- What is whistleblowing?
- Whistleblowing channels
- Follow-up procedure
- Whistleblower protection
- Privacy and data protection
1. What is whistleblowing?
In execution of the EU Whistleblower Directive 2019/1937 and transpositions into national law by the EU Member States, the VPK whistleblowing system was created. This system contains internal reporting channels and is designed to facilitate and encourage employees and others associated with VPK (clients, suppliers, etc) to report unethical behaviour or violations of law in our organisation.
The whistleblowing programme is part of VPK's broader compliance strategy (code of conduct, labour code, antitrust guidelines, GDPR policy, safety trainings, …).
The system can be used to raise all serious concerns which fall within the scope of the legislation regarding protection of whistleblowers. Examples of relevant topics are:
- discrimination or harassment;
- anti-bribery and corruption;
- risk to employee or public safety;
- data protection and privacy;
- cyber security breaches;
- money laundering;
- protection of the environment;
- tax evasion.
For each report an assessment will be made whether the concern raised falls within the scope of the whistleblowing system. If the initial screening shows that the concern is not covered by the scope of the system, the concern will not be processed further and the whistleblower will be informed accordingly.
Employees should note that dissatisfaction with employment, such as salary and management style or other contractual terms and conditions, are not to be reported via the whistleblowing system. Instead, such matters are to be addressed through the usual channels, for example management or the HR department.
2. Whistleblowing channels
Reports can be made by email (email@example.com), by phone (+32 52 30 79 57) or anonymously through the form on the VPK website (www.vpkgroup.com). Upon request of the whistleblower, the organisation of a physical meeting will be considered. This will of course depend on practical circumstances, such as distance and timing.
Regarding anonymous reports through the website form, it is important to note that the IP address or the machine ID of the computer on which the concern is raised are not logged. Anonymous whistleblowers should be aware, however, that the investigation following the report may be hindered or delayed if they wish to insist on their anonymity throughout the investigation.
All reports shall be handled independently and impartially by the legal department at VPK Group NV, the parent company of the VPK Group. The legal department will cooperate with local staff of the VPK entity the report is connected to, who is specifically designated by the relevant Business Unit Manager to conduct investigations following a whistleblowing report. The list of such locally designated staff can be found via the whistleblowing section on SharePoint or can be retrieved from the Business Unit Manager or the legal department.
Whistleblowing is always confidential, i.e. the identity of the whistleblower, the subject of the report and other persons mentioned in the report, such as witnesses, as well as other personal data shall be kept confidential and will not be disclosed to other persons than the legal department, the relevant Business Unit Manager or the locally designated whistleblowing staff. During the investigation process, however, information and expertise can be requested from other persons within or outside VPK (e.g. lawyers or other experts), in which case, professional secrecy and confidentiality of processing shall be ensured. No person to whom the report relates or who has links to the suspected infringement will ever be involved in the handling and investigation of the report, unless explicitly allowed by the whistleblower
3. Follow-up procedure
In case the report is made by email or through the website form, the whistleblower will receive an acknowledgement of receipt of his/her report within 7 days.
Following the report, an independent and impartial investigation shall be conducted, taking into account all factual and legal aspects of the report. The investigation may require further questions being asked to the whistleblower. If the designated staff considers it necessary in light of the severity of the issue raised, the report might be escalated to the Business Unit Manager or to the Executive Committee of the VPK Group.
Within a maximum period of 3 months following the receipt of the report, the whistleblower will receive feedback regarding his/her report and the outcome of the investigation. Appropriate corrective measures, to the extent necessary, will always be based on the results of a thorough investigation.
All employees have a duty to cooperate in internal investigations and to provide truthful information when asked and the necessary documents when requested. All employees must keep confidential any information they obtain during an investigation.
4. Whistleblower protection
VPK welcomes concerns being raised in good faith, even if they end up being unfounded after investigation. VPK will not tolerate (attempted) retaliation against any person who in good faith reports suspected wrongdoing or participates in an investigation of such wrongdoing. VPK also strongly opposes any attempt to prevent a whistleblower from reporting a suspected wrongdoing.
