Privacy Statement – Whistleblowing platform

Privacy Statement

1. What is covered by this Privacy Statement?

By means of this whistleblowing platform, embedded in the SMS360 tool, a breach of the Code of Conduct in accordance with the Global Whistleblowing Policy can be reported, investigated and recorded.

This Privacy Statement explains how and why personal data are processed in this tool, how we protect them and how long we keep them, when the whistleblowing tool is used.  

Please follow the links below for further information:

 

Who will process personal data?

What are the purposes for processing personal data?

What are the legal grounds for processing personal data?

Which categories of personal data will be processed and where do the data come from?

Information of the individual(s) mentioned in the report

Who will have access to your personal data?

Will your personal data be transferred to countries outside the EEA?

Will we make use of automated decision-making?

How long will your personal data be retained?

Are your data safe and secure?

What are your rights with respect to the processing of your personal data?

Who can you contact?

Changes to this Privacy Statement?

 

2. Who will process personal data?

The Euroports group of undertakings (hereinafter referred to as “EUROPORTS”) (jointly) determine(s) the purposes and means of the processing of personal data in the context of the whistleblowing tool. Consequently, the group undertakings act as joint controllers with respect to this tool

They have determined their respective responsibilities with respect to the whistleblowing tool in an intra-group agreement. You can always contact us in order to obtain more information about the essence of this arrangement.

 

3. What are the purposes for processing personal data?

In the context of the whistleblowing tool, personal data are processed for the purpose of the initial reporting and investigation of reports of alleged breaches of the EUROPORTS Code of Conduct and the subsequent review of these reports and the reporting of the relevant outcome to the Executive Committee.

EUROPORTS reiterates the fact that ordinary channels of information exist within the company, allowing employees to report any malfunctions, in particular to their line manager, or through staff representatives or internal audits.

This whistleblowing process is only an addition to the other forms of reporting. It is implemented to allow individuals to make reports when the usual reporting channels/other reporting channels cannot be used or are considered unsuitable in the situation in question.

Furthermore, the use of the whistleblowing process is optional and not using it will not entail any consequences for employees or outside individuals who work for the company on an occasional basis.

However, an individual who abuses this whistleblowing process (e.g.: report made maliciously, to vex, in bad faith, with the intention of personal gain …) could face disciplinary measures as well as legal proceedings.

On the contrary, an individual who uses this process in good faith shall not face disciplinary measures, even if the reported facts are later revealed to be inaccurate or do not lead to any follow-up measures. All necessary and reasonable measures shall be taken to protect the whistleblower, if this report is made in good faith in compliance with this process, in particular to protect him/her from any retaliation, criticism or disciplinary proceedings.

 

4. What are the legal grounds for processing personal data?

In the context of the whistleblowing tool, we will mainly process your personal data based one of the following legal grounds:

  • Because it is necessary to comply with a legal obligation, given the fact that whistleblowing systems are mandatory in some countries where EUROPORTS is located;
  • For the purposes of our legitimate interests, more specifically to monitor compliance with our Code of Conduct. In this respect, we will always determine case by case whether our interests are not overridden by the interests, fundamental rights and freedoms of the data subjects involved.

If we have the legal obligation to obtain your free, informed, specific and unambiguous consent to process your personal data for certain purposes, we will only process your data for such purposes to the extent that we have obtained such consent from you.

 

5. Which categories of personal data will be processed and where do the data come from?

We will only process personal data that is strictly necessary for the purposes described above.

We may obtain these data in the context of the use of the whistleblowing tool. In particular, we may obtain these data because you give them to us (e.g. by filing a report), because others give them to us (e.g. because you occur in a report) or because they are generated by using the platform (e.g. because you occur in the investigation of a report).

In the whistleblowing tool, personal data from various data subjects can be processed, such as a person making a report, a person mentioned in a report, a witness statement or an interview, a person investigating a report or a person serving as a witness in the investigation.

For the purposes mentioned above, we can collect and process during the whistleblowing process the following personal data:

  • identity, job position and contact details of the whistleblower;
  • identity, job position and contact details of the individual(s) mentioned in the report;
  • identity, job position and contact details of the individuals involved in the receipt or processing of the report;
  • reported facts;
  • elements gathered during the investigation of the reported facts;
  • report of the investigative actions;
  • outcome of the report.

If you register for using the whistleblowing tool, you will be asked to provide us with the following personal data (although only the data marked by an (*) are mandatory:

  • Your login credentials for the tool (*);
  • Language (*);
  • Whether you are an employee or an external collaborator of EUROPORTS (*);
  • Whether you want to remain anonymous (*);
  • Your contact details (name, address, e-mail address, contact number);
  • Any optional information that you record about yourself.

 

6. Information of the individual(s) mentioned in the report

The individual mentioned in the report must be informed by the person in charge of the process as soon as data concerning him/her is recorded, by computer or otherwise, so that this individual can object to the processing of his/her personal data.

