The whistleblowing system is used to report any suspicion of unacceptable circumstances. Personal data will, in many cases, be processed in connection with the handling of whistleblowing reports.
Whistleblowing reports may be submitted via the external whistleblowing service managed by KPMG or via the regular reporting line at Bane NOR (i.e. via a manager, who will escalate the matter to the Whistleblowing Secretariat).
The personal data protection requirements apply regardless of how and where a report is submitted and regardless of who the whistleblowing report is handled by.
You can choose to submit a report anonymously if you prefer. You can also choose to be anonymous in relation to Bane NOR only. This means that KPMG would know your identity and would be able to pass on any questions between yourself and us, but we would not be informed of who the whistleblowing report was submitted by.
All processing of personal data at Bane NOR, including data relating to both the whistleblower and the reported individual, shall take place in accordance with Norwegian legislation.
Bane NOR is the data controller for the processing of personal data in connection with the handling of whistleblowing reports.
KPMG supplies and operates the solution for Bane NOR’s whistleblowing channel and is our data processor.
Bane NOR has entered into a data processing agreement with KPMG, which ensures that any personal data that is registered and stored in the solution is processed in accordance with the requirements set out in the General Data Protection Regulations.
When you report unacceptable circumstances, the reporting may involve the processing of personal data. If you do not choose to submit your report anonymously, we will process data relating to you and we may also process data about individuals mentioned in your report.
Data may also be processed in connection with the follow-up on whistleblowing reports in order for us to clarify the facts and take the necessary action. The content of a whistleblowing report can be wide-ranging and may include allegations of criminal offences, as well as health data. This type of data is subject to particularly stringent requirements for processing.
We encourage whistleblowers to provide only the information that is relevant to highlighting the unacceptable circumstances that are being reported and to avoid including any unnecessary personal data.
It is entirely up to you whether you want to be anonymous when you report a matter. If a whistleblower chooses not to be anonymous, the identity of the whistleblower will be shared with those who are dealing with the matter. If the whistleblower chooses to use the whistleblowing service, the whistleblower will have the opportunity to be anonymous in relation to Bane NOR but to share their identity with KPMG. In such cases, the whistleblower’s personal data would not be processed by Bane NOR.
When following up on a whistleblowing report, the collection of data is limited only to what is strictly necessary to clarify the matter and, if necessary, to verify the content of the whistleblowing report. In connection with investigations, additional information may be obtained or information that has already been collected may be used. The extent of data that is collected should be minimised.
In order to process personal data in connection with whistleblowing reports, Bane NOR’s legal basis for processing is Article 6 c and, if applicable, Article 9 b of the General Data Protection Regulation.
The processing of personal data in connection with the handling of whistleblowing cases is necessary to fulfil Bane NOR’s obligations pursuant to Chapter 2 A, etc. of the Norwegian Working Environment Act.
Articles 5 and 32 of the General Data Protection Regulation set out strict requirements concerning security in connection with the processing of personal data. Our procedures will ensure compliance with these requirements, both in connection with communication and continued follow-up on a whistleblowing report.
When communicating a whistleblowing report, the only data recorded in the online whistleblowing system will be the whistleblowing report itself. All data transmission is also encrypted, i.e. no unencrypted data is transmitted over the open internet.
We do not log IP addresses or machine IDs for the device (tablet, phone, PC, Mac, etc.) from which the whistleblowing report is submitted.
If a whistleblowing report is submitted from a computer connected to the company’s network, there will be a (theoretical) risk that the websites you have visited will be recorded in the company’s log.
If you want to submit a report anonymously and wish to eliminate the (theoretical) risk of the log being used to identify you, you can make sure that you submit your report from a computer that is not connected to the company’s network.
Your personal data will be stored for as long as necessary to fulfil the purposes for which the data was collected.
Personal data in the KPMG whistleblowing system will be deleted as soon as possible and usually within two months of completing the investigation of the facts.
This period may vary in the event that legal or disciplinary action is taken against the accused or against the whistleblower in cases where the report is false or defamatory. In such cases, personal data will be retained until a final decision has been made and the appeals deadline/right of appeal has expired.
There may be cases in which the Norwegian Archives Act imposes longer retention periods. This will be assessed on a case-by-case basis.
Upon request, you have the right to receive information about the personal data we process in relation to you and to receive a copy of such data.
Both the whistleblower and the reported individual have a right to information pursuant to Articles 13 and 14 of the General Data Protection Regulation. This applies to the collection of personal data directly from the person to which the personal data relates and to the collection of personal data via others.
The reported individual has a right to receive information as soon as possible and no later than within one month of their personal data having been collected (cf. Article 14.no 1 to no. 3 of the General Data Protection Regulation). It is important that the reported individual is informed of any suspicion and the basis for such suspicion.
You have a right of access to your own personal data.
If the reported individual, or others, request access to their own personal data, they shall generally have the right to request access to all personal data relating to them that is being processed in connection with the whistleblowing report.
Nevertheless, there are some exceptions from the right of access in cases where access could infringe upon the rights of others. This means, among other things, that no access to data will be provided in relation to the identity of the whistleblower or data that could reveal the identity of the whistleblower.
Exceptions from this may apply in cases where the whistleblower has demonstrably and knowingly made false accusations.
Please note that even though access to the identity of the whistleblower should not be provided pursuant to the provisions of the General Data Protection Regulation, this does not preclude access from being granted pursuant to other relevant legislation, for example in the event of a police investigation or legal proceedings.
It is important to ensure that the data we process is correct. You can ask Bane NOR to correct or supplement data relating to you if such data is incorrect or misleading.
In some situations, you can also ask Bane NOR to erase data relating to you.
Please contact us via e-mail if you would like to exercise your rights as a data subject.
You have the right to complain about our processing of personal data to the Norwegian Data Protection Authority. Read more on the Norwegian Data Protection Authority’s website.
If you have experienced something you believe to be a violation of the regulations, you can complain to the Norwegian Data Protection Authority by sending a written request to:
The Norwegian Data Protection Authority