Group Whistleblower Policy
Last updated november 28, 2023

Group Whistleblower Policy

Operating in many countries and across many borders it is imperative to Egiss Group that we safeguard our integrity as a law-abiding company with high ethical standards. Egiss’ Whistleblower Policy outlines how to raise concerns about all matters regarding our business conduct and organization in a confidential and secure way using our whistleblower system.

The objective of the system is to bring light to matters that we would not know of otherwise. It can be suspicion or knowledge of any illegal, unethical, or irregular conduct, and whistleblowers may report both on matters that have occurred or matters that will take place in Egiss.

A concern can be raised anonymously, or you can decide to provide your name and contact details in confidentiality. In the following you can read more about the policy including guidelines on how to use the whistleblower system and how personal data will be protected.

Policy

At Egiss we want to promote trust in all the manners our business and organization is run. This policy is, in addition to following Danish and EU-legislation, also a way to ensure that concerns about Egiss´ Code of Conduct and serious breach of policies can be raised in a secure manner and handled without any personal consequences for the whistleblower.

How to raise a concern

All Egiss employees, customers, suppliers, and other business partners and associates can and are encouraged to use the whistleblower system. At the bottom of this policy,  you will find a link to the whistleblower system. The system will inform and guide the whistleblower on how to report a concern and on the principles guiding the assessment of the concern. This link also allows you to follow up on status, development or add further information to your existing report.

You can only use the whistleblower system to raise serious concerns within the scope of the current regulation regarding protection of whistleblowers. Dissatisfaction with your employment such as salary, management style and other contractual terms and conditions are not to be reported to the whistleblower system. Instead, such matters should be addressed through the usual channels for example to your line manager or People & Culture.

Examples of matters that are within the scope of the system are:

  • Suspicion or knowledge of any illegal, unethical, or irregular conduct, including matters regarding bribery and corruption, fraud and crime.
  • Gross personal data security violation.
  • Serious environmental damage
  • Sexual harassment, or other gross harassment.
  • Gross or repeated breaches of law.

These are just examples, so we recommend you raise a concern, should you be in doubt. Each concern will be assessed to check whether it is within the scope of current regulation regarding protection of whistleblowers.

Concerns must be raised in good faith. It should not be used to deliberately share information you know is wrong, and please note that in such a case you will not be protected by the whistleblower system.

How concerns are handled

Each specific concern will be screened and handled by the Egiss Whistleblower panel. The panel consists of a group of people who can relate objectively and factually to reports, and they determinate an eventual further process. Names of panel members are shown when you raise a case on the portal, and you have the option of excluding one or more of the panel members should you have concerns regarding impartiality.

You will receive a confirmation of the receipt of the concern as soon as possible and no later than 7 days after having submitted it.

If the case is found to be within the scope of the system, it will be further investigated. Firstly, by one or more members of the panel. The panel will then inform Group management or Board members with suggestions for further actions. Should the concern be regarding one or more members of either Group Management or the Board, the specific person will not be informed nor be part of the group handling the case.

Please note that:

  • If there is a violation of criminal law, it will be reported to the proper authorities.
  • If the case concern serious malpractice by employees at Egiss, it may lead to negative employment law reactions, including disciplinary sanctions, such as warning or dismissal.

As a whistleblower you will receive feedback to an the extent possible on the status of the concern within 3 months.

Anonymity and protection of the whistleblower

A whistleblower reporting a concern within the scope of the whistleblower system is by law protected and will not face retaliation of any kind because of the concern raised.

The Egiss whistleblower panel works under strict pledge of secrecy. And if you decide to give any personal information, they are prohibited to share that with anyone unless you explicitly constent to having it disclosed. Your identity can, however, in some cases, be disclosed to public authorities, such as the police or public prosecutor, if deemed necessary to respond to reported matters, or for the purpose of ensuring the right to defend affected people.

If you decide to raise the concern anonymously, neither Egiss nor a third party will process your personal information. You must, however, be aware that if you provide data that makes you identifiable or use Egiss owned IT systems or equipment that will disclose your identity, Egiss will be entitled to process the given information even if you have raised the concern anonymously.

