Fair Way Channel Privacy Notice for Sweden (EN)

Fair Way Channel Privacy Notice for Sweden (EN)

Read more below.

We at HKScan are committed to operating fairly and upholding high standards of ethics. On this page, we describe and provide further information on how we will collect and process personal data of Alleged Wrongdoers, Reporters and Witnesses in connection with our Fair Way channel. 

It is important to us that you feel safe with how we handle your personal data. We take measures to ensure that your personal data is protected and that the processing of your personal data is carried out in accordance with applicable data protection regulations and our internal policies and procedures.

Alleged Wrongdoer is a person who has, pursuant to the report, allegedly acted improperly in a way that would be in the public interest to be disclosed, or otherwise violated inter alia EU laws.

Fair Way channel is intended for reporting suspected cases of unethical behavior in HKScan’s busi-ness. This applies to suspected violations of the law or other official regulations or deviations from HKScan’s Code of Conduct or other policies as further described in our Fair Way Page. https://www.hkscan.com/en/about-us/policies-and-certificates/hkscan-fair-way/

GDPR means the General Data Protection Regulation (EU) 2016/679.

Personal data means any information, which may, directly or indirectly, be used to identify an indi-vidual.

Processing means everything we do with your personal data (normally by digital means), such as collection, compilation, disclosure, structuring, storage, etc. 

Reporter is a person who reports any suspected violation through the Fair Way channel.

Witness is a person identified (directly or indirectly) in the report or in communication by the Re-porter as a witness to the suspected violation.

HKScan Sweden AB ("HKScan Sweden") has designated edpLaw Advokatbyrå that receive and investigate the reports ("edpLaw Advokatbyrå") as a competent external party under the Swedish Whistleblowing Act (2021:890) (the “Swedish Whistleblowing Act”) for receiving and investigating whistleblowing reports, as well as following-up and communicating with the Reporter. As a result, HKScan Sweden and edpLaw Advokatbyrå are jointly responsible (joint controllers) for the pro-cessing of your personal data for such purposes, as further described below in our detailed infor-mation on our use of personal data.

Moreover, HKScan Sweden and HKScan Oyj are cooperating with each other when addressing re-ported breaches under the Fair Way channel, including when making business decisions and taking other actions as a result of a report. When processing your personal data for such purposes, HKScan Sweden and HKscan Oyj are jointly responsible (joint controllers), as further described below in our detailed information on our use of personal data.

HKScan Sweden and the relevant parties identified above have set up internal arrangements to de-termine their respective responsibilities in relation to the use of your personal data.

You have the right to obtain the essence of the above-mentioned arrangements, in which case we ask you to contact us on the contact details set out in Section 11 below. This information also reflects the essence of the internal arrangement.

To the extent necessary and depending on the circumstances in each case, we collect and process the following categories of personal data:


  • Identity information. Information that makes it possible to identify an individual, for example name or personal identification number.


  • Contact information. Information that makes it possible to contact an individual, for example address, e-mail address and telephone number.


  • Employment information. Information regarding an employment, e.g. current position, employment type, period and tasks.


  • Profile information. Information regarding a profile, e.g. gender, age, title, department, marital status and otherwise details of the relationship to us.


  • Communication. Contents of communication with us, e.g. as part of our follow-up with you in a reported matter.


  • Matter details. Information necessary in each case to investigate a whistleblowing report, e.g. obtained from the submitted report.


  • Audio material. Recorded statements from you on a whistleblowing matter, if you have chosen to submit a report orally to us ([e.g. via our whistleblowing phoneline]) and approved that we record such submission.


As a Reporter you have the possibility to report anonymously, in which case none of your personal data that directly identifies you will be processed by us.

We collect personal data from the following sources:

  • Reporter. We collect personal data that the Reporter provides to us when submitting a whis-tleblowing report, either in writing or orally, and in connection with further communication with the Reporter following submission of the report.

  • Authorities and public records. We collect personal data from authorities and public rec-ords where necessary, for example to  investigate a whistleblowing report.

  • Other employees, external persons and/or companies. We may also collect personal data from other employees, external persons and/or companies where necessary to investigate a whistleblowing report. An external person may for example be an individual of a supplier who provides us input for the investigation. An external company may for example be a company that we engage to help us in the investigation or to take measures due to the whis-tleblowing report.

