Privacy Policy

Information on Personal Data Processing

Whistleblowing

Below is information about the personal data processing that takes place in connection with our handling of whistleblowing cases and your rights as a data subject.

Data Controller

The controller for the processing of personal data is:

SamCert AB, org.nr. 556872-5344

Theres Svenssons gata 13, 417 55 Gothenburg

kontakt@samcert.se, 010-148 55 00

For further information about our handling of personal data, please see our Personal Data Policy in force from time to time.

Purpose of Processing and Legal Basis

The purpose of the processing is to be able to meet the legal requirements placed on the organization to provide whistleblowing and to carry out the investigation that the cases require. The purpose is also to process personal data where it is necessary in connection with follow-up matters. This means that we may need to process personal data in order to:

–       Handle reported whistleblowing cases,

–       Safeguard the organization’s rights and obligations based on the irregularities that emerge in whistleblowing cases,

–       Meet the legal requirements placed on the organization.

The legal basis for the processing of personal data in connection with whistleblowing cases is generally a legal obligation pursuant to Chapter 5, Section 2 of the Act on the Protection of Persons Who Report Misconduct.

The legal basis for processing personal data in connection with the follow-up of whistleblowing cases and other measures taken in connection with a reported case is the fulfilment of a legal obligation or the organization’s legitimate interest in safeguarding its rights based on suspected or established irregularities.

Categories of Data Subjects

In connection with the handling of whistleblowing cases, personal data may be processed in relation to the following categories of data subjects:

–       The person who reports a case, unless they choose to remain anonymous,

–       The person or persons who appear in a report,

–       The person who has an administrative role to process and investigate reported cases.

Disclosure of Data and Data Processors

The information may be disclosed to authorities (e.g. the police authority in cases where whistleblowing cases lead to a police report). Data may also be disclosed to other parts of the business or other companies within the Group in connection with investigations, follow-ups and remedies relating to a whistleblowing case.

Processing in connection with whistleblowing cases is also carried out by personal data processors. These may only act on our instructions, which are regulated in particular in the data processing agreement.

Transfers to Third Countries

We strive not to transfer data to a country or company located outside the EU/EEA. All storage of personal data relating to the content of whistleblowing cases takes place within the EU/EEA on servers owned by companies within Sweden.

Login administration is handled through Active Directory, Microsoft Azure. The storage takes place within the EU/EEA, but since the provider is American, there is a risk that login-related personal data may be made available to US authorities, which may have a negative impact on privacy protection since US authorities are not bound to comply with the GDPR. In the event of a transfer to a third country, standard contractual clauses are in place as a safeguard. Please contact us for more information about how we protect your personal data.

Storage and Deletion

Your personal data that appears in a whistleblowing case will be stored for two years from the time the case is closed. The personal data that is used to manage administration and authorization is stored for as long as the authorization is valid. When the storage period expires, all personal data is deleted.

If a matter requires further investigation internally, we will continue to process your personal data for as long as the matter requires it.

Your Rights as a Data Subject

When we collect and process your personal data, you have certain rights. You have the right to:

–    Request an extract of the personal data the Company processes and the manner in which it is processed;

–    Request correction of any inaccurate information;

–    Request deletion of your personal data. However, this can only be carried out provided that the Company is not entitled to retain the data on any other legal basis;

–    Request that processing be restricted in certain circumstances, e.g. during the time a question about whether or not data is being investigated;

–    Exercise the right to data portability;

–    Object to profiling. This only applies to data that you have provided to the Company, that is processed automatically, and that is processed on the basis of an agreement or consent; and

–    Contact the competent supervisory authority (in Sweden, the Swedish Authority for Privacy Protection (IMY)) if you have any comments on how we process your personal data.

Please note that your rights according to the above may be affected by the duty of confidentiality that applies to whistleblowing-related information and in cases where disclosure makes the investigation more difficult. The possibility of exercising your rights will be assessed based on, among other things, the legal basis and the purpose of the processing in question.

If you have any questions regarding the processing of your personal data, please contact us via the contact details provided in the introduction to this information.

Security

The Company takes appropriate technical and organizational information security measures to prevent and limit risks associated with the disclosure of personal data such as unauthorized access, disclosure, misuse, alteration and destruction. Only a few authorized persons bound by confidentiality have access to identifiable personal data.