Whistleblower Privacy Notice

At ICARS we respect and protect personal data, and we are dedicated to being as transparent as possible regarding the use of your personal data.

This privacy notice explains how we process personal data we collect via the ICARS whistleblowing system and what your rights are with regard to your personal data.

For detailed information on the whistleblowing process view the ICARS whistleblowing policy.

For more information on ICARS commitments related to data protection view the ICARS data protection policy.

1. Who we are

As we process your personal data and determine the purposes and means of the processing, we act as a data controller pursuant to GDPR article 4(7).

You can contact us by using the following contact information:

International Centre for Antimicrobial Resistance Solutions

Ørestads Boulevard 5

2300 Copenhagen S

dataprotection@icars-global.org

2. What is personal data and what kind of personal data do we collect and process?

Personal data are all kinds of information that can be attributed to you to some extent.

The personal data we collect via the ICARS whistleblowing system depends on the concern raised and the steps needed to investigate, action and resolve the concern. It may include:

• Your name, position and contact details, as the person who raises the concern, unless you submit your report anonymously.
• The name and contact details of individuals involved, such as the subject of your concern, or witnesses, other people mentioned, and their relationship to ICARS
• The context of the concern being raised, depending upon the nature of the allegation or concern, this could include a description of behavior, activities in relation to ICARS, location and time of incident, or other data which is relevant to the allegation or As any concern can be raised through the whistleblowing process this list is not exhaustive.

The personal data collected may include ‘sensitive’ data:

• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
• trade-union membership;
• genetic data, biometric data processed for the purpose of uniquely identifying a natural person;
• health-related data;
• data concerning a person’s sex life or sexual orientation.

For example, a safeguarding case may reveal sexual orientation data, and an anti-corruption case may reveal financial details.

We do not track nor use any third-party software, such as google analytics, to collect data from this webpage. All cookies and tracking elements on the ICARS whistleblowing page are disabled.

3. Why do we collect personal data?

If provided, we process your name and contact details in order to:

• Gather further information regarding your concern;
• Update you regarding the way in which we are dealing with it;
• Make referrals if appropriate to other services or

We process the other information regarding your concern to:

• Investigate the concern you raised;
• Take appropriate action where necessary to address your concern;
• Identify misconduct, illegal acts, or protect those with whom we

Our legal basis for processing your personal data is based on:

• Depending on the circumstance it may be a legal requirement for us to prevent and detect crime or misuse of our systems
• Our legitimate interest in running an internal whistleblowing system that protects the interests of you, ICARS and ICARS employees, those with whom we work and society by detecting or preventing unlawful acts or other improper activity and the associated prevention of damage and liability risks for ICARS (GDPR clause 6.1(f) and Section 8, Danish Data protection Act) – and this interest overrides the interests of the data subjects
• Where the data is particularly sensitive, also called special category data, there is a substantial public interest that we detect and prevent unlawful acts or
• Your consent with regard to sharing your personal data with therapeutic services or other agencies to provide support to you

4. How do we collect and share personal data

Data will be collected using the following methods:

• Via the online form;
• Via follow-up using phone, email or other direct communication mechanisms.

Brand by Hand provides the digital system which we use for receiving your concerns via our website, but only ICARS can access the data. Any data received and temporarily stored on the website database will be automatically deleted after 30 days. Your personal data will be stored securely in ICARS case management and email systems. Access to this information is strictly controlled and reviewed.

Your information will be shared internally with relevant staff in order that we can handle, investigate and respond to your disclosure. Internal access to information processed as part of the investigation is granted to limited individuals on a strict need-to-know basis. Our aim at all times is to ensure as far as possible the confidentiality of the information received and to protect the whistleblower’s identity and all other persons involved.

In some cases, we might need to share personal data, including special categories of personal data, with third parties, such as partners or suppliers, in order to gather information about your disclosure. Where we do so, we will ensure that any request for confidentiality and anonymity is respected wherever possible. We will also pass on whistleblowing disclosures given anonymously to relevant third parties where appropriate. However, please be aware that it may not always be possible to investigate anonymous disclosures fully.

Where ICARS partners or suppliers are outside the EU/EEA, the transfer of data will occur on the basis of appropriate data protection guarantees to protect those affected. Unless a specific adequacy decision has been taken by the EU Commission for the respective country outside the EU or the EEA, the above-mentioned guarantees are the standard contractual clauses of the European Commission. Data subjects have the right to obtain from ICARS a copy of the appropriate or appropriate guarantees for the transfer of personal data to third countries.

Other possible categories of recipients of your personal data include law enforcement authorities, antitrust authorities, other administrative authorities, courts and law and auditing firms commissioned by ICARS if required to do so by law.

Outside of ICARS, your data will only be shared in an anonymous way unless required by law (e.g. with regulators, public authorities, or law enforcement) or to prevent or detect crime or dishonesty.

ICARS is obliged to inform the suspect of the charges made against them. This is a legal requirement in cases where it can be objectively established that the disclosure of information to the suspect can no longer have an adverse effect on the whistleblowing investigation in question. As far as is legally possible, your identity as a whistleblower will not be disclosed and steps will also be taken to ensure that no conclusions can be drawn as to your identity as the whistleblower.

With your consent data may also be shared with therapeutic services or other agency to provide support to you.

5. How long is personal data stored

ICARS will keep your personal data for as long as is needed to fulfil our purposes of investigating compliance concerns and documenting our compliance with applicable laws, unless ICARS is required under applicable law to keep your personal data for a longer period.

The duration of storage depends in particular on the severity of the suspicion and the reported possible breach of duty. If you would like to receive more detailed information on our retention policy, please contact us by using the contact information in section 1.

There is a possibility that we process your data for statistical purposes, but in this case your data will always be anonymised.

6. Your data subject rights

Under data protection legislation, you have the right to:

• access and obtain a copy of your personal data
• require us to rectify / change incorrect or incomplete personal data
• require us to delete / erase your personal data
• request us to restrict the processing of your personal data (in certain circumstances)
• request your personal data in a portable format
• object to the processing of your personal data

In terms of restricting how we processes your personal data, please be aware that we cannot guarantee your confidentiality. We may need to disclose your identity where we are required to do so, for example, by law. We do, however, take the issue of maintaining the confidentiality of whistleblowers seriously and we will protect your identity as far as possible. You should also recognise that you might be identifiable by others due to the nature or circumstances of your concern.

If the right to object to the processing of the personal data is invoked, the necessity of the stored data for the examination of a report will be evaluated immediately. Data that are no longer required will be deleted immediately.

If you would like to exercise any of these rights, please contact ICARS Data Protection Officer via email at dataprotection@icars-global.org

7. Your right to lodge a complain

If you have any questions, comments or requests in relation to how we use your personal data, please let us know by contacting us using the contact information described in section 1.

If you, however, are still not satisfied with the way we use your personal data, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

Datatilsynet

Borgergade 28, 5

DK-1300 Copenhagen K

Tel: (+45) 3319 3200

E-mail: dt@datatilsynet.dk