B2 Impact makes this channel available for you to report in good faith existing, potential, suspected and/or alleged abuses, misconducts and/or breaches, which include both unlawful acts, omissions, and abusive practices

B2 Impact makes the WhistleB tool available to Whistleblowers to ensure a safe channel for reporting wrongdoings and Irregularities. Such Reports may also be filed anonymously. However, B2 Impact encourages Employees not to file anonymously in order to conduct the investigation in the most effective and accurate manner. 

Terms with initial capital letters shall have the meaning ascribed in the B2 Impact Group Whistleblowing Policy; in addition, B2 Impact ASA and its subsidiaries are jointly referred to as “B2 Impact” or the “Group” and local subsidiary referred to as “Business Unit”.

1. Basic information

a) Data Controller

The Data Controller will be the Business Unit to which the Irregularity is reported.

Additionally, in those cases where the Irregularity should be handled by B2 Impact ASA, following the allocation criteria of the Whistleblowing Policy, B2 Impact ASA will act as a separate Data Controller.

The Data Controller will also be defined by “We”.

b) Purposes of the processing and legal basis

Handling and resolving the Irregularities reported by the Whistle-blowers or third parties of B2 Impact with regards to wrongdoings or Irregularities.

The legal basis for processing is the legal obligation, legitimate interest, and consent when Whistleblowers decide to report the Irregularities by phone.

c) Recipients

The reported information and personal data may be disclosed to:

• External advisors of B2 Impact only for conducting the investigation purposes.
• Legal authorities, public bodies, or institutions when the investigation procedure is required by the applicable regulation.
• B2 Impact Employees engaged in the Whistleblowing process management and Irregularities’ analysis.

d) Data Subject Rights

Data subjects might exercise their data protection rights at any time at the Data Protection Officer of, B2 Impact ASA or Business Units, depending on where the Irregularity has been reported. 

e) Additional information

The details of the information included in this section are provided below.

2. Additional information

B2 Impact fully complies with the personal data protection regulations and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), and the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (“Whistleblowing Directive”).

As a consequence, information and personal data provided by the Whistleblower, any reported individual and other individual involved in the investigation process, obtained by them or and/or from third parties, in relation to the Irregularities reported as this term is described in the Group Whistleblowing Policy will be processed in compliance with the required guarantees set out in GDPR and the Whistleblowing Directive.

B2 Impact ensures the confidentiality of the information received and protects the identity of all the data subjects involved in the investigation process. 

B2 Impact also complies with the principle of data minimization: only process personal data, which is adequate, relevant, and necessary for the investigation process.

B2 Impact has implemented both organizational and technical security measures based on a risk assessment analysis of the Whistleblowing procedure in order to guarantee lawful and secure processing of personal information.

Access to information and personal data reported through this channel or by other means according to the Group Whistleblowing Policy will be restricted to persons within or outside B2 Impact.

Nevertheless, other persons within B2 Impact may have access to such data in cases in which this is necessary in order to conduct the investigation process in an effective manner. 

a) DATA SUBJECTS - How are considered data subjects in the Whistleblowing procedure? 

• Whistleblowers
• Suspects
• Witnesses
• Subject of concerns
• Whistleblowing Function
• Group Data Warehouse employees
• IT employees
• HR employees
• Any other employees of B2 Impact ASA or Business Unit who might have access to the reporting, for investigation purposes
• External advisors’ or legal authorities’ employees

b) DATA CONTROLLER - Who is responsible for your data?

The Business Unit to which the Irregularity is reported is the Data Controller and is responsible for your personal data. In those cases that the irregularity should be handled by B2 Impact ASA following the allocation criteria of the Whistleblowing Policy, such entity will act as a separate Data Controller.

Additionally, B2 Impact ASA and Business Units might collaborate as relevant parties in the investigation process, being separate Data Controllers.

External advisors might be Data Controllers, being responsible for the investigation process if B2 Impact ASA or the Business Unit outsources the investigation.

