1. INTRODUCTION AND PURPOSE

Through this whistleblower scheme, Amnesty International Denmark (“Amnesty”) wishes to provide a dedicated, independent and autonomous channel through which employees, both current and former employees, temporary workers, interns, whether paid or unpaid, board members, members of the established finance committee, business partners and their employees, volunteers, students, and activists at Amnesty (the “Covered Persons”) may make inquiries and report matters concerning:

1.   Breaches of EU legal acts pursuant to the underlying Whistleblower Directive (for example concerning the protection of privacy and personal data, the security of network and information systems, public procurement, financial services and anti-money laundering),

2.   Other serious legal violations, including, for example, repeated breaches of applicable legislation, or

3.   Other serious matters, including, for example, breaches of policies and guidelines or information concerning any form of sexual harassment or serious harassment/bullying.

Please see further below under section 2 (collectively referred to as the “scope” or the “scope of the whistleblower scheme”).

The whistleblower scheme is not intended to replace or substitute the existing internal communication channels, and it is recommended that such existing communication channels be used to the greatest extent possible, cf., for example, Amnesty’s three (3) internal policies: 1) the Anti-Corruption Policy, 2) the Sexual Harassment and Safeguarding Policy, and 3) the Policy on Close Personal Relationships. This shall apply unless a report under the whistleblower scheme is considered the appropriate form of communication, and in case of doubt as to the appropriate communication channel, you may contact the whistleblower officer.

The whistleblower scheme constitutes an additional forum in which more serious incidents may be reported where such matters are not suitable for handling through the existing communication channels, or where the reporting person considers it necessary to report through the whistleblower scheme.

The following sets out how the whistleblower scheme operates in practice, including which matters may be reported (the scope) and how reports to the whistleblower scheme will be handled.

2. SCOPE – WHICH MATTERS CAN BE REPORTED?

The whistleblower scheme may be used to make confidential reports concerning the following:

1.   Breaches of EU law concerning public procurement, financial services, anti-money laundering and the General Data Protection Regulation (GDPR), cf. the scope of application of the Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law;

2.   Other serious legal violations, which as a general rule include:

a. Violations relating to criminal offences, including misuse of financial resources, blackmail, theft, fraud, forgery, breach of trust, embezzlement, deception, computer fraud, bribery and hacking, wiretapping, unlawful recording of conversations between others, etc.

b. Breaches of sector-specific legislation or other legislation that would generally fall within the scope, for example breaches of tax legislation or bookkeeping rules, or violations of confidentiality obligations.

3.   Other serious matters such as:

a. Failure to comply with professional standards which may, for example, give rise to a risk to the safety and health of individuals, serious errors and irregularities relating to IT operations or IT system management, as well as particular cases where minor cooperation difficulties involve major risks;

b. Sexual harassment (any form of unwanted verbal, non-verbal, or physical conduct of a sexual nature) or serious harassment/bullying with the purpose or effect of violating a person’s dignity, in particular by creating an intimidating, hostile, degrading, humiliating or unpleasant environment; and

c. Other forms of serious harassment, for example harassment on the grounds of race, political or religious affiliation, etc., subject, however, to the below regarding sensitive personal data.

As a rule, the following matters are not covered by the scheme:

  • Complaints concerning cooperation difficulties, incompetence, salary matters, and other everyday or routine matters;
  • Reports concerning the working environment, decision-making processes or general management decisions;
  • Breaches of a trivial nature; and
  • Breaches of ancillary provisions, including documentation requirements or notification obligations.

However, the above matters, which as a general rule are not covered by the whistleblower scheme, may in special circumstances involve such risks to human life or health, or such significant harmful consequences, that they are nevertheless covered by the whistleblower scheme and may be processed under it.

Matters not covered by the whistleblower scheme may be discussed with the immediate manager, a member of the HR function, the health and safety representative, the employee representative, or similar persons.

3. WHO CAN REPORT?

Employees, both current and former employees, temporary workers, interns, whether paid or unpaid, board members, members of the established finance committee, business partners and their employees, volunteers, students, and activists at Amnesty (the “Covered Persons”) may submit reports.

4. HOW ARE REPORTS MADE AND TO WHOM?

Reports under the whistleblower scheme must be submitted electronically via an online portal provided by Legalsys ApS. The whistleblower scheme is handled and administered by SIRIUS advokater, who assesses whether a report falls within or outside the scope of the whistleblower scheme. SIRIUS advokater forwards received reports, or extracts of reports, to Amnesty’s whistleblower officer, who is responsible for the internal administration and handling of the whistleblower scheme on behalf of Amnesty, including any investigation of reports, etc.

If a report concerns the whistleblower officer, the report must be submitted to the alternative whistleblower officer.

