Stansomatic (CVR 17470833) is data controller for the data we process in this Internal Whistleblower Scheme. We have taken the necessary steps to ensure that your data are being processed in accordance with the regulations.
If you have any questions about our processing of your personal information, you are always welcome to contact us.
You can contact our GDPR adviser Claus Ransborg in the following ways:
By e-mail: firstname.lastname@example.org
By phone: 75338300
When reports are made via our Whistleblower scheme, we use the following processing basis:
· For general information: The data protection regulation article 6, no. 1, letter c, cf. The Danish Whistleblower act § 22
· For sensitive information: The data protection regulation article 9, no. 2, letter b, cf. The Danish Whistleblower act § 22
· For information on criminal offenses: The Danish Data protection act § 8, subsection 3 cf. The Danish Whistleblower act § 22
We share your information with the following:
· Gapsolutions A/S (Hosters of our whistleblower solution)
· The Police if we are obligated by relevant legislation
· Public authorities if we are obligated by relevant legislation
We process if it’s necessary for the purposes stated above:
· Personal data is processed, if an investigation is ongoing. The storing period depends on the outcome of the investigation.
· If we report to the police or another public authority, the data will be stored while the investigation is ongoing.
· If, based on the report, we implement a disciplinary sanction to an employee, or, if in other ways there are valid reasons to keep the data from the report for future investigation, we store the information in the employee’s personal file.
· If the report falls outside of the scope of the Whistleblower Scheme, or the report is concluded to be unfounded, the personal data will be deleted no later than 6 months after the reporter has been notified.
Our whistleblower solution is hosted by Gapsolutions A/S who is ISO 27001 and ISAE3000 certified and ensures the necessary security and anonymity in the solution.
Gapsolutions A/S has taken the necessary technical and organizational measures to ensure that personal data is not a subject to accidental or unlawful destruction, is lost or compromised, and that no unauthorised personnel is given access or can misuse personal data.
All data transmissions and storage of data are encrypted. The platform does not log IP addresses or machine IDs and only uses technical cookies.
If a report is made from a device on the company’s network, there is a risk that visited websites are logged in your browser history and/or in the company’s own logs. This risk can be eliminated by making your report on a device, that is not connected to the company’s network.
If you upload documents, you should pay attention to, whether these contains metadata or other information that can compromise your own identify.
If you choose to upload or in any other way disclose personal data about yourself in the report or the following correspondence with us, we will process these data in addition.
Registration of reports is done anonymously in the system. The only thing which is registered is the report itself. There is no log of the used IP-address or machine-ID on the device used to make the report.
· At any time, you have the right to be informed of which data we process concerning you, from where we have collected it, and what we use it for. You may also be informed about how long we store your data, who receives data concerning you, and to what extent we pass on the data in Denmark and foreign countries.
· Upon request, we can inform you about what data we process concerning you. The access might be limited with respect to privacy protection, business secrets, and immaterial rights.
· If you think that the personal data, we process concerning you is incorrect, you have the right to have it corrected. In that case you must contact us and inform us what the correct information is. Make sure to be as precise as possible with your corrections, otherwise it may make it difficult or even impossible to comply with your request.
· In some cases, we will have an obligation to delete your personal data. This is for instance the case if you withdraw your consent. If you think that your data is no longer necessary for the purpose for which we collected it, you can request for it to be deleted. You can also contact us if you believe that your data is processed in contravention of the law or other legal obligations. When you contact us with a request to have your personal data corrected or deleted, we examine whether the requirements are fulfilled, and if that is the case, we make the changes or delete your data as soon as possible.
· You can lodge a complaint with a supervisory authority (Datatilsynet, Denmark).
· You have the right to object to the processing of your personal data. You can make use of the contact information at the top to object. If your objection is justified, we shall stop the processing or passing of your personal data.
· You can make use of data portability if you want your data transferred to another data controller or data processor.
· On our own initiative, we delete your personal data, when it is no longer needed for the purpose for which we collected it.
When you contact us with a request to have your personal data changed or deleted, we check whether the requirements are fulfilled, and if so, change or delete the data as fast as possible.
You can make use of your rights by contacting us. You can find our contact information at the top.