Legal authorities will act as Data Controllers when they are informed by B2 Impact ASA or Business Units about the Irregularities.

For general information about the Business Units, see the B2 Impact website (https://www.b2-impact.com/Contact) 

c) DATA PROTECTION OFFICER DATA - Contact details of the Data Protection Officer (“DPO”) 

The Data Protection Officer is responsible for, among other obligations, overseeing compliance with GDPR.

You may raise your concerns and contact B2 Impact Group Data Protection Officer at dpo@b2-impact.com, or the relevant local Data Protection Officer.

d) PURPOSES AND LEGAL BASIS - Why B2 Impact processes your data?

In the context of the Whistleblowing channel, B2 Impact processes your personal data with the purpose of handling, investigating, monitoring, and disclosing to authorities (if needed) the Irregularities reported by the Whistleblowers.

The legal basis for processing your personal data are:

• Consent for processing the voice of Whistleblowers under art. 6.1. a) applies when the Whistleblower decides to report the Irregularity via phone;
• Complying with the legal obligation under art. 6.1 c) applies for the investigation process of the Irregularities set out in the Whistleblowing Directive and local transposition;
• Legitimate interest under art. 6.1 f) applies for investigating the Irregularities set out in the Group Whistleblowing Policy or those that breach the Code of Conduct or the group policies/procedures.

e) How B2 Impact collects your data? What Type of data is processed?

B2 Impact processes different categories of data, both as directly provided by the Whistleblower or otherwise collected in the context of the investigation process. B2 Impact may process the following categories of personal data.

Categories of data:

• Whistleblowers
• Witnesses
• Subject of concerns
• Whistleblowing Function
• Group Data Warehouse employees
• IT employees
• HR employees
• External advisors’ or legal authorities’ employees
• Any other employees of B2 Impact ASA or Business Unit who might have access to the reporting, for investigation purposes

 Type of data:

• Contact data: identification information, including among others name, surname, identification numbers, address, and contact details (email, telephone number, WhatsApp id)
• Voice when the Whistleblower decides to report the Irregularity via phone. Their voice will be immediately anonymized by WhistleB tool, and the recipients will only have access to an anonymized voice (transcription or voice distorter)
• Labour circumstances: employment status, salary, bonuses, other benefits, position in the company, employee ID, job title, tenure, seniority, education, employment time
• Behavioural information generated during the employment
• Special categories of personal data under art. 9 and 10 of the GDPR, gathered for investigation purposes, applying the GDPR minimalization principle
• Any other data that might be relevant for the investigation, applying the GDPR minimalization principle

f) RECIPIENTS - Who will have access to your data? 

In the context of the investigation process, the Data Controller may disclose personal data to any natural or legal person who might need access for investigation purposes, including:

• Whistleblowing Function.
• Internal employees.
• External advisors: when, for reasons of complexity, the Data Controller decides to outsource the investigation process.
• Legal authorities, public bodies, and institutions where the investigation process falls within their competence.

Notwithstanding the foregoing, the Data Controller will adopt the necessary measures to preserve the confidentiality of data and will apply the principle of minimisation to the disclosed data.

g) RECIPIENTS - Reinforcement of the duty of secrecy and confidentiality 

Employees of B2 Impact and external advisors who might have access to personal data in the investigation of Whistleblowing cases are obliged to ensure the strictest secrecy and confidentiality in processing such personal data.

h) Transfer of personal data outside the European Economic Area (EEA)

During the processing activity, personal data would be transferred outside the European Economic Area (EEA) to third countries, which are not subject to the European Commission adequacy decision. Additionally, under certain conditions, processors acting on behalf of B2 Impact may transfer personal data outside the EEA, as well. In such cases, the personal data will be transferred in compliance with the General Data Protection Regulation articles 46, 47, or 49(1), especially, Standard Contractual Clauses with further security measures applied. Any details about the transfer and applied security measures could be achieved from the Data Protection Officer.

i) RETENTION POLICY - How long B2 Impact will keep your personal data? 

