Compliance Hotline
Data Protection & Privacy Notice

You are being asked to read and accept the terms contained below. If you do not wish to accept the terms below, we are unable to accept any information through this system and suggest you report this matter directly to your supervisor or manager or to a representative of the Human Resources, Legal or Compliance departments, depending on the nature of the possible violation.

1. General

This service is a web and phone-based intake system provided by Columbia University and its affiliated organizations for their respective employees (each separately, an “Employer”) for reporting suspected violations of laws or regulations, the Employer’s Code of Conduct or other policies.

In certain countries, such as the United States, this service may also be used to report other suspected violations. It and the database in which the personal data and information that you may report is stored, are operated by NAVEX in the United States.

You may contact your Employer with any questions relating to this Notice or this service.

To proceed further, you must read this notice in its entirety. If you agree and you are submitting a report on the phone, select the appropriate voice prompt to consent.  You will then be able to submit a report or question using this service. If you do not provide your consent, you will not be able to submit a report or question through this service.

2. Use of this service

Use of this service is entirely voluntary. You are encouraged to report possible violations directly to your supervisor or manager, or to a representative of the Human Resources, Legal or Compliance departments of your Employer, depending on the nature of the possible violation. If you feel that you are unable to do so, you may use this service to make your report.

This service is a confidential online reporting system that allows you to report suspected violations of law or Employer policies, as well as other concerns you may have, to your Employer. In certain countries, your Employer may only accept reports through this service on limited topics, generally restricted to financial, accounting, auditing, bribery, competition law, sanctions, discrimination and harassment and environment, health, hygiene, and safety matters. If your concern pertains to a matter that, under local law, may not be accepted by your Employer through this service, you will need to contact your supervisor or local management or a representative of the Human Resources, Legal or Compliance departments of your Employer to report the matter.

Please note that we are able to receive and process reports through this service if you confirm that you have read and taken note of this Data Protection and Privacy Notice and expressly consent to the processing of the reports and your personal information.

Please be aware that the information you supply about yourself, your colleagues, or any aspect of your Employer’s operations may result in decisions that affect others. Therefore, we ask that you only provide information that you believe is accurate and true. You will not be subject to retaliation from your Employer for any report of a suspected violation that is made in good faith, even if it later turns out to be factually incorrect. Please be aware, however, that knowingly providing false or misleading information will not be tolerated. The information you submit will be treated confidentially except in cases or in countries where this is not possible because of legal requirements or where, for example, your name may be disclosed if legally required or in order to conduct an investigation, in which case the information will be handled sensitively. We encourage you to identify yourself in order for us to follow up with questions we may have.

3. What personal data and information is collected and processed?

This service captures the following personal data and information that you provide when you make a report: (i) your name and contact details (unless you report anonymously) and whether you are employed by Columbia University or one of its affiliated organizations; (ii) the name and other personal data of the persons you name in your report if you provide such information (i.e.: description of functions and contact details); and (iii) a description of the alleged misconduct as well as a description of the circumstances of the incident. Note that depending upon the laws of the country in which you are residing, the report may not be made anonymously; however, your personal information will be treated confidentially and will only be disclosed as set out below.

4. How will the personal data and information be processed after your report and who may access personal data and information?

The personal data and information you provide will be transferred to and stored in a database which is located on servers hosted and operated by NAVEX in the United States. NAVEX has entered into contractual commitments with Columbia University on behalf of itself and its affiliated organizations to secure the information you provide in accordance with applicable law. NAVEX is committed to maintaining stringent privacy and security practices including those related to notice, choice, onward transfer, security, data integrity, access, and enforcement.

For the purpose of processing and investigating your report and subject to the provisions of local law, the personal data and information you provide may be accessed, processed and used by the relevant Employer personnel, including Human Resources, Finance, Internal Audit, Legal, Compliance, management, external advisors (e.g. legal advisors), or, in limited circumstances, by technical staff at NAVEX. Those individuals may be located in the United States or elsewhere.

Personal data and information you provide may also be disclosed to the police and/or other enforcement or regulatory authorities. The relevant bodies that receive and process personal data can be located in the US or in another country that may not provide the level of data protection available in the EU.

The personal data you provide will be kept as long as necessary to process your report, or, if applicable, as long as necessary to initiate sanctions or to meet our legal or financial needs.

5. Accessing information concerning the report

The Employer will promptly notify any person who is the subject of a report to this service except where notice needs to be delayed to ensure the integrity of the investigation and preservation of relevant information.

With some exceptions, the subject of the report may access information concerning the report (with the exception of the identity of the reporter) and request correction of personal data that is inaccurate or incomplete in accordance with applicable law. Similarly, with some exceptions, reporters may also access information about the report and request corrections of their personal data in accordance with applicable law. To make any such corrections, please contact the Office of General Counsel who will coordinate such corrections with your Employer.

6. Additional country regulations

In some counties, such as certain member states within the European Union, reports can only be made relating to limited topics, typically accounting, auditing, bribery, competition law, sanctions, discrimination and harassment and environment, health, hygiene, and safety matters. Further, some countries restrict reports such that only employees in key or management functions may be the subject of a report.

