1 Introduction
Harboe Bryggeri A/S is committed to having an openness where wrongdoing or unlawful conduct can be reported if there is reasonable suspicion about Harboe’s activities, employees, management, suppliers, etc.

This whistleblower policy explains how to use the whistleblower scheme, the disclosures which can be reported, how whistleblower reports are handled, etc.

2 Who can blow the whistle?
The whistleblower scheme can be used by any person with a connection to Harboe or who possess knowledge that is relevant to be reported, e.g. partners, customers, suppliers, sub suppliers, consumers, advisors and board members, etc.

3 Which concerns can be reported?
There are three types of concerns which can be reported to the whistleblower scheme:
1) Serious offences
2) Serious wrongdoings
3) Violation of a number of EU rules

Serious offences include, for example, violation of a statutory duty of confidentiality, abuse of financial means, theft, fraud, embezzlement, extortion, forgery, bribery, hacking, illegal bugging, etc. as well as serious breach of occupational safety, breach of statutory obligations to act, etc.

Serious wrongdoings include all conduct, which are in the public interest to elicit, for example, discrimination, violence, harassment of a serious or recurring nature (including any form of sexual harassment). In addition, it includes all conduct which may pose a risk to human safety and health or other serious risks (such as serious errors or wrongdoing related to IT operations), whether or not the conduct is illegal.

Violation of EU rules in the following areas can be reported: public procurement, financial services, products and markets, prevention of money laundering and terrorist financing, product safety and compliance, transport safety, environmental protection, radiation protection and nuclear safety, food and feed safety, animal health, animal welfare and public health, consumer protection, protection of privacy and personal data, security of network and information systems, competition law and state aid and corporation tax law. Most of the EU rules above are implemented in Danish law as well.

Reported offence or conduct can be positively identified but does not have to be. Matters can also be reported when there is a reasonable suspicion of an actual or potential violation, violations that are highly likely to occur (in the future), attempts to conceal violations, or acts or omissions that make it possible to circumvent the purpose of the above rules.

It is not a requirement that the offence or conduct can be attributable to a single person. Conduct which cannot be attributable to a single person, but which, for example, are due to a fundamental (system) error within Harboe, can also be reported.

The reporting must always be reported in good faith. This means that there must be a reasonable ground to believe that the information reported is correct. Reporting conducted in good faith will not have consequences for the whistleblower. However, it may have consequences (including fines) if incorrect information is reported deliberately – especially if the purpose is to harass or harm employees, management, third parties, or Harboe in general.

4 Which concerns cannot be reported?
Less serious concerns or inconveniences such as dissatisfaction with pay, incompetence, general collegial difficulties, absence, private use of office supplies, violation of internal smoking policies, alcohol consumption or other inappropriate behaviour or conduct cannot be reported to the whistleblower scheme, unless they are of a serious or repetitive nature. The same applies to violation of formal rules, such as procedural rules, unless the violations are serious or repetitive.

Such less serious concerns or inconveniences should be reported through the usual channels, such as to HR, the direct supervisor or through the contact form on Harboes website. If less serious concerns or inconveniences are reported to the whistleblower scheme, the report will be rejected.

5 How do I blow the whistle?
Concerns can be reported in writing to DLA Piper Denmark Law Firm P/S, which administers the whistleblower scheme. Reporting can be done via a secure whistleblower platform that can be accessed via the following link:

Whistleblower scheme

In addition, reporting can be done by mail to:
DLA Piper Advokatpartnerselskab
Att. Marlene Winther Plas
Oslo Plads 2
2100 København Ø
Danmark

It is not a requirement to provide documentation for the reported concerns, but it will of course be a great help for the case processing if the reported issue is documented.

It is also possible to report your concern to the Danish Data Protection Agency. The Danish Data Protection Agency is a public authority which operates an external whistleblower scheme. It is optional whether you would like to report a concern to DLA Piper or to the Danish Data Protection Agency. However, we recommend that you use the reporting channels above if the concern can be effectively addressed by Harboe.

You can read more about the Danish Data Protection Agency’s whistleblower scheme and how to use it at the following link: https://whistleblower.dk/english

6 How whistleblower reports are handled
When a concern has been reported to the whistleblower scheme, the reports are received and registered by the law firm DLA Piper. A confirmation of receipt will be send within seven days of the reporting.

The recipient of DLA Piper will do a screening (initial assessment) of the report to determine whether it relates to a qualifying disclosure (see section 2- 4 above).