Below we explain the purposes with our use of personal data and provide examples of processing activities carried out for each purpose. 

To read more about which categories of personal data, which legal basis that we rely on for the use of your personal data for each purpose and for how long your personal data is stored as well as which companies that are joint or separate controllers for the respective processing, please see our detailed information on our use of personal data.

Receive and investigate whistleblowing reports, including communicating with the Reporter

We use, to the extent necessary, your personal data to manage reports submitted in our internal whis-tleblowing channel (the Fair Way channel) in accordance with the Swedish Whistleblowing Act. This includes to receive and investigate reports, as well as to be in contact with and report back to the Reporter on actions taken.

For more information about the internal reporting channel, please see 
our HKScan Fair Way Page. 


Make business decisions and take other actions as a result of whistleblowing reports

Where necessary, we use and share your personal data between authorized functions and departments within the HKScan Group to address whistleblowing reports. By way of example, this may include to carry out legal investigations and take disciplinary actions in relation to employees, such as written warnings, and suspensions and terminating contracts.


Manage and defend legal claims

We will, where necessary, use and share your personal data internally between functions and depart-ments within the HKScan Group to manage and defend legal claims in relation to a reported whistle-blowing matter, including using reports as evidence in legal proceedings and other disputes.


Follow up and evaluate whistleblowing matters (statistics)

We use your personal data to follow up and evaluate whistleblowing reports, for example to compile reports and statistics on an aggregated level (i.e. information that cannot be directly related to you) to better understand our business and identify any trends regarding whistleblowing matters (such as the number of matters and types of reported matters).


Ensure technical functionality and security  

We use your personal data to ensure necessary technical functionality and security of the Fair Way channel and our IT systems, for example for security logging, error handling, and backups.


Fulfil data protection obligations

We will use your personal data to fulfil our legal obligations, for example in order to comply with data protection obligations under the GDPR (such as requests to exercise your rights).


Below we describe which recipients that we share your personal data with. The recipients below is responsible (data controller) for its own use of your personal data, unless we have stated otherwise.

To read more about why and based on which legal bases that we share your personal data with dif-ferent recipients, please see our detailed information on our use of personal data. 

We share personal data with:

Service providers. To process personal data for the proposes described in this information, we share personal data with service providers that we have engaged. These service providers provide, for ex-ample, IT services (such as hosting of and operating the Fair Way channel). When these service pro-viders process personal data on our behalf, they act as data processors for us, and we are responsible for the processing of your personal data. They must not use your personal data for their own purposes and are contractually and legally obliged to protect your personal data.

Other recipients. If needed, we share your personal data with other recipients for the following pur-poses:

  • Respond to legal requests;

  • Fulfil legal obligations;

  • Manage sales, investments, re-organisations and restructuring of the business; and

  • Manage and defend legal claims as well as taking necessary procedural steps following a re-ported breach.

Examples of recipients are HKScan Group companies, external advisors, trade unions, public authori-ties, law enforcement and courts. These recipients will normally act as sole and separate controllers for their own use of your personal data.

Subject to applicable law, you have a number of rights regarding the processing of your personal data. Below we explain your rights and under which circumstances you may exercise them. 

To be as transparent as possible, we have only described the rights and terms that we, in light of the processing activities carried out by us, have deemed will be relevant for you. For a full description of the rights under chapter III of the GDPR, please see the information on rights at the Swedish Authority for Privacy Protection’s (IMY’s) website.

Please note that the person managing a whistleblowing matter is not, according to the Swedish Whis-tleblowing Act, permitted to make any unauthorized disclosures of information that would reveal the identity of the Reporter or any other individual involved in the matter. Moreover, pursuant to the Swedish Data Protection Act (2018:218), Articles 13–15 of the GDPR will not apply to personal data that the data controller is prohibited to disclose according to law or other regulation. Therefore, the below stated rights will not apply in case they conflict with the said rules on confidentiality under the Swedish Whistleblowing Act or where any other legal exemption applies.


In order to exercise your rights, please contact us on the contact details in Section "Any questions?"

