Whistleblower Privacy Policy
for private schemes administered by Mazanti-Andersen
1. Processing of personal data by Mazanti-Andersen
Mazanti-Andersen offers our customers to set up internal whistleblower schemes to be administered by us. We provide a platform for reporting of incidents (“reports”) open to employees and other persons whom the customers offer access to their internal whistleblower scheme.
Mazanti-Andersen carries out screening and assessment of reports under professional secrecy in accordance with the Act on Protection of Whistleblowers (the "Whistleblower Act").
If your company (the "Company") has established a whistleblower scheme with Mazanti-Andersen, and we receive your personal data, we will process your personal data in accordance with this privacy policy.
2. The processing of personal data
You can find information about our processing of your personal data under the following sections:
Section 3: If you report an incident
Section 4: If we receive information about you
Section 5: Data controller
Section 6: Purposes and legal basis for the processing of your personal data
Section 7: Categories of personal data
Section 8: Recipients or categories of recipients
Section 9: Transfer to recipients in third countries, including international organisations
Section 10: Storage of your personal data
Section 11: The right to withdraw consents
Section 12: Your rights
Section 13: Complaint to the Danish Data Protection Agency
3. If you report an incident
You are not obliged to provide personal data if you report to the whistleblower scheme. Neither are you obliged to provide your personal data if you during an investigation are in contact with us about an incident.
If you provide your personal data, we will process your personal data in accordance with this privacy policy.
4. If we receive information about you
This privacy policy also applies to personal data that we receive with a report or receive during our processing of the case.
Mazanti-Andersen will notify you of the personal data we have received about you and our purpose in processing your personal data. The notification is provided under Article 14 of the EU regulation (EU) 2016/679 (the “General Data Protection Regulation”) and will include information on our legal basis for the processing activities. We will also inform you if we find it necessary to disclose your personal data for specific purposes.
Our duty of confidentiality under the Whistleblower Act may dictate a postponement in our notification to you on receipt of your personal data, or even that we will be exempted from the duty to notify you. The rules on such delays or exclusions follows from Article 14(5) of the General Data Protection Regulation, and further exceptions are provided with section 22 of the Danish Data Protection Act, of which we refer to the exclusions stated in section 4 and 4.5 below.
We are not obliged to notify you if you already are aware that we have received your personal data or if we consider, based on a balancing of the legitimate interests for processing the incident, that notification to you should be postponed or give way to overriding reasons of private interest, including your interests.
We will not notify you if we determine that notification must give way to overriding reasons of public interest, including in particular (a) the protection of your rights and freedoms or those of others, (b) the enforcement of civil claims, or (c) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.
5. Data controller
Mazanti-Andersen
Amaliegade 10
1256 København K
CVR no.: 35 89 20 52
Phone: +45 33 14 35 36
Mail: whistleblower@mazanti.dk
If you have any questions about our processing of your personal data, you can contact us using the above contact information. You can also contact us by using the Company's portal to the whistleblower scheme, and you will find a link in the Company's policy for the whistleblower scheme.
6. The purposes and legal basis for the processing of your personal data
We process your personal data for the purpose of screening and assessing the report received in the Company's whistleblower scheme and for conducting any investigations related thereto.
Our processing of your personal data is based on Article 6(1)(f) of the General Data Protection Regulation (the balancing of legitimate interests rule), as Mazanti-Andersen's processing is necessary to pursue the Company's legitimate interest in setting up a whistleblower scheme and processing personal data reported hereto, and this interest is considered to outweigh the interests of data subjects who may be the subjects of a report.
The processing of sensitive personal data covered by Article 9 of the General Data Protection Regulation, and information about criminal offences and violations of the law, will have its legal basis for processing as follows depending on the subject matter:
- Article 9(2)(f) of the General Data Protection Regulation (necessary for the establishment, the exercise, or the defense of legal claims).
- Section 8(3)-(5) of the Danish Data Protection Act (regarding information on criminal offences and criminal convictions).
- Section 12(2) of the Danish Data Protection Act (balancing of interests in employment relationships).
The processing of personal identification numbers is also based on section 11(2) of the Danish Data Protection Act and, depending on the facts, the legal basis stated in subsections 11(2) (3) (disclosure) and 11(2)(4), cf. section 7 (on sensitive information, see section 6.3 above).
7. Categories of personal data
Our processing of your personal data, which is carried out as part of our processing of reports received in the Company's whistleblower scheme, may include the following categories of personal data:
- General personal data, including information about name, position and contact information (e.g., e-mail, phone number) as well as information about the incident or incidents that are the reason for the report.
