By means of this whistleblowing platform, embedded in the SMS360 tool, a breach of the Code of Conduct in accordance with the Global Whistleblowing Policy can be reported, investigated and recorded.
This Privacy Statement explains how and why personal data are processed in this tool, how we protect them and how long we keep them, when the whistleblowing tool is used.
Who will process personal data?
What is the purposes for processing personal data?
What are the legal grounds for processing personal data?
Which categories of personal data will be processed and where do the data come from?
Information of the individual(s) mentioned in the report
Who will have access to your personal data?
Will your personal data be transferred to countries outside the EEA?
Will we make use of automated decision-making?
How long will your personal data be retained?
Are your data safe and secure?
What are your rights with respect to the processing of your personal data?
Who can you contact?
Changes to this Privacy Statement?
The Euroports group of undertakings (hereinafter referred to as “EUROPORTS”) (jointly) determine(s) the purposes and means of the processing of personal data in the context of the whistleblowing tool. Consequently, the group undertakings act as joint controllers with respect to this tool
They have determined their respective responsibilities with respect to the whistleblowing tool in an intra-group agreement. You can always contact us in order to obtain more information about the essence of this arrangement.
In the context of the whistleblowing tool, personal data are processed for the purpose of of the initial reporting and investigation of reports of alleged breaches of the EUROPORTS Code of Conduct and the subsequent review of these reports and the reporting of the relevant outcome to the Executive Committee.
EUROPORTS reiterates the fact that ordinary channels of information exist within the company, allowing employees to report any malfunctions, in particular to their line manager, or through staff representatives or internal audits.
This whistleblowing process is only an addition to the other forms of reporting. It is implemented to allow individuals to make reports when the usual reporting channels/other reporting channels cannot be used or are considered unsuitable in the situation in question.
Furthermore, the use of the whistleblowing process is optional and not using it will not entail any consequences for employees or outside individuals who work for the company on an occasional basis.
However, an individual who abuses this whistleblowing process (e.g.: report made maliciously, to vex, in bad faith, with the intention of personal gain …) could face disciplinary measures as well as legal proceedings.
On the contrary, an individual who uses this process in good faith shall not face disciplinary measures, even if the reported facts are later revealed to be inaccurate or do not lead to any follow-up measures. All necessary and reasonable measures shall be taken to protect the whistleblower, if this report is made in good faith in compliance with this process, in particular to protect him/her from any retaliation, criticism or disciplinary proceedings.
In the context of the whistleblowing tool, we will mainly process your personal data based one of the following legal grounds:
If we have the legal obligation to obtain your free, informed, specific and unambiguous consent to process your personal data for certain purposes, we will only process your data for such purposes to the extent that we have obtained such consent from you.
We will only process personal data that is strictly necessary for the purposes described above.
We may obtain these data in the context of the use of the whistleblowing tool. In particular, we may obtain these data because you give them to us (e.g. by filing a report), because others give them to us (e.g. because you occur in a report) or because they are generated by using the platform (e.g. because you occur in the investigation of a report).
In the whistleblowing tool, personal data from various data subjects can be processed, such as a person making a report, a person mentioned in a report, a witness statement or an interview, a person investigating a report or a person serving as a witness in the investigation.
For the purposes mentioned above, we can collect and process during the whistleblowing process the following personal data:
If you register for using the whistleblowing tool, you will be asked to provide us with the following personal data (although only the data marked by an (*) are mandatory:
The individual mentioned in the report must be informed by the person in charge of the process as soon as data concerning him/her is recorded, by computer or otherwise, so that this individual can object to the processing of his/her personal data.
When safeguard measures are necessary, in particular to avoid the destruction of proof in relation to the report, this individual is informed after these measures have been taken.
This information, carried out in conditions which ensure proper delivery of the information to the person in question, mentions, in particular:
Personal data collected in the context of a report made through the whistleblowing tool may be processed by or communicated to the following parties when required:
Individuals accessing the personal data are specifically trained and subject to a reinforced confidentiality obligation contractually provided for.
We also reserve the right to disclose your personal information as required by law, or when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, request from a regulator or any other legal process served on us.
Safety Management Systems Inc., supporting the administration of the SMS360 tool, is located in the United States. Accordingly, we have entered into contractual commitments with this company, considered as a data processor, to ensure that the personal data is kept secure in accordance with applicable law.
Further, EUROPORTS has undertakings in, among others, China and Brazil, to whom the whistleblowing system applies. It is therefore possible that personal data are transferred to recipients in those countries.
Both the data transfer to Safety Management Systems Inc. on the one hand and the data transfer to non-EEA countries within EUROPORTS on the other hand is covered by standard data protection clauses under Article 46.2 of the General Data Protection Regulation.
If occasionally any other recipient of personal data would be located outside of the EEA where the law does not provide the same level of data protection, we will adopt appropriate safeguards to ensure compliance with data protection requirements if needed. If you need any clarification about your personal data being shared outside of the EEA, please contact email@example.com.
If necessary, personal data processed in the context of non-EEA EUROPORTS entities can be sent to other countries. As far as necessary, persons using the whistleblowing tool consent to such cross-border transfer. In that event, EUROPORTS will adopt appropriate safeguards in relation to cross-border transfer of personal data in accordance with applicable law.
The personal data will be kept as long as necessary to process and investigate the report, or, if applicable, as long as necessary to initiate sanctions or to meet any legal or financial requirement. In any case, if judicial or disciplinary proceedings are initiated, the personal data provided will be kept until those proceedings are definitively closed; if not, they will be kept no longer than two months from the date on which investigations end.
We employ strict technical and organizational (security) measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage both online and offline.
These measures include:
Although we use appropriate security measures once we have received your personal data, the transmission of data – especially over the internet (including by e-mail) – is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to us or by us.
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
As a rule, your personal data will not be used for automated decision-making. We do not base any decisions about you solely on automated processing of your personal data.
You have several rights concerning the information we hold about you. We would like to inform you that you have the right to:
In order to exercise any of your rights, you can send us a request, indicating the right you wish to exercise by e-mailing us at firstname.lastname@example.org.
We hope that this Privacy Statement helps you understand, and feel more confident about the way we process your data. If you have any further queries about this Privacy Statement and this tool in general, please contact email@example.com.
We may modify or amend this Privacy Statement from time to time. Any changes we may make to this Privacy Statement in the future will be posted on this page. To let you know when we make changes to this Privacy Statement, we will amend the revision date at the top of this page. The new modified or amended Privacy Statement will apply from that revision date. Please check back periodically to see changes and additions.