Whistleblowing System at Firefly
Information for reporting individuals and others than reporting individuals.
1. Data Controller
The data controller for the processing of personal data in connection with reporting misconduct is Firefly AB. Contact information and information about representatives are available on the Firefly AB website.
2. General Handling of Personal Data after Reporting in the Whistleblower Channel
Reporting individuals report via a web application or via voicemail. A specially authorized handler is assigned to the case and can then read/listen to the report.
Only the employee(s) assigned to a case in the reporting system can read/listen to a report and correspondence with the reporting individual.
The reporting individual may choose to remain anonymous, but there is a risk that the information will be more difficult to follow up on.
There is a messaging function in the web application. When reporting individuals write messages in a reported case, the handler of the case only sees the case reference number as the sender.
Upon receipt of a report, an initial assessment of the information in the report is made regarding whether further information is needed. The case leads to the handler providing a recommendation to the data controller regarding further handling. It is always the data controller who decides on actions based on the report.
Decisions on actions may include, for example, that the case should:
- be closed (for example, due to insufficient evidence or other reasons),
- initiate a more in-depth investigation,
- be forwarded for internal or external handling (for example, to the responsible person at Firefly or the police authority).
Reporting individuals are encouraged to refrain from providing information that is not relevant to the case. This includes, among other things, knowingly false statements and information that may be perceived as offensive.
3. Purpose of Processing Personal Data
The purpose of processing personal data in connection with the handling of whistleblower cases is for Firefly AB to prevent, become aware of, and address misconduct in its operations, and in some cases to be able to establish, assert, or defend legal claims arising from reported misconduct.
The purpose of processing personal data is also for Firefly AB to fulfill its obligations under applicable regulations regarding the reporting of misconduct (including the law on protection for individuals reporting misconduct).
4. Legal Basis for Processing Personal Data
The legal basis for processing personal data in internal and external reporting is that the processing is necessary to fulfill legal obligations incumbent upon the data controller. The legal obligations are set forth in the law on protection for individuals reporting misconduct.
5. Recipients of Personal Data
The information in the system is stored within Sweden and processed on behalf of the data controller.
Additionally, information containing personal data may be provided to the designated contacts of the data controller, police or prosecutor’s authority, or other authority.
The circumstances of the individual case determine whether information needs to be disclosed, such as whether it is necessary to initiate a personnel matter or, due to the report, file a police report.
6. Storage of Personal Data
Personal data collected for the handling of whistleblower cases is retained for a maximum of two years after the processing of the data in the case has been completed.
A reporting case is considered closed when the whistleblower function has taken closing measures in the case, for example, when the data controller has decided that an investigation should be closed, that the information should be forwarded for further investigation or handling, and when any legal proceedings have concluded, etc.