When safeguard measures are necessary, in particular to avoid the destruction of proof in relation to the report, this individual is informed after these measures have been taken.

This information, carried out in conditions which ensure proper delivery of the information to the person in question, mentions, in particular:

  • the entity in charge of the process;
  • the alleged facts;
  • the recipient(s) of the report;
  • as well as the manner in which the individual can exercise his rights to access and modify the data.

 

7. Who will have access to your personal data?

Personal data collected in the context of a report made through the whistleblowing tool may be processed by or communicated to the following parties when required:

  • Safety Management Systems Inc., with address in the United States, at CT 06851, 5 Eversley St., Suite 360, the independent third party who manages the SMS360 tool on a daily basis;
  • Authorised EUROPORTS representatives responsible for investigating reports (whose involvement depends on the nature or extent of the reported facts and this on a strict need-to-know basis).

Individuals accessing the personal data are specifically trained and subject to a reinforced confidentiality obligation contractually provided for.

We also reserve the right to disclose your personal information as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on us.

 

8. Will your personal data be transferred to countries outside the EEA?

Safety Management Systems Inc., supporting the administration of the SMS360 tool, is located in the United States. Accordingly, we have entered into contractual commitments with this company, considered as a data processor, to ensure that the personal data is kept secure in accordance with applicable law.

Further, EUROPORTS has undertakings in, among others, China and Brazil, to whom the whistleblowing system applies. It is therefore possible that personal data are transferred to recipients in those countries.

Both the data transfer to Safety Management Systems Inc. on the one hand and the data transfer to non-EEA countries within EUROPORTS on the other hand is covered by standard data protection clauses under Article 46.2 of the General Data Protection Regulation.

If occasionally any other recipient of personal data would be located outside of the EEA where the law does not provide the same level of data protection, we will adopt appropriate safeguards to ensure compliance with data protection requirements if needed. If you need any clarification about your personal data being shared outside of the EEA, please contact privacydata@euroports.com.

If necessary, personal data processed in the context of non-EEA EUROPORTS entities can be sent to other countries. As far as necessary, persons using the whistleblowing tool consent to such cross-border transfer. In that event, EUROPORTS will adopt appropriate safeguards in relation to cross-border transfer of personal data in accordance with applicable law.

 

9. How long will your personal data be retained?

The personal data will be kept as long as necessary to process and investigate the report, or, if applicable, as long as necessary to initiate sanctions or to meet any legal or financial requirement. In any case, if judicial or disciplinary proceedings are initiated, the personal data provided will be kept until those proceedings are definitively closed; if not, they will be kept no longer than two months from the date on which investigations end.

 

10. Are your data safe and secure?

We employ strict technical and organizational (security) measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage both online and offline.

These measures include:

  • training to relevant staff to ensure they are aware of our privacy obligations when handling personal data;
  • administrative and technical controls to restrict access to personal data on a ‘need to know’ basis (roles and rights mechanisms, passwords);
  • technological security measures (including fire walls, encryption and anti-virus software, monitoring of access, customer-specific controls, regular review of user accounts, regular back-ups etc.);
  • incident management (strict procedures for incidents, bug fixing, personal data breaches, etc.);
  • physical security measures, such as staff security badges to access our premises.

Although we use appropriate security measures once we have received your personal data, the transmission of data – especially over the internet (including by e-mail) – is never completely secure. We endeavor to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.

 

11. Will we make use of automated decision-making?

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.

As a rule, your personal data will not be used for automated decision-making. We do not base any decisions about you solely on automated processing of your personal data.

 

12. What are your rights with respect to the processing of your personal data?

You have several rights concerning the information we hold about you. We would like to inform you that you have the right to:

  • obtain confirmation that we are processing your personal data and request a copy of the personal data we hold about you;
  • ask that we update the personal data we hold about you, or correct such personal data that you think is incorrect or incomplete;
  • ask that we delete personal data that we hold about you, or restrict the way in which we use such personal data if you believe that there is no (longer a) lawful ground for us to process it;
  • withdraw consent to our processing of your personal data (to the extent such processing is based on consent);
  • receive a copy of the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent the processing is based on consent or a contract);
  • in France: give instructions on your personal data after your death;
  • object to our processing of your personal data for which we use legitimate interest as a legal basis, in which case we will cease the processing unless we have compelling legitimate grounds for the processing.

In order to exercise any of your rights, you can send us a request, indicating the right you wish to exercise by e-mailing us at privacydata@euroports.com.

 

13. Who can you contact?

We hope that this Privacy Statement helps you understand, and feel more confident about the way we process your data. If you have any further queries about this Privacy Statement and this tool in general, please contact privacydata@euroports.com.

 

14. Changes to this Privacy Statement

We may modify or amend this Privacy Statement from time to time. Any changes we may make to this Privacy Statement in the future will be posted on this page. To let you know when we make changes to this Privacy Statement, we will amend the revision date at the top of this page. The new modified or amended Privacy Statement will apply from that revision date. Please check back periodically to see changes and additions.