Whistleblowing Policy - Sambla Group 

Purpose and background

Sambla Group strives to maintain a transparent corporate climate, to observe a standard of business ethics and to always see opportunities for improvement.

Anyone who suspects an irregularity that is in breach of the law or that the disclosure of which may be in the public interest has the opportunity to speak out with protection against retaliation. You can choose to provide your information anonymously. The right to protection is regulated in the law “Protections for Persons Reporting Irregularities Act” (SFS 2021:890).

What can be reported?

·   The law applies when reporting a misconduct in a work-related context that there is a public interest in them coming to light.

·   The law also applies to the reporting of misconduct in a work-related context in accordance with Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

If the report does not fall within the framework of the above, the case must be reported in accordance with Sambla Group’s internal guidelines, policies or procedures.

Who can submit a report?

All persons who, through their work, have come into contact with a suspected misconduct can submit a report, for example:

·   employees

·   volunteers and trainees

·   persons who are performing work under the control and management of a business operator (e.g. hired consultants)

·   shareholders who are actively involved in the company

·   self-employed persons

·   persons who are members of a company’s administrative, management or supervisory body

How can a report be made?

Option 1: Report to a manager within Sambla Group’s organisation or to the corporate group’s management

Option 2: Report anonymously through the reporting tool for whistleblowing in accordance with the instructions below

Reporting tool

To guarantee a whistleblower’s anonymity, a reporting tool is provided from an independent, external agent. The reporting channel is encrypted and password-protected. The whistleblower never needs to state their identity if they do not want to.

·    The whistleblower does not need to have evidence for their suspicions, but no accusations may be made with malicious intent or in the knowledge that the accusation is false.

·   It is important that the whistleblower describes all the facts in the report, including any circumstances that are believed to be less important. Statements should be carefully considered and all documentation that may be relevant should be attached.

Reporting via internal Whistleblowing channels

Reporting can take place in writing via the website wb.2secure.se or verbally by phone at +46 (0)771-77 99 77. You can choose to remain anonymous in both of these reporting channels. If you would like to report via an in-person meeting, this can be requested by registering a report on the website wb.2secure.se. The in-person meeting will be held by agreement either with a representative from Sambla Group or with Sambla Group’s provider of whistleblowing services, 2Secure.

When registering a new report on wb.2secure.se, you must state the company-specific code MAP686 to identify that the report is being made for Sambla Group. On the website, you will be asked to answer a number of questions about the matter to which the report relates. You can remain anonymous and are assigned a unique case number and password, which must be saved so that you can actively log in to the website, monitor the report and communicate with the case officer at 2Secure.

Once a report has been registered, it is processed by experienced case officers at 2Secure, who will contact Sambla Group’s primary contact person based on a predetermined contact list with several names. If the primary contact person is the subject of the report, another person on the contact list will be informed. It is always Sambla Group who ultimately assesses the report and decides what measures are to be taken.

When reporting orally, you have the right to control and correct potential errors in your report. As you report a case by phone you will receive login information to follow your case on wb.2secure.se. If you wish to control and possibly correct your report after registration, this can be requested through the web portal. You can also choose to sign the protocol of your report by requesting this in the web portal. An administrator from 2Secure will coordinate this. If you choose to sign the protocol from your registration, this means that 2Secure becomes aware of your name / identity. 2Secure protects your anonymity and will not disclose this information to the company. You can thus, even if you wish to sign the protocol from your registration, remain anonymous to Sambla Group.

Reporting via external whistleblowing channels

In addition to reporting to Sambla Group's internal whistleblower channel, you can report externally to a competent authority within a specific area of ​​responsibility or to one of the EU institutions, bodies and agencies. The following authorities have been appointed as competent authorities and established external reporting channels: Swedish Work Environment Authority, National Board of Housing, Building and Planning, National Electrical Safety Board, Swedish Economic Crime Authority, Swedish Estate Agents Inspectorate, Swedish Financial Supervisory Authority, Public Health Agency of Sweden, Swedish Agency for Marine and Water Management, Swedish Authority for Privacy Protection, Inspectorate of Strategic Products, Health and Social Care Inspectorate, Swedish Chemicals Agency, Swedish Consumer Agency, Swedish Competition Authority, Swedish Food Agency, Medical Products Agency, The county administrative boards, Swedish Civil Contingencies Agency, Swedish Environmental Protection Agency, Swedish Post and Telecom Authority, Government Offices, Swedish Inspectorate of Auditors, Swedish Tax Agency, Swedish Forest Agency, Swedish Gambling Authority, Swedish Energy Agency, Swedish Board of Agriculture, Swedish Board for Accreditation and Conformity Assessment, Swedish Radiation Safety Authority and Swedish Transport Agency. Go to the website of the Swedish Work Environment Authority for a summary of each authority's area of ​​responsibility and contact details: https://www.av.se/om-oss/visselblasarlagen/extern-rapporteringskanal/lista-over-myndigheter-med-ansvar-enligt-ansvarsomrade-enligt-forordning-2021949/

About statutory informant protection

In addition to the ability to report suspected irregularities in accordance with whistleblowing legislation, there is also a right to freedom of disclosure and acquisition in accordance with the Swedish Freedom of the Press Act and the Swedish Fundamental Law on Freedom of Expression. This means that it is possible for an employee (with certain exceptions) in both private and public sectors to submit with impunity otherwise confidential information for publication to mass media covered by the Swedish Freedom of the Press Act and the Swedish Fundamental Law on Freedom of Expression.

