1. Introduction and purpose
With this whistleblower scheme, NIL Technology ApS (NILT) wishes to provide a special, independent, and autonomous channel through which current and former employees and current partners in and to NILT ("the covered persons") have the opportunity to, possibly anonymously, report matters concerning:
1) Infringement of EU legal acts under the underlying EU Whistleblower Directive (e.g., on the right to privacy and personal data protection and the security of networks and information systems, public procurement, financial services and money laundering);
2) other serious offences, including, for example, repeated breaches of applicable law; or
3) other serious matters, including, for example, breaches of policies and guidelines or information about any form of sexual harassment or severe harassment/bullying.
Due to the data protection rules (GDPR) the reports may not contain sensitive personal data about anyone other than yourself and the person you believe has committed a serious breach of the rules, laws or essential guidelines, see details below in section 3.
See below under section 3 (collectively referred to as the “Scope” or “Scope of the Whistleblower Scheme”).
The whistleblower scheme is not intended to replace or substitute existing internal communication channels and it is recommended that existing communication channels being used as far as possible, cf., for example, the current policy on harrasment and abusive behaviour. The above applies unless you consider that reporting under the whislteblower scheme is appropriate form of communication. The whistleblower scheme provides an additional forum for reporting more serious incidents, which are either not suitable for being dealt with through existing communication channels, where the whistleblower wishes to remain anonymous to NILT, or where the whistleblower considers for other reasons that reporting via the whistleblower scheme is necessary.
In connection with the whistleblower scheme, an external telephone hotline is established through which the persons covered will be able to receive advice on matters they consider reporting or with questions about the whistleblower scheme itself.
2. Telephone hotline
The telephone hotline is handled and administered by legal staff at the whistleblower advisory service of SIRIUS advokater. The advisory service currently includes lawyers Helle Nøhr Larsen and Laura Riggelsen, who can be contacted on +45 88 88 85 85.
It has been agreed that the hotline will be open between 9:00 am and 3:00 pm on weekdays, and that advice can be provided for a maximum of up to 30 minutes. Advice can only be provided regarding questions potentially covered by the scope of the Whistleblower Scheme, as set out in the bullet list above under section 1 and below under section 3.
If an enquiry clearly falls outside the scope of the Whistleblower Scheme, the person making the enquiry will be informed accordingly and advised to contact internal communication channels at NILT.
Information provided in connection with the use of the hotline will be fully confidential. SIRIUS advokater cannot and will not disclose information to NILT or others who can identify persons covered unless the persons covered explicitly consent to or request such disclosure. The above applies both to information on the identity of the covered persons and to the identity of the person who allegedly has breached the rules that the Whistleblower Scheme is designed to protect. SIRIUS advokater will provide advice and may propose referrals to, e.g., management, health and safety representatives, colleagues, health insurance or ultimately propose a report through the established Whistleblower Scheme.
When the hotline is used, SIRIUS advokater undertakes to report the content of the conversation in writing at the overall and general level for internal use at NILT. On request, NILT may be informed of the number of enquiries made to the hotline within a given period, as well as information on the nature of the enquiries and the duration of the advice. However, as stated above, in any disclosure of information relating to the use of the telephone hotline, SIRIUS advokater is obliged to ensure complete anonymity of the whistleblower and the reported person.
The following will explain how the Whistleblower Scheme works in practice, including the matters that can be reported (the scope) and how reports to the Whistleblower Scheme will be handled.
3. Scope – what incidents and situations can be reported?
The Whistleblower Scheme can be used to submit confidential reports on the following:
1) Infringements of EU law on public procurement, financial services, money laundering and GDPR, cf. the scope of the Directive of the European Parliament and of the Council on the protection of persons who report infringements of EU law;
2) Serious offences in general, which include:
a. Offences relating to criminal offences, including breach of professional secrecy, misuse of financial means, theft, fraud, embezzlement, fraud and bribery;
b. serious or repeated breaches of legislation.
3) Other serious matters, including:
a. Sexual harassment (any form of unwanted verbal, nonverbal or physical behaviour with sexual undertones) or severe harassment/bullying with the purpose or effect of violating a person’s dignity, in particular, by creating a threatening, hostile, degrading, humiliating or unpleasant climate and
b. other forms of harassment, e.g., harassment due to race, political or religious affiliation etc., however see below regarding personally sensitive information.
The following matters are generally not covered by the scheme:
- Complaints about co-operation difficulties, incompetence, pay, and other routine matters.
- Reports on working environment, decision-making processes or general management decisions.
- Violations of a trivial nature.
- Violations of ancillary provisions, including documentation obligation or notification obligation.
