Whistleblower guidelines

Procedure for notification of whistleblower systems

The following outlines the procedure for notification of whistleblower systems to the Danish Data Protection Agency. Such systems must be notified using the “Privat virksomhed” (Private entity) notification form.

Section 1 of the notification form

You must list the name of the controller company in section 1 of the notification form. You must also list the name of any processors.

1.1. If your company is not part of a group, your company must always be listed as the controller. If a processor is used, refer also to section 1.4.

Then proceed to section 2 of the notification form.

1.2. The Danish Data Protection Agency recommends that companies in a group establish separate whistleblower systems so that reporting of an employee at one of the group’s companies is not transmitted to other companies in the group. If your intention is to submit notification of the whistleblower system in this way, your company must be listed as the controller (of your own whistleblower system). If a processor is used, refer also to section 1.4.

Then proceed to section 2 of the notification form.

1.3. The Danish Data Protection Agency’s experience is that many groups wish to implement a common whistleblower system and that the processing of reports in such cases often involves both the parent company and subsidiaries in the group, and sometimes also companies outside the group.

If your intention is to submit notification of a whistleblower system of this nature, the role of the individual companies in connection with the whistleblower system must be clarified:

• If your company is a Danish parent company, go to section 1.3.A.

• If your company is a Danish subsidiary with a parent company established in the EU/EEA, go to section 1.3.B.

• If your company is a Danish subsidiary with a parent company established outside the EU/EEA, go to section 1.3.C.

1.3.A. Your company is a Danish parent company

Before submitting the notification form to the Danish Data Protection Agency, you must determine whether your company is the controller for all processing of data in connection with the whistleblower system.

If your company is the controller for all processing of data in connection with the whistleblower system:

o You must submit a notification to the Danish Data Protection Agency, i.e. your company must be listed as the controller on the notification form.

Section 4 of the notification form (categories of persons) must state that your company is the controller for processing data on employees for all companies within the group.

o Your subsidiaries do not have to submit any notifications to the Danish Data Protection Agency.


If your company is the controller for processing data about your own employees but processes data solely on behalf of your subsidiaries with regard to reported employees:

o You must submit a notification to the Danish Data Protection Agency, i.e. your company must be listed as the controller on the notification form.

Section 4 of the notification form (categories of persons) must state that your company is the controller for processing data on your own employees.

o Your subsidiaries established outside the EU/EEA and your Danish subsidiaries must submit a separate notification form to the Danish Data Protection Agency. In this form, they must be listed as the controllers and your company must be listed as the processor.

Section 4 of your subsidiaries’ notification forms (categories of persons) must state that they are controllers for processing data on their employees.

In connection with processing data on your subsidiaries’ employees, your company must comply with the requirements for processors as set out in the Act on Processing of Personal Data. If it is not possible to fulfil these requirements, this solution model cannot be used and your company must instead be considered the controller for all processing of data in connection with the whistleblower system.

o Your subsidiaries established in other EU/EEA countries do not have to submit notifications to the Danish Data Protection Agency, but should perhaps contact the data protection authorities in their home countries.


If the tasks in connection with the whistleblower system are placed with a company outside the group, see section 1.4.

Then proceed to section 2 of the notification form.

1.3.B. Your company is a Danish subsidiary with a parent company established in the EU/EEA

Before submitting the notification form to the Danish Data Protection Agency, you must have determined in collaboration with your parent company whether your parent company is the controller for all processing of data in connection with the whistleblower system.

If your parent company is the controller for all processing of data in connection with the whistleblower system:

o Neither your parent company nor your company has to submit notifications to the Danish Data Protection Agency. Your parent company should contact the data protection authority in its home country.

If your parent company solely processes data on your behalf with regard to reported employees:

o Your company must submit a notification to the Danish Data Protection Agency, i.e. your company must be listed as the controller on the notification form. Your parent company must be listed as the processor.

Section 4 of the notification form (categories of persons) must state that your company is the controller for processing data on your own employees.

In connection with processing data on your employees, your parent company must comply with the requirements for processors as set out in the Act on Processing of Personal Data. If it is not possible to fulfil these requirements, this solution model cannot be used and your parent company must instead be considered the controller for all processing of data in connection with the whistleblower system.

o Your parent company does not have to submit a notification to the Danish Data Protection Agency, but should perhaps contact the data protection authority in its home country.