When a whistleblower reports a suspected violation of law, not merely a suspected breach of an ethical code, covered by the applicable national whistleblowing legislation, then legal protection against retaliation will apply.
Abuse of this policy will not be tolerated. Maliciously making a false allegation will be treated as a disciplinary offence.
5. Privacy and data protection
5.1 Purpose of processing
The purpose of the processing of personal data is to implement VPK’s whistleblowing system and to process received reports. Personal data will be used to monitor and investigate misconduct and, where necessary, to prepare, present, or defend a legal claim.
All local VPK companies act as data controllers of the personal data processed via the VPK Group’s whistleblowing system. The VPK legal department at VPK Group NV acts as data processor. Data protection is ensured by concluding a data processing agreement between VPK Group NV and all other VPK entities.
5.2 Categories of personal data processed
A concern raised may contain personal data about the whistleblower in person, personal data regarding the person(s) about whom a concern is raised (the affected persons), if any, and even data about third parties. The collected data could be name, position and any other data on the affected person(s). A concern raised may include documents in the broad sense, including text, pictorial and video material.
All personal data collected through the whistleblowing system will be treated as confidential to the maximum extent possible.
5.3 Legal processing basis
It is necessary to process personal data in the whistleblowing system to investigate and prevent unethical behaviour or violations of law. Personal data is therefore processed (i) to comply with the legal obligation to install a whistleblowing system and (ii) to pursue a legitimate interest that is generally assessed to take precedence over the data subject's interest in protecting his/her personal data, see Article 6(1)(f) of the General Data Protection Regulation (GDPR).
Information about any (suspected) criminal offences will only be processed when the processing is authorised by European Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects, see Article 10 of the GDPR.
In some cases, a raised concern will contain sensitive personal data such as trade union membership, political opinion, religion, health status, sexual orientation and biometric data. Such data are only processed if, in addition to pursuing a legitimate interest, the processing is legal under Article 9 of the GPDR.
The persons named in the report will generally be notified about the concern raised, the outcome of any investigation, how they may exercise their rights of objection/correction, etc. If there is a concrete risk of the notification jeopardising the investigation of the report or the possibility of obtaining the necessary proof, it is possible, however, to postpone or not make the notification until the risk does no longer exist in compliance with the rules of Article 23 of the GDPR and national implementation thereof.
The persons whose personal data is processed have a right to get insight into the data that are being processed about them. However, this right is not absolute – the exercise and/or limitation of this right is governed by law and government regulations and guidelines, which are not exhaustively described in this document. For example, VPK has the right to limit the exercise of this right where this is necessary and proportionate to safeguard the investigation and follow-up of the report or to protect the identity of the whistleblower.
5.5 Storing and erasing personal data
Personal data processed in connection with reports are stored as long as necessary in the interests of the investigation and the further course of events. If the initial screening of the report shows that it is not covered by the VPK whistleblowing system or that there is no proof of the concern raised, VPK will erase the report and the personal data included as soon as possible.
5.6 Disclosing personal data
The legal department at VPK Group NV is in charge of the initial screening of the received reports. Generally, no disclosure of personal data collected through the whistleblowing system to third parties shall take place. However, the following types of disclosure could take place on a case by case basis:
- Disclosure to an external advisor, for example an attorney or auditor for the purpose of a detailed investigation of the concern raised;
- Transfer to relevant authorities, including the police and the prosecution service, in contemplation of any legal proceedings;
- Other disclosure required by law.
5.7 Contact details
Questions about the processing of personal data in relation to the whistleblowing system can be addressed to the VPK Data Protection Office (firstname.lastname@example.org).
Laatst herzien op: 21/03/2023
Make a report
You can choose to report either with disclosure of your name and contact details, either anonymously. In case you choose to disclose your name/contact details, your identity will only be known to those who receive and handle your report. In case of anonymous reporting, your identity will remain fully concealed, even to those receiving your report. It is recommended to report with disclosure of your name/contact details, as it provides the best possible case processing and ensures you the best possible protection.