It follows from the Whistleblower Protection Act, in conjunction with data protection rules, that the following sensitive personal data are not covered by the Scheme:
- Reports containing sensitive information about racial or ethnic origin, political, religious or philosophical beliefs or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or information about a natural person's sex life or sexual orientation.
- Reports of sexual offences or harassment on the grounds of race, political or religious affiliation, etc., made by persons other than the offended person and where the offended person is named or otherwise identifiable.
If SIRIUS advokater receives reports containing sensitive personal data, as stated above, or receives reports from third parties containing information about who has been offended/harassed, SIRIUS advokater will be required to immediately anonymize or erase such information.
A disclosure that a (possibly named) person has offended/harassed another unnamed person is, on the other hand, covered by the Whistleblower Scheme and may be reported.
However, the above-mentioned situations, which are generally not covered by the Whistleblower Scheme, may, in exceptional cases, involve such risks to human life or health or such risks of significant harm that they are nevertheless covered by the Whistleblower Scheme and can be dealt with under the Scheme.
Matters not covered by the Whistleblower Scheme may be discussed with the immediate manager, the health and safety representative or the like.
4. Who can report?
Current and former employees and current partners in and to NILT of ("the covered persons") can file a report.
5. How is a report filed – and to whom?
Reports to the Whistleblower Scheme are filed electronically via the online portal https://whistleblower.legalsys.dk/nilt/wb/en/front-page.html for which a license has been purchased from Legalsys ApS. The Whistleblower Scheme is handled and administered by SIRIUS advokater that assesses whether a report is within or outside of the scope of the Whistleblower Scheme. SIRIUS advokater will forward reports received or extracts of reports to NILT’s person in charge of the Whistleblower Scheme, NILT's CFO, who will be responsible for the internal administration and handling of the Whistleblower Scheme on behalf of NILT, including any investigation of reports, etc., as set out below.
If NILT's CFO is reported, the report will be forwarded to NILT's Chairman of the Board.
Both NILTs CFO and chairman of the board, who assist in the administration and handling of matters related to the Whistleblower Scheme, are subject to the rules on professional secrecy, confidentiality, etc., in applicable whistleblower legislation and GDPR legislation.
Reports can be submitted in Danish or English, and the following information will be useful for the person in charge of the Whistleblower Scheme to have when assessing a report:
- Name, department and contact details of the person being reported;
- a description of the facts giving rise to the report, and
- any documentation or evidence supporting the report.
Unless the whistleblower explicitly consents to his or her personal data being disclosed to the person in charge of the Whistleblower Scheme, SIRIUS advokater, the administrator of the scheme, is obliged to anonymise the report before it is disclosed.
It is entirely up to the individual whistleblower whether he or she wishes 1) to be fully anonymous, 2) to be partially anonymous so that only SIRIUS advokater knows the name, etc., or 3) to be fully identifiable by name, etc., – also in relation to the disclosure of information about the matter to the person in charge of the Whistleblower Scheme.
Please note that anonymous and partially anonymous reports (where only SIRIUS advokater knows the identity of the whistleblower) may make it more difficult for the person in charge of the Whistleblower Scheme to investigate and assess a report. In particular, in the case of anonymous and partially anonymous reports, it may be difficult to assess the credibility of the whistleblower. It is important to note that even with anonymous reports, it is important that the whistleblower helps to elaborate the report to ensure that it is sufficiently disclosed. Cooperation will make it more difficult to remain anonymous. Conversely, failure to cooperate may mean that the matter is not sufficiently disclosed and may be difficult to uncover.
It should also be noted that full or partial anonymity may be difficult to maintain if further investigation of the reported matter requires contact with one or more persons, since they may be able to recognise the matter and possibly the identity of the whistleblower or other persons concerned. It is noted that persons who become aware of the facts relating to the report, including possibly the identity of the persons involved, will be bound by professional secrecy and must observe confidentiality regarding the matters in question.
If a matter is reported that is not covered by the Whistleblower Scheme, the whistleblower will be informed of this by SIRIUS advokater and directed to another communication channel.
Persons considering making a report may contact SIRIUS advokater's whistleblower advisory service, which currently includes, among others, lawyers Helle Nøhr Larsen and Laura Riggelsen. They can be contacted by phone +45 88 88 85 85 or by e-mail; hnl@siriusadvokater.dk or lfc@siriusadvokater.dk, if there are questions relating to the reporting procedure, see section 2 above.
6. The process after reporting
Once SIRIUS advokater has received a report, SIRIUS advokater will screen the report to assess whether the content falls within the scope of the Whistleblower Scheme.
If the report (or part of the report) falls outside the scope of the Whistleblower Scheme, the whistleblower will be notified. SIRIUS advokater will be obliged to erase (this part of) the report immediately.
