Infomedia's Whistleblower Policy

Policy for the Whistleblower Scheme in Infomedia A/S, including the Data Protection Policy for the Whistleblower Scheme

1. Purpose of the whistleblower scheme

1.1 Infomedia A/S (hereinafter “Infomedia”) would like serious offences and other serious matters to be brought to light, as well as provide a channel for reporting such matters without fear of negative consequences.

1.2 The whistleblower scheme is considered to be a supplement to the normal channels –
e.g. line manager or HR department – when raising concerns about objectionable or
unsatisfactory conditions.

1.3 Reference is made to the fact that an external whistleblower scheme has been set up at the Danish Data Protection Agency. This does not, however, change the fact that Infomedia wishes to encourage the use of Infomedia’s own whistleblower scheme where a potential breach can be dealt with in an effective manner internally if the whistleblower does not believe that there is a risk of retaliation.

2. Who can submit a report to the whistleblower scheme?

2.1 Prospective, current and former employees, management, board members, freelancers, paid and unpaid trainees and permanent business partners – including employees of such business partners where the employees spend their working day in the Group – may report serious offences and other serious matters to the whistleblower scheme without fear of negative consequences.

3. What can be reported?

3.1 Information on infringements of EU law falling within the scope of the Whistleblower Directive (Directive 2018/0106) can be reported to the whistleblower scheme. This involves infringements of EU law in the following areas:

Public tender
Financial services, products and markets, prevention of money laundering and the financing of terrorism
Product safety and conformity
Transport safety
Environmental protection
Radiation protection and nuclear safety
Food and feed safety, animal health and welfare
Public health
Consumer protection
Protection of privacy and security of network and information systems

3.2 Serious offences, sexual offences or other serious matters may be reported to the whistleblower scheme.

Whether a report concerns serious offences, sexual offences or other serious matters depends on a specific assessment of the individual report.

As a rule, the following will fall within the scope of what can be reported to the whistleblower scheme:

Information on criminal offences, including infringements of any professional secrecy obligations, abuse of financial resources, theft, fraud, embezzlement, deception and bribery
Serious or repeated breaches of legislation, the Danish Data Protection Act and, depending on the circumstances, e.g. legislation, which aims to safeguard public health, safety in the transport sector or the protection of nature and the environment etc. are covered
Serious or repeated breaches of essential internal guidelines, e.g. guidelines on donations, business trips etc.
Sexual harassment or other serious personal conflicts in the workplace,
g. serious harassment

3.3 As a rule, the following matters cannot be reported to the whistleblower scheme:

Information about breaches of internal guidelines of a less serious nature, e.g. sick leave, alcohol, dress code, personal use of office supplies etc.
Information about less serious personal conflicts in the workplace will generally not be covered by the scope of the whistleblower scheme. This may be general dissatisfaction with a manager, dissatisfaction with a colleague’s work performance or cooperation problems

Such information should instead be submitted to the line manager, human resources/HR department or union representative. To the extent that information on such matters is nevertheless reported to Infomedia’s whistleblower scheme and Infomedia wishes to act on it, Infomedia will disclose such information internally, as appropriate.

3.4. It is a prerequisite that the person submitting a report does so in good faith and believes in the accuracy of the matter reported as well as the information provided in the report. If the person submitting the report is acting in bad faith and knowingly reports information or matters that that person knows to be incorrect at the time of reporting, this may lead to adverse consequences for the person’s employment status or similar.

4. How are reports submitted to the whistleblower scheme dealt with?

4.1 When a report is submitted on the whistleblower portal at https://infomedia.integrityline.com/, the report will be reviewed by a lawyer from the law firm of Norrbom Vinding. The whistleblower will automatically receive confirmation that the report has been received.

4.2 Once the lawyer has reviewed the report, an applicable contact at Infomedia will be informed of the report if the report falls within the scope of what may be reported to the whistleblower scheme.

If the report does not fall within the scope of what may be reported to the whistleblower scheme or if the report is manifestly unfounded, the report will be closed and the whistleblower will be notified accordingly and informed of whether the matter should, alternatively, be raised with a specific Infomedia department.

If the report falls within the scope of what may be reported to the whistleblower scheme, the applicable Infomedia contact will follow up on the report and investigate the matter further –
in cooperation with the relevant department, if applicable – and assess what response(s) may be necessary in following up on the report. A relevant follow-up on the report may e.g. consist of reporting the offence to the police, taking employment measures against employees or taking contractual measures against business partners. The appropriate way to follow up on a given case will always depend on a case-specific assessment.

