1. Introduction and purpose
With this whistleblower scheme, NDI Group A/S wishes to provide a special, independent and autonomous channel where employees of the company can report suspected irregularities, violations or potential violations of applicable legislation or company policies or guidelines.
The whistleblower scheme cannot and should not replace direct contact with the company, including your manager and others. However, the whistleblower scheme should create a space where you can report serious incidents that either do not lend themselves to being dealt with through existing communication channels or where you want to ensure anonymity.
The following describes how the whistleblower scheme works in practice, including which matters can be reported and how reports in the whistleblower scheme will be handled.
2. What can be reported?
The whistleblower scheme can be used to report suspected irregularities, violations or potential violations of applicable legislation or company policies or guidelines.
For example, the following matters are not covered by the scheme:
- Complaints about co-operation difficulties, incompetence, pay issues and other everyday or routine matters.
- Reports about work environment, decision-making processes or general management decisions.
The issues not covered by the scheme can be addressed in other ways within the organisation.
Deliberate false accusations against persons or incorrect information must not be reported.
3. Who can report?
All employees in the organisation.
4. Who can be reported on?
Reports can be made about offences committed by the company, the company's employees, management, owners and members of the board of directors.
5. How to report and to whom?
Reports to the whistleblower scheme are made electronically via the whistleblower portal on the link published by the company.
Reports can be submitted in Danish or English and the following information will be useful for those assessing the reports:
- Name, department and contact details of the person being reported about,
- A description of the facts giving rise to the report, and
- Any documentation or evidence that supports the report.
The report is initially reviewed by the company's designated whistleblower committee, which screens cases and, depending on the nature of the case, appoints an internal investigator or external lawyer to investigate the case further.
6. Anonymity?
The person making a report can choose to make the report anonymously.
The whistleblower system does not log IP addresses and machine ID, and all data transmission and storage of data is encrypted. Depending on the nature of the case, only the internal investigator or external lawyer has access to the case management part of the system.
The reporter will be able to log into the system anonymously later and see if the internal investigator or external lawyer has asked further questions about the case or requested additional documentation.
Any subsequent dialogue is always anonymous, unless the reporter chooses to disclose their identity, and is based solely on the reporter's willingness to log into the system and answer the external lawyer's questions.
Regardless of whether the reporter chooses not to disclose his identity, an investigation or case may mean that anonymity cannot be maintained, e.g. if an employment law case or legal action is initiated against the person reported about.
7. The post-reporting process
If the internal investigator or external lawyer considers that the report concerns a member of the company's executive management or board of directors, another relevant, appointed and impartial person in the company will be informed.
When a report is received by the external lawyer, the external lawyer is obliged to initiate an investigation into the reported matter.
If a report is not correct or is found to be outside the scope of the scheme, it will be immediately rejected and deleted from the system and the person who reported the matter will be notified. If the report is made anonymously, the reporter can be notified by logging into the whistleblower portal with username and password.
If the initial investigation concludes that the report is deemed to fall within the purpose of the scheme, it will be subject to further investigation. The case is first handled by the internal investigator or the external lawyer and possibly subsequently by the company and may have employment consequences for the person, including the management or board member, who has been reported. The case is deleted in the whistleblower portal when it is no longer required to have the information registered.
In cases where the report concerns specific individuals, the company may be obliged to provide the reported individuals with information about the reported matter. In each individual situation, a specific assessment will be made of when such notification can or should be given, so that the notification cannot have consequences for the uncovering of the reported matter and the collection of evidence.
No information is provided about who made the report, even if the reporter has chosen to disclose his identity. However, it should be noted that a reporter of non-anonymous reports runs the risk of being called as a witness if legal proceedings are initiated. Anonymous reporters are made aware that the company's investigation of a report and the subsequent handling of a possible case may mean that anonymity cannot be maintained.
The case may be of such a nature that it is passed on to the police for further investigation. When the police (and possibly the courts) have finalised the case and any appeal period has expired, the case is deleted from the whistleblower portal. The case may end up in court and the person reported on may, depending on the nature of the case, risk fines and imprisonment.
It is important that the whistleblower portal is not used for false accusations, where suspicion is directed towards innocent people. All reports must therefore be made in good faith. If a report is made in bad faith and the report turns out to be a result of personal negative feelings, vindictiveness, etc. an unfounded report can have employment consequences for the whistleblower if he can be identified.
8. Protection of employees
Persons submitting reports to the whistleblower scheme are protected against negative consequences associated with the report itself, including dismissal and unfavourable treatment, provided that the reports are submitted in good faith.
If the report relates to reprehensible matters concerning the reporter, or if the company becomes aware of such reprehensible matters concerning the reporter in connection with the report, the reporter will not be exempt from any negative consequences relating to these matters.
If a false accusation is knowingly or in bad faith reported against a person, the reporter is not protected from negative consequences.
9. Confidentiality
All reports to the whistleblower scheme are treated in strict confidence by the company, the internal investigator and the lawyer administering the scheme.
If the whistleblower so wishes, he may at any time request that the lawyer deletes his personal data from a report.
10. IT security
The whistleblower system is operated by Legalsys ApS, which is an independent party and guarantees the security and anonymity of the system. A data processing agreement has been signed with Legalsys ApS.
Read more about system security in the whistleblower portal.
11. Personal data
Processing of personal data submitted in connection with the whistleblower scheme is subject to applicable data protection rules.
As an external lawyer/partner administers the whistleblower scheme, he acts as data processor for the company, which is the data controller.
A data processing agreement has been entered into between the company and the lawyer, which, among other things, instructs the lawyer not to disclose personal data about a whistleblower to the company unless the whistleblower has specifically consented to this.
Unless the report is made anonymously, the report means that the lawyer will process personal data about the reporter. In any case, the company, the internal investigator and the lawyer will process personal data about the reported person and any other persons mentioned in the report. These personal data are usually the name and description of the reported matter, which may include one or more potential criminal offences and/or employment law offences.
General personal data is processed based on Article 6(e) of the GDPR, according to which personal data may be processed when necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. For example, the company may process personal data in reports to ensure that potential violations of the law cease, thereby ensuring trust in the company.
Sensitive personal data may be processed based on Article 9(2)(f) of the GDPR, according to which processing is necessary for the establishment, exercise or defence of legal claims or when courts act in their judicial capacity.
Personal data contained in and related to a report shall be kept for as long as necessary for the purposes for which the data were collected and the specific retention period will depend on the content of the report.
The whistleblower and the subject of the report have the right to complain about the processing of personal data in connection with the whistleblower scheme. Such a complaint can be submitted to the Danish Data Protection Agency: Borgergade 28, 1300 Copenhagen K, tel: 33193200, or via e-mail: dt@datatilsynet.dk.
12. Entry into force
The whistleblowing policy enters into force as soon as it is published in the company and is revised at least once a year.
13. Questions
Questions regarding this whistleblower scheme can be directed to the relevant persons listed on the whistleblower portal.