You have the option to decide to make yourself available for any further investigation by setting up a secure and anonymous mailbox, that allows Egiss to contact you anonymously. We recommend that you set up such a mailbox, as in some cases further information could be needed for the investigation.

Egiss Whistleblower system & Protection of personal data

General principles

Personal data obtained when reporting a concern using the whistleblower system is handled according to Danish and EU-legislation. The whistleblower system is based on a 3rd party platform and all legal procedures and formalities regarding the system are protected according to the highest standards. Egiss is the data controller of the personal data processed in the whistleblower system, and all personal data collected through the system will be treated as confidential to the maximum extent possible.

All data is handled securely and in accordance with the European and Danish Data protection legislation (GDPR).

Rights

If the concern raised affects one or several named persons, the person(s) in question will generally be notified about:

  • he subject-matter of the concern raised and the outcome of the concern raised, including whether the concern is rejected as unfounded or made subject to further investigation.
  • The contemplated period when the personal data will be kept or alternatively the criteria used to determine such period of time.
  • How the relevant person may exercise his/her right of objection and right of correction to receive data about and respond to the concern raised.

The notification will be made as quickly as possible and no later than 14 days after the above data has been obtained.

As a data subject (whistleblower, affected person or third party mentioned in the report), you have several rights, unless the report is assessed not to fall within Egiss' whistleblower system or is exempted from the data protection legislation.

As the data subject you have a right to object to the processing of data and to request that data be corrected, restricted or erased in compliance with the data protection legislation. The rights can be exercised by contacting Hanne Bak, People & Culture, Egiss.

Storing and erasing personal data

All data is erased immediately if a concern raised is not covered by the whistleblower system.

Storage of personal data is not extended beyond what is necessary to ensure requirements pursuant to the Whistleblower Act, including in particular the whistleblower's and affected persons' possible need for preservation of evidence as well as Egiss' duty to follow up on reports received, including by linking such reports to previously received reports.

A concrete assessment will be made on an ongoing basis of how long continued storage of previously received reports is necessary. The specific assessment will include whether it is likely that persons entitled to protection under the Whistleblower Act may need to document the report in question. It will also argue in favor of continued storage if there is reason to believe that the report could be followed by subsequent reports on the same matter. Continued storage may also be necessary to fulfil a legal obligation under another legislation.

If a disciplinary action is taken against a reported employee, or if there are other reasons why it is factual and necessary to continue storing information, the information may be stored on the employee's personnel file. In this case, the information will be deleted no later than 5 years after the employee's resignation, unless in the specific case it is still factual and necessary to store the information, e.g., because of a pending court case.

Making available and disclosing personal data

Personal data related to a reported concern will be made available to the Whistleblower panel. Being the data processor the panel is responsible for the initial screening of the received concern.

Egiss does not generally disclose personal data collected through the whistleblower system to third parties. However, the following types of disclosure could take place on a case-by-case basis:

  • Disclosure to an external advisor, for example an attorney or auditor for the purpose of a detailed investigation of the concern raised.
  • Transfer to relevant authorities, including the police and the prosecution service, in contemplation of any legal proceedings.
  • Other disclosure required by law.

Other disclosure required by law. Personal data collected and stored in the whistleblower system will not be transferred to a third country outside the EU/EEA.

Complaint

If involved in a whistleblower case you have the right to complain to the Danish Data Protection Agency if you are dissatisfied with the way Egiss is handling personal data. The Danish Data Protection Agency's contact information can be found on their website: www.datatilsynet.dk/english.

Exsternal whistleblower scheme

If you do not feel comfortable using Egis' whistleblower system, or for other reasons would rather use an external whistleblower scheme, you have the opportunity to use the Danish Data Protection Agency's external whistleblower scheme, where it is possible to make written and oral reports. You can find more information here at the National Whistleblower Scheme:  www.whistleblower.dk/english.

Raise concern