Either the whistleblower officer or the alternative whistleblower officer assists in the administration and handling of matters relating to the whistleblower scheme that are subject to the rules on professional secrecy, confidentiality, etc. under applicable whistleblower legislation and the General Data Protection Regulation (GDPR).

Reports may be submitted in Danish or English, and the following information will be useful for the whistleblower officer and SIRIUS advokater in connection with the assessment of a report:

  • Name, department, and contact details of the person being reported;
  • A description of the factual circumstances giving rise to the report; and
  • Any documentation or evidence supporting the report.

The reporting person cannot request or require anonymity and is therefore fully identifiable to SIRIUS advokater and the whistleblower officer. However, to the extent possible, the reporting person’s identity will only be revealed to other individuals if this is considered necessary for conducting an investigation of the reported matter.

If a matter is reported which is not covered by the whistleblower scheme, the reporting person will be informed of this by SIRIUS advokater and referred to another communication channel.

5. THE PROCESS FOLLOWING A REPORT

Once SIRIUS advokater has received a report, SIRIUS advokater will screen the report in order to assess whether its contents fall within the scope of the whistleblower scheme.

If the report (or part of the report) falls outside the scope of the whistleblower scheme, the reporting person will be notified accordingly. SIRIUS advokater will furthermore be obliged to delete (that part of) the report without undue delay.

If the report falls within the scope of the whistleblower scheme, SIRIUS advokater will forward its contents to the whistleblower officer employed by Amnesty, together with a preliminary assessment of the content of the report. If the report concerns the whistleblower officer, the report will be forwarded to the alternative whistleblower officer.

The whistleblower officer may then choose either to handle the report internally or to use external assistance from SIRIUS advokater in connection with the further investigation prompted by the report.

6. PROTECTION OF PERSONS WHO REPORT

Persons who submit reports under the whistleblower scheme are protected against adverse consequences associated with the report itself, including dismissal and/or detrimental treatment, provided that the reports are made in good faith. Whistleblowers enjoy the same protection as that provided under the Danish Act on the Protection of Whistleblowers.

If the report concerns reprehensible conduct relating to the reporting person him- or herself, or if the whistleblower officer, in connection with the report, becomes aware of such reprehensible conduct relating to the reporting person him- or herself, the reporting person will not be exempt from any adverse consequences relating to such conduct.

If a false accusation is knowingly reported against a person, the reporting person will not be protected by the whistleblower policy, including the protection afforded under the Danish Act on the Protection of Whistleblowers.

7. CONFIDENTIALITY

All reports submitted under the whistleblower scheme are treated as strictly confidential by the whistleblower officer and by SIRIUS advokater, which administers the scheme as an independent third party.

As stated above, the reporting person does not have the option of making anonymous reports. Accordingly, SIRIUS advokater forwards reports to the whistleblower officer with the reporting person’s identity being fully identifiable.

8. DATA PROTECTION

8.1 Controllers and processors in the scheme

The processing of personal data provided in connection with the whistleblower scheme is subject to the applicable data protection rules.

SIRIUS advokater is responsible for ensuring an adequate level of security in relation to the personal data and reports received by SIRIUS advokater as part of the whistleblower scheme. SIRIUS advokater further warrants that it will comply with the requirements concerning independence, confidentiality, data processing and professional secrecy, etc. set out in the explanatory notes to section 11(2) of the Danish Act on the Protection of Whistleblowers. SIRIUS advokater complies with the data protection legislation in force at any given time in connection with the administration of and advice relating to the whistleblower scheme.

As external legal adviser, SIRIUS advokater acts as controller under the General Data Protection Regulation (GDPR). SIRIUS advokater’s processing of personal data is carried out solely for the purpose of making legal assessments and providing legal advice in connection with reports received through the whistleblower scheme. SIRIUS advokater also independently decides which personal data is to be deleted, disclosed, etc. The processing of data in connection with the provision of legal advice is not carried out on the basis of instructions from or subject to approval by Amnesty.

The system-related processing of personal data is carried out by the system provider Legalsys ApS on behalf of Amnesty, and a data processing agreement has been entered into between Amnesty and Legalsys ApS in accordance with the data protection rules.

As a data controller, SIRIUS advokater is obliged to ensure that SIRIUS advokater’s processing of personal data complies with data protection legislation, including:

  • ensuring a lawful basis for processing;
  • implementing appropriate technical and organizational measures to ensure a level of protection appropriate to the current risks of varying likelihood and severity to the rights and freedoms of data subjects;
  • informing data subjects that personal data concerning them is being processed, unless such information may be omitted under the applicable rules (for example due to an ongoing investigation);
  • granting data subjects the right of access to the processing of personal data concerning them, unless such access may be omitted under the applicable rules (cf. above regarding ongoing investigations); and
  • reporting data breaches and, where necessary, informing data subjects thereof.