B2 Impact will apply different retention periods depending on the processed information.

• Cases that are not Whistleblowing cases are not further processed and should be deleted with undue delay unless these reports are relevant for Human Resources complaints. In these cases, they should be transferred to the competent department/function/body, e.g., Human Resources.
• Any personal data, especially sensitive, which is not relevant for the investigation is not further processed and deleted with undue delay.
• If it is concluded that it is a Whistleblowing case, data will be processed during the investigation and until the retention period. Once that the case is closed, the case will be archived, and the following rules of deletion will apply:
• As a general rule, the data will be deleted following the retention rules of the Whistleblowing Directive (within 60 days after the case has been definitely closed) and local regulation, which will prevail in any case.
• However, personal data that is necessary and relevant for the investigation shall be kept as long as necessary to process and investigate the report, or, if applicable, as long as necessary to initiate sanctions or to meet any legal or financial requirement as well as to meet legal obligations and liabilities arising from the Whistleblowing cases. The reports that are not followed up will be kept anonymous, and the personal data will be completely removed.
• In any case, the data will keep with limited access during the archiving period.

j) DATA SUBJECT RIGHTS 

The GDPR provides you with the following rights:

• Right to withdraw the consent at any time (Article 7.3) – when the Whistleblower decides to report the Irregularity via phone.
• Right to be informed (Articles 12, 13, 14) about how B2 Impact processes your data.
• Right of access to personal data (Article 15) – you may access a copy of your personal information.
• Right to rectification (Articles 16 and 19) – you have the right to rectify information you think is inaccurate or supplement information that is incomplete.
• Right of objection (Article 21) - you may object to the processing of your personal data based on B2 Impact legitimate interest.
• Right to a restriction (Article 18 and 19) - you may request a processing limitation in the following situations: 
• You contest the accuracy of your personal data process by B2 Impact and therefore, during the period required to verify the accuracy of your data;
• the processing of your personal data is unlawful, and you oppose the erasure of the personal data and requests the restriction of their use instead of restricted data processing.
• B2 Impact no longer needs your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
• (d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
• Right to erasure (“right to be forgotten”) (Articles 17 and 19) – you may request the erasure of your data when
• Your personal data are no longer necessary in the context of the Whistleblowing procedure
• You object to the processing activity based on B2H Group legitimate interest.
• Your data has been unlawfully processed.
• Your data has to be erased for compliance with a legal obligation affecting the Data Controller.
• Right to complaint - you also have the right to lodge a complaint to the competent data protection authority if your data has been processed unlawfully. See the list of competent authorities (https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm) by country.

You may exercise your rights by sending a written notification to the following email address or web form, providing, in all cases, your ID. or official document evidencing the identity of the data subject.

Upon the receipt of your data subject right demand, B2 Impact or the Business Unit’s Data Protection Officer will respond within one month, or this deadline may be extended by further two months, in which case you will be informed about the reasons for such extension. 

Limitations to your data protection rights: 

In the context of Whistleblowing investigations, you should be informed that by virtue of Article 23 of the GDPR, your rights may be restricted for a temporary period of time inter alia on the grounds of the investigation of Whistleblowing cases. Any such restriction will be limited in time, proportionate, and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. You will receive a more specific data protection notice when this period has passed.

As a general rule, you will be informed of the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.

You have the right to make a complaint to the supervisory authority (https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm) concerning the scope of the restriction. 

Under no circumstances will the Subject of concerns or any other third parties be able to exercise their rights of access to obtain information on the identity of the Whistleblower unless the latter has made an illicit report.

k) AUTOMATED DECISION-MAKING, INCLUDING PROFILING 

Neither B2 Impact ASA nor the Business Unit will profile your personal data or make a decision based on automated processing during the Whistleblowing process. 

