Information on personal data processing


Below is information about the processing of personal data that takes place in connection with our handling of whistleblowing cases, and about your rights as a data subject.


Controller

The party responsible for the processing of personal data, the controller, is:
XANO Industri AB, corp. ID no. 556076-2055
Industrigatan 14 B
SE-553 02  JÖNKÖPING
Sweden
info@xano.se
+46 36 31 22 00

For additional information regarding our processing of personal data, see the Privacy Policy applicable from time to time.


Purpose and legal basis for processing

The purpose of the processing is to fulfil the legal requirement for the organisation to have a whistleblowing function and to be able to investigate incoming whistleblowing cases. A further purpose is to process personal data where this is necessary to follow up whistleblowing cases. This means that we may need to process personal data in order to:
-    Manage reported whistleblowing cases.
-    Protect the organisation's rights and fulfil its obligations in light of the reported irregularities.
-    Fulfil the legal requirements placed on the organisation.

The legal basis for the processing of personal data in whistleblowing cases is the legal obligation in chap. 5 § 2 of the Swedish Act on Protection of Persons Reporting Irregularities (2021:890) (‘the Whistleblowing Act’).

The legal basis for the processing of personal data when following up whistleblowing cases, and when taking other measures in relation to a whistleblowing case, is compliance with a legal obligation or the organisation's legitimate interest in protecting its rights in relation to reported irregularities.


Categories of data subjects

Personal data of the following categories of data subjects may be processed when handling whistleblowing cases:
-    The reporting data subject, unless that person chooses to remain anonymous.
-    Data subjects mentioned in a whistleblowing case.
-    Data subjects whose administrative role is to manage and investigate whistleblowing cases.


Data transfer and processors

Data may be provided to public authorities (e.g. the Swedish Police Authority when a whistleblowing case leads to a police report) in compliance with legislation. Data may also be provided to other parts of our organisation, or to another company within our group, when investigating and following up on whistleblowing cases.

Personal data is also processed by processors when we handle whistleblowing cases. Processors may only act on our instructions, which are set out in a data processing agreement.


Data transfer to a third country

We strive not to transfer data to a country or company located outside the EU/EEA, and all personal data relating to the content of reported whistleblowing cases is stored within the EU/EEA on servers owned by Swedish companies.

Login and access to the whistleblowing system is administered through Microsoft Azure Active Directory. That data is stored within the EU/EEA, but the supplier of the service is an American company. This means that personal data relating to login and access administration might be accessed by US authorities, which could have a negative effect on the data subjects' privacy since US authorities are not bound by the GDPR. Where personal data is transferred to a third country, standard contractual clauses are in place as appropriate safeguards. Please contact us for more information on how we protect your personal data.


Retention and deletion

The personal data included in a whistleblowing case will be kept for two years from the date the case is closed.

The personal data needed for administration and management of login and access to the whistleblowing system will be kept for as long as the login and access rights remain valid.

If a whistleblowing case needs further internal investigation, the personal data will be kept for as long as it is needed to investigate the case.

All personal data will be deleted when the retention period ends.