Schibsted uses an externalSchibsted uses an external service for reporting misconduct. Here you can find information about how personal data is handled in connection with reporting. service for reporting misconduct. Here you can find information about how personal data is handled in connection with reporting.
1.1 Data controller
The data controller for the processing of personal data in connection with the reporting of breaches is Schibsted News Media AB. Information about representatives at group level is available on Schibsted’s website.
1.2 General about handling personal data after reporting in the whistle‑blowing channel
Reporting persons report via KPMG AB’s web application or via voicemail. A specially authorised case handler at KPMG AB is assigned the case and may thereafter read/listen to the report.
Only the employee(s) who have been assigned a case in the reporting system can read/listen to a report and correspondence with the reporting person. The reporting person may choose to be anonymous, but then there is a risk that the information will be more difficult to follow up.
There is a messaging function in the web application. When reporting persons write messages in a reported case, the case handler sees only the case reference number as sender.
Upon receipt of a report an initial assessment is made of the information in the report and whether additional information is needed. The case results in KPMG AB submitting a recommendation to the data controller on further handling. It is always the data controller who decides on measures due to the reporting.
Decisions on measures may, for example, be that the case should:
- be closed (e.g., due to insufficient evidence or other reasons),
- lead to an in‑depth investigation,
- be forwarded for internal or external handling (e.g., to the HR department or authority such as the police).
Persons who report are encouraged not to provide information that is not relevant to the case. This includes, among other things, intentionally false statements and information that may be perceived as offensive.
1.3 Purpose of the processing of personal data
The purpose of processing personal data in connection with handling whistle‑blowing cases is that Schibsted News Media AB shall prevent, become aware of and remedy misconduct in the operations, and in some cases be able to establish, assert or defend legal claims due to reported misconduct. The purpose of processing personal data is also that Schibsted News Media AB shall fulfil its obligations under applicable legislation on reporting of misconduct (including the Act on protection of persons who report misconduct).
1.4 Legal basis for processing personal data
The legal basis for processing personal data during internal and external reporting is that the processing is necessary to fulfil legal obligations incumbent on the data controller. The legal obligations are set out in the Act on protection of persons who report misconduct.
1.5 Recipients of personal data
Reporting in the whistle‑blower service is handled by KPMG AB, in the system tool provided by KPMG AB. The information in the system is stored within Sweden and is processed on behalf of the data controller by specially designated employees at KPMG AB.
In addition, information containing personal data may be disclosed to the contact persons designated by the data controller, law‑enforcement or prosecuting authorities or other authorities. It is the circumstances of the individual case that determine whether information needs to be forwarded, for example if it is appropriate to initiate an HR matter or, due to the report‑ing, file a police report.
1.6 Storage of personal data
Personal data collected for handling whistle‑blowing cases are retained for at most two years after processing of the data in the case has concluded.
A reporting case is deemed concluded when the whistle‑blower service has taken closing measures in the case, e.g., when the data controller has decided that an investigation shall be closed, that the information shall be forwarded for further investigation or handling, and when any legal procedures have been concluded or similar.
1.7 Categories of personal data
The categories of personal data that may be processed within the framework of a whistle‑blowing case depend on both the information provided by the reporting person and the information that needs to be obtained from other persons or information sources, for example in order to investigate or verify the information provided by a reporting person.
The following categories of personal data may be processed within the framework of a whistle‑blowing case:
- contact details,
- personal identity number/co‑ordination number,
- employment information, e.g., position,
- income information such as salary and other benefits, income from capital and business activities,
- information about assets and investments such as account numbers, bank account holdings, holdings of securities and real estate, etc.,
- trade‑union membership,
- sexual orientation (e.g., in reporting regarding discrimination),
- religious or philosophical belief (e.g., in reporting regarding discrimination),
- race or ethnic origin (e.g., in reporting regarding discrimination),
- political opinions (e.g., in reporting regarding discrimination),
- information about a natural person’s sexual life (e.g., in reporting regarding harassment or abuse),
- health data and suspected or confirmed regulatory violations.
In view of the fact that the data controller does not determine which information is provided in the reporting channel, it is not certain that the above list is exhaustive.
1.8 Origin of the data
Personal data for handling whistle‑blowing cases are collected from persons who report cases in the whistle‑blowing channel and may also be collected from:
- other persons who may be contacted because they are deemed to have relevant information about the case,
- publicly available sources such as search engines,
- social media and
- authorities such as the Swedish Tax Agency, the Enforcement Authority and courts.
1.9 Rights of the data subjects
Data subjects have, subject to certain limitations and exceptions, the right to:
- obtain access to personal data processed about them,
- request correction of inaccurate personal data and to complete personal data that are missing and relevant for the purpose of the processing,
- request that data concerning them be erased,
- request that processing of personal data concerning them be restricted,
- request to receive and use their personal data elsewhere (the data controller who has received such data has an obligation to facilitate such transfer, data portability) and
- object to the data controller’s processing of their personal data (this right covers, among other things, personal data processed following a balancing of interests and includes the right to object to profiling).
A request to exercise any of the above rights should be sent to: dpo@schibsted.com.
The person whose personal data is processed also has the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) – see the authority’s website for information.