Any issues or concerns relating to topics not permitted by law to be reported via this service should be reported directly to your Manager or Supervisor or a representative of the Human Resources, Legal or Employer Compliance departments as appropriate for the subject matter of the possible violation. In some countries, anonymous reports may not be permitted under the law except under extremely restrictive circumstances.

Some countries have additional considerations when filing a report. Please see below:

Democratic Republic of Congo

Everyone has the right to consent to disclosure of personal data and information that will be transferred to and stored in a database handled by the Employer or by NAVEX as long as the respect of privacy is maintained and no activity against the law have been conducted or could have been considered.

While the Employer manages safely database, in case of investigation and breach of Law, public order and good mores the DRC judicial authorities might access and collect any information needed for their purposes according to the Law.

France

The reporter is informed and accepts that the personal Data, necessary for his/her report, are collected, processed, protected and stored by NAVEX and by COLUMBIA, as long as it is useful and up to date, and for only as long as necessary to investigate and resolve any matters reported after report is made.

This Data may only be forwarded to services and third parties listed above, and will be transferred in the US to the campus of COLUMBIA, in the NAVEX management center and/or their related Clouds.

The reporter is informed that he/she has, since the implementation of the European GDPR on May, 25, 2018, a right to access, accurate and complete processing of his/her personal Data, along with the right to be informed and to consent, to access, edit, limit, forward and eliminate (right to be forgotten) his/her personal Data, subject to the term and conditions set the GDPR.

For more information about GDPR, and the right it confers, visit http://www.cnil.fr. For questions about this right, please contact the Data Protection Officer of COLUMBIA (Director, Global Centers, Paris, Brunhilde Biebuyck, bb2006@columbia.edu.

Jordan

Columbia University may modify this Data Protection and Privacy Notice at any time to comply with applicable laws, or to reflect our updated business practices, without prior notice. In the event of a change, we will post the revised Data Protection and Privacy Notice to the Website with the effective date.

Kazakhstan

The personal data and information you provide will be transferred to and stored in a database which is located on servers of the Employer in the Republic of Kazakhstan, as well as on servers hosted and operated by NAVEX in the United States.

I have read and expressly consent to the collection and processing of my personal information as described in this Data Protection and Privacy Notice, including without limitation to the personal data transferring out of the Republic of Kazakhstan.

Mozambique

Please note that NAVEX is a data processor and is an entity that acts under the direction of Columbia University and its affiliated organizations.

Nigeria

The submission of a report is optional and requires your consent. At any time prior to submission, you may opt out by not providing your consent. This will result in the form not being submitted. You have the right to withdraw consent at any time, although this will not affect the lawfulness of processing based on the consent earlier given.

In the event of any violation of this privacy policy, you have recourse to the remedies available under Nigerian law within the timeframe permitted by law and the right to lodge a complaint with the relevant Nigerian data protection authority.

You have the right to request access to and rectification or erasure of your personal data, which will be granted as appropriate and subject to applicable law and policies. Please see below the contact details of the data protection officer:

Name: Dr. Adewale Akinjeji
Email Address: aoa2141@cumc.columbia.edu

South Africa

For those with personal information processed in South Africa, if you believe that the Employer has utilized such personal information contrary to applicable law, you should attempt to resolve such concerns with the Employer. If you are not satisfied with the response, you may have the right to lodge a complaint with the Information Regulator under the Protection of Personal Information Act, 2013 (full enactment pending as of January 2020). See https://www.justice.gov.za/inforeg/ for more details.

Tanzania

The submission of a report is optional and requires your consent. At any time prior to submission, you may opt out by not providing your consent below. This will result in the form not being submitted. If you choose to continue with a report, you should complete the form, provide your consent below, and submit the form.

Tunisia

The submission of a report is optional and requires your consent. At any time prior to submission, you may opt out by not providing your consent. This will result in the form not being submitted. You have the right to withdraw consent at any time, although this will not affect the lawfulness of processing based on the consent earlier given. In addition, you have the right to access the data you report.

The personal data and information you provide will be transferred to and stored in a database which is located on servers of the Employer in Tunisia, as well as on servers hosted and operated by NAVEX in the United States. I have read and expressly consent to the collection and processing of my personal information as described in this Data Protection and Privacy Notice, including without limitation to the personal data transferring out of Tunisia.

In the event of any violation of this privacy policy, you have recourse to the remedies available under Nigerian Tunisian law within the timeframe permitted by law and the right to lodge a complaint with the relevant Nigerian Tunisian data protection authority.

You have the right to request access to and rectification or erasure of your personal data, which will be granted as appropriate and subject to applicable law and policies. Please see below the contact details of the Data Protection Officer: Director, Global Centers, Tunis, Youssef Cherif, yc2514@columbia.edu.

Zambia

Please note that the consent below includes consent to the collection, collation, processing or disclosure of personal information as described in this Data Protection and Privacy Notice. At any time prior to submission, you may opt out by not providing your consent below. This will result in the form not being submitted. If you choose to continue with a report, you should complete the form, provide your consent below, and submit the form.