Whistleblowing policy

GENERAL

NYORDA has established this Whistleblowing Policy, in order to comply with EU Whistleblower Directive (2019/1937) and also all national whistleblowing legislations where applicable but also for the below reasons:

1. Reduced risk for the brand to be damaged. The organizations that lacks an established function which enables anonymous notification of misconduct, are at greater risk that any dissatisfaction increases and spreads further in the organization.
2. Acts preventively and cost savings. Irregularities can be about a variety of things but don’t necessarily have to about direct irregularities such as corruption, bribery, theft, fraud or lawlessness. It can also deal with deviations from internal or external regulations, that transactions have not taken place on commercial terms, misconduct or other act or a behavior which is to be considered unethical.
3. Enables efficient and discreet handling. An unethical behavior or abuse is rarely detected through, for example audits or internal controls.
4. Builds credibility and healthy values.

NYORDA strives to maintain a transparent corporate climate, to observe a standard of business ethics and to always see opportunities for improvement. We always aim to run NYORDA in a long-term and sustainable manner. We are therefore dedicated to ensuring that any irregularities that concern the company, and that might seriously damage the company or our employees, should be drawn attention to and investigated as early as possible. Employees should always contact their manager in the first instance, but this is not always possible. Sensitive information can be hard to share for various reasons. This is why we are now providing a whistleblowing solution where urgent information can be submitted. The system offers the opportunity to remain anonymous, and cases are handled with the utmost confidentiality. In order to further increase credibility, an external party, 2Secure, receives and handles all reports in consultation with NYORDA’s whistleblowing committee. Anyone who suspects an irregularity that is in breach of the law or that the disclosure of which may be in the public interest has the opportunity to speak out with protection against retaliation. You can choose to provide your information anonymously. The right to protection is regulated in the law “Protections for Persons Reporting Irregularities Act” (SFS 2021:890). What can be reported?

• The law applies when reporting a misconduct in a work-related context that there is a public interest in them coming to light.
• The law also applies to the reporting of misconduct in a work-related context in accordance with Directive (EU) 2019/1937. 

What can be reported in other words?

• Serious misconduct that breaches EU law or
• Cases that might be of public interest.

The misconduct must be work related, and you must have come across it in your professional role. Examples of “qualified” whistles BRIBES

• Personal gain
• Systematic
• Internal acceptance
• Fraud

HARASSMENT AND DISCRIMINATION

• Systematic
• Internal acceptance
• Public interest

Examples of “unqualified” whistles/what is not a “whistle”?

• HR matters
• Work environment problems
• Opinions on leadership
• Views on change

Who can submit a report? All persons who, through their work, have come into contact with a suspected misconduct can submit a report, for example:

• employees
• volunteers and trainees
• persons who are performing work under the control and management of a business operator (e.g. hired consultants)
• shareholders who are actively involved in the company
• self-employed persons
• persons who are members of a company’s administrative, management or supervisory body

How can a report be made? Option 1: Report to your Line Manager within NYORDA’s organisation or to the corporate Group’s Management Option 2: Report (anonymously or not) through the reporting tool for whistleblowing in accordance with the instructions below Reporting tool To guarantee a whistleblower’s anonymity, a reporting tool is provided from an independent, external agent. The reporting channel is encrypted and password-protected. The whistleblower never needs to state their identity if they do not want to. If you are using a computer that is connected to NYORDA, however, it may be recorded in the Internet log that you visited the website where reports are submitted. If you do not wish this information to be visible, use a computer that is not connected to NYORDA’s network, or a personal smartphone or tablet.

• The whistleblower does not need to have evidence for their suspicions, but no accusations may be made with malicious intent or in the knowledge that the accusation is false.
• It is important that the whistleblower describes all the facts in the report, including any circumstances that are believed to be less important. Statements should be carefully considered and all documentation that may be relevant should be attached.

REPORTING VIA INTERNAL WHISTLEBLOWING CHANNELS

Reporting can take place in writing via the website, wb.2secure.se or verbally by phone at +46 (0)77 177 99 77. You can choose to remain anonymous in both of these reporting channels. If you would like to report via an in-person meeting, this can be requested by registering a report on the website, wb.2secure.se. The in-person meeting will be held by agreement either with a representative from NYORDA or with NYORDA’s provider of whistleblowing services, 2Secure. When registering a new report on wb.2secure.se, you must state the company-specific code: tbr726 to identify that the report is being made for NYORDA. On the website, you will be asked to answer a number of questions about the matter to which the report relates. You can remain anonymous and are assigned a unique case number and password, which must be saved so that you can actively log in to the website, monitor the report and communicate with the case officer at 2Secure. Once a report has been registered, it is processed by experienced case officers at 2Secure, who will contact NYORDA’s primary contact person based on a predetermined contact list with several names. If the primary contact person is the subject of the report, another person on the contact list will be informed. It is always NYORDA who ultimately assesses the report and decides what measures are to be taken. When reporting orally, you have the right to control and correct potential errors in your report. As you report a case by phone you will receive login information to follow your case on wb.2secure.se. If you wish to control and possibly correct your report after registration, this can be requested through the web portal. You can also choose to sign the protocol of your report by requesting this in the web portal. An administrator from 2Secure will coordinate this. If you choose to sign the protocol from your registration, this means that 2Secure becomes aware of your name / identity. 2Secure protects your anonymity and will not disclose this information to the company. You can thus, even if you wish to sign the protocol from your registration, remain anonymous to NYORDA.