There is also extended protection for employees in public sector organisations or other operations where informant protection applies

in accordance with the Swedish Informant Protection in Certain Sectors of Economic Activity Act (SFS 2017:151)

or the Swedish Public Access to Information and Secrecy Act (SFS 2009:400). This extended protection relates to a prohibition against investigation and a prohibition against retaliation.

The prohibition against investigation means that a government agency or other public body may not, as a general rule, investigate who has submitted a notification for publication.

The prohibition against retaliation means that the general public may not take measures that have negative consequences for an individual because he or she has exercised his or her freedom of expression and disclosure.

Violations of the prohibitions against investigation and retaliation are punishable by fines or imprisonment for a maximum of one year (Chapter 3, Section 4 of the Swedish freedom of the Press Act and Chapter 2, Section 4 of the Swedish Fundamental Law on Freedom of Expression).

In organization’s where the Public Access to Information and Confidentiality Act (2009:400) is applicable, qualified confidentiality obligations may not be breached. Qualified confidentiality obligations usually relate to sensitive information regarding for example health and medical care or national security. An enumeration of the qualified confidentiality obligations and the meaning of each of these may be found in the Public Access to Information and Confidentiality Act. The freedom from liability is neither applicable in cases of disclosure of information regarding defence inventions. 

Who receives the report?

In whistleblowing matters, Sambla Group collaborates with 2Secure, which is an independent, external agent. All reports are received and handled by case officers at 2Secure. They have extensive experience of investigations and global capacity if necessary. 2Secure works in consultation with Sambla Group’s whistleblowing committee. All assessments and decisions on measures are made by Sambla Group’s whistleblowing committee.


After registering a report, the whistleblower can log in again using their login details to see any follow-on questions/comments from the case officer at 2Secure. The report can be followed up on via wb.2secure.se if the whistleblower has saved the case number and the password generated when the report was submitted.

Personal Data

You can remain anonymous when you use the whistleblowing service. Sambla Group takes the protection of personal privacy extremely seriously. Below is a summary of some important points regarding the General Data Protection Regulation.

Personal data

In all cases, Sambla Group is obliged to comply with legislation regarding the processing of personal data. It is important that you feel secure when you provide information about yourself and others in the whistleblowing system. We take the protection of personal privacy extremely seriously.


As a whistleblower, you can choose either to provide your contact details or to remain anonymous. All reports are taken seriously regardless. It can facilitate the continued work of our external case officers if we can contact you to obtain supplementary information. Your contact details will therefore be requested. But providing these details is always completely voluntary.

No IP addresses are registered and the system does not use cookies. If you are using a computer that is connected to Sambla Group, however, it may be recorded in the Internet log that you visited the website where reports are submitted. If you do not wish this information to be visible, use a computer that is not connected to Sambla Group’s network, or a personal smartphone or tablet.

Responsibility for personal data

Sambla Group and its respective subsidiaries where the person who is reported is employed are responsible by law for processing personal data.

Purpose of registration

The personal data will only be used to conduct an investigation into what has been reported to the whistleblowing system. You can read about which types of irregularities can be reported in the whistleblowing guidelines. The Swedish Privacy Protection Authority regulates when anyone other than government agencies may process personal data involving breaches of the law. If a report is received that cannot be processed in the whistleblowing service because of this, or if the irregularity is not sufficiently serious to be handled within the framework of whistleblowing, the case will be closed and all personal data will be erased. You will receive a message in the whistleblowing system stating that this assessment has been made, as well as information about where you can turn instead with your case.

Who has access to the personal data?

Personal data will only be used by the investigating function of Sambla Group’s whistleblowing committee/ethics committee and by the external company that has been assigned to deal with the report. The data are only accessible to people who are working on the report in question. The investigation may be handed over to the police or other authority such as the Swedish Economic Crime Authority.

What personal data are registered?

Initially, the data that you provide as a whistleblower are registered. In an investigation, the information that is needed to investigate the case will be registered, which primarily includes name, position and the suspected irregularity that forms the basis of the report. Information will then be obtained from sources that are deemed necessary for investigating the irregularity.

For how long are personal data kept?

The personal data are usually erased three weeks after the case has been closed, but no more than two years after closure if there are special reasons.

Information for the reported party

A person who is reported in the whistleblowing service will receive special information about this. If there is a risk that this may jeopardise the continued investigation, the information will not be provided until it is no longer deemed to be a risk. In addition, no register extracts are provided during this period.

Register extracts

As a whistleblower, you have the right to receive information about the personal data that is registered about you in the whistleblowing service. Such a request for register extract must be made in writing and signed. Please send it to 2Secure, Dataskyddsombud, Box 34037, 10026 Stockholm. If any of the details are incorrect, incomplete or misleading you have the right to request that they be corrected. A register extract sent to a reported person will not contain any information identifying you as the whistleblower. The information may therefore be provided in summarised form.