If the report falls within the scope of the Whistleblower Scheme, SIRIUS advokater will pass on the content to the person in charge of the whistleblower scheme employed by NILT along with a preliminary assessment of the content of the report. If the report concerns NILT’s person in charge of the Whistleblower Scheme, the CFO,, the report will be forwarded to NILTs chairman of the board .
From here, the person in charge of the Whistleblower Scheme may choose to process the report internally or use external assistance from SIRIUS advokater in connection with the further investigation that the report gives rise to.
7. Protection of persons filing a report
Persons who report to the Whistleblower Scheme are protected from negative consequences related to the report itself, including dismissal and/or unfavourable treatment, provided that the reports are filed in good faith. Whistleblowers are subject to the same protection as under the Whistleblower Protection Act.
If the report involves critical matters concerning the whistleblower, or if the person in charge of the whistleblower scheme becomes aware of such critical matters concerning the whistleblower, the whistleblower will not be exempted from any adverse consequences regarding those matters.
If a false accusation is reported against a person knowingly or in bad faith, the whistleblower is not protected by the whistleblower policy, including the protections under the Whistleblower Protection Act.
8. Confidentiality
All reports to the Whistleblower Scheme are treated in strict confidence by the person in charge of the Whistleblower Scheme and by SIRIUS advokater, who administers the scheme as an independent third party.
As stated, the whistleblower has the option of making anonymous and partially anonymous reports, in which case SIRIUS advokater reports to the person in charge of the Whistleblower Scheme without stating where the reports come from, if such information appears.
SIRIUS advokater does not disclose the whistleblower's personal data without obtaining explicit consent from the whistleblower first.
9. Data protection
9.1 Data controllers and data processors in the scheme
The processing of personal data provided within the confines of with the Whistleblower Scheme is subject to applicable data protection rules.
SIRIUS advokater is responsible for ensuring adequate security regarding the personal data and reports received by SIRIUS advokater as part of the Whistleblower Scheme. SIRIUS advokater also guarantees that SIRIUS advokater will comply with requirements of independence, confidentiality, data processing and professional secrecy, etc., as set out in the comments on section 11(2) of the Whistleblower Protection Act.
SIRIUS advokater complies with the data protection legislation in force at any time in connection with the administration of and advice in connection with the Whistleblower Scheme. As an external legal adviser, SIRIUS advokater is the data controller under the Data Protection Regulation. The sole purpose of SIRIUS advokater’s processing of personal data is to take a legal position on and provide advice on reports received through the Whistleblower Scheme. SIRIUS advokater also decides which personal data are to be erased, disclosed, etc. The processing of data in connection with the provision of advice does not take place on the instructions of or with the approval of NILT.
The system processing of personal data is carried out by the system supplier Legalsys ApS on behalf of NILT, and in accordance with the data protection rules, a data processor agreement has been concluded between NILT and Legalsys ApS.
As a data controller, SIRIUS advokater has a duty to ensure that SIRIUS advokater's processing of personal data complies with data protection legislation, including
- ensure a legal basis for processing
- ensure appropriate, technical and organisational measures to ensure a level of protection appropriate to the current risks of varying likelihood and severity of the rights and freedoms of data subjects;
- inform data subjects that personal data are being processed, unless the applicable rules allow otherwise (for example, due to a pending investigation);
- give data subjects the right of access to the processing of personal data relating to them, unless the applicable rules allow otherwise (cf. above on pending investigation);
- report data breaches and, if necessary, inform data subjects accordingly.
Reference is also made to SIRIUS advokater’s general terms and conditions and privacy policy on SIRIUS advokater’s website: www.siriusadvokater.com. In addition, reference is made to the Danish Bar and Law Society’s guidance of April 2018 on the processing of personal data of lawyers.
9.2 Legal basis for the processing of personal data
Because non-anonymised reports are made, SIRIUS advokater will process personal data about the whistleblower and any other persons mentioned in the report in connection with the processing of reports. The processing will usually include name and contact details, as well as a description of the reported matter, which may include one or more potential criminal offences and/or incriminating acts in terms of employment law.
Ordinary personal data are processed on the basis of the Whistleblower Protection Act and Article 6(f) of the Personal Data Regulation, which provide that personal data may be processed where the legitimate interests of the company in processing the information contained in a report so require, and these interests are considered to outweigh the data subjects’ interest in not being the subject of processing or their fundamental rights and freedoms.
