Anonymous Reporting Portal
Privacy Notice

Effective Date: 10 February 2026

Last Updated: 11 February 2026

1. About This Notice

This privacy notice explains how the Anonymous Reporting Portal (the “Portal”) handles information submitted by users. It is provided in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), the UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”), and applicable United States federal and state privacy laws.

The Portal is operated as a service that enables organisations (“Subscribing Organisations”) to receive anonymous reports of potential misconduct, compliance violations, or safety concerns from their employees, contractors, vendors, and other third parties. This notice applies to all individuals who use the Portal, regardless of location.

Each Subscribing Organisation acts as the data controller in respect of the report data it receives through the Portal. The Portal operator acts as a data processor on behalf of the Subscribing Organisation. Please refer to your organisation’s own privacy notice or whistleblowing policy for information about how it handles reports received through this Portal.

2. Our Commitment to Anonymity

The Portal is designed so that no personally identifiable information about the reporter is collected, stored, or transmitted. Specifically:

  • We do not ask for or collect your name, email address, phone number, or any other contact information.
  • We do not log, store, or forward your IP address.
  • We do not set cookies, use browser local storage, or employ any client-side tracking technologies.
  • We do not collect your browser type, operating system, device identifiers, screen resolution, or any other technical fingerprint.
  • We do not embed any third-party analytics, advertising scripts, or tracking pixels on the Portal.
  • We do not use Google reCAPTCHA or any other service that transmits your data to third parties.

Your report is anonymous. We cannot identify you from the information the Portal collects, and we have designed the system to ensure that we are unable to do so.

3. Information That Is Processed

Although the Portal does not collect personal data about reporters, the following information is processed when a report is submitted:

| Data Element | Source | Purpose |
|---|---|---|
| Report category | Reporter input | Triage and classification of the report |
| Description of the concern (free text) | Reporter input | Investigation and follow-up |
| Approximate date / time frame | Reporter input | Context for investigation |
| Location / business unit | Reporter input | Context for investigation |
| Randomly generated reference number | System-generated | Enables reporter to check for follow-up messages; not linked to any PII |
| Submission timestamp (UTC) | System-generated | Record-keeping and regulatory acknowledgement compliance |
| Follow-up messages (if any) | Reporter and/or reviewer input | Two-way anonymous communication regarding the report |

Important: The free-text description field and follow-up messages may contain personal data about third parties (e.g., the name of a person whose conduct is being reported). The Subscribing Organisation, as data controller, is responsible for the lawful processing of such data.

4. Information That Is Not Processed

To be explicit, the Portal does not process any of the following about the reporter:

  • Name or identity
  • Email address
  • IP address
  • Device or browser information (User-Agent, screen resolution, plugins, etc.)
  • Location data (GPS, Wi-Fi, or network-derived)
  • Cookies, session identifiers, or persistent identifiers of any kind
  • Any information that could be used to identify or re-identify the reporter

5. Legal Basis for Processing

5.1 EU GDPR / UK GDPR

Because the Portal does not collect personal data about the reporter, GDPR processing obligations do not arise in relation to the reporter’s own data.

However, reports may contain personal data about third parties (e.g., individuals whose conduct is described in the report). The Subscribing Organisation, as data controller, is responsible for establishing an appropriate legal basis for processing this data. Typical legal bases include:

  • Article 6(1)(c) — Legal obligation: Processing is necessary for compliance with legal obligations to which the Subscribing Organisation is subject, including obligations under the EU Whistleblower Protection Directive (2019/1937), national transpositions thereof, and the UK Public Interest Disclosure Act 1998.
  • Article 6(1)(f) — Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the Subscribing Organisation, namely the detection and prevention of misconduct, fraud, corruption, and violations of law or organisational policy.

Where reports contain special category data (e.g., information revealing racial or ethnic origin, health data, trade union membership, or data concerning sex life or sexual orientation), an appropriate condition under Article 9(2) of the EU GDPR or UK GDPR must be relied upon by the Subscribing Organisation. This typically includes:

  • Article 9(2)(g) — Substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of applicable EU or Member State law or UK law (including Schedule 1, Part 2, Paragraph 6 of the UK Data Protection Act 2018).

5.2 United States

In the United States, report data may be processed in accordance with applicable federal and state laws, including the Sarbanes-Oxley Act (Section 301), the Dodd-Frank Wall Street Reform and Consumer Protection Act, and applicable state whistleblower protection statutes. No personal data of the reporter is collected through the Portal.

6. How Report Data Is Used

Report data is transmitted to the Subscribing Organisation and is used exclusively for the following purposes:

  • Receiving, reviewing, and triaging reports of potential misconduct, legal violations, or policy breaches.
  • Investigating the matters raised in reports.
  • Taking appropriate remedial, disciplinary, or corrective action where warranted.
  • Complying with legal obligations, including obligations under the EU Whistleblower Protection Directive to acknowledge receipt of a report within seven days and to provide feedback to the reporter within three months.
  • Defending or establishing legal claims, if necessary.

Report data is not used by the Portal operator for marketing, profiling, automated decision-making, or any purpose unrelated to the delivery of the Portal service to the Subscribing Organisation.