If it is a qualifying disclosure, DLA Piper will forward it to a trusted employee of Harboe who is specially designated to handle such reports. A minimum of two trusted employees are always appointed to ensure that the whistleblower report is never forwarded to a person to whom the report relates.

The trusted employees of Harboe are:
Simon Andersson, CFO (primary trusted employee)
Søren Malling, CEO (primary trusted employee)

The concern reported will then be investigated and, if necessary, handled by the trusted employee. Within three months after the concern has been reported, feedback, including measures introduced or to be introduced, as well as the reasons behind them will be send to the whistleblower.

7 Confidentiality and anonymity
DLA Piper Denmark Law Firm P/S and Harboe treat all information received through the whistleblower scheme with confidentiality and discretion.

Reports are protected by statutory confidentiality. The whistleblower’s identity will thus be kept secret by those handling the report. If and when needed, assistance can be obtained from other external trusted advisers for the handling of the concern.

However, the whistleblower’s identity may be disclosed if express consent is given to it or it is required by law. It may also be disclosed if it is necessary for the persons named in the report in order for them to defend themselves in a lawsuit (but in that case prior informed will be given to the whistleblower).

The information in the report, which cannot directly or indirectly disclose the identity of the whistleblower can also be disclosed, if necessary, to handle the report or prevent an offence.

It is also possible to report a concern anonymously to the whistleblower scheme. If possible and appropriate, we generally advise not to report concerns anonymously since concerns raised anonymously can be difficult to follow up on if, for example, there are questions about the content of the report.

8 Protection of whistleblowers and reported persons
Persons who make a report (the whistleblower) are legally protected against any kind of retaliation (negative consequences), including threat of or attempt of retaliation as a result of a reported concern, as long as the concern is reported in accordance with this whistleblower policy.

In addition, reporting of information which the whistleblower has authorized access to is always permitted. Report of such information will not be considered a breach of law or an agreement (for example, the information is protected by statutory confidentiality, the Copyright Act, the Trade Secrets Act, or the like).

If a person is mentioned in a report (i.e. under suspicion), the identity of this person will be protected as part of the handling of the reported concern – at the same level as the whistleblower’s identity (see section 7 above).

In addition, this person will at any time have the right to defend themself if a case is filed against them, which includes the registration of all information in the case. In addition, there is a right to request insight, correction or deletion of personal data to that extent the rules under GDPR or the data protection law entitles to.

9 Information on personal data (GDPR)
The data controller for this whistleblower scheme is:

DLA Piper Denmark Law Firm P/S
CVR nr. 35 20 93 52
Oslo Plads 2
2100 København Ø
Denmark

The personal data processed in connection with the whistleblower scheme most often relates to the following areas:
• identification information relating to persons who report a concern and other information provided in connection with the report or at a later stage in the process.
• information contained in reports about persons who are included in the reports, including typically identification information and information about the accused persons’ involvement in the reported activities.

The information is processed for the purpose of administering the whistleblower scheme as described in this whistleblower policy.
The legal basis for the processing is section 22 of the Whistleblower Act, cf. Article 6(1), para c, of GDPR.

The personal data will be passed on to law enforcement authorities and others which will assist with the investigation and prosecution of reported criminal offences in case of violation of the law. In addition, the information will be shared with the trusted employees of Harboe, as described in section 6 above.

Information which is reported and clearly is not relevant for handling of the concern of a specific report (including whistleblower reports rejected cf. section 4 above) is deleted after 7 days. Reports, which are further investigated, are normally deleted 18 months after completing the investigation. However, data may be retained for a longer period of time if it is necessary to comply with the law or for a legal claim to be determined, defended or enforced.

As a data subject, you have certain rights under GDPR: the right to request insight, correction or deletion of your personal data and the right to object to the processing of personal data and have the processing of personal data restricted.
These rights may be subject to conditions or limitations and in some cases, the request may therefore be rejected. However, there is always the right to lodge a complaint with the Danish Data Protection Agency.

Above rights can be exercised by contacting DLA Piper (see below).

10 Questions
Please address all questions regarding the whistleblower scheme in writing to DLA Piper Denmark Law Firm P/S by email to whistleblowerordning@dk.dlapiper.com or to Sarah Paustian Sander on sarah.sander@dk.dlapiper.com or to Marlene Winther Plas on marlene.plas@dk.dlapiper.com.