Cennox Anonymous Reporting Portal — Privacy Notice
Data Controller: Cennox Group Limited
Contact: Compliance Department, compliance@cennox.com
Data Protection Enquiries: legal@cennox.com
Last Updated: 7 February 2026
1. About This Notice
This privacy notice explains how Cennox Group Limited ("Cennox," "we," "us," or "our") handles information in connection with the Cennox Anonymous Reporting Portal (the "Portal"). It is provided in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), and applicable U.S. privacy laws.
This notice applies to all individuals who use the Portal, including employees, contractors, vendors, and third parties, regardless of their location.
2. Our Commitment to Anonymity
The Portal is designed so that no personally identifiable information about the reporter is collected, stored, or transmitted. Specifically:
- We do not ask for or collect your name, email address, phone number, or any other contact information.
- We do not log, store, or forward your IP address.
- We do not set cookies, use browser local storage, or employ any client-side tracking technologies.
- We do not collect your browser type, operating system, device identifiers, screen resolution, or any other technical fingerprint.
- We do not embed any third-party analytics, advertising scripts, or tracking pixels on the Portal.
- We do not use Google reCAPTCHA or any other service that transmits your data to third parties.
Your report is anonymous. We cannot identify you from the information the Portal collects, and we have designed the system to ensure that we are unable to do so.
3. What Information Is Processed
Although the Portal does not collect personal data about reporters, the following information is processed when a report is submitted:
| Data Element | Source | Purpose |
|---|---|---|
| Report category (selected by reporter) | Reporter input | Triage and classification of the report |
| Description of the concern (free text) | Reporter input | Investigation and follow-up |
| Approximate date / time frame | Reporter input | Context for investigation |
| Location / business unit | Reporter input | Context for investigation |
| Randomly generated reference number | System-generated | Enables reporter to check for follow-up messages; not linked to any PII |
| Submission timestamp (UTC) | System-generated | Record-keeping and EU Directive acknowledgment compliance |
| Follow-up messages (if any) | Reporter and/or Legal Department input | Two-way anonymous communication regarding the report |
Important: The free-text description field and follow-up messages may contain personal data about third parties (e.g., the name of a person whose conduct is being reported). We process this data as described in Section 5 below.
4. What Information Is Not Processed
To be explicit, the Portal does not process any of the following about the reporter:
- Name or identity
- Email address
- IP address
- Device or browser information (User-Agent, screen resolution, plugins, etc.)
- Location data (GPS, Wi-Fi, or network-derived)
- Cookies, session identifiers, or persistent identifiers of any kind
- Any information that could be used to identify or re-identify the reporter
5. Legal Basis for Processing
5.1 EU GDPR / UK GDPR
Because the Portal does not collect personal data about the reporter, GDPR processing obligations do not arise in relation to the reporter's own data.
However, reports may contain personal data about third parties (e.g., individuals whose conduct is described in the report). The legal bases for processing this data are:
- Article 6(1)(c) — Legal obligation: Processing is necessary for compliance with legal obligations to which Cennox is subject, including obligations under the EU Whistleblower Protection Directive (2019/1937), national transpositions thereof, the UK Public Interest Disclosure Act 1998, and U.S. laws including the Sarbanes-Oxley Act and the Dodd-Frank Act.
- Article 6(1)(f) — Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by Cennox, namely the detection and prevention of misconduct, fraud, corruption, and violations of law or company policy, and the maintenance of a safe and lawful workplace.
Where reports contain special category data (e.g., information revealing racial or ethnic origin, health data, trade union membership, or data concerning sex life or sexual orientation), we rely on:
- Article 9(2)(g) — Substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of applicable EU or Member State law or UK law (including Schedule 1, Part 2, Paragraph 6 of the UK Data Protection Act 2018).
5.2 United States
In the United States, Cennox processes report data in accordance with applicable federal and state laws, including the Sarbanes-Oxley Act (Section 301), the Dodd-Frank Wall Street Reform and Consumer Protection Act, and applicable state whistleblower protection statutes. No personal data of the reporter is collected through the Portal.
6. How We Use Report Data
Report data is used exclusively for the following purposes:
- Receiving, reviewing, and triaging reports of potential misconduct, legal violations, or policy breaches.
- Investigating the matters raised in reports.
- Taking appropriate remedial, disciplinary, or corrective action where warranted.
- Complying with legal obligations, including the obligation under the EU Whistleblower Protection Directive to acknowledge receipt of a report within seven days and to provide feedback to the reporter within three months.
- Defending or establishing legal claims, if necessary.
Report data is not used for marketing, profiling, automated decision-making, or any purpose unrelated to the investigation and resolution of the reported concern.
7. Who Has Access to Report Data
Access to submitted reports and follow-up messages is strictly limited to:
- The Chief Legal Officer and authorised members of the Cennox Legal and Compliance Departments who are responsible for receiving, reviewing, and investigating reports.
