1. Preface
This privacy policy serves as an addendum to the Solar Whistleblower Policy.
Solar A/S, located at Industrivej Vest 43, 6600 Vejen, Denmark, is the data controller of the whistleblower scheme and the processing of personal data in connection with any reports made through the whistleblower scheme.
Solar Group includes:
Solar A/S
Solar Danmark A/S
Solar Norge AS
Solar Nederland B.V.
Solar Polska Sp. Z o.o.
P/F Solar Føroyar
Solar Sverige AB
MAG45
Solar Polaris
Højager Belysning
ThermoNova
The legal basis for the processing of personal data is as follows:
Denmark: Article 6(1)(c), Article 6(1)(f), Article (9)(2)(b) of the GDPR and Section 8(3) and (5), cf. Section 7(1), of the Danish Data Protection Act.
Norway: Article 6(1)(c), Article 6(1)(f), Article (9)(2)(b) of the GDPR as well as Section 6 of the Norwegian Personal Data Act (sensitive data), and Section 11 of the Norwegian Personal Data Act, cf. Article 10 of the GDPR.
Sweden: Article 6(1)(c), Article 6(1)(f), Article (9)(2)(b) of the GDPR and Section 2 § 1 of the Swedish Data Protection Act.
The Faroe Islands: Section 8(1)(3), Section 8(1)(6), Section 12(1)(3) and Section 13(3) and (5) of the Faroese Data Protection Act.
The Netherlands: Article 6(1)(c), Article 6(1)(f), Article (9)(2)(b) of the GDPR and Article 31 up to and including 33 Dutch GDPR Implementation Act (UAVG).
Poland: Article 6(1)(c), Article 6(1)(f), Article (9)(2)(b) of the GDPR*.
2. How we handle the issue
Information submitted to the whistleblower scheme will be processed by Solar Group's internal whistleblower unit which consists of a few trusted persons.
External partners, such as lawyers and auditors, may be included in the processing of a submitted report.
The management and the board of directors and other third parties may also be included when it is relevant, provided it is in accordance with the duties of confidentiality applicable to the whistleblower scheme. In general, this means that the identity of a whistleblower is not shared with the management without the whistleblowers prior consent.
No later than seven days after a report is submitted, the whistleblower will receive a receipt of acknowledgement confirming the report was received, provided the whistleblower chose to set up a login on the whistleblower platform. It is possible to conduct a dialogue and send further information via the platform – including when the whistleblower has not disclosed his or her identity.
The trusted employees are also instructed to conduct a thorough follow-up on the report and to give feedback to a whistleblower to the extent it is possible and as soon as possible and no later than 3 months after the whistleblower received the receipt of acknowledgement.
Feedback contains information about the follow-up that was conducted and the reason for such follow-up. Feedback will in many cases be given in multiple instances. Feedback is given via the whistleblower platform. To receive feedback, the whistleblower needs to set up a login when the report is submitted.
If the initial investigation concludes that a potential violation may have occurred, the reported matter will be subject to further investigation. Information may in such cases be handed over to the police or other public authorities for further investigation.
If the report is assessed to be groundless, or there are no grounds to conduct further follow-up on the report or to respond to the reported matter, the case will be closed. The whistleblower will be notified via the whistleblower platform.
3. Protection of the whistle-blower’s identity
Information about your identity and other information which could identify you will only be disclosed to Solar Group's internal whistleblower unit, unless;
you have consented to the disclosure,
it is specifically required by legislation, or
the disclosure is to authorities, and it is necessary to counter for serious offences or other serious matters, cf. section 2 above, or required by law or a court decision.
Solar Group does not disclose your identity to the reported persons, unless this is specifically required by legislation. However, you should be aware that even though the information is not directly accessible to the reported persons, we cannot guarantee that the reported persons are not able to guess your identity based on the nature of the issue.
4. Notice to the persons concerned
Solar Group has a duty of confidentiality concerning the subjects of a report (person(s) concerned) and any third parties referred to in reports for the processing of their personal data. In principle, specific details must be given to them within a reasonable period of time after personal data have been gathered, and within one month at the latest.
However, the duty to inform can be postponed or dropped according to specific assessment, e.g., for the sake of investigating a case or if in the overriding interests of Solar Group, including with regard to the company’s core business, its business practices, know-how etc., which will outweigh the interests of data subjects.
5. Retention period, data integrity and security
Personal data will not be kept longer than necessary to fulfil the purposes for which it was collected and legitimately processed. When the personal data is no longer needed, we will ensure that it is deleted in a secure manner.
Upon request, we will erase or anonymize personal data without undue delay, unless we have a valid legal ground to continue to keep your personal data.
6. Rights of the data subject
As a data subject, you have certain rights under the General Data Protection Regulation. If you want to exercise your rights, please contact us.
• Right of access: You have the right to access the personal data we process about you.
• Right to rectification: You have the right to obtain rectification of any inaccurate and incomplete personal data about you.
• Right to erasure (right to be forgotten): In exceptional cases, you have the right to obtain erasure of information about you before the time when we would normally delete your personal data.
• Right to restriction of processing: In certain situations, you have the right to restrict the processing of your personal data. If you have the right to restrict the processing of your personal data, we may only process personal data in the future – apart from storage – with your consent, or for the establishment, exercise or defence of legal claims, or to protect an individual or important public interests.
• Right to object: In certain situations, you have the right to object to our processing of your personal data, and always if the processing is for direct marketing purposes.
• Right to data portability: In certain situations, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have such personal data transferred from one data controller to another.
• Right to lodge a complaint: You can lodge a complaint at any time with your local data protection supervisory authority:
Denmark
Datatilsynet
Phone: +45 33 19 32 00
Norway
Datatilsynet
Phone: +47 22 39 69 00
Sweden
Integritetsskyddsmyndigheten
Phone: +46 08-657 61 00
Poland
Urząd Ochrony Danych Osobowych
Phone: +48 22 531-03-00
The Netherlands
Autoriteit Persoonsgegevens
Phone: +31 (0)70-888 85 00
The Faroe Islands
Dátueftirlitið
Phone: +298 309100
7. Questions and contact information
Questions about the whistleblower scheme and requests about the exercise of rights under personal data legislation can be made to Solar Group by contacting Christina Liljegren on chli@solar.dk or by phone on +45 30 23 66 88.
It is not possible to submit reports via this contact information.
*The law implementing the EU Whistleblower Directive has not yet been adopted in Poland. For now the Polish national law does not regulate a clear legal basis for processing information within the framework of the whistleblower scheme. Processing of personal data can be processed for the whistleblower scheme on a voluntary basis, cf. the GDPR, however the whistleblower will not be covered by protection provided in national legislation.