TEMPLATE for data controlling and processing of personal data within the EU.
Please find the general EU definition of what can be reported and processed as a whistleblowing case in Chapter 2 of this template, marked in grey.
Note that in some countries there are national regulations and restrictions on the use of whistleblowing services. These restrictions can be included in chapter 2.
1. When to blow the whistle?
The whistleblowing service can be used to alert us about serious risks affecting individuals, our company/organisation, the society or the environment.
“Whistleblowing schemes may be a useful mechanism to help a company or an organisation to monitor its compliance with rules and provisions relating to its corporate governance, in particular accounting, internal accounting controls, auditing matters, and provisions relating to the fight against bribery, banking and financial crime and criminal law.” The EU Working Party under Article 29 of Directive 95/46/EC
For issues such as dissatisfaction in the workplace or related matters, employees (and any other stakeholders) are asked to contact their supervisor or manager, as these issues cannot be investigated within the scope of the whistleblowing service.
A person who blows the whistle does not need to have firm evidence for expressing a suspicion. However, deliberate reporting of false or malicious information is forbidden. Abuse of the whistleblowing service is a serious disciplinary offence.
2. How to blow the whistle?
- Contact a supervisor or manager within our organisation.
- Contact the organisation’s whistleblowing team. Whistleblowing team: appointed individuals with the authority to handle whistleblowing cases:
< (Name), title, (contact details) >
- Anonymous messaging through the whistleblower communication channel:
<https://report.whistleb.com/organisation name >
We encourage anybody who shares their suspicions to be open with their identity. All messages received will be handled confidentially. For those wishing to remain anonymous, we offer a channel for anonymous reporting (Alternative 3).
Whistleblower protection in the case of non-anonymous whistleblowing
A person expressing genuine suspicion or misgiving according to these guidelines will not be at risk of losing their job or suffering any form of sanctions or personal disadvantages as a result. It does not matter if the whistleblower is mistaken, provided that he or she is acting in good faith.
Subject to considerations of the privacy of those against whom allegations have been made, and any other issues of confidentiality, a non-anonymous whistleblower will be kept informed of the outcomes of the investigation into the allegations.
In cases of alleged criminal offences, the whistleblower will be informed that his/her identity may need to be disclosed during judicial proceedings.
For whistleblowers in the EU, being open with their identity:
When blowing the whistle, the person has to give consent that his/her personal data can be used in the investigation process, in accordance with these guidelines. The whistleblower also has the right to get incorrect data corrected as well as to request that data is permanently deleted.
3. The investigation process
The whistleblowing team
Access to messages received through our whistleblower communication channel is restricted to appointed individuals with the authority to handle whistleblowing cases. Their actions are logged and handling is confidential. When needed, individuals who can add expertise may be included in the investigation process. These people can access relevant data and are also bound to confidentiality.
If a person raises a concern directly with a supervisor or manager, or by contacting the whistleblowing team in person, the message is inserted into the whistleblowing communication channel and treated according to these guidelines.
Receiving a message
Upon receiving a message, the whistleblowing team decides whether to accept or decline the message. If the message is accepted, appropriate measures for investigation will be taken; please see Investigation below.
The whistleblowing team may decline to accept a message if:
- the alleged conduct is not reportable conduct under these Whistleblowing guidelines
- the message has not been made in good faith or is malicious
- there is insufficient information to allow for further investigation
- the subject of the message has already been solved.
If a message includes issues not covered by the scope of these Whistleblowing guidelines, the whistleblowing team should take appropriate actions to get the issue solved.
Do not include sensitive personal information about anybody mentioned in your message if it is not necessary for describing your concern.
All messages are treated seriously and in accordance with these Whistleblowing guidelines.
- No one from the whistleblowing team, or anyone taking part in the investigation process, will attempt to identify the whistleblower.
- The whistleblowing team can, when needed, submit follow-up questions via the channel for anonymous communication.
- A message will not be investigated by anyone who may be involved with or connected to the misgiving.
- The whistleblowing team decides if and how a whistleblowing message should be escalated.
- Whistleblowing messages are handled confidentially by the parties involved.
Protection of, and information to, a person specified in a whistleblower message
The rights of the individuals specified in a whistleblower message are subject to the relevant data protection laws. Those affected will be entitled to access data relating to themselves and, should the information be incorrect, incomplete or out of date, to require amendment or deletion of the data.
These rights are subject to any overriding safeguarding measures required to prevent the destruction of evidence or other obstructions to the processing and investigation of the case.
Deletion of data
Personal data included in whistleblowing messages and investigation documentation is deleted when the investigation is complete, with the exception of when personal data must be maintained according to other applicable laws. Deletion is carried out 30 days after completion of the investigation. Investigation documentation and whistleblower messages that are archived should be anonymised; they should not include personal data through which persons can be directly or indirectly identified.
4. Legal basis of the Whistleblowing guidelines
This policy is based on, and adheres to, the recommendation of the Article 29 Data Protection Working Party and Directive 95/46/EC (Data Protection Directive) and the forthcoming General Data Protection Regulation.
NB. The scope of this Whistleblowing guideline does not include potential transfer of personal data from the EEA to affiliates located outside the EEA.