- External legal counsel, where engaged to advise on or assist with an investigation, subject to professional obligations of confidentiality.
- Law enforcement or regulatory authorities, only where disclosure is required by law or court order.
Report data is not shared with the reporter's manager, HR (unless the CLO determines it is necessary for a specific investigation), or any other Cennox employee or department outside of the Legal or Compliance Departments without a documented, justified need.
8. Data Transfers
Cennox operates in the United States, the United Kingdom, and multiple EU Member States (including Belgium, France, the Netherlands, and Sweden). Report data may be transferred between these jurisdictions as necessary for the purposes described in this notice.
- EU to UK: Transfers are made pursuant to the UK adequacy decision adopted by the European Commission.
- EU/UK to USA: Transfers are made on the basis of appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission, or other applicable transfer mechanisms under Chapter V of the EU GDPR or UK GDPR.
9. Data Retention
- Report content delivered via email: Retained in the restricted mailbox in accordance with Cennox's document retention policy and applicable legal hold obligations. Reports that do not lead to an investigation are retained for a maximum of 12 months from receipt, unless a longer period is required by law.
- Follow-up messages in the Portal message store: Automatically deleted after a configurable retention period (default: 12 months from the date of the last message), or upon manual deletion by an authorised reviewer, unless a legal hold or investigation requires longer retention.
- Reference numbers: Retained for the same period as the associated report. Reference numbers are not linked to any personal data of the reporter.
We do not retain any data that could identify the reporter, because no such data is collected.
10. Data Security
We implement appropriate technical and organisational measures to protect report data, including:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Access controls restricting report data to authorised Legal Department personnel only.
- Enforced HTTPS with HSTS headers on all Portal connections.
- Content Security Policy headers preventing execution of unauthorised scripts.
- No third-party scripts, analytics, or trackers on the Portal.
- Authenticated access to the Legal reviewer admin interface with multi-factor authentication, session timeouts, and account lockout controls.
- Periodic technical audits to verify that no personally identifiable information about reporters is captured.
11. Your Rights
11.1 Reporters
Because the Portal does not collect or process any personal data about the reporter, the data subject rights under the EU GDPR and UK GDPR (including the rights of access, rectification, erasure, restriction, portability, and objection) do not apply to the reporter in connection with their use of the Portal — there is no personal data to access, correct, or delete.
If you choose to submit a confidential (non-anonymous) report by emailing the Legal Department directly at confidentialreporting@cennox.com, your personal data (such as your name and email address) will be processed. In that case, you may exercise your data subject rights by contacting compliance@cennox.com.
11.2 Individuals Named in Reports
If you are a person whose conduct is described in a report, you have data subject rights under the EU GDPR and UK GDPR, including the right to access, rectification, and erasure. However, these rights may be limited where exercising them would:
- Compromise the confidentiality of the reporter or the investigation.
- Prejudice the prevention, detection, or investigation of breaches of law or company policy.
- Impair the ability of Cennox to comply with its legal obligations.
You may exercise your rights by contacting compliance@cennox.com.
11.3 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed in violation of applicable data protection law. Relevant authorities include but are not limited to:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- Sweden: Integritetsskyddsmyndigheten (IMY) — imy.se
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Germany: Relevant state data protection authority (Landesdatenschutzbeauftragte)
- Belgium: Autorité de protection des données / Gegevensbeschermingsautoriteit — dataprotectionauthority.be
12. Confidential (Non-Anonymous) Reporting
If you prefer to identify yourself when making a report, you may do so by emailing confidentialreporting@cennox.com. Reports submitted via email are treated as confidential, not anonymous. Your identity will be known to one or more members of the Legal Department and will be protected from unauthorised disclosure in accordance with the EU Whistleblower Protection Directive, the UK Public Interest Disclosure Act, and applicable U.S. law.
13. Non-Retaliation
Cennox strictly prohibits retaliation against any individual who makes a good-faith report through the Portal or via the confidential email channel. This commitment applies regardless of whether the reporter's identity is known, and is enforced in accordance with the EU Whistleblower Protection Directive (2019/1937), national transpositions thereof, the UK Public Interest Disclosure Act 1998, the U.S. Sarbanes-Oxley Act, the Dodd-Frank Act, and Cennox's internal Non-Retaliation Policy.
14. Changes to This Notice
We may update this privacy notice from time to time to reflect changes in law, regulatory guidance, or the Portal's functionality. The "Last Updated" date at the top of this notice indicates the most recent revision. Material changes will be communicated via the Portal itself.
15. Contact Us
If you have questions about this privacy notice or about how Cennox handles data in connection with the Portal, please contact:
Cennox Legal Department
Email: legal@cennox.com
Data Protection Enquiries
Email: compliance@cennox.com
This privacy notice is provided for transparency purposes and does not create any contractual or other legal rights or obligations beyond those established by applicable law.