Whistleblower Policy

Last updated 2024-01-10

Background

At Thermo-Calc, we strive to have an open and transparent workplace, where malpractice does not occur. It is therefore important to us that there is clear information on how to report malpractice confidentially and securely. In the event of suspicion of ongoing or previous malpractice, resources must therefore be available to disclose them. By making it easy to report, we work together to promote the trust of employees, customers and the general public in us.

Our cases are initially handled by the Law Firm Lindahls to guarantee independent handling of cases. Our Internal Contact Persons may come to handle the case after the Law Firm. See more information and contact details under “6.1 Contact information for Visslan (The Whistle Compliance Solutions AB).”

This whistleblower policy covers the legal entities Thermo-Calc Software AB.

Definitions

GDPR: General Data Protection Regulation, which is a European regulation governing the processing of personal data and the free movement of such data within the European Union.
The Whistleblower Directive: EU Directive 2019/1936 on the protection of persons reporting irregularities in Union law.
Whistleblower Act: National implementation of the Whistleblower Directive in EU Member States.
Visslan: The Whistle Compliance Solutions AB’s service Visslan, which enables digital reporting of misconduct: https://visslan.com/
Misconduct: Acting or omissions that have emerged in a work-related context that there is a public interest in it occurring.
Reporting: Written or verbal submission of information about misconduct.
Internal reporting: Written or verbal provision of information about misconduct within a company in the private sector.
External reporting: Written or verbal provision of information about misconduct to the competent authorities.
Publication or to make public: To make information about misconduct available to the public.
Reporting person: A person who reports or publishes information about misconduct acquired in connection with his work-related activities.
Retaliation: Any direct or indirect act or omission which occurs in a work-related context and which is caused by internal or external reporting or by a publication, and which gives rise to or may give rise to unjustified injury to the reporting person.
Follow-up: Any action taken by the Case Manager(s) of a report to assess the accuracy of the allegations made in the report and, where appropriate, to deal with the reported infringement, including through measures such as internal investigations, investigations, prosecutions, actions to recover funds and to close the procedure.
Feedback: providing reporters (“whistleblowers”) with information on the actions planned or taken as a follow-up and on the grounds for such follow-up.

1. Who can report?

You can report and receive protection from the Whistleblower Act if you are an employee, volunteer, trainee, active shareholder, person who is otherwise available for work under our control and management or is part of our administrative, management or supervisory body.

Contractors, subcontractors and suppliers to us who have found out about malpractices within the company can also report. The fact that you have ended your work-related relationship with us, or that it has not yet begun, is not an obstacle to reporting malpractice or receiving protection for reporting malpractice externally.

2. What can I report?

In case of suspicion of possible misconduct, law and/or regulation violation, we urge you to report this to us as a whistleblowing case. When reporting, it is important that you at the time of reporting had reasonable grounds to believe that the information about the misconduct that was reported was true. Assessing whether there were reasonable grounds, circumstances and information that were available to you at the time of reporting should be the basis for whether you may have assumed that the misconduct was true. In addition, it is also important that it can actually be considered a violation that can be reported, and thus give you protection against retaliation.

Before you blow the whistle, read 5 questions to determine if you are protected by the Whistleblower Act.

2.1 Malpractice in the public interest

You can report information about misconduct that has emerged in a work-related context that there is a public interest in it coming to light. In the event of other types of personal complaints that do not have a public interest in them coming to light, such as disputes or complaints regarding the workplace or the work environment, we encourage you to contact your immediate manager, HR or one of our safety Representatives. This is to ensure that these matters are prepared in the best possible way.

Examples of malpractices of a serious nature that should be reported:

Deliberately incorrect accounting, internal accounting control or other financial crime.
Incidence of theft, corruption, vandalism, fraud, embezzlement or hacking.
Serious environmental crimes or major deficiencies in workplace safety.
If someone is exposed to very serious forms of discrimination or harassment.
Other serious misconduct affecting the life or health of individuals.

2.2 Misconduct contrary to EU law

In addition, there is the possibility to report information about misconduct that emerged in a work-related context that is contrary to EU laws or regulations. If you suspect that this occurs, then please read the scope of the Whistleblower Directive in Article 2 and Annex Part 1 for applicable laws.

3. How do I report?

3.1 Written reporting

For written reporting, we use Visslan, which is our digital whistleblowing channel. It is always available through https://thermocalc.visslan-report.se. On the website, you choose to “report” in order to then be able to describe your suspected misconduct. Please describe what happened as thoroughly as possible, so that we can ensure that adequate measures can be applied. It is also possible to attach additional evidence, in the form of, for example, written documents, pictures or audio files, even though this is not a requirement.

3.1.1 Sensitive personal data

Please do not include sensitive personal information about people mentioned in your report unless it is necessary to be able to describe your case. Sensitive personal data is information about; ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, health, a person’s sexual life or sexual orientation, genetic data, biometric data used to uniquely identify a person.

3.1.2 Anonymity

You can be anonymous throughout the process without affecting your legal protection, but you also have the opportunity to confess your identity under strict confidentiality. Anonymity can in some cases complicate the report’s follow-up possibilities and the measures we can take, but in such a case we can also later ask you to reveal your identity later, again in strict confidentiality to the Case Manager(s).