The Whistleblower Scheme does not, in principle, cover sensitive personal data within the meaning of Article 9(1) of the Data Protection Regulation, unless the whistleblower and persons referred to in the report have expressly consented to the processing of sensitive personal data in accordance with Article 9(2)(a). If SIRIUS advokater receives reports containing sensitive personal data within the scope of Article 9(1) or receive reports from persons other than the offended/harassed person, and where, for example, the report contains sensitive personal data about another person, who has been offended/harassed, SIRIUS advokater will be obliged to erase or anonymise such information immediately, as referred to in section 3 on sensitive personal data.
Reports containing information on criminal offences will be processed on the basis of Section 8(3)(2) of the Data Protection Act, according to which private individuals may process information on criminal offences if necessary to safeguard a legitimate interest, and this interest clearly outweighs the interests of the data subject. If a report contains information about a criminal offence, but the processing of such information in the specific situation is not considered necessary to safeguard a legitimate interest, or the interest does not outweigh the interests of the data subject, SIRIUS advokater will be obliged to immediately erase or render anonymous the report or the relevant part of the report.
NILT’s investigation of a report may involve NILT collecting and reviewing further information, conducting investigations into the reports, imposing sanctions, including employment law sanctions, and notifying relevant authorities and filing police reports, etc. This information is also processed in accordance with the legitimate and factual interests of the company, cf. above.
9.3 Security and storage of data
SIRIUS advokater keeps personal data received under the Whistleblower Scheme safe and confidential and have implemented technical and organisational safeguard measures to ensure this. In addition, SIRIUS advokater only uses data processors that have at least the same level of security when processing personal data as SIRIUS advokater itself.
Personal data contained in and associated with a report will be kept for as long as is necessary for the purposes for which the data were collected and the specific retention period will depend on the content of the report.
However, if a report proves to be unfounded, all information related to it will be erased immediately after its detection.
Similarly, the information associated with a report that falls outside the scope of the Whistleblower Scheme will be erased immediately after the whistleblower has been informed that the report is not covered by the Scheme.
If the report falls within the scope of the Whistleblower Scheme, the report and the personal data contained in the report will be stored with SIRIUS advokater until the report has been forwarded to NILT, after which the information will be erased within six months at the latest. Should SIRIUS advokater conduct further investigation, etc., regarding the report, a case file will be created and kept in accordance with SIRIUS advokater’s data protection policy.
If a report leads to a police report or notification to another authority, the information will be erased immediately after the police, or the other authority, has closed the case.
The period for which NILT keeps personal data contained in a report will depend on the nature of the report and thus depend on a specific assessment. NILT will erase information that is proven to be incorrect during the investigation of the report.
9.4 Information to the reported person
Persons reported to the Whistleblower Scheme will, as a general rule, be informed that information has been reported about them, who has access to the information, the purpose of the processing of the information and the basis for the processing, including the legitimate interest justifying the processing, the period during which the personal data will be kept (or if this is not possible to disclose), the criteria used to determine this period, the person's right to request access to and rectification or erasure of personal data or restriction of the processing of personal data, as well as the right to object to the processing and the right to lodge a complaint with the Danish Data Protection Agency. In addition, the person will be informed of any recipients or categories of recipients of the personal data, which will be the case, for example, if the report gives rise to a police report.
Persons reported to the Whistleblower Scheme will be notified of the processing of information about them at the time of receipt of the report. However, this does not apply if the notification to the person being reported may, depending on the circumstances, be delayed for reasons of investigation or for reasons of a substantial and legitimate interest of NILT or of the whistleblower, which in the specific situation is deemed to outweigh the interests of the person concerned. Reference is made to the rules on exemption to the obligation to disclose information in the Data Protection Regulation and the Data Protection Act in force at any time. In such a case, the right of access and the right to notification of any security breaches may be accordingly limited for the reported person.
9.5 The rights of data subjects
The data subjects of the Whistleblower Scheme (whistleblowers, reported persons and any third parties of whom information is disclosed in the report) may contact the person in charge of the Whistleblower Scheme regarding access to, rectification, blocking, modification or erasure of data concerning themselves.
The person in charge of the Whistleblower Scheme will consider to what extent, if any, requests for access, rectification, blocking or erasure can and should be complied with under the applicable rules.
Data subjects also have the right to complain about the processing of their personal data in connection with the Whistleblower Scheme. Such a complaint can be submitted to the Danish Data Protection Agency, Carl Jacobsens Vej 35, 2500 Valby, tel. +45 33 19 32 00, or via e-mail: dt@datatilsynet.dk.
10. Question
Questions about this Whistleblower Scheme can be directed to SIRIUS advokater’s whistleblower counsels, currently, among others, lawyers Helle Nøhr Larsen and Laura Riggelsen, who can be contacted by phone +45 88 88 85 85 or by e-mail: hnl@siriusadvokater.dk or lfc@siriusadvokater.dk.
***