-----

Bosnia and Herzegovina

Company name: B2Kapital d.o.o.
Address: Azize Šaćirbegović 1,Sarajevo 71000, Bosnia and Herzegovina
Webpage: http://www.b2kapital.ba
DPO: centar@b2kapital.ba

-----

Croatia

Company name: VERALTIS ASSET MANAGEMENT d.o.o. [Croatia]
Address: Radnička cesta 41, 10000 Zagreb, Croatia
Webpage: NA (when published, it will be updated)
DPO: zastita-osobnih-podataka@veraltis.hr

-----

Cyprus

Company name: B2Kapital Cyprus LTD
Address: 79 Spyrou Kyprianou, Potamos Germasogias, 4042 Limassol, Cyprus
Webpage: http://www.b2kapital.com.cy
DPO: dpo@b2kapital.com.cy

-----

Czech Republic

Company name: B2Kapital Czech Republic s.r.o.
Address: Burzovní palác Rybná 682/14, 110 00 Prague 1, Czech Republic
Webpage: http://www.b2kapital.cz
DPO: iva.a@b2kapital.cz

-----

Denmark

Company name: Nordic Debt Collection AS
Address: Bryggernes plads 14, 1799 København V, Denmark
Webpage: http://www.nodeco.dk
DPO: dpo@nodeco.dk

-----

Estonia

Company name: Ok Incure OÜ
Address: Mustamäe tee 16, 10617 Tallinn, Estonia
Webpage: http://www.okincure.ee
DPO: mail@okincure.ee

-----

Finland

Company name: OK Perintä OY
Address: Tegelbruksgatan 7A, 65100 Vaasa, Finland
Webpage: http://www.okperinta.fi 
DPO: privacy@okperinta.fi

-----

France

Company name: VERALTIS ASSET MANAGEMENT
Address: 37 boulevard Suchet, 75016 Paris, France
Webpage: https://www.veraltis.fr
DPO: dpo@veraltis.fr  

-----

Greece

Company name: Veraltis Asset Management S.A
Address: 1-3 Kifissias Avenue, 3rd Floor, 115 23 Ampelokipoi Athens, Greece
Webpage: https://www.veraltis.gr
DPO: dpo@veraltis.gr

-----

Hungary

Company name: B2Kapital Magyarország Zrt.
Address: Pauler u.tca 11, 1013 Budapest, Hungary
Webpage: http://www.b2kapital.hu
DPO: adatvedelmi_felelos@b2kapital.hu

-----

Latvia

Company name: Creditreform Group: Creditreform Latvija SIA, CREFO Rating SIA & AS Crefo Birojs
Address: Skanstes iela 50, Riga, LV-1013, Latvia
Webpage: http://www.creditreform.lv
DPO: datuaizsardziba@creditreform.lv

Company name: B2Kapital SIA
Address: Dzirnavu iela 41-10, Riga, LV-1010, Latvia
Webpage: N/A
DPO: support@b2kapital.lv

-----

Lithuania

Company name: B2Kapital UAB
Address: A. Menulio g..7, LT- 04326 Vilnius, Lithuania
Webpage: http://www.b2kapital.lt
DPO: dap@b2kapital.lt

-----

Luxembourg

Company name: B2Kapital Holding S.à r.l.
Address: 9, rue Joseph Junck, L-1839 Luxembourg
Webpage: N/A
DPO: dpo@b2upi.com

Company name: UPI (Luxembourg) S.A.
Address: 9, rue Joseph Junck, L-1839 Luxembourg
Webpage: N/A
DPO: dpo@b2upi.com

-----

Norway

Company name: B2 Impact ASA
Address: Cort Adelers gate 30, 7th floor, 0254 Oslo
Webpage: https://www.b2-impact.com
DPO: dpo@b2-impact.com

Company name: Interkreditt Kapital AS
Address: Cort Adelers gate 30, 7th floor, 0254 OSLO, Norway
Webpage: https://www.interkredittkapital.no
DPO: post@interkredittkapital.no