3.1.3 Follow-up & login

After you have reported, you will receive a sixteen-digit code, which you will in future be able to log in to Visslan with from https://thermocalc.visslan-report.se. It is very important that you save the code as otherwise, you will not be able to access your report again.

If you lose the code, you can submit a new report referring to the previous report.

Within seven days, you will receive a confirmation that the Case Managers has received your report. The Case Managers is/are the independent and autonomous party that receives reports in the reporting channel, whose contact information is attached in “6.1 Contact information for Visslan (The Whistle Compliance Solutions AB)”. In case of questions or concerns, you and the Case Managers can communicate through the platform’s built-in and anonymous chat function. You will receive feedback within three months on any measures planned or implemented due to the reporting.

It is important that you, with your sixteen-digit code, log in regularly to answer any follow-up questions Case Manager(s) may have. In some cases, the report can not be taken forward without answers to such follow-up questions from you as the reporting person.

3.2 Verbal reporting

In addition, it is also possible to conduct a verbal report by uploading an audio file as an attachment when creating a report at https://thermocalc.visslan-report.se. You do this by selecting that you have evidence for the report, and uploading an audio file there. In the audio file, you describe the same facts and details as you had done in a written case.

In addition, a physical meeting with the Case Manager(s) can be requested via Visslan. This is most easily done by either requesting it in an existing report, or creating a new report asking for a physical meeting.

3.3 External reporting

We urge you to always report malpractice internally first, but in the event of difficulties or it is considered inappropriate, it is possible to conduct external reporting instead (or after internal reporting without results). We then refer you to contact the competent authorities or, where applicable, to EU institutions, bodies or agencies.

4. What are my rights?

4.1 Right to confidentiality

During the handling of the report, it will be ensured that your identity as a reporting person is treated confidentially and that access to the case is prevented for unauthorized personnel, i.e. Case Manager(s). We will not disclose your identity without your consent if applicable law does not compel us to, and we will ensure that you are not subjected to retaliation.

4.2 Protection against reprisals or retaliation

In the event of a report, there is protection against negative consequences from having reported misconduct in the form of a ban on reprisals and retaliation. The protection against this also applies in relevant cases to persons in the workplace who assist the reporting person, your colleagues and relatives in the workplace, and legal entities that you own, work for or are otherwise related to.

This means that threats of retaliation and attempts at retaliation are not permitted. Examples of such are if you were to be fired, have been forced to change tasks, imposed disciplinary measures, threatened, discriminated against, blacklisted in your industry, or the like due to reporting.

Even if you were to be identified and subjected to reprisals, you would still be covered by the protection as long as you had reasonable grounds to believe that the misconduct reported was true and within the scope of the Whistleblower Act. Note, however, that protection is not obtained if it is a crime in itself to acquire or have access to the information reported.

The protection against retaliation also applies in legal proceedings, including defamation, copyright infringement, breach of confidentiality, breach of data protection rules, disclosure of trade secrets or claims for damages based on private law, public law or collective labour law, and you shall not be held liable in any way a consequence of reports or disclosures provided that you had reasonable grounds to believe that it was necessary to report or publish such information in order to expose a misconduct.

4.3 Publication of information

The protection also applies to the publication of information. It is then assumed that you have reported internally within the company and externally to a government authority, or directly externally, and no appropriate action has been taken within three months (in justified cases six months). Protection is also obtained when you have had reasonable grounds to believe that there may be an obvious danger to the public interest if it is not made public, for example in an emergency. The same applies when there is a risk of retaliation in the case of external reporting or that it is unlikely that the misconduct will be remedied in an effective manner, for example in the event that there is a risk that evidence may be concealed or destroyed.

4.4 The right to review documentation at meetings with Case Managers

If you have requested a meeting with the Case Manager(s), they will, with your consent, ensure that complete and correct documentation of the meeting is preserved in a lasting and accessible form. This can be done, for example, by recording the conversation or by keeping minutes. Afterwards, you will have the opportunity to check, correct and approve the protocol by signing it.

We recommend that this documentation is kept in Visslan’s platform by the whistleblower creating a case where the information can be collected in a secure way, with the option to communicate securely.

5. GDPR and handling of personal data

We always do our utmost to protect you and your personal information. We therefore ensure that our handling of these is always in accordance with the General Data Protection Regulation (“GDPR”).

In addition to this, all personal data without relevance to the case will be deleted and the case will only be saved for as long as it is necessary and proportionate to do so. The longest a case will be processed is two years after its conclusion. For more information about our handling of personal data, refer to Thermo-Calc Software´s policy on personal data, available on the company intranet.

6. Additional contact

If you have further questions regarding how we handle whistleblower cases, you are always welcome to contact Case Managers.

For technical questions about Visslan’s platform, feel free to create a case at https://thermocalc.visslan-report.se. Should this not be possible, contact Visslan. Contact information for both can be found below.

6.1 Contact information for Visslan (The Whistle Compliance Solutions AB)

Email: clientsupport@visslan.com
Phone number: +46 10-750 08 10
Direct number: +46 73 540 10 19

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_EFQJ4VC68W	2 years	This cookie is installed by Google Analytics.
_gat_UA-40903030-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.

Cookie	Duration	Description
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_cfuvid	session	Description is currently not available.
DEVICE_INFO	5 months 27 days	No description
ln_or	1 day	No description
loglevel	never	No description available.
TESTCOOKIESENABLED	1 minute	Description is currently not available.
wp10786	1 year	No description