7. Who Has Access to Report Data

Access to submitted reports and follow-up messages is strictly limited to:

  • Authorised personnel designated by the Subscribing Organisation (typically legal, compliance, or ethics department staff) who are responsible for receiving, reviewing, and investigating reports.
  • External legal counsel, where engaged by the Subscribing Organisation to advise on or assist with an investigation, subject to professional obligations of confidentiality.
  • Law enforcement or regulatory authorities, only where disclosure is required by law or court order.

The Portal operator’s access to report data is limited to what is strictly necessary for the provision, maintenance, and security of the Portal service, and is governed by a data processing agreement with each Subscribing Organisation.

8. International Data Transfers

The Portal infrastructure may involve the transfer of report data between jurisdictions. Where report data is transferred across borders:

  • EU to UK: Transfers are made pursuant to the UK adequacy decision adopted by the European Commission.
  • EU/UK to USA: Transfers are made on the basis of appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission, the EU-U.S. Data Privacy Framework (where applicable), or other applicable transfer mechanisms under Chapter V of the EU GDPR or UK GDPR.

Subscribing Organisations are responsible for ensuring that any further transfers of report data comply with applicable data transfer requirements.

9. Data Retention

  • Report content: Retained in accordance with the Subscribing Organisation’s data retention policy and applicable legal hold obligations. Reports that do not lead to an investigation are retained for a maximum of twelve (12) months from receipt, unless a longer period is required by law or the Subscribing Organisation’s retention policy.
  • Follow-up messages: Automatically deleted after a configurable retention period (default: 12 months from the date of the last message), or upon manual deletion by an authorised reviewer, unless a legal hold or investigation requires longer retention.
  • Reference numbers: Retained for the same period as the associated report. Reference numbers are not linked to any personal data of the reporter.

We do not retain any data that could identify the reporter, because no such data is collected.

10. Data Security

We implement appropriate technical and organisational measures to protect report data, including:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Access controls restricting report data to authorised personnel only.
  • Enforced HTTPS with HTTP Strict Transport Security (HSTS) headers on all Portal connections.
  • Content Security Policy headers preventing execution of unauthorised scripts.
  • No third-party scripts, analytics, or trackers on the Portal.
  • Authenticated access to the reviewer administration interface with multi-factor authentication, session timeouts, and account lockout controls.
  • Periodic technical audits to verify that no personally identifiable information about reporters is captured.

11. Your Rights

11.1 Reporters

Because the Portal does not collect or process any personal data about the reporter, the data subject rights under the EU GDPR and UK GDPR (including the rights of access, rectification, erasure, restriction, portability, and objection) do not apply to the reporter in connection with their use of the Portal — there is no personal data to access, correct, or delete.

If you choose to submit a confidential (non-anonymous) report directly to your organisation’s designated reporting contact, your personal data will be processed by that organisation. In that case, you should contact your organisation to exercise your data subject rights.

11.2 Individuals Named in Reports

If you are a person whose conduct is described in a report, you have data subject rights under the EU GDPR and UK GDPR, including the right to access, rectification, and erasure. However, these rights may be limited where exercising them would:

  • Compromise the confidentiality of the reporter or the investigation.
  • Prejudice the prevention, detection, or investigation of breaches of law or organisational policy.
  • Impair the ability of the Subscribing Organisation to comply with its legal obligations.

Requests to exercise data subject rights should be directed to the relevant Subscribing Organisation.

11.3 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed in violation of applicable data protection law. Relevant authorities include but are not limited to:

  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
  • Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
  • Sweden: Integritetsskyddsmyndigheten (IMY) — imy.se
  • France: Commission Nationale de l’Informatique et des Libertés (CNIL) — cnil.fr
  • Germany: Relevant state data protection authority (Landesdatenschutzbeauftragte)
  • Belgium: Autorité de protection des données / Gegevensbeschermingsautoriteit — dataprotectionauthority.be

12. Non-Retaliation

Subscribing Organisations using this Portal are expected to maintain policies prohibiting retaliation against any individual who makes a good-faith report. This expectation is consistent with the protections afforded by the EU Whistleblower Protection Directive (2019/1937), national transpositions thereof, the UK Public Interest Disclosure Act 1998, the U.S. Sarbanes-Oxley Act, and the Dodd-Frank Act. Please refer to your organisation’s non-retaliation policy for specific details.

13. Processor and Sub-Processor Information

The Portal operator acts as a data processor on behalf of each Subscribing Organisation. The processing activities are governed by a data processing agreement that meets the requirements of Article 28 of the EU GDPR and UK GDPR. A list of sub-processors engaged by the Portal operator is available upon request from the Subscribing Organisation or by contacting the Portal operator directly.

14. Changes to This Notice

We may update this privacy notice from time to time to reflect changes in law, regulatory guidance, or the Portal’s functionality. The “Last Updated” date at the top of this notice indicates the most recent revision. Material changes will be communicated via the Portal itself.

15. Contact Us

If you have questions about this privacy notice or about how the Portal handles data, please contact the Portal operator at the details provided on the Portal’s contact page.

For questions about how a specific Subscribing Organisation processes report data, please contact that organisation’s data protection or compliance department directly.

This privacy notice is provided for transparency purposes and does not create any contractual or other legal rights or obligations beyond those established by applicable law.