The network’s Fiscal host Open Constitution S/I has implemented a whistleblower reporting mechanism that enables people to anonymously inform the Open Council of possible breaches of the Foundation’s Code of Conduct about human activity, concerning the projects and programs on the Open Constitution network. The Foundation’s Open Tribunal may impose sanctions for breaches, including a reprimand or a demand that a grant be repaid.

The purpose of the whistleblower policy and scheme is to promote transparency and increase accountability for the behaviour of the Foundation and its collaborators.

The members from the Open Council‘s Ethics, Observation and Legal Council manage the concerns reported under the whistleblower policy and scheme. The nature of the internal process then initiated depends on the nature of the concerns reported.

Privacy Policy for Whistleblower Reporting:

What information will be registered?

You can use the reporting system to report breaches or suspicions of breaches of our Code of Conduct.

Reports on matters such as dissatisfaction with wages, difficulties with cooperation between colleagues, etc. should be made via the usual Help Center channels. If they are made using this reporting system they will be immediately deleted and the report will be closed.

“Organisation” refers to the constitutional body (read Committee) of the Open Constitution that receives the report.

Logging The registration of reports takes place anonymously in the system and is passed through the network’s AI. The only thing that is registered is the report itself. There is no log made as to the IP address or machine ID of the computer on which the report is made. The network AI does not store the information concerning the identity of the machine. Correction of registered information If you realise that you have provided incomplete or incorrect information, just make a new report in the system in which you refer to the previous report and describe what should be corrected. If you, in connection with the creation of a report, have decided to create a secure post box, you can make the correction by logging in to the system using your case number and the password you had created. Transfers of registered information The information registered in the system is generally not transferred to a third party outside of the organisation. However, in the following circumstances, the information may be transferred onward:

• Transfer to an external attorney or auditor in connection with the case processing of the report.

• If the report results in a lawsuit.

• If the law so requires.

Your personal information (name, e-mail and telephone number) If you provide your personal information, be aware that the organisation can use your personal information when investigating the case, and also during any subsequent lawsuit. The organisation guarantees that your data protection rights will be respected without limitations and will only be used as described above. The organisation will not share your personal information with third parties outside of the or correct the cases as described above in the section ”Transfer of registered information”. Deletion of registered data Registered data may only be retained for as long as there is a need for it. When there no longer is a need to retain the registered information, the information is deleted. IT security The reporting system is hosted by Muellners ApS, Open Constitution network’s data processor and electronic lease processor, a party guaranteeing the system’s security and anonymity, as per the established contracts between Muellners Foundation and Muellners ApS, in regards to the whistleblower reporting framework of the network. Muellners ApS has taken the necessary technical and organisational measures to prevent personal data from being accidentally or unlawfully destroyed, lost or damaged and to prevent any unauthorised disclosure or misuse of the personal data. The processing of personal data is subject to strict controls and procedures and complies with good practices in the field. All data is transmitted and stored encrypted. No unencrypted information is sent over the open Internet. Anonymity The system does not log IP addresses and machine IDs and does not use cookies. If a report is made from a computer on the organisation’s network, there is a risk that the visited web pages will be logged in the browser’s history and/or the organisation’s log. This risk can be eliminated by submitting the report from a computer that is not connected to the organisation’s network.

If you upload documents, you should be aware that the documents can contain metadata which can compromise your identity. Therefore, you should ensure that any identifying metadata is removed from a document before it is uploaded. It is optional to make either an anonymous report or a report containing personal data. If a reporter chooses not to remain anonymous, the reporter’s identity will be known to the persons who handle the case. In this case, the reporter risks being called as a witness in any lawsuit, and the reporter’s anonymity thus can be lost. Be aware that if you choose to give further information when submitting the report from which you can directly or indirectly be identified, the organization will also process this information when handling the case. This also applies if you have chosen to remain anonymous.

What is the legal basis for the organisation’s processing of information in the system? The legal basis for the processing of your information is as follows:

• The processing is necessary for pursuing a legitimate interest in handling illegalities and this interest exceeds the interests of the registered person, cf. the European Data Protection Regulation article 6, number 1, letter f.

• The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. cf. the European Data Protection Regulation article 9, number 2, letter f.

• The processing is necessary for compliance with a legal obligation to which the organisation is subject. cf. the European Data Protection Regulation article 6, number 1, letter c.

• Any specific legislation on mandatory whistleblower solutions.

Your rights According to the European Data Protection Regulation, you have several rights. If you want to exercise these rights, you must contact the organisation.

The right to see information You have the right to see what personal data the organisation processes about you and several other information. However, this right may never violate other person’s rights or freedom rights.

The right of correction You have the right to have false personal data about you corrected.

The right of deletion In special cases, you have the right to have information about you deleted before the time of the ordinary general deletion occurs.

The right of restriction In special cases, you have the right to have the processing of your data restricted. If you have the right to have the processing restricted, the organisation is only allowed to process the information – except storage – with your consent or to establish, exercise or defend legal claims or to protect a person or a vital public interest.

The right of objection In special cases, you have the right to object to the organisation’s otherwise legitimate processing.

You can read more about your rights here: https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-privacy/index_en.htm

Questions If you have any questions regarding personal data protection, you may raise a support ticket at the Help Center’s Open Access portal.

Muellners Foundation is the data controller for the processing of the personal data that you report and can be contacted through ordinary communication channels.

Complaint If you want to complain about the processing of your data, you are entitled to submit a complaint to the competent supervisory authority.

You can download a list of the European supervisory authorities here: https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-privacy/index_en.htm