If the tasks in connection with the whistleblower system are placed with a company outside the group, see section 1.4.

Then proceed to section 2 of the notification form.

1.3.C. Your company is a Danish subsidiary with a parent company established outside the EU/EEA

Before submitting the notification form to the Danish Data Protection Agency, you must determine in collaboration with your parent company whether your parent company is the controller for all processing of data in connection with the whistleblower system.

If your parent company is the controller for all processing of data in connection with the whistleblower system:

o Your parent company is subject to the Danish Act on Processing of Personal Data with regard to processing data related to your company’s employees. Your parent company must therefore submit a notification to the Danish Data Protection Agency, i.e. your parent company must be listed as the controller on the notification form.

Section 4 of the notification form (categories of persons) must state that your parent company is the controller for processing data on your employees.

o Your company does not have to submit a notification to the Danish Data Protection Agency for the whistleblower system.

If your parent company processes data solely on your behalf with regard to reported employees:

o Your company must submit a notification to the Danish Data Protection Agency, i.e. your company must be listed as the controller on the notification form. Your parent company must be listed as the processor.

Section 4 of the notification form (categories of persons) must state that your company is the controller for processing data on your own employees.

Section 6 of the notification form must state that the intention is to transmit data to third countries.

In connection with processing data on your employees, your parent company must comply with the requirements for processors as set out in the Act on Processing of Personal Data. If it is not possible to fulfil these requirements, this solution model cannot be used and your company must instead be considered the controller for all processing of data in connection with the whistleblower system.

o Your parent company does not have to submit a notification to the Danish Data Protection Agency, but should perhaps contact the data protection authority in its home country, if such an organisation exists.


If the tasks in connection with the whistleblower system are placed with a company outside the group, see section 1.4.

Then proceed to section 2 of the notification form.

1.4. Use of a processor

Often, part of the processing (e.g. reception) of reports in a whistleblower system will be assigned to a company with special expertise in this area.

Such companies must be listed on the notification form as processors and must comply with the requirements for processors as set out in the Act on Processing of Personal Data.

If the company is established in a country outside the EU/EEA, the special rules for the transfer of data to third countries must also be complied with.

Section 2 of the notification form

You must list the name of the data processing in question in section 2 of the notification form. For example, “Whistleblower system”.

The purpose and any sub-purposes must also be outlined. For example, this field may include background information on the reason for implementing the whistleblower system and the expected results from the system.

Section 3 of the notification form

You must provide a general description of the whistleblower system in section 3 of the notification form. For example, this field may include a brief description of what happens with data reported to the whistleblower system from the time of reporting to the conclusion of the case.

You must also tick off the boxes indicating the types of sensitive information processed in connection with the whistleblower system. Note that, as a general rule, it is not permitted to process other sensitive data than data on criminal offences and other purely private matters.

Section 4 of the notification form

You must provide information on the categories of persons about whom data will be processed in section 4 of the notification form.

One category is comprised of those people who can be reported via the whistleblower system. This category must be listed in accordance with considerations about the scope of your responsibility; see section 1 of the notification form.

For example, depending on the scope of your responsibility, you as a Danish parent company must indicate either “Employees at [your company name] who are reported to the whistleblower system” or “Employees at companies in [group’s name] who are reported to the whistleblower system”.

Also note that whistleblower systems may be configured solely for the purpose of reporting people connected to the group/company, e.g. employees, board members, auditors, lawyers, suppliers etc.

Another category is comprised of people who can make reports, enquiries etc. via the whistleblower system.

In general, employees and board members can make reports to whistleblower systems.

Some companies may deem it necessary to give other people with a connection to the company the ability to make reports as well. Note, in this regard, that if the access to reporting is located on a website on the open internet, the website must clearly state that reports can only be made by employees, board members, customers, suppliers and others with a connection to the company. Reports must be screened upon receipt in the system to determine whether they have been submitted by a person with connection to the company. It is recommended that external parties be encouraged to identify themselves in connection with a report.

You must also provide information in section 4 of the notification form on the types of data that will be processed for the aforementioned categories of persons.

Note that, as a general rule, it is not permitted to process other sensitive data than data on criminal offences and other purely private matters.

Note also that there are other limitations on the types of data that can be reported.