The person who submitted the report will receive feedback when the follow-up has been completed. If the follow-up has not been completed within three months, the whistleblower will, to the extent possible, receive feedback within three months of receipt of the report. To the extent that a response to the report involves personal consequences for others, it is not always possible to inform the whistleblower of the precise responses the report may have given rise to. This also applies if is not possible to provide more detailed feedback to the whistleblower for other reasons.

4.3 Infomedia will, in any case, follow up on the report to the extent possible as well as confirm receipt of the report to the greatest extent possible and seek to provide the whistleblower with feedback to the extent that the report falls within the scope of what can be reported to the whistleblower scheme.

5. How are reports to the whistleblower scheme submitted?

5.1 Reports to the whistleblower scheme are submitted on a portal that can be accessed via the Infomedia website at: www.infomedia.dk

5.2 A form containing a number of questions for the person who wishes to submit a report can be accessed on the portal. These questions concern the subject of the report and the location in Infomedia to which the reported matter relates.

It is possible to upload documentation in addition to the information entered in the form. This may include documents, e-mails or images.

5.3 Anonymity

5.3.1 It is not possible to submit anonymous reports to the whistleblower scheme. This does not change the fact that the identity and information provided by the whistleblower will be treated confidentially.

6. Rights

6.1 For whistleblowers

6.1.1 Data protection regulations apply when submitting reports to Infomedia’s whistleblower scheme. Reference is made to point 7 below.

Norrbom Vinding and Infomedia are under obligation to treat information about the whistleblower with the utmost confidentiality. Depending on the circumstances, there may, however, be cases where access to data is possible under the data protection regulations.

6.1.2 Infomedia does not accept that whistleblowers who have reported matters covered by the whistleblower scheme in good faith become subject to negative consequences as a result of having submitted a report to the whistleblower scheme. If a person who has submitted a report to the scheme in good faith feels that he or she becomes the subject of negative consequences as a result of the report, he or she is invited to submit a notification thereof using the secure mailbox, which is created when a report is submitted. A union representative or the whistleblower’s trade union may also be contacted.

6.1.3 As stated above, it is a prerequisite that the person submitting the report does so in good faith and believes in the accuracy of the matters reported as well as the information provided in the report. If the person submitting the report is acting in bad faith and knowingly reports information or matters that that person knows to be incorrect at the time of reporting, this may lead to adverse consequences for the person’s employment status or similar.

6.2 For persons reported on

6.2.1 Data protection regulations apply when submitting reports to Infomedia’s whistleblowerscheme.

Reference is made to data protection information in point 7 below.

6.2.2 To the extent that there is a basis for taking action under employment law against a person who has been reported when following up on a report, this will be done in accordance with the rules applicable to the employment contract.

7. Data protection

7.1 Personal data will be processed as part of the management of Infomedia’s whistleblower scheme. The processing of personal data in the whistleblower scheme is subject to the GDPR and Danish Data Protection Act.

7.2 Data Controller and Data Protection Officer

Norrbom Vinding is the data controller for the processing of personal data that takes place as part of the screening of reports under Infomedia’s whistleblower scheme. Infomedia is the data controller for the processing of personal data as part of Infomedia’s follow-up on reports. Norrbom Vinding further acts as the data controller to the extent that Norrbom Vinding is involved in the follow-up:

Norrbom Vinding
Dampfærgevej 26,
DK-2100 Copenhagen E
CVR no.: +45 20 49 14 77

Telephone: +45 35 25 39 40
E-mail: info@norrbomvinding.com
Secure mail via: security@norrbomvinding.com

Infomedia A/S
Pilestræde 58, 3.,
DK-1112 Copenhagen K
CVR no.: +45 26937698

E-mail: support@infomedia.dk
Secure mail via e-Boks

7.3 Purpose

The purpose of processing personal data included in reports submitted to the whistleblower scheme or as part of the follow-up on a report submitted to the scheme is to investigate any serious offences, sexual offences or other serious matters, as well as to follow up on and prevent such matters from taking place at Infomedia.

7.4 Legal basis for the processing

As of 17 December 2023, the legal basis for the processing will apply pursuant to Section 22 of the Danish Whistleblower Protection Act, according to which personal data may be processed when necessary for the purpose of processing reports received as part of the whistleblower scheme set up by Infomedia under the Danish Whistleblower Protection Act. Personal data covered by Articles 6, 9 and 10 of the GDPR may be processed on this legal basis.

The legal basis for the processing will follow general data protection regulations until
17 December 2023. Data included in the whistleblower scheme will be processed insofar as processing is necessary for the pursuit of a legitimate interest by Infomedia or a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, particularly if the data subject is a child. This follows from
Article 6(1)(f) of the GDPR.

