Ramboll Group A/S, Hannemanns Allé 53, DK-2300 Copenhagen S, CVR-number 10160669 (“Ramboll”, “we”, “us”, “our”) will as data controller operate Ramboll’s Whistleblower System to ensure that you know how to raise a compliance concern if you observe or suspect misconduct, and provide a remediation framework for serious and sensitive compliance concerns that could have an adverse impact on Ramboll’s business.
Below you will find a description of the personal data we will collect and process about you as well as the purpose on which basis we are processing the personal data when you use the Whistleblower System.
What concerns can you raise?
You can raise a compliance concern if you reasonably suspect a breach of laws, policies, and/or other Ramboll obligations.
The nature of compliance concerns could include:
Illegal activity;
Financial fraud (for example accounting manipulation, noncompliance with internal controls procedures, misappropriation of assets or fraudulent statements);
Bribery or corruption (for example conflicts of interest or facilitation payments);
Violation of competition laws (for example price fixing, exchange of price sensitive information, collusion with competitors); and/or
Activities, which otherwise by law, treaty or agreement amount to serious improper conduct (for example discriminatory practices, sexual harassment, use of child labour, human rights violations).
Reports on matters that are not a breach of law, policy and/or other Ramboll obligations, such as dissatisfaction with wages or difficulties with cooperation between colleagues, should be made via the usual internal channels if you are an employee of Ramboll or any of the Ramboll entities.
Types of personal data and legal basis
Legitimate interest. Ramboll collects and processes personal data about you for the purpose of pursuing a legitimate interest of Ramboll, in ensuring compliance with applicable laws throughout all of Ramboll’s operations and facilitating the provision of information by data subjects from Ramboll regarding a suspected breach of such compliance and in order to provide a response to the requests made by you which interests in processing the personal data overrides your interests. Under the GDPR this is in accordance with article 6(1) (f).
To comply with a legal requirement. We collect and process personal data about you for the purpose of complying with legal requirement in order to meet a legal obligation imposed by law, by regulation or by community and/or national rules specific for the reported concern if applicable. Under the GDPR this is in accordance with article 6(1) (c).
Ramboll collects and processes the following personal data about you for the above purposes:
Report made by (name, e-mail and telephone number);
Depending on the compliance concern reported e.g.:
o Description of the alleged violation, including names of any persons involved in the violation, as well as the date and place of the violation;
o If the possible violation is expected to reoccur – specifying where and when;
o Specifying if any other person within Ramboll or outside Ramboll knows of the violation or is expected to have this knowledge as well;
o Any document(s) or evidence relating to the possible violation attached when filing the report; and
o Any other detail or information that may facilitate the investigation.
There is no log made in the Whistleblower System as to the IP address or machine ID of the computer on which the concern is reported.
How we process your personal data
Your personal data will be accessed by specially appointed employees at Ramboll and third party IT service providers engaged by Ramboll including specially appointed employees in Ramboll entities globally on a need to know basis only.
Ramboll will generally not disclose the personal data to third parties, however, we will transfer your personal data to our IT service providers, and/or Ramboll entities that are established outside of the EU/EEA. When third party services providers and/or Ramboll entities process your personal data outside of the EU/EEA, such transfer of personal data will either be subject to the EU-U.S. Privacy Shield or the European Commission’s standard contractual clauses.
Ramboll will also transfer your personal data to our external attorney or auditor in connection with the processing of the concern, including reporting the concern to relevant authorities.
Ramboll will keep your personal data for as long as is needed to fulfil our purposes of investigating compliance concerns and documenting our compliance with applicable laws, unless Ramboll is required under applicable law to keep your personal data for a longer period.
Different retention periods apply if legal proceedings or disciplinary measures are initiated.
Do reported compliance concerns remain confidential?
All reports made through Ramboll’s reporting channels are confidential. Only the Ramboll Group Compliance Director and Ramboll Group Compliance Investigators have access to the reporting email and the Whistleblower system. Ramboll’s Whistleblower System is monitored by an independent external assurance provider.
Information about your concern, including your personal data will only be shared with a limited number of people on a strict need-to-know basis, or if required to do so by law or an important public interest is at stake.
All Ramboll Group Compliance investigations are conducted under a qualified attorney for the purpose of preventing recurrence and for obtaining legal advice on behalf of Ramboll.
You can help us keep compliance concerns confidential by being discreet and not discussing an ongoing investigation with others.
Will you be protected if you speak up?
You are protected for speaking up in good faith. Ramboll will not accept any retaliation, discrimination or disciplinary action against anyone for raising concerns in good faith or based on a reasonable belief of violation or suspected violation, even if the compliance concern turns out to be mistaken.
What happens after I have reported a compliance concern?
You will be notified when Ramboll Group Compliance has received your compliance concern.
Ramboll Group Compliance will assess and investigate your compliance concern in accordance with internal procedure for compliance concerns and whistleblower handlings.
Your rights
The right to information and access. You have the right to ask us for information about or access to your personal data. There are some exemptions, which means you may not always receive all the personal data that we process.
The right to object. You have the right to object to Ramboll processing (using) your personal data. This effectively means that you can stop or prevent us from using your personal data. However, it only applies in certain circumstances, and we may not need to stop the processing of your personal data if we can give legitimate reasons to continue using your personal data.
The right to erasure. You have the right to ask us to erase your personal data in certain circumstances.
The right to rectification. You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.
The right to restriction of processing. You have the right to ask us to restrict the processing of your personal data in certain circumstances.
The right to complaint. If you have any complaints about Ramboll’s processing of your personal data, you may contact the Danish Data Protection Agency.
Contact information
If you observe or suspect breach of laws, policies, and/or other Ramboll obligations. You should report the compliance concerns through Ramboll Group Compliance (reporting@ramboll.com).
You may otherwise contact us by contacting privacy@ramboll.com in regard to your personal data.