Reference is also made to SIRIUS advokater’s general terms of business and privacy policy on SIRIUS advokater’s website: www.siriusadvokater.com. Reference is further made to the Danish Bar and Law Society’s guidance of April 2018 on lawyers’ processing of personal data.

8.2 Lawful basis for the processing of personal data

To the extent that non-anonymised reports are submitted, SIRIUS advokater will, in connection with the processing of reports, process personal data relating to the reporting person and any other persons mentioned in the report. Such processing will most often include name and contact details as well as a description of the matter reported, which may include one or more potentially criminal offences and/or employment-related matters of a sensitive nature.

Personal data reported by or about employees, whether current or former employees, temporary workers, interns, whether paid or unpaid, board members, members of the established finance committee, business partners and their employees, volunteers, students, and activists at Amnesty, or about other covered persons, is processed pursuant to the Danish Act on the Protection of Whistleblowers, under which personal data may be processed where necessary for the handling of reports received under the whistleblower scheme.

Amnesty’s investigation of a report may entail that Amnesty collects and reviews additional information, conducts investigations relating to the reports, imposes sanctions, including employment-related sanctions, notifies relevant authorities, and files police reports, etc.

Such information is also processed in accordance with Amnesty’s legitimate and justified interests pursuant to Articles 6 and 9 of the General Data Protection Regulation (GDPR) and section 12 of the Danish Data Protection Act, cf. Amnesty’s general data protection policy.

8.3 Security and storage of data

SIRIUS advokater stores personal data received as part of the whistleblower scheme securely and confidentially and has implemented technical and organizational security measures for that purpose. In addition, SIRIUS advokater uses only data processors that maintain at least the same level of security in their processing of personal data as SIRIUS advokater.

Personal data contained in and connected with a report is retained for as long as necessary for the purposes for which the data was collected, and the specific retention period will depend on the content of the report.

However, if a report proves to be unfounded, all information connected thereto will be deleted immediately upon such determination.

Similarly, information connected with a report falling outside the scope of the whistleblower scheme will be deleted immediately after the reporting person has been informed that the report is not covered by the scheme.

If the report falls within the scope of the whistleblower scheme, the report and the personal data contained therein will be retained by SIRIUS advokater until the report has been forwarded to Amnesty, following which the information will be deleted no later than within six months. If SIRIUS advokater is to carry out further investigation, etc. in relation to the report, a case file will be opened, which will thereafter be stored in accordance with SIRIUS advokater’s data protection policy.

If a report results in a police report or a report to another authority, the information will be deleted immediately after the police or other authority has concluded the matter.

The period for Amnesty’s retention of personal data contained in a report will depend on the nature of the report and will therefore be based on a concrete assessment. Amnesty will delete information that is demonstrably found to be incorrect during the investigation of the report.

8.4 Information to the person concerned by the report

As a general rule, the person who is the subject of a report under the whistleblower scheme will receive notice that information concerning him or her has been reported, who will have access to the information, the purpose of the processing of the information, and the basis for the processing, including the legitimate interests justifying the processing, the period for which the personal data will be stored (or, if this is not possible to state, the criteria used to determine that period), the person’s right to request access to and rectification or erasure of personal data, or restriction of the processing of personal data, as well as the right to object to the processing and the right to lodge a complaint with the Danish Data Protection Agency. In addition, the person concerned will be informed of any recipients or categories of recipients of the personal data, for example where the report gives rise to a police report.

The person who is the subject of a report under the whistleblower scheme will be informed about the processing of personal data concerning him or her at the time of receipt of the report. However, this shall not apply if notification to the person concerned must, in the circumstances, be postponed out of consideration for the investigation/inquiry or for an essential and legitimate interest of Amnesty, the reporting person or other affected parties, which in the specific situation is assessed to outweigh the interests of the person concerned. Reference is made to the rules in force from time to time regarding exceptions to the information obligation under the General Data Protection Regulation (GDPR) and the Danish Data Protection Act. In such cases, the right of access and the right to be informed of any security breaches may likewise be restricted in relation to the person concerned.

8.5 Rights of data subjects

Data subjects under the whistleblower scheme (those making reports, those being reported, and any third parties referred to in connection with a report) may contact the whistleblower officer regarding access to, rectification, blocking, amendment or deletion of information concerning themselves.

The whistleblower officer will assess whether, and if so to what extent, any requests for access, rectification, blocking or deletion may and must be accommodated under the applicable rules.

Data subjects also have the right to lodge a complaint concerning the processing of their personal data in connection with the whistleblower scheme. Such complaint may be submitted to the Danish Data Protection Agency, Carl Jacobsens Vej 35, 2500 Valby, tel.: +45 33 19 32 00, or via email: dt@datatilsynet.dk.