REPORTING VIA EXTERNAL WHISTLEBLOWING CHANNELS

In addition to reporting to NYORDA’s internal whistleblower channel, you can report externally to a competent authority within a specific area of responsibility according to each country´s local legislation. Those local authorities will be made available in this Policy when required by law, ie more than 50 employees per local Nyorda company/subsidiary and when the local whistleblowing legislation is in place. The following authorities have been appointed as competent authorities and established external reporting channels in Sweden: Swedish Work Environment Authority, National Board of Housing, Building and Planning, National Electrical Safety Board, Swedish Economic Crime Authority, Swedish Estate Agents Inspectorate, Swedish Financial Supervisory Authority, Public Health Agency of Sweden, Swedish Agency for Marine and Water Management, Swedish Authority for Privacy Protection, Inspectorate of Strategic Products, Health and Social Care Inspectorate, Swedish Chemicals Agency, Swedish Consumer Agency, Swedish Competition Authority, Swedish Food Agency, Medical Products Agency, The county administrative boards, Swedish Civil Contingencies Agency, Swedish Environmental Protection Agency, Swedish Post and Telecom Authority, Government Offices, Swedish Inspectorate of Auditors, Swedish Tax Agency, Swedish Forest Agency, Swedish Gambling Authority, Swedish Energy Agency, Swedish Board of Agriculture, Swedish Board for Accreditation and Conformity Assessment, Swedish Radiation Safety Authority and Swedish Transport Agency. Go to the website of the Swedish Work Environment Authority for a summary of each authority’s area of responsibility and contact details: https://www.av.se/om-oss/visselblasarlagen/extern-rapporteringskanal/lista-over-myndigheter-med-ansvar-enligt-ansvarsomrade-enligt-forordning-2021949/

PERSONAL DATA

You can remain anonymous when you use the whistleblowing service. NYORDA takes the protection of personal privacy extremely seriously. Below is a summary of some important points regarding the General Data Protection Regulation. Personal data In all cases, NYORDA is obliged to comply with legislation regarding the processing of personal data. It is important that you feel secure when you provide information about yourself and others in the whistleblowing system. We take the protection of personal privacy extremely seriously. Anonymity As a whistleblower, you can choose either to provide your contact details or to remain anonymous. All reports are taken seriously regardless. It can facilitate the continued work of our external case officers if we can contact you to obtain supplementary information. Your contact details will therefore be requested. But providing these details is always completely voluntary. No IP addresses are registered and the system does not use cookies. Responsibility for personal data NYORDA and its respective subsidiaries where the person who is reported is employed are responsible by law for processing personal data. Purpose of registration The personal data will only be used to conduct an investigation into what has been reported to the whistleblowing system. You can read about which types of irregularities can be reported in the whistleblowing guidelines. The Swedish Privacy Protection Authority regulates when anyone other than government agencies may process personal data involving breaches of the law. If a report is received that cannot be processed in the whistleblowing service because of this, or if the irregularity is not sufficiently serious to be handled within the framework of whistleblowing, the case will be closed and all personal data will be erased. You will receive a message in the whistleblowing system stating that this assessment has been made, as well as information about where you can turn instead with your case. Who has access to the personal data? Personal data will only be used by the investigating function of NYORDA’s whistleblowing committee and by the external company that has been assigned to deal with the report. The data is only accessible to people who are working on the report in question. The investigation may be handed over to the police or other authority. What personal data are registered? Initially, the data that you provide as whistleblower is registered. In an investigation, the information that is needed to investigate the case will be registered, which primarily includes name, position and the suspected irregularity that forms the basis of the report. Information will then be obtained from sources that are deemed necessary for investigating the irregularity. For how long are personal data kept? The personal data is usually erased three weeks after the case has been closed, but no more than two years after closure if there are special reasons. Information for the reported party A person who is reported in the whistleblowing service will receive special information about this. If there is a risk that this may jeopardise the continued investigation, the information will not be provided until it is no longer deemed to be a risk. In addition, no register extracts are provided during this period. Register extracts As a whistleblower, you have the right to receive information about the personal data that is registered about you in the whistleblowing service. Such a request for register extract must be made in writing and signed. Please send it to 2Secure, Dataskyddsombud, Box 34037, 10026 Stockholm. If any of the details are incorrect, incomplete or misleading you have the right to request that they be corrected. A register extract sent to a reported person will not contain any information identifying you as the whistleblower. The information may therefore be provided in summarised form.