WHISTLEBLOWER PRIVACY NOTICE

Ramboll Group A/S, Hannemanns Allé 53, DK-2300 Copenhagen S, CVR-number 10160669 (“Ramboll”, “we”, “us”, “our”) will as data controller operate Ramboll’s Whistleblower System to ensure that you know how to raise a compliance concern if you observe or suspect misconduct and provide a remediation framework for serious and sensitive compliance concerns that could have an adverse impact on Ramboll’s business.

Below you will find a description of the personal data we will collect and process about you as a whistleblower, as well as the purposes for which and the legal basis on which we process the personal data when you report a compliance concern to the Whistleblower System.


What concerns can you raise?

You can raise a compliance concern if you reasonably suspect a breach of laws (whether national or regional, e.g., EU), policies, and/or other Ramboll obligations.

The nature of compliance concerns could include:

  • Illegal activity;
  • Financial fraud (for example accounting manipulation, noncompliance with internal controls procedures, misappropriation of assets or fraudulent statements);
  • Bribery or corruption (for example conflicts of interest or facilitation payments);
  • Violation of competition laws (for example price fixing, exchange of price sensitive information, collusion with competitors); and/or
  • Activities, which otherwise by law, treaty or agreement amount to serious improper conduct (for example discriminatory practices, sexual harassment, use of child labour, human rights violations).

Reports on matters that are not a breach of law, policy and/or other Ramboll obligations, such as information of a trivial nature and information regarding the employee’s own employment conditions (e.g. dissatisfaction with wages or difficulties with cooperation between colleagues), are not covered by the whistleblower solution, except in cases of sexual harassment or other forms of serious harassment. Such reports should be made via the usual internal channels if you are an employee of Ramboll or any of the Ramboll entities.

Types of personal data and legal basis

To comply with a legal requirement. We collect and process personal data about you for the purpose of complying with legal requirements in order to meet a legal obligation imposed by law, by regulation or by community and/or national rules specific for the reported concern, if applicable. Under the GDPR this is in accordance with GDPR article 6(1)(c), cf. the Whistleblower Directive and national whistleblower legislations.

Legitimate interest. Ramboll collects and processes personal data about you for the purpose of pursuing Ramboll’s legitimate interests in ensuring compliance with applicable laws throughout all of Ramboll’s operations, in facilitating the provision of information by whistleblowers from Ramboll regarding a suspected breach of such compliance, and in providing a response to the requests made by you. These interests in processing the personal data override your interests. Under the GDPR this is in accordance with GDPR article 6(1)(f).

Necessary for reasons of substantial public interest. If Ramboll has received sensitive personal data in relation to a reported compliance concern, these data are processed in accordance with GDPR article 9(2)(g), cf. the Whistleblower Directive and national whistleblower legislations.

Unless you choose to stay anonymous Ramboll collects and processes the following personal data about you for the above purposes:

  • Report made by (name, e-mail and telephone number);
  • Depending on the compliance concern reported, e.g.:
      • Description of the alleged violation, including names of any persons involved in the alleged violation, as well as the date and place of the alleged violation;
      • If the alleged violation is expected to reoccur – specifying where and when;
      • Specifying if any other person within Ramboll or outside Ramboll knows of the alleged violation or is expected to have this knowledge as well;
      • Any document(s) or evidence relating to the alleged violation attached when filing the report; and
      • Any other detail or information that may facilitate the investigation.

The IP address or machine ID of the computer on which the concern is reported is not logged in the Whistleblower System.

If you have decided to report anonymously, please take care not to include any information in your report which may identify you.

How we process your personal data

Your personal data will be accessed by specially appointed employees at Ramboll and third-party IT service providers engaged by Ramboll including specially appointed employees in Ramboll entities globally on a strict need-to-know basis.

Ramboll will generally not disclose the personal data to third parties. However, we will transfer your personal data to our IT service providers and/or Ramboll entities that are established outside of the EU/EEA. When third-party service providers and/or Ramboll entities process your personal data outside of the EU/EEA, such transfer of personal data will either be subject to Ramboll’s BCR, the EU-U.S. Data Privacy Framework or the European Commission’s Standard Contractual Clauses.

Ramboll will also transfer your personal data to our external attorney or auditor in connection with the processing of the concern, including reporting the concern to relevant authorities.

Ramboll will keep your personal data for as long as necessary to fulfil our purposes of investigating compliance concerns and documenting our compliance with applicable laws, unless Ramboll is required under applicable law to keep your personal data for a longer period.

Different retention periods apply if legal proceedings or disciplinary measures are initiated.



Do reported compliance concerns remain confidential?

All reports made through Ramboll’s reporting channels are confidential. Only the Ramboll Group Business Integrity, Data & Information Security Director and Ramboll’s Speak Up Team investigators have access to the reporting email and the Whistleblower System. They are all subject to strict confidentiality. Ramboll’s Whistleblower System is monitored by an independent external assurance provider.

Information about your compliance concern will only be shared with a limited number of people on a strict need-to-know basis, or if required by law or if an important public interest is at stake. Information about your identity, or information which might identify you directly or indirectly, will not be disclosed to anyone other than authorised employees or unauthorised employees (e.g., for follow-up on a compliance concern, where unauthorised employees also become subject to the strict confidentiality) at Ramboll without your explicit consent. Whether information can make you identifiable is based on a concrete assessment.

All Ramboll Group Compliance investigations are conducted under a qualified attorney for the purpose of preventing recurrence and for obtaining legal advice on behalf of Ramboll.

You can help us keep compliance concerns confidential by being discreet and not discussing an ongoing investigation with others.

Will you be protected if you speak up?

You are protected for speaking up in good faith. Ramboll will not accept any retaliation, discrimination or disciplinary action against anyone for raising concerns in good faith or based on a reasonable belief of violation or suspected violation, even if the compliance concern turns out to be mistaken.

What happens after I have reported a compliance concern?

You will be notified when Ramboll’s Global Speak Up Team has received your compliance concern.

The Global Speak Up Team will assess and investigate your compliance concern in accordance with the internal procedure for compliance concerns and whistleblower handling.

Your rights

The right to information and access. You have the right to ask us for information about or access to your personal data. There are some exemptions, which means you may not always receive all the personal data that we process.

The right to object. You have the right to object to Ramboll processing (using) your personal data. This effectively means that you can stop or prevent us from using your personal data. However, it only applies in certain circumstances, and we may not need to stop the processing of your personal data if we can give legitimate reasons to continue using your personal data.

The right to erasure. You have the right to ask us to erase your personal data in certain circumstances.

The right to rectification. You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.

The right to restriction of processing. You have the right to ask us to restrict the processing of your personal data in certain circumstances.

The right to complain. If you have any complaints about Ramboll’s processing of your personal data, you may contact the Danish Data Protection Agency.

Contact information

If you observe or suspect a breach of laws, policies, and/or other Ramboll obligations, you should report the compliance concern through Ramboll Group Business Integrity, Data & Information Security (speakup@ramboll.com).

You may otherwise contact us at privacy@ramboll.com regarding your personal data.