only where they choose not to remain anonymous or accidentally include identifying information in the report.
Accused individuals, i.e., people named in a report as potentially involved in the alleged misconduct.
Witnesses or other individuals consulted during the investigation.
Individuals mentioned in the report or in evidence collected during the investigation.
Internal personnel involved in handling the report and conducting investigations.
CATEGORIES OF PERSONAL DATA
We may collect and process personal data that is either actively provided to us, already in our possession, or automatically generated, falling within the following categories:
Report Content: Information included in the report, which is submitted in free-text form and may include identification details, contact information, employment information, descriptions of events or behavior, and any other information the reporter chooses to provide.
Employment Data: Employment information relevant to assessing the report or conducting the investigation (e.g., job role, reporting line, work relationships).
Investigation Data: Information gathered during internal investigations, including interview notes, witness statements, internal communications, documents, system records, and findings generated by investigators.
Automated Data: Information generated during report submission, including submission date, time, and unique user identifiers.
PURPOSE AND LEGAL BASIS FOR PROCESSING
Personal data may be used for:
Handling the report, conducting the investigation, and implementing follow-up measures. Ensuring compliance with legal, regulatory, and policy requirements.
Protecting Octave’s assets, employees, and stakeholders.
The legal bases for processing are:
Consent.
Compliance with a legal obligation.
Our legitimate interests.
DATA SHARING AND TRANSFERS
Personal data received through reports or collected during an internal investigation is disclosed strictly on a need-to-know and confidential basis and only where necessary and proportionate for handling the report, conducting the investigation, or implementing follow-up measures. This may include sharing personal data between affiliated Octave companies where their employees need to be involved in assessing the report, carrying out the investigation, or supporting follow-up actions.
Internal recipients may include:
Compliance team and designated investigators, to assess the report and conduct the investigation.
Participants in the investigation, such as witnesses or accused individuals, where sharing certain personal data is necessary to conduct a meaningful interview (for example, where an accused individual must know the identity of the person they are alleged to have harassed in order to understand and respond to the allegation).
Internal Audit, only where relevant to their mandate.
Audit Committee or Board committees, only where necessary for oversight.
Senior management, only where required to decide on corrective measures, organizational actions, or risk-mitigation steps.
External recipients may include:
External legal counsel, forensic specialists, interpreters, external investigators, or regulatory authorities, where required by law or necessary to support the investigation.
Platform service providers acting as data processors on our behalf, limited to the services we have contracted them to perform.
We will not transfer your data to foreign jurisdictions unless such transfer is compliant with the applicable laws.
SECURITY
To protect your personal data against accidental or unlawful destruction, loss, use, or alteration and against unauthorized disclosure or access, we use adequate physical, technical and organizational security measures. Our Speak-Up Line, the platform we use for receiving and managing reports, is operated by an independent third-party service provider based in the EU. The platform is hosted entirely within the EU in ISO/IEC 27001-certified data centers and applies state-of-the-art security measures, including encryption of data in transit and at rest, strict role-based access controls, multi-factor authentication for authorized users, and comprehensive audit-trail logging. The service provider undergoes regular external security audits and penetration testing and is contractually required to support our incident response processes and to notify us without undue delay of any security incident. These safeguards are designed to maintain the confidentiality, integrity, and availability of all information submitted through Speak-Up Line.
RETENTION PERIOD
Personal data collected for the purposes of reporting and internal investigations will be retained for a period of 2 years from the date the report was resolved, unless a different retention period is warranted for legal compliance or to protect the legitimate interests of Octave and relevant stakeholders.
YOUR RIGHTS
Under applicable data protection law, you may have the following rights, which you may exercise by contacting us via our contact us page. These rights may be subject to certain legal limitations, particularly where necessary to protect the integrity of an investigation, the confidentiality of reports, or the rights of other individuals.
Right of access You can request information about the personal data we process about you and obtain a copy of that data.
Right to rectification You can request correction of inaccurate or incomplete personal data.
Right to erasure You can request deletion of your personal data where the legal requirements are met (e.g., where the data is no longer needed, or processing was unlawful). This right may be limited during ongoing investigations.
Right to restriction of processing You can request that we restrict the processing of your personal data in specific situations (e.g., while we verify accuracy or assess an objection).
Right to object Where we process your personal data based on our legitimate interests, you can object to such processing. We will assess your objection and stop processing unless we demonstrate compelling legitimate grounds or the processing is required for legal claims.
Right to withdraw consent Where processing is based on your consent, you can withdraw your consent at any time without providing a reason. Withdrawal does not affect processing carried out before the withdrawal, and we may continue processing where another legal basis applies.
Right to lodge a complaint In addition, you can lodge a complaint with the competent data protection authority where applicable laws provide such a remedy, including in the countries of the European Economic Area. The contact details of supervisory authorities within the EEA are available here.
FOR CALIFORNIA RESIDENTS ONLY
The purpose of this section is to provide information to California residents pursuant to the California Consumer Protection Act (CCPA). Personal data includes also any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a household. We do not and will not sell your personal data to third parties.