In the view of the Danish Data Protection Agency, reporting may only take place in case of serious offences – or suspicion of serious offences – that can be of importance to the group/company as a whole, or which can be of significant importance to the life and well-being of individual persons.

For example, this may include suspicion of serious economic criminality, including bribery, fraud, forgery etc.

Note in this regard that, in the view of the Danish Data Protection Agency, reporting can take place to the degree required by the American Sarbanes-Oxley Act, i.e. for irregularities in the areas of accounting, internal auditing, auditing and suspicion of corruption and criminality in the bank and finance sector. Other examples deemed suitable for reporting by the Danish Data Protection Agency include cases of environmental contamination, serious breaches of work safety and serious circumstances involving an employee, e.g. assault or sexual abuse.

However, less serious offences cannot be reported, e.g. cases of harassment, cooperative difficulties, incompetence, absence, violation of guidelines for e.g. attire, smoking/drinking, using e-mail/internet and the like. In these cases, the normal communication channels must be used instead.

Section 5 of the notification form

You must list all the companies, categories of external consultants etc. that will have access to a report to the whistleblower system in section 5 of the notification form.

Section 6 of the notification form

Section 6 of the notification form must provide an indication of whether the data is to be transferred to a third country.

This will always be the case if a processor established outside the EU/EEA is used, e.g. a company outside the group with special expertise in the area.

This will also be the case if you are a Danish parent company and the controller for all processing of data in connection with the whistleblower system (see more in section 1.3.A. of the notification form) and transfer data to your subsidiaries established outside the EU/EEA.

If data is transmitted to a third country, the special rules in Section 27 of the Act on Processing of Personal Data regarding the transfer of data to third countries must be complied with.

Section 7 of the notification form

You must provide a general description of the measures to be taken with regard to processing security in section 7 of the notification form.

This includes protection of electronic data, e.g. in connection with transmission, storage etc. You must also indicate security measures for any manually processed data.

It is your responsibility to ensure that data does not come into the hands of unauthorised parties. The Danish Data Protection Agency’s handling of the notification does not involve a comprehensive examination of the security of your whistleblower system.

Note that in connection with the authorisation, the Danish Data Protection Agency will stipulate a number of security measures in connection with your whistleblower system. These security measures must be implemented regardless of whether they are listed on the notification form.

Section 8 of the notification form

The scheduled commencement of the data processing must be listed in section 8 of the notification form. Note that the data processing must not commence prior to obtaining authorisation from the Danish Data Protection Agency.

Section 9 of the notification form

The scheduled deletion of the data must be indicated in section 9 of the notification form.

If your company has a separate whistleblower system (see section 1.1. and section 1.2) the planned deletion could be described as follows:

“If a report is made to the police or other relevant authorities, the data is generally deleted immediately after completion of the case by the involved authorities, cf. however below. If disciplinary measures are taken against the reported employee on the basis of the collected data, or if there are other grounds for which it is relevant and necessary to store the data on the employee, the data will be stored in the employee’s personnel file. After resignation, the data regarding the employee will be stored for a period of up to five years.”

The above also applies in cases where you are a Danish subsidiary submitting a notification regarding the processing of data for which your parent company is the processor on your behalf; see section 1.3.B or section 1.3.C.

If your company is a Danish parent company with responsibility for all processing of data in connection with the whistleblower system (see section 1.3.A), the planned deletion could be described as follows:

“If the report is not within the area covered by the whistleblower system or proves to be unfounded, the data will be immediately deleted or transmitted to the subsidiary where the reported employee works. If a report is made to the police or other relevant authorities, the data is generally deleted immediately after completion of the case by the involved authorities. If no report is made to the police or other relevant authorities, the data is generally deleted immediately after transmission of the data to the subsidiary. Data is otherwise deleted if no report has been made to the police or other relevant authorities within 2 months following the completion of the investigation of the reported allegations, or if the data is not transmitted to the subsidiary prior to this deadline.”

The above also applies in cases where your parent company is established in a country outside the EU/EEA and, as the controller, must submit a notification to the Danish Data Protection Agency regarding processing of data on your company’s employees; see section 1.3.C.

Section 10 of the notification form

A signature and date must be provided in section 10 of the notification form. The Danish Data Protection Agency accepts that your company, as a Danish subsidiary, submits the notification on behalf of your parent company in cases where your parent company is responsible for notifying to the Danish Data Protection Agency.