Norrbom Vinding and/or Infomedia may process data included in the whistleblower scheme if such processing is necessary for compliance with a legal obligation incumbent on Infomedia. This follows from Article 6(1)(c) of the GDPR.

To the extent that special category data covered by Article 9 of the GDPR are included, the legal basis for Infomedia’s processing of such data in order to establish, exercise or defend a legal claim will be Article 9(2)(f) of the GDPR. In addition, Infomedia’s legal basis for the processing of personal data covered by Article 9 of the GDPR will be the legal basis according to Article 6 of the GDPR as set out above.

Furthermore, in relation to any specific staff cases as a follow-up or response to a report, the legal basis may be Section 12 of the Danish Data Protection Act.

To the extent that data on criminal offences are processed, the legal basis for the processing will be Section 8 of the Danish Data Protection Act, which may be relevant, e.g. if a police report is required as a follow-up or response to the report.

7.5 Categories of personal data

The personal data processed in Infomedia’s whistleblower scheme depends on the matters reported. The personal data processed will typically be information contained in the report and otherwise obtained as part of the follow-up on the report.

Generally, the following categories of personal data may be processed in the whistleblower scheme:

Master data, e.g. name, position, e-mail address, telephone number etc.
Information about employment contract, e.g. position, information about possible or potential breach of employment contract etc.
Information about serious offences, sexual offences and other serious matters
Information about criminal offences, e.g. if there is a suspicion that a criminal offence has been committed and this suspicion is confirmed

7.6 Possible recipients or categories of recipients of the personal data

As a general rule, personal data included in Infomedia’s whistleblower scheme will not be shared with others. There may, however, be cases in which it may be necessary to disclose personal data, e.g. if, in response to a report, it is deemed necessary to report the matter to the police. Infomedia will not disclose information to third parties if this is unnecessary for the follow-up on or response to the specific case, or if it is not in an anonymised, aggregated form as part of the annual report on the scheme.

Personal data included in the whistleblower scheme may further in specific cases be shared with Infomedia’s lawyers or auditors.

7.7 Where do the personal data originate from?

Personal data included in Infomedia’s whistleblower scheme generally originate from the person who submitted a report to the whistleblower scheme. However, in the context of the follow-up to a report, personal data may also be collected from publicly available sources or from others who have knowledge of the specific matters to which the report relates.

7.8 Storage of personal data

Reports will only be stored for as long as it is necessary and proportionate in order to meet the provisions contained in the Danish Whistleblower Act, or if there is a legitimate reason for continued storage, e.g. if this is required by other legislation, including in relation to data protection regulations, or if there is reason to believe that the report may be strengthened by subsequent reports received (linking).

There is no specific time limit for the storage of reports. Reports that are not covered by the whistleblower scheme will generally be deleted after one (1) year.

7.9 Rights

Individuals whose personal data are processed in Infomedia’s whistleblower scheme have a number of rights under the GDPR.

Persons wishing to exercise their rights should contact Norrbom Vinding and/or Infomedia.

Right to view data (right of access)
Data subjects have a right to access the information that Norrbom Vinding and/or Infomedia process about the individual, as well as a range of other data.

Right to rectification (correction)
Data subjects have a right to rectify inaccurate data relating to the data subject or to supplement the data being processed.

Right to erasure
In exceptional cases, data subjects have a right to have data erased prior to the date of ordinary, general erasure.

Right to restriction of processing
In certain cases, data subjects have a right to restrict the processing of personal data. If data subjects have a right to restrict processing, Norrbom Vinding and/or Infomedia may, in future, only process the data – with the exception of storage – with consent or for the establishment, exercise or defence of legal claims or for the protection of a person or of important public interests.

Right to object
In certain cases, data subjects have a right to object to the otherwise lawful processing of personal data by Norrbom Vinding and/or Infomedia.

Right to transmit data (data portability)
In certain cases, data subjects have a right to receive personal data in a structured, commonly used and machine-readable format and to transmit those personal data from one controller to another without hindrance.

Further information on data subjects’ rights under the GDPR and the Danish Data Protection Act can be found in the Danish Data Protection Agency’s guidance on data subjects’ rights, which can be found at www.datatilsynet.dk/english/rights-and-duties.

7.10 Complaints to the Danish Data Protection Authority

Anyone has the right to lodge a complaint with the Danish Data Protection Authority if they are dissatisfied with the way in which Norrbom Vinding and/or Infomedia process their personal data. The contact details of the Danish Data Protection Authority can be found at www.datatilsynet.dk/english.