We strive to operate The Swedish Internet Foundation in a long-term and sustainable manner. We therefore place great importance on ensuring that any misconduct that could seriously harm the organization or our employees is identified and investigated as early as possible.
To facilitate the process for anyone wishing to provide information about misconduct that violates applicable legislation, we have established a whistleblowing solution. All reports are received and handled by an external party.
Please note that only individuals with a direct connection to The Swedish Internet Foundation’s operations are covered by the protection under the Whistleblower Act (Act 2021:890 on the Protection of Persons Reporting Irregularities). Read more on the Swedish Parliament’s website.
Reporting via internal whistleblowing channels
Reports can be made in writing via the website wb.2secure.se or orally by phone at 0771-77 99 77. You may choose to remain anonymous through both these reporting channels. If you wish to report via a physical meeting, this can be requested by registering a report on the website wb.2secure.se. The physical meeting will then be held either with a representative from The Swedish Internet Foundation or with the Foundation’s whistleblowing service provider 2Secure, as agreed.
When registering a new report on wb.2secure.se, you must enter the company-specific code IFS289 to indicate that the report is for The Swedish Internet Foundation. On the website, you will be asked to answer a number of questions related to your report. You can remain anonymous and will be assigned a unique case number and a password, which must be saved in order to actively log in to the website, follow your case, and communicate with the case handler at 2Secure.
Once a report has been registered, it is handled by experienced case managers at 2Secure, who contact The Swedish Internet Foundation’s primary contact person according to a predefined contact list with multiple names. If the primary contact person is the subject of the report, another person on the contact list will be informed. It is always The Swedish Internet Foundation that ultimately assesses the report and decides on the measures to be taken. When you report through The Swedish Internet Foundation’s internal reporting channels, you are entitled to protection under the law (2021:890) on the Protection of Persons Reporting Irregularities.
For oral reporting, you have the right to review and correct any inaccuracies in your report. When making a report by phone, you will receive login details to follow your case on wb.2secure.se. If you later wish to review and potentially correct your report, this can be requested through the web portal. If you wish to sign the record of your report, this can also be requested through the web portal. A case handler from 2Secure will coordinate this. If you choose to sign the record of your report, it means that 2Secure will know your name/identity. 2Secure, however, is committed to protecting your anonymity and will not disclose this information to the company. Thus, even if you wish to sign the record, you can still remain anonymous vis-à-vis The Swedish Internet Foundation.
Reporting via external whistleblowing channels
In addition to reporting to The Swedish Internet Foundation’s internal whistleblowing channel, you may report externally to a competent authority within a specific area of responsibility or to one of the EU’s institutions, bodies, or agencies. Even when reporting externally, you are entitled to protection under the law (2021:890) on the Protection of Persons Reporting Irregularities.
The following authorities have been designated as competent authorities and have established external reporting channels: the Swedish Work Environment Authority, the Swedish National Board of Housing, the Swedish National Electrical Safety Board, the Swedish Economic Crime Authority, the Estate Agents Inspectorate, the Swedish Financial Supervisory Authority, the Public Health Agency of Sweden, the Swedish Agency for Marine and Water Management, the Swedish Authority for Privacy Protection, the Inspectorate of Strategic Products, the Health and Social Care Inspectorate, the Swedish Chemicals Agency, the Swedish Consumer Agency, the Swedish Competition Authority, the National Food Agency, the Swedish Medical Products Agency, the County Administrative Boards, the Swedish Civil Contingencies Agency, the Swedish Environmental Protection Agency, the Swedish Post and Telecom Authority, the Government Offices, the Swedish Inspectorate of Auditors, the Swedish Tax Agency, the Swedish Forest Agency, the Swedish Gambling Authority, the Swedish Energy Agency, the Swedish Board of Agriculture, the Swedish Board for Accreditation and Conformity Assessment, the Swedish Radiation Safety Authority, and the Swedish Transport Agency.
See the Swedish Work Environment Authority’s website for a compilation of each authority’s area of responsibility and contact details.