-----

Poland

Company name: Ultimo S.A.,
Address: Szczytnicka 11, 50-382 Wrocław, Poland
Webpage: https://ultimo.pl  
DPO: inspektor.danych@ultimo.pl

Company name: Kancelaria Prawna K. Buczek i Wspólnicy spółka komandytowa
Address: Szczytnicka 11, 50-382 Wrocław, Poland
Webpage: N/A
DPO: inspektor.danych@ultimo.pl

Company name: Ultimo TFI
Address: Szczytnicka 11, 50-382 Wrocław, Poland
Webpage: https://ultimotfi.pl/
DPO: kontakt@ultimotfi.pl

-----

Romania

Company name: B2Kapital Portfolio Management SRL
Address: 89-97, Grigore Alexandrescu Street,  7th floor, METROPOLIS CENTER Building A, District no.1, 010627 Bucharest, Romania
Webpage: https://www.b2kapital.ro
DPO: privacy@b2kapital.ro

Company name: B2 Kapital Finance I.F.N.S.A
Address: 89-97, Grigore Alexandrescu Street, 7th floor, METROPOLIS CENTER Building A, District no.1, 010627 Bucharest, Romania
Webpage: https://www.b2kapitalifn.ro
DPO: dpo@b2kapitalifn.ro 

Company name: Veraltis Asset Management SRL
Address: 89-97, Grigore Alexandrescu Street, 7th floor, METROPOLIS CENTER Building A, District no.1, 010627 Bucharest, Romania
Webpage: https://www.veraltis.ro
DPO: dpo@veraltis.ro

-----

Serbia

Company name: B2 Holding Kapital d.o.o.
Address: Vladimira Popovića 6, 11070 Novi Beograd, Serbia
Webpage: http://www.b2kapital.rs
DPO: zastita-osobnih-podataka@b2kapital.rs

Company name: VERALTIS ASSET MANAGEMENT d.o.o. [Serbia] as a branch office of VERALTIS ASSET MANAGEMENT d.o.o. [Croatia]
Address: Vladimira Popovića 6, 11070 Novi Beograd, Serbia
Webpage: https://veraltis.rs

For contact purposes, please reach the Croatian entity

Company name: VERALTIS ASSET MANAGEMENT d.o.o. 
Address: Radnička cesta 41, 10000 Zagreb, Croatia
Webpage: https://veraltis.hr
DPO: zastita-osobnih-podataka@veraltis.hr

-----

Montenegro

Company name: B2Kapital d.o.o. (Montenegro)-
Address: Trg Nezavisnosti 1/I, 81000 Podgorica, Montenegro
Webpage: http://www.b2kapital.me
DPO: office@b2kapital.me

-----

Slovenia

Company name: B2 Kapital d.o.o.
Address: Verovškova 64 A, 1000 Ljubljana, Slovenia
Webpage: http://www.b2kapital.si 
DPO: miha.dvojmoc@infocenter.si 

Company name: VERALTIS ASSET MANAGEMENT d.o.o. [Slovenia] as a branch office of VERALTIS ASSET MANAGEMENT d.o.o. [Croatia] 
Address: Verovškova 64 A, 1000 Ljubljana, Slovenia
Webpage: https://veraltis.si 

For contact purposes, please reach the Croatian entity

Company name: VERALTIS ASSET MANAGEMENT d.o.o.
Address: Radnička cesta 41, 10000 Zagreb, Croatia
Webpage: https://veraltis.hr
DPO: zastita-osobnih-podataka@veraltis.hr

-----

Spain

Company name: Confirmación de Solicitudes de Crédito Verifica, S.A.U.
Address: Calle Orense 81, 28020 Madrid, Spain
Webpage: https://www.verifica-sa.com
DPO: dpo@verifica-sa.es

-----

Sweden

Company name: Sileo Kapital AB
Address: Lilla Bommen 4B, 411 25 Göteborg, Sweden
Webpage: http://www.sileokapital.com
DPO: dataskydd@sileokapital.com

-----