- Special categories of personal data, including sensitive data, see Article 9(1) of the General Data Protection Regulation (e.g., sexual relations and membership of trade unions) and data regarding personal identification numbers.
- Information on violations of the law and criminal offences.
8. Recipients or categories of recipients
If you are reporting an incident, we process your personal data and the information you report. Information about your identity or other information that can directly or indirectly reveal your identity is processed by employees of Mazanti-Andersen. We do not disclose your personal data unless, (a) following our dialogue, you specifically consent to a disclosure of information in whole or in part, or (b) it is necessary to disclose the personal information to public authorities to counter violations or to ensure affected persons’ right to a defense. In the latter case, you will be notified prior to the disclosure, unless the notification would jeopardize related investigations or legal proceedings. Information that does not directly or indirectly reveal your identity may be disclosed in order to follow up on the report or to address violations. To the extent necessary, this information may be shared with relevant contact persons at the Company, or in the Company's group, in connection with our recommendation to the Company on the further handling of the report. We also refer to the Company's whistleblower policy.
If you are named in a report, we may, to the extent we deem it necessary, including under a balancing of interests, share your personal data with relevant contact persons at the Company, or in the Company's group, in connection with our recommendation to the Company on the further handling of the report. In situations where we deem it necessary, we may disclose personal information to public authorities to counter violations or to ensure affected persons’ right to a defense.
The information in the report, including your personal data, is stored in Nordic Whistle's IT system based on Microsoft Azure, which is used to handle the whistleblower scheme, as well as in our electronic case handling and document management system with Mazanti-Andersen.
Nordic Whistle uses encryption in its data processing to guarantee the security of data. Encryption keys and encrypted data are stored separately on different servers and with different hosting providers, which – in Nordic Whistle's setup – guarantees a very high degree of security that prevents unauthorized access to encrypted data.
9. Transfer to recipients in third countries, including international organisations
We do not normally transfer personal data outside the EU/EEA or to countries that have not obtained the EU Commission's adequacy approval. Should such a transfer become relevant, we will observe the necessary security safeguards as required by applicable data protection legislation.
We use the digital whistleblower system provided by Nordic Whistle. Data submitted hereto is processed on Microsoft Azure and hosted in Microsoft data centers in Ireland with a backup in Germany. We refer to section 4 on the supplementary measures of encryption.
10. Storage of your personal data
Personal data is stored for as long as necessary and proportionate to the efficient and legal handling of the reporting as well as to any other obligations that may legitimately justify continued storage under the data protection rules. We will continuously assess whether the storage is still necessary and proportional.
11. The right to withdraw consent
To the extent that you may have given specific consent to our processing of your personal data, you have the right to withdraw your consent at any time. You can do this by contacting us using the contact information stated in section 2.
If you choose to withdraw consent, it will not affect the lawfulness of our processing of your personal data based on the report or your previously given consent and up to the time of withdrawal. Therefore, if you withdraw your consent, it will only take effect from that point in time.
12. Your rights
According to the General Data Protection Regulation, you have several rights in relation to our processing of personal data about you.
Right of access
You have the right to receive information about the personal data we process about you as well as additional information about the processing. Restrictions may apply when there is a legitimate basis, see above under "If we receive information about you".
Right to rectification (correction)
You have the right to have incorrect personal data about you corrected or made complete.
Right to erasure
In special cases, you have the right to have personal data about you deleted before the time of our general deletion occurs.
Right to restriction of processing
In certain cases, you have the right to have the processing of your personal data restricted. If you have the right to have the processing restricted, we may from then on only process personal data – except for storage – with your consent, or for the purpose of establishing, exercising or defending legal claims, or to protect a person or important public interests.
Right to object
In certain cases, you have the right to object to our processing of your personal data.
Please be aware that there may be conditions or limitations to the above rights. Furthermore, your access to information may be restricted when there is a legitimate more compelling consideration for other people's privacy protection.
If you want to exercise your rights, please contact us.
You can read more about your rights in the Danish Data Protection Agency's guide on the rights of data subjects, which you can find on datatilsynet.dk.
13. Complaint to the Danish Data Protection Agency
You have the right to lodge a complaint with the Danish Data Protection Agency if you are dissatisfied with the way we process your personal data. You will find the Danish Data Protection Agency's contact information on datatilsynet.dk.
This information has been updated 18 October 2023.