On the statutory protection of informants
The Whistleblower Act, Act (2021:890) on the Protection of Persons Reporting Irregularities, provides protection for whistleblowers under certain conditions. In addition to the possibility of reporting suspected misconduct under the Whistleblower Act, there is also the freedom to provide information and the freedom to acquire information under the Freedom of the Press Act and the Fundamental Law on Freedom of Expression. This means that employees (with certain exceptions) in both the private and public sectors may, without penalty, disclose otherwise confidential information for publication to the mass media covered by these constitutional laws.
For employees in public operations or other operations where informant protection applies under the Act (2017:151) on Protection of Informants in Certain Private Activities or under the Public Access to Information and Secrecy Act (2009:400), there is also extended protection. This extended protection relates to prohibitions against investigation and reprisals.
The prohibition against investigation means that an authority or other public body, as a general rule, may not seek to find out who has provided a message for publication. The prohibition against reprisals means that public bodies may not take measures that negatively affect an individual because he or she has exercised freedom of expression and the right to provide information. Violations of these prohibitions are punishable by fines or imprisonment for up to one year (Chapter 3, Section 4 of the Freedom of the Press Act and Chapter 2, Section 4 of the Fundamental Law on Freedom of Expression).
In operations where the Public Access to Information and Secrecy Act (2009:400) applies, qualified obligations of confidentiality may not be breached. Which obligations these are is set out in the confidentiality provisions in the law, but generally concern sensitive information about health and medical care, national security, and crime prevention. Exemption from liability does not apply when disclosing information about defense inventions.
Personal data
When using the whistleblowing service, you may choose to remain anonymous. The Swedish Internet Foundation places great emphasis on protecting personal privacy. Below is a summary of some key points regarding data protection legislation.
Personal data
At all times, The Swedish Internet Foundation is obliged to comply with legislation concerning the processing of personal data. It is important that you feel secure when providing information about yourself or others in the whistleblowing system. We take the protection of personal privacy very seriously.
Anonymity
As a whistleblower, you may choose whether to provide your contact details or remain anonymous. In either case, all reports are taken seriously. For our external case handlers, it may facilitate their work if they can contact you for supplementary information; therefore, contact details will be requested. However, it is always entirely voluntary to provide this information.
No IP addresses are recorded, and the system does not use cookies. If you use a computer connected to The Swedish Internet Foundation’s network, it may appear in the internet log that you visited the page where the report was made. If you do not want this to be visible, use a computer that is not connected to the Foundation’s network, or a personal smartphone or tablet.
Data Controller
The Swedish Internet Foundation is responsible for the processing of personal data in accordance with the law.
Purpose of processing data
The personal data will only be used to conduct investigations into the matters reported via the whistleblowing system. The guidelines for whistleblowing describe the types of misconduct that can be reported. The Swedish Authority for Privacy Protection regulates when parties other than authorities may process personal data regarding violations of the law. If a report is received that cannot be handled in the whistleblowing service due to this, or if the misconduct is not serious enough to be managed under the framework of whistleblowing, the case will be closed and all personal data deleted. You will receive a message in the whistleblowing system informing you of this assessment and where you can instead turn with your matter.
Legal basis
The legal basis for the processing of personal data is The Swedish Internet Foundation’s legal obligation under the Whistleblower Act.
Who do we share your personal data with?
Personal data will only be used by the investigative function of The Swedish Internet Foundation’s whistleblowing committee and by the external company engaged to receive the reports. The data is only available to individuals working on the specific case. The investigation may be forwarded to the police or another authority, such as the Swedish Economic Crime Authority.
How long do we keep your personal data?
Personal data is usually deleted three weeks after the case has been closed, but no later than two years after closure if there are special reasons.
Information to the person reported
A person reported through the whistleblowing service will receive specific information about this. If providing this information could jeopardize the continued investigation, it will not be given until it is deemed that such a risk no longer exists. During this period, no register extracts will be provided either.
Extract from the register
As a reporting person, you have the right to obtain information about what personal data concerning you is registered in the whistleblowing service. Such a request for a register extract must be made in writing and signed. Send it to 2Secure, Data Protection Officer, Box 34037, 10026 Stockholm. If any data is incorrect, incomplete, or misleading, you have the right to request that it be corrected. A register extract to the reported person will not contain information that could identify you as the whistleblower. The information may therefore be summarized.