The VKR Holding whistle-blower system
The system can only be used to report on significant matters such as, e.g., financial crimes, significant work safety violations, significant violations of environmental regulations, and on environmental pollution, physical violence, sexual assaults, etc.
If reports on less significant matters, such as, e.g., dissatisfaction with wages, difficulties with cooperation and violations of smoking and alcohol policies are received, this information will be deleted immediately.
By “organisation” is referred to the organisation that receives the report.
The registration of reports takes place anonymously in the system. The only thing that is registered is the report itself. There is no log made as to the IP address or machine ID of the computer on which the report is made.
If you realise that you have provided incomplete or incorrect information, just make a new report in the system in which you refer to the previous report and describe what should be corrected.
If you, in connection with the creation of a report, have decided to create a secure post box, you can make the correction by logging in to the system using your case number and the password you had created.
The information registered in the system is generally not transferred to a third party outside of the organisation. However, in the following circumstances, the information may be transferred onward:
If you provide your personal information, be aware that the organisation can use your personal information when investigating the case, and also during any subsequent lawsuit.
The organisation guarantees that your personal data protection rights will be respected without limitations and will only be used as described above.
The organisation will not share your personal information with third parties outside of the organisation except for the cases as described above in the section ”Transfer of registered information."
Registered data may only be retained for as long as there is a need for it. When there no longer is a need for retaining the registered information, the information is deleted.
The reporting system is hosted by Got Ethics A/S, an independent party guaranteeing the system’s security and anonymity.
Got Ethics A/S has taken the necessary technical and organisational measures to prevent personal data from being accidentally or unlawfully destroyed, lost or damaged and to prevent any unauthorised disclosure or misuse of the personal data. The processing of personal data is subject to strict controls and procedures and is in compliance with good practices in the field.
All data is transmitted and stored encrypted. No unencrypted information is sent over the open Internet.
If a report is made from a computer on the organisation’s network, there is a risk that the visited webpages will be logged in the browser’s history and/or the organisation’s log. This risk can be eliminated by submitting the report from a computer which is not connected to the organisation’s network.
If you upload documents, you should be aware that the documents can contain metadata which can compromise your identity. Therefore, you should ensure that any identifying metadata is removed from a document before it is uploaded.
It is optional to make either an anonymous report or a report containing personal data. If a reporter chooses not to remain anonymous, the reporter’s identity will be known to the persons that handle the case. In this case the reporter risks being called as a witness in any lawsuit, and the reporter’s anonymity thus can be lost.
Be aware that if you choose to give further information when submitting the report from which you can directly or indirectly be identified, the organization will also process this information when handling the case. This also apply if you have chosen to remain anonymous.
What is the legal basis for the organisation’s processing of information in the system?
The legal basis for the processing of your information is as follows:
According to the European Data Protection Regulation you have a number of rights. If you want to exercise these rights, you must contact the organisation.
You can read more about your rights HERE
The organisation is data controller for the processing of the personal data that you report and can be contacted through the ordinary communication channels. Likewise, the organisation’s data protection officer can be contacted through the ordinary communication channels (if they have appointed a data protection officer) if you have questions about the processing of the information.
If you want to complaint about the processing of your personal data, you are entitled to submit a complaint to the competent supervisory authority.
You can download a list of the European supervisory authorities HERE