Privacy Notice – SpeakUp reporting channel

13.03.2024

1. Intro

Polestar is committed to fostering a speak up culture characterised by openness, integrity and accountability, to be able to identify, act on and prevent unethical behaviour or misconduct. Polestar has implemented a group-wide reporting channel or grievance mechanism called SpeakUp to help internal and external individuals to report concerns. 

This document describes how Polestar processes your personal data when you report a concern in Polestar SpeakUp, using any of the available channels.

Polestar SpeakUp is intended for concerns related to severe violations of Polestar Code of Conduct, corporate policies and directives, and applicable legislation, including issues such as bribery or corruption, fraud, competition law infringements, use of child or slave labour or other human rights violations, discrimination, harassment, bullying, leakage of confidential information or theft. The scope of Polestar SpeakUp is described in Polestar’s Corporate Speak Up Policy. SpeakUp is designed as a last resort communication tool.

Anonymous reports are possible, where permitted under local laws. Anonymity may, however, affect our possibility to investigate your concern effectively. If you choose to provide identifying information in your report, we will treat your information confidentially and securely.

Polestar does not tolerate any retaliation against anyone for raising concerns in good faith, regardless of whether those allegations result in a substantiated investigation.

2. Who we are

Polestar Automotive Holding UK PLC and Polestar Performance AB, hereinafter referred to as “Polestar”, “we” and “our”, act as joint controllers when processing your personal data as described below. The Speak Up reporting channel, and any compliance investigations, are managed by the HQ functions in Polestar Performance AB. Polestar Automotive Holding UK PLC and its Board of Directors is responsible for group-level supervision and management of the Speak Up reporting system and compliance investigations.

3. What personal data we collect and why

When you submit a report in Polestar SpeakUp, we process the following types of personal data about you:

  • Language, country and type of issue reported, as selected by you when submittinga report.
  • Information that you provide in the free-text fields in the report, including your identifying information and whether you are employed by the Polestar group if you choose to write it.
  • Voice message, if you choose to submit a report via phone.
  • E-mail address (voluntary; only for provision of notifications of new messages; e-mail address not available to Polestar)
  • IP address and other technical data

It is possible to continue a conversation in the SpeakUp reporting system, in which case we will also process such further information you choose to write in the conversation.

The SpeakUp reporting system is not designed to collect or process your sensitive data, although you may disclose this to us voluntarily in the free-text fields in your report.

We use your personal data for the purpose of reviewing your report and to investigate suspected severe violations of Polestar Code of Conduct, corporate policies and directives, or applicable legislation.

If you choose to submit a report via phone, the voice message will be transcribed to us into the SpeakUp reporting system.

The legal bases for our processing of your personal data are:

  • Fulfilment of our legal obligations (from e.g. the US Securities & Exchange Commission, the US Nasdaq, and legislation implementing the EU Whistleblowing Directive (2019/1937)) (GDPR Article 6(1)(c)).
  • Our legitimate interest in ensuring that we comply with applicable legislation and our Code of Conduct and corporate policies/directives throughout all our group operations and in facilitating the possibility for other persons to report such suspected severe violations (GDPR Article 6(1)(f).
  • If you provide us with sensitive personal data about you, we will process it on the basis of GDPR Article 9(2).

4. How long we keep your data

We will retain your personal data for as long as necessary to fulfil the purposes for which it was collected and processed, including for purposes of any legal obligations.

Your personal data is deleted or anonymised within two years from the date on which the investigation is concluded, except for if the severity of the allegation, a legal obligation or legal or disciplinary proceedings require us to store your data longer.

If you have chosen to submit a report via phone, the voice message is stored for 14 days after translation job closure plus a further 90 days for the data backup. The technical data is stored for 90 days, except in cases of established malicious activity.

5. Disclosure of your personal data

The identity of individuals who submit reports in the SpeakUp reporting system is treated as confidential information, and we take all reasonable steps to limit the disclosure of your identity and personal data.

However, some of your personal data may be necessary to disclose to others who are specifically authorized to process data on our behalf or engaged to investigate suspected severe violations or misconduct.

  • Polestar affiliates: Specifically authorised individuals in the Polestar group only, as necessary for the investigation following a report.
  • External legal counsel, independent external investigators and/or statutory auditors
  • Processors (Service providers and other parties): The SpeakUp reporting system is provided by People Intouch B.V. (Netherlands). People Intouch B.V. uses subprocessors based in the EU and the UK for data hosting and translation services.
  • Authorities: In certain circumstances, we may be legally required to disclose information to government or law enforcement authorities, e.g. the police, the privacy protection authority, public courts, authorities for official registering of the vehicle, or enforcement agencies. This may be in response to valid and lawful requests, such as subpoenas, court orders or other legal processes. We may also disclose information when necessary to protect the rights, property, or safety of you, us, or others. We comply with all applicable laws and regulations regarding the disclosure of information to government authorities. We carefully review each request to ensure its validity and legality, as well as the impact of the data disclosure on the subjects concerned by the request before disclosing any information. We strive to protect your privacy and rights to the extent permitted by law. In the event of a government request for information, we will make reasonable efforts to notify you unless prohibited by law or court order.  If you have any questions or concerns about our practice of disclosing information to authorities, please contact us.  

6. Transfer of your personal data

We strive to process your personal data within the EU/EEA area. However, your personal data will be transferred outside the EU/EEA in some situations, such as when we share your information with an affiliate, business partner or subcontractor operating outside the EU/EEA. 

Within the scope of the SpeakUp reporting channel, we transfer personal data to the following countries outside of the EU/EEA: the United Kingdom (where Polestar Automotive Holding UK PLC is incorporated).

We always ensure that the same high level of protection applies to your personal data according to the GDPR, even when the data is transferred outside of the EU/EEA. As regards the United Kingdom, the Commission has decided that it ensures an adequate level of protection (article 45 of the GDPR. In addition, we take additional technical and organisational security measures when needed, such as encryption (TLS) and pseudonymisation.

Depending on the nature of your report, it may also be necessary to transfer your data to other countries outside of the EU/EEA. If we do so, we will ensure to take additional adequate measures to protect the data, e.g. to ensure that the recipient is bound by the EU Standard Contractual Clauses (the EU Model Clauses).

7. Your rights

You have specific legal rights granted by the General Data Protection Regulation relating to the personal data we process about you. You can withdraw your consent or object to our processing of your data, access the data we hold about you, ask for rectification or restriction of your data, request to have your data ported to another entity, request that we delete your data, and finally you can file a complaint with a data protection supervisory authority. For more information about your rights, see our Customer Privacy Policy

In order to exercise your rights, please use this web form. If you have any other questions regarding the subject matter of personal data protection, you can contact us or our Data Protection Officer on the contact details stated on polestar.com/privacy-policy.

8. Contact information

Polestar Automotive Holding UK PLC is a company incorporated in England & Wales with company registration number 13624182 and with registered address at The Pavilions, Bridgwater Road, Bristol, England, BS13 8AE.

Polestar Performance AB is a Swedish legal entity with company registration number 556653-3096 with address Assar Gabrielssons Väg 9, SE-405 31 Gothenburg, Sweden.

9. Changes to our Privacy Notice

We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy notice at any time. For this reason, we encourage you to refer to this privacy notice on an ongoing basis. This privacy notice is current as of the date which appears at the top of the document. We will treat your personal data in a manner consistent with the privacy notice under which they were collected, unless we have your consent to treat them differently.