Privacy policy – Whistleblower system

Information on how we process your personal data

1. Introduction

We, Svensk Bakgrundsanalys AB, company registration number 559305-2615 (”Bakgrundsanalys”, ”we”, ”us” and ”our”) have established a whistleblower system that is used by our clients. The company (e.g. your employer, supplier, customer or other) from which you were directed or linked to this whistleblower system (”the Company”) is the controller in respect of the processing of your personal data when you use our whistleblower system or are involved in a case reported under this system.

Bakgrundsanalys is the processor in respect of the processing of your personal data. This means that we only process your data on the Company’s instructions. All questions, concerns or other communications relating to the processing of your personal data by us or by the Company, for example if you wish to exercise any of your rights, should be addressed directly to the Company (e.g. to the Company’s HR manager or data protection officer). All such communications received by us will be forwarded directly to the Company.

2. Scope of the privacy policy

This privacy policy covers the Company’s processing of personal data belonging to persons making reports (i.e. whistleblowers) and individuals who are the subject of reports (e.g. as a suspect or witness) in our whistleblowing system. This privacy policy contains, among other things, information about the purposes for which the Company processes personal data, who the Company shares your data with and what rights you have in relation to your personal data.

To the extent that the Company has drawn up its own privacy policy concerning the processing of your personal data in connection with whistleblowing, that privacy policy takes precedence over this privacy policy.

3. Which categories of personal data does the Company process and for which purposes, and on what legal basis does the Company base its processing of the personal data?

Personal data in whistleblowing reports is processed to the extent necessary to investigate the case. This means that personal data will be processed for:

  • Receiving whistleblowing reports;
  • Communicating with the whistleblower; and
  • Verifying the veracity of the allegations made.

These processing activities are described in more detail in the table below, including the legal basis on which the Company bases its processing and how long your personal data will be stored for.

What the Company does and why

The Company will process your personal data to deal with reports on wrongdoing (including crimes and acts that are in breach of the Company’s internal policies) that are submitted via the whistleblower system by:

  • Collecting and documenting reports in the whistleblower system;
  • Communicating with the person making the report and/or the person(s) referred to in the report (including suspects and alleged witnesses to the reported violation);
  • Conducting investigations and following up on the content of the report and any further questions arising from the investigation (including, if necessary, collecting information from IT equipment controlled by the Company);
  • Reporting violations to the relevant authorities and company management (if necessary). If it is not deemed necessary to disclose your identity, the Company will anonymise your identity before the report is made.

Personal data processed by the Company

De personuppgifter vi behandlar avser:

  • Contact details, such as name, telephone number, address and email address;
  • Date of birth;
  • Report history and report number;
  • Employment information (such as role and responsibility);
  • Images and audio recordings;
  • Personal data relating to criminal convictions, suspected and/or actual offences, such as bribery or financial crime;
  • Personal data relating to acts and omissions in breach of the Company’s internal guidelines and policies; and
  • User history from the IT equipment and digital systems controlled by the Company.

Legal basis: Legal obligation: The processing of your personal data is required under the Whistleblower Law (Act (2021:890) on the protection of persons reporting irregularities). Without processing personal data, the Company cannot fulfil its legal duty.

How the Company shares and transfers your data: To fulfil the purposes set out above, the Company will share your personal data with the following recipients:

  • Bakgrundsanalys, which supplies the IT solution for the whistleblower system and assists the Company in the assessment and management of the case;
  • Relevant authorities (such as law enforcement authorities), if the Company is ordered by the relevant authority to disclose your personal data or if the Company presses ahead with reporting the breach; and
  • Other external professional advisors and service providers engaged by the Company in order to ensure that the investigation is conducted properly (e.g. legal advisors and forensic analysis providers).

The Company will not transfer personal data collected in connection with use of the Bakgrundsanalys whistleblower system to countries outside the European Union (”EU”)/European Economic Area (”EEA”).

Storage period: The Company processes your personal data for the storage period required by law, which is no longer than two years after the closure of the case for which the whistleblowing system was used, or otherwise for the period necessary to establish, exercise or defend legal claims.

4. Additional processing purposes

In addition to the processing purposes listed above, it may be necessary for the Company to process personal data for additional purposes, which include being ordered to process personal data (and/or to disclose it) by a competent court or authority.

The Company may also process your personal data so that you, the Company, Bakgrundsanalys or other relevant third parties can establish, exercise or defend legal claims, for example in the case of an ongoing or potential dispute. Personal data for these purposes will be stored for up to ten (10) years from collection or for the period necessary to fulfil the purpose in question. This processing of your personal data is based on the legitimate interest of the Company, Bakgrundsanalys or the relevant third party in establishing, exercising and/or defending legal claims.

5. How do we collect your personal data?

The Company processes personal data that is collected directly from you when you use the whistleblower system, or data that is provided by another party in connection with a case or investigation.

6. Transfer to a third country

If the Company shares your personal data in accordance with the table above, the Company is responsible for ensuring that the transfer is compliant with applicable data protection legislation before it takes place. Such safeguards may include ensuring that the country where the recipient is located guarantees an adequate level of data protection as defined by the European Commission, or ensuring appropriate safeguards based on the use of standard contractual clauses adopted by the European Commission and other appropriate measures to protect your rights and freedoms.

You will find a list of the countries the European Commission has defined as having an adequate level of data protection here.

You will find the European Commission’s standard contractual clauses here.

7. Your rights

Below is a summary of your rights under European data protection legislation. It does not cost you anything to exercise these rights and you can exercise them by contacting the Company. Do not hesitate to contact the Company if you have any questions regarding your rights.

Please note that the Company will always assess a request to exercise a right to determine whether the request is justified. None of the rights set out below are absolute and exceptions may apply.

  1. Right of access. You are entitled, upon request, to obtain a copy of the personal data being processed by the Company and to obtain supplementary information concerning the Company’s processing of your personal data.
  2. Right to rectification. You have the right to have your personal data rectified and/or completed if it is inaccurate and/or incomplete.
  3. Right to erasure. Du har rätt att begära att Bolaget raderar dina personuppgifter utan onödigt dröjsmål i följande situationer:
    • The personal data is no longer needed for the purposes for which it was collected or otherwise processed;
    • You withdraw consent to the processing and there is no other legal basis for the processing;
    • You make a legitimate objection to the processing of your personal data;
    • The personal data has been unlawfully processed; or
    • Erasure is necessary in order to comply with a legal obligation.
  4. Right to restriction of processing. You have the right to request the Company to erase your personal data without undue delay in the following situations:
    • The accuracy of the personal data is being investigated;
    • The processing is unlawful or is no longer needed for the purpose for which it was collected but you oppose the erasure of the personal data and request that processing be restricted instead;
    • The Company no longer needs the personal data but you need it for the establishment, exercise or defence of legal claims; or
    • You have objected to processing of your personal data and your objection is being investigated.
  5. General right to object. You have a general right to object at any time to processing of your personal data which is based on the Company’s legitimate interest. If you object, the Company must demonstrate that it has compelling legitimate grounds for such processing or that it needs the personal data for the establishment, exercise or defence of legal claims.

8. Complaint to the supervisory authority

The data supervisory authority in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten). If you believe that your data is being processed by us or the Company in violation of applicable data protection legislation, we encourage you to contact the Company/us in the first instance so that we can review your complaint. You can make a complaint to the supervisory authority at any time.

9. Contact us

You can contact us in the following ways:

Svensk Bakgrundsanalys AB
Visiting address: Holländargatan 20, 111 60 Stockholm
Phone: +46 (0)10 491 1227
Email: [email protected]