Whistleblowing Channel and Internal Investigations
XXL ASA is the data controller for personal data recorded in connection with a whistleblower case.
If you submit a report through XXL’s Whistleblowing Channel, we will collect information about whether you are an employee of XXL and, if you choose to identify yourself – your name and contact information. We may also process data relating to your knowledge of the reported incident to the extent such information is included in your report or is requested by us. Such information may include any facts or details connected to the reported incident, e.g., details on potential misconduct, information about the alleged person(s) involved and other details and facts revealed as part of the investigation, e.g., relevant emails and witness statements.
You can choose to make an anonymous report, but we encourage you to provide your contact information in the report or to open a secure communication channel when you submit the whistleblower report, so that we may contact you for more information when needed to support effective investigation of the facts.
The purpose of the Whistleblowing Channel is to allow anyone to report, in a confidential manner, any incidents, breaches or suspected breaches of applicable law, XXL’s Code of Conduct or other internal policies and procedures. The Whistleblowing Channel also provides a key resource for managing and following up internal investigations of incidents and concerns that are reported.
The legal basis for processing the personal data you submit through the Whistleblowing Channel is that the processing is necessary for XXL’s legitimate interest to discover breaches or suspected breaches or incidents of applicable law, XXL’s Code of Conduct, or other internal policies and procedures.
To the extent that the processing relates to sensitive personal data, the legal basis for such processing is that it is necessary for the purposes of carrying out the obligations in respect of compliance with applicable law and exercising the specific rights of XXL in the field of employment and social security and social protection law, or that the processing is necessary for the establishment, exercise or defense of legal claims.
Processing of your personal data connected to a whistle-blower case
Reporting through the Whistleblowing Channel is anonymous. It is optional for you to provide your name and contact information when you submit a report, or to open a secure communication channel. By doing the latter, you will remain anonymous unless you choose to provide your name or other contact information at a later stage.
If you provide your name, your identity will be known to the persons that handle the case. All reports will be treated confidentially. Please note that XXL may use your registered personal data where this is required to shed light on the case, or in a subsequent court case.
All personal data shall be managed and stored in accordance with the Norwegian Personal Data Act (“personopplysningsloven”) and the Norwegian Working Environment Act (“arbeidsmiljøloven”) and/or other applicable local laws and regulations.
Your registered personal data will not be shared outside XXL without your prior approval. The data in the system is not generally shared with a third party, except in the following circumstances where it may be required to share the information: to an external attorney or auditor in connection with processing of the case; if the report results in a court case; or if the law so requires.
Retention of personal data received in a whistle-blower case
The personal data provided or identified during investigation of a whistle-blower case will only be stored until its purpose is fulfilled, after which the data is deleted.
Other data
The only information recorded in the IT system is the Whistleblower Report itself. The system does not log the IP address or the ID of the computer the report is sent from and does not use cookies.
If a report is made from a computer on a company’s network, there is a risk that the visited webpages will be recorded in the browser’s history and/or company’s log. The risk can be eliminated by making the report from a computer which is not on the company’s network.
If you upload documents to your report, please be aware that the documents may contain metadata which can disclose your identity if it is not properly removed before the document is uploaded.
To ensure your anonymity, you must do the following:
- Access the Whistleblowing Channel directly by copying or writing the URL address in an internet browser rather than by clicking on a link
- Do not write your personal details in the Report Form
Correction and deletion of registered data
If you realize that you have provided incomplete or incorrect information, just make a new report in the system in which you refer to the earlier report and describe what should be corrected.
IT security
The whistleblowing IT system is hosted by Konsistens AS, an independent party guaranteeing the system’s security and anonymity.
Konsistens AS has taken the necessary technical and organizational measures to prevent personal data from being accidentally or illegally destroyed or lost, and to prevent any unauthorized disclosure or misuse of the personal data. The handling of personal data is subject to strict controls and procedures and is in compliance with good practices in the field.
All data is transmitted and stored encrypted. No unencrypted information is sent over the open internet.
Data subject rights
XXL will adhere to data subject rights related to data protection under Norwegian laws or as laid down in our internal procedures. This includes, but is not limited to, the right of access, erasure and restriction of processing.
If you have any questions regarding personal data protection within this IT system you may contact Konsistens AS by e-mail to xxl@speakups.org