Privacy Policy - Whistleblower Scheme
Persons covered by the whistleblower scheme at Flügger group A/S
As controller, data protection is highly important to us. We protect the personal data we handle and we make sure that we comply with the Danish data protection legislation.
We provide the persons about whom we process data (the 'data subjects') with information about our data processing and about the rights of data subjects.
Who are we – and how to contact us
Identity and contact details of the controller:
Flügger group A/S
Islevdalvej 151
2610 Rødovre
CVR-nr. 32788718
Tel: +45 70 15 15 05
E-mail: legal@flugger.com, gdpr@flugger.com
Web: www.flugger.com
Contact regarding data protection:
If you have any questions regarding our processing of your data, please do not hesitate to contact Legal.
You can contact Legal via the address specified above.
Our processing of personal data
Categories of personal data
The data we process about you may include:
Data about persons about whom information is reported
The reports we receive via the whistleblower scheme can include both Flügger group employees and other persons affiliated with the group. When we receive reports, we process the following types of personal data:
- General personal data, including
- Identity information
- Information about the offence being reported, including any criminal offences
- Description of the nature and course of the offence.
- Information about persons mentioned in reports because they are victims of undesirable behaviour committed by the persons reported.
Persons reporting offences may remain anonymous. If you report an offence and state your name, we will process the following types of personal data about you:
- General personal data, including
- Identity information
- Your report
Purpose and legal basis
Our data processing serves the following purposes:
- To establish a whistleblower scheme in the Flügger group that can be used for reporting potential criminal offences and/or irregularities of major concern to the group. The scheme is to allow internal and external people to report such matters to the relevant persons in the company in a confidential and anonymous manner.
- The legal basis for processing any information about criminal offices follow from section 8(3), second sentence, of the Danish Data Protection Act, stipulating that processing is allowed if necessary for the purpose of pursuing a legitimate interest, and such interest clearly overrides the interest of the data subject, and/or section 8(5)of the Danish Data Protection Act, see section 7(1), see point f in Article 9(2) of the General Data Protection Regulation, where processing is necessary for the establishment, exercise or defence of legal claims.
- The legal basis for our collection and registration of data on the use of the other personal data follows from section 6(1) of the Danish Data Protection Act; see point (f) of Article 6(1) of the General Data Protection Regulation on processing necessary for the purposes of the legitimate interests which are not overridden by the interests of the data subjects. The legitimate interest reasoning the processing is the regard for proper handling of data received via the Flügger group’s whistleblower scheme.
- Disclosure of data about you is subject to the provisions on processing of the Danish data protection legislation and other Danish legislation. In each individual case, we will assess whether disclosure requires your express consent or whether disclosure can take place subject to another legal basis.
- Transfer of personal data to third countries may occur when we transfer data to our subsidiary in China, if the report concerns an employee working for or affiliated with the subsidiary. The basis for the transfer to China will be the Commission’s standard contract for transferring data to a controller outside the EU.
Categories of recipients
We disclose or transfer personal data to the following categories of recipients:
- The subsidiary for which the person works, with a view to investigating the report
- External lawyers, accountants and other consultants in connection with the investigation
- Police and other public authorities
- Our processors on the basis of processor contracts
Erasure
We erase data about you when they are no longer necessary.
If a report is filed with the police or any other relevant authorities, the data will be erased immediately after the authorities in question have closed the case.
If the collected information gives reason for disciplinary sanction against the reported employee or other reasonable grounds exist to store data about the employee, such data will be kept in his/her staff folder.
After termination of employment, the employee data will be kept for up to five years plus the current year.
Your rights
According to legislation, you have certain rights in relation to our processing of data about you.
If you want to exercise your personal data rights, please do not hesitate to contact us. See our contact details at the beginning of this policy.
If you want access to change or erase data about you or object to our data processing, we will check whether it is possible and respond to your request as soon as possible and no later than one month after we have received your request.
Your rights
- Right to see data (access right): You have the right to access the data we process about you and a range of other data.
- Right to rectification (change): If you believe that the personal data we process about you are inaccurate, you have the right to have them changed. Please contact us and tell us about the inaccuracies and how they can be changed. In any case, we need to consider if we believe that your request is justified. When you contact us with a request to have your personal data changed or erased, we will check whether the conditions are met and if so, we will make the changes or erasure as soon as possible.
- Right to erasure: We generally erase personal data when they are no longer necessary. In special cases, you are entitled to have specific data about you erased before the deadline for our general erasure. This applies if, for instance, you withdraw your consent and we have no other basis for processing the data. If you believe that your data are no longer necessary for the purposes for which they were originally collected, you may request to have them erased. You can also contact us if you believe that your personal data are processed contrary to legislation or any other legal obligations.
- Right to restriction of processing: If you contest the data we have registered or otherwise process, you may request us to restrict the processing of the data until we have had the opportunity to determine whether the data are correct. You may also request a restriction rather than erasure if you believe that our processing of the data is unlawful or if you believe that we no longer need the data, or if you believe that your legitimate interests override the legitimate interests of the controller. If you are successful in claiming that our processing has to be restricted, in future we may only process data subject to your consent or for the establishment, exercise or defence of legal claims or to protect a person or important public interests.
- Right to transmit data (data portability): You are entitled to receive personal data you have made available to us and personal data we have collected about you from other actors based on your consent. If we process data about you as part of a contract to which you are a party, you are also entitled to receive your data. You are also entitled to transfer these personal data to another service provider. You may also request us to have the details sent directly from the controller to another authority or company. If you want to exercise your right to data portability, you will receive your personal data from us in a commonly used and machine-readable format.
- Right to object: You have the right to object to our processing of data about you. You may also object to our use or disclosure of your data for marketing purposes. You can use the contact details at the beginning of this policy to send an objection. If your objection is justified, we will make sure to stop processing the data.
- Right to receive data about new purposes: If we want to use data about you for a purpose other than the purposes we have previously told you about, e.g. in this privacy policy, you are entitled to be told thereof before we further process the data for such other purpose.
- Right to withdraw your consent: If our processing of your data is based on your consent, you may withdraw the consent at any time. If you withdraw the consent, we are not allowed to process the data in future. Withdrawal of your consent will not affect the lawfulness of the processing already carried out prior to the withdrawal. If we have a lawful basis for processing other than consent with an independent purpose – e.g. storing data for the purpose of complying with the bookkeeping rules – such processing can still be carried out.
If you are not satisfied with our response or if you do not approve of the way in which your personal data have been processed, you can complain to the Danish Data Protection Agency.
You can find the contact details of the Danish Data Protection Agency on www.datatilsynet.dk.