Privacy Policy – whistleblower scheme

At the JPS Marselis Group, we have set up an internal, Group-wide whistleblower scheme operated by JPS Marselis ApS. In this Privacy Policy, we describe our processing of personal data in connection with our whistleblower scheme.

When we refer to ‘we’, ‘us’ or ‘our’ in this Privacy Policy, we are referring to JPS Marselis ApS and the JPS Marselis Group company or companies which the whistleblower and the person being reported or named in a report are employed or otherwise associated with.

You can read more about our whistleblower scheme in our whistleblower policy.

Data controller and contact details

JPS Marselis ApS and the JPS Marselis Group company or companies which the whistleblower and the person being reported or named in a report are employed or otherwise associated with are data controllers with regard to processing personal data under the whistleblower scheme.

JPS Marselis ApS’ legal information and contact details are as follows:

JPS Marselis ApS

Thyrasgade 4
DK-8260 Viby J
CVR no. 38 11 01 36

Email: pna@jpsmarselis.dk

Information about JPS Marselis Group companies including contact details is available here: jpsmarselis.com.

Our processing of personal data

Categories of personal data

The personal data about you that we process may include:

Personal data for individuals being reported

Reports submitted via the whistleblower scheme may deal with employees in the JPS Marselis Group and other persons who have an association with the JPS Marselis Group. When we receive a report, we process the following types of personal data:

  • Ordinary personal data, including:
    • Identity details (name, title, company name, telephone number, email address).
    • Personal data that is included in the description of the situation being reported, including any criminal activity
  • Sensitive personal data, including information about sexual relations, if this is part of the report.
  • Ordinary and any sensitive personal data about individuals who are named in the disclosure, for example, someone exposed to undesirable conduct by the individual being reported.

Any person mentioned in a report will be notified about our processing of his/her personal data provided that such notification does not seriously impair the achievement of the objectives of the processing.

Personal data about whistleblowers

Whistleblowers can choose to be anonymous. If you make a report and choose not to be anonymous, we process the following types of personal data about you:

  • Ordinary personal data, including:
    • Identity details (name, title, company name, telephone number, email address).
    • Personal data included in your report, including in relation to any criminal offence, if it is suspected that you have knowingly made a false accusation.
  • We do not process sensitive personal data about you, unless you choose to disclose this kind of information in the report.

If you make a report about a person employed or otherwise associated with Hornbaek Baltic AS and choose not to be anonymous, your personal data will be pseudonymized.

Purpose and legal grounds

We process personal data for the purpose of handling and investigating reports made as part of our whistleblower scheme.

Legal grounds for processing personal data:

  • With respect to processing necessary to fulfil our obligations under the Danish whistleblower legislation, the legal basis for our processing is the Danish Whistleblower Protection Act, Sec. 22, cf. GDPR Art. 6, para 1, lit. c and e, Art. 9, para 2, lit. g, and the Danish Data Protection Act Sec. 8, para 5, cf. Sec. 7, para 4.
  • With respect to processing necessary to fulfil our obligations under the German whistleblower legislation, the legal basis for our processing is Art. 6, para 1, lit. f of the GDPR, cf. Sec. 10 of the German Whistleblower Protection Act (“HinSchG”). The legal basis for processing sensitive personal data in accordance with Art. 9 para. 1 of the GDPR follows directly from Sec. 10 HinSchG (in connection with Art. 6 para. 1 lit. c, cf. Art. 9 para 1 of the GDPR).
  • With respect to processing necessary to fulfil our obligations under the Latvian whistleblower legislation, the legal basis for our processing is Art. 6, para 1, lit. c and f of the GDPR and Art. 11 of the Latvian Whistleblower Act. The legal basis for processing sensitive personal data is Art. 9, para 2, lit. f of the GDPR.
  • For reports not covered by whistleblower legislation, the legal basis for our processing is Art. 6 para 1 lit. f of the GDPR as we have a legitimate interest in investigating reports under the whistleblower scheme, and Art. 9 para 2, lit. f of the GDPR.

Disclosure of personal data and categories of recipients

Personal data about you may be disclosed in accordance with the processing rules in the General Data Protection Regulation (the “GDPR”) and in accordance with applicable national whistleblower and privacy legislation.

We disclose or make available personal data to the following categories of recipients:

  • The management of JPS Marselis ApS and the management of the company/companies to which the reports relates.
  • The subsidiary that the person being reported is employed in or associated with, for the purpose of investigating the report.
  • External solicitors, accountants and other consultants in connection with the investigation and following up on the report.
  • Police authorities and other public authorities.
  • Our data processors on the basis of data processing agreements, e.g. IT system providers.

Transfer of personal data to recipients outside of the EU/EEA

In certain cases, we will transfer your personal data to non-EU/EEA countries. We will do so when we use data processors in non-EU/EEA countries. Such transfers will take place in compliance with the GDPR, for example through the use of the European Commission’s standard contractual clauses, on the basis of European Commission Adequacy Decisions, or on the basis of the recipient’s adherence to the EU-US Data Privacy Framework.

Deletion

We delete your personal data when storing it is no longer necessary and proportional.

Reports not covered by the whistleblower scheme, or which are clearly unfounded, will be deleted immediately.

If an investigation is launched against the background of a report, as a general rule the data will be deleted 6 months after the end of the investigation, unless we have a legitimate interest in storing the data for longer.

If matters are reported to the police or other relevant authorities, the data is deleted immediately after the case has been closed by the relevant authorities, unless we have a legitimate interest in storing the data for a longer period of time.

If, following a report, a contractual, disciplinary or other sanction is carried out for the employee reported or a whistleblower, or if there is an objective reason for storing the data about the employee or the whistleblower, the data will be stored in that individual’s personnel file. After termination of employment, data about an employee is, as a general rule, stored for up to five years after the year of termination. After termination of employment, data about an employee is, as a general rule, stored for up to five years after the year of termination.

Your rights

You have the following rights with regard to our processing of your personal data:

  • You have the right to request insight into, correction or deletion of your personal data that we process. If you request deletion, we will delete the personal data without unnecessary delay, unless we can continue processing the data on a different legal basis.
  • You are entitled to object to our processing of your personal data and to restrict the processing of your personal data unless we can continue processing the data against the background of another legal basis.
  • You have the right to have the personal data that you have personally provided us returned to you in a structured, commonly used, and machine-readable format (data portability).

There may be legally set restrictions or limitations in relation to these rights. In this context it should be noted that your rights do not apply in cases where your interest in exercising your rights should give way to crucial consideration of private or public interests. Therefore, the person being reported does not have the right to receive information about the identity of a person who made the report in good faith, or factual information other than those related to him/her, unless otherwise clearly mandated by legislation.

To exercise your rights or if you have any questions about how we process your personal data, please contact us. You will find our contact details at the top of this privacy policy.

Please include sufficient information in this regard to enable us to process your enquiry, including your full name and email address, so we can identify you and respond to your request. We will respond to your enquiry as soon as possible.

You have the right to lodge a complaint about our processing of your personal data with the competent supervisory authority. Contact details available here:

Updated March 2025