Right to access (Article 15 GDPR)

You have the right to receive confirmation that your personal data is being processed by us and, if so, to access the personal data and the following information:

  • the purpose of the processing;

  • the categories of personal data being processed;

  • the recipients of personal data (in particular if they are located outside the EU/EEA and if that is the case, the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer);

  • the period during which the personal data is processed;

  • information on the rights set out in this section (such as your right to the rectification or eras-ure of your personal data);

  • information about the source from which the personal data has been collected; and

  • whether your personal data has been subjected to any automated decision-making, including profiling.

You have also the right to receive a copy of your personal data in a commonly used electronic format.


Right to rectification (Article 16 GDPR)

You have the right to rectification of incomplete or incorrect personal data processed by us. Depend-ing on the purpose of the processing you also have a right to have incomplete personal data completed, including by means of providing a supplementary statement.


Right to deletion (Article 17 GDPR)

You have the right to erasure of your personal data. The right to erasure apply:

  • if the personal data processed is no longer necessary for the purpose or the personal data is otherwise unlawfully processed; 

  • if you object to the processing under Article 21 of the GDPR where the processing is based on a legitimate interest (Article 6.1f of the GDPR) or public interest (Article 6.1e of the GDPR) and there are no compelling reasons to continue the processing or you object to pro-cessing for direct marketing purposes; or

  • if the personal data must be erased to comply with a legal obligation.

What is stated above regarding the right to erasure does not apply to the extent the processing is nec-essary e.g.:

  • for compliance with a legal obligation;

  • for archiving purposes in the public interest, scientific or historical research purposes or sta-tistical purposes in accordance with Article 89.1 of the GDPR; or

  • to establish, exercise and defend legal claims.


Right to restrict processing (Article 18 GDPR)

You have the right to obtain restriction of processing where one of the following grounds applies:


  • the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;

  • the processing is unlawful, you oppose the erasure of the personal data, and you request the restriction of their use instead;

  • we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; and

  • you have objected to processing pursuant to Article 21.1 of the GDPR pending the verifica-tion of overriding legitimate interests.

Where processing has been restricted, such personal data shall, except for storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. If you have obtained restriction of processing you shall be informed by us before the restriction of processing is lifted.


Right to data portability (Article 20 GDPR)

The right to data portability only applies when the processing takes place on the basis of your consent or to fulfil or enter into an agreement with you, why this right cannot be exercised by you in relation to our use of your personal data as described in this information.


Right to object to processing (Article 21 GDPR)

You have also the right to object, on grounds relating to your particular situation, to the pro-cessing of your personal data by us or on our behalf, where such processing is based on Article 6.1f (legitimate interests) of the GDPR.

Where an objection is made for processing activities based on Article 6.1f of the GDPR, we may only continue processing your personal data if (i) we can demonstrate compelling legitimate grounds that outweigh your privacy interests, or (ii) the processing is necessary for us to estab-lish, exercise or defend legal claims. 


Automated decision-making, including profiling

We do not carry out any automated decision-making or profiling which have any legal effects or similar on you.


Your personal data will at all times be used and stored within the EU/EEA.

In order to ensure that the content reflects our use of personal data from time to time, we regularly update this information. As an example, we will update this information if we decide to collect additional categories of personal data or if we intend to use collected personal data for additional purposes.


We will in such case notify you in advance by appropriate means, for example by showing a message on this page. The latest version of this information is always available on this page and the date when this information was last updated is stated above.

If you have questions about this information, our use of your personal data or if you wish to exercise your rights, please contact us. Please see contact details below.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. In Sweden, the Swedish Authority for Privacy Protection (IMY) (www.imy.se) is the data protection authority. In Finland, the Office of the Data Protection Ombudsman (https://tietosuoja.fi/home) is the data protection authority. 


Data controllers

HKScan Sweden AB
Company registration number: 556655-4597 

HKScan Oyj
Company registration number: 0111425-3

edplaw Advokatbyrå AB
Company registration num-ber: 559280-3208


Joint contact point

Address: Lemminkäisenkatu 48, FI-20520 Turku, Finland
E-mail: privacy@hkscan.com
DPM: juha.koskimaa@hkscan.com