WB reporting channel register

Privacy policy
Last updated
07.11.2023

Registrar

Luxid Group Ltd (2496380-5)
Läntinen Rantakatu 3
20100 Turku

Contact person in matters concerning the register

Eija Väliranta, Luxid Group Ltd, Läntinen rantakatu 3, 20100 Turku, Finland. eija.valiranta@luxidgroup.com, +358-40-3509449

Legal basis for processing

Legal Obligation

Purpose of personal data processing

Based on the contents of the report, the legal basis is one of the following:
– legal obligation (reported data falling under the scope of the directive), or
– legitimate interest (reported data falling outside the scope of the directive).
Data processing is based on legislation on whistleblower protection and the so-called “whistleblowing directive” of the EU, and processing is carried out for the purposes of preventing and investigating malpractice, crimes and other similar breaches.

Basis of legitimate interest

Legitimate interest is based on a relationship between the data controller and the data subject: the reporter is either an employee of the data controller, contractor or a stakeholder or similar as defined in the WB directive.

The personal data groups in question

Name of the person being reported and other information on their conduct, as well as the name of the reporter, unless the report was made anonymously. The processing may involve a high risk, depending on the contents of the report. This risk has been assessed in more detail in the following reporting channel register impact assessment.

Assessment of the risks concerning the rights and freedoms of data subjects

The following risk management chart has been used in evaluating potential risks to the rights and freedoms of data subjects:

Probability P: 1–4 (1 = unlikely, 2 = possible, 3 = likely, 4 = almost certain)
Severity/scale S: 1–4 (1 = minor, 2 = moderate, 3 = significant, 4 = critical)
The risk number (P multiplied by S) describes the total risk.

1. Personal data breaches
   - system breach: P2 S4, risk number 8
   - data breach to the notification channel server: P1 S4, risk number 4
   - hacking of the www server: P1 S3, risk number 3
   - workstation breach: P2 S4, risk number 8
   - data breach in case handling processes: P2 S4, risk number 8
   - data breach for the www browser: P1 S3, risk number 3
   - burglary committed at the investigating outsourcing partner: P2 S4, risk number 8

2. Mistakes made by the data controller or data processor
   - non-compliance with data protection principles: P2 S3, risk number 6
   - risk to whistleblower protection: P2 S4, risk number 8
   - loss of investigation material: P2 S4, risk number 8

3. Risks related to the processing of reports
   - risk to whistleblower protection: P2 S4, risk number 8
   - retaliation against the reporter: P1 S4, risk number 4
   - intentional data leak: P1 S4, risk number 4
   - unintentional data leak: P1 S3, risk number 3
   - unintentional deletion of data: P1 S3, risk number 3
   - disclosure of data by the reporter: P2 S4, risk number 8

4. Risks not related to human action
   - power failure: P1 S2, risk number 2
   - fire in server room: P1 S3, risk number 3
   - natural disasters: P1 S1, risk number 1

5. Data transfer, risks related to partners
   - partner changes: P2 S1, risk number 2
   - device failure in virtual platform: P2 S3, risk number 6
   - failure in backing up data: P1 S2, risk number 2
   - software issues: P1 S2, risk number 2
   - connection failure in server room: P1 S2, risk number 2

6. Criminal activity related to personal data
   - identity theft: P1 S4, risk number 4
   - confidentiality breach: P2 S4, risk number 8

7. Risks related to the use of personal data
   - unauthorised processing: P2 S4, risk number 8
   - unauthorised use of electronic services using illegally obtained usernames and passwords: P2 S4, risk number 8
   - misuse of reported data: P2 S3, risk number 6

Recipients and recipient groups

The data controller’s own personnel and, when required for more in-depth investigations, a dedicated external partner whose GDPR compliance has been assessed and with whom other measures in accordance with article 28 have been carried out. Data may also be disclosed to the police or other authorities in situations where a crime has occurred or is suspected.

Data content of the register

The register contains the following information:
– name of the reporter
– name of the person being reported
– information provided by the reporter in connection with the report.
Personal data that is clearly not relevant for the processing of the report will not be collected, or, if such data is collected by mistake, it will be removed without delay.

Regular sources of information

From the data subjects themselves, meaning the reporters.

Personal data retention period

Data in the filing system are stored for as long as is required for providing proof of innocence for the data controller.

Regular transfers of information

As a rule, data stored in the register are not disclosed to third parties, with the exception of specifically selected, GDPR compliant partners required for the investigation of reports with whom any measures required by article 28 have been carried out.

Data transfer outside the EU or EEA

Data in the filing system will not be transferred outside the EU or the EEA. However, if the report pertains to, for instance, a US colleague and the issue undergoes investigation in the USA, the collected data will then be transferred to the United States. For a comprehensive understanding of data transfer, please refer to chapter 4 of Luxid’s Privacy Policy titled "International transfers of your personal data." We maintain offices and facilities in Finland, the United Kingdom, and the United States. The European Commission has granted an "adequacy decision" concerning the data protection laws of each of these countries. Any data transfers to these countries are safeguarded by suitable measures, specifically the utilisation of standard data protection clauses adopted or approved by the European Commission. A detailed version of these clauses can be accessed at: https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en.

Principles of register protection A: Manual material

Data related to the reporting channel register are primarily stored in an electronic format, and data are only processed electronically. Access to the data stored in the filing system is given only to such persons and in such scope that is required for the purposes of processing the reports, monitoring, or other tasks related to the reports. The protection of all data in the filing system is carried out in accordance with the regulations and principles of the Data Protection Act, regulatory provisions, and good data processing practices.

Principles of register protection B: Electronic material

Access to the data stored in the filing system is given only to such persons and in such scope that is required for the purposes of processing the reports, monitoring, or other tasks related to the reports. The filing system is kept on a protected server which is located in Finland. The protection of all data in the filing system is carried out in accordance with the regulations and principles of the Data Protection Act, regulatory provisions, and good data processing practices.

Automatic processing and profiling

The data is not used for automated decision-making or other similar assessment, and the processing does not cause any harm or consequences for the data subject.

Inspection right, i.e. the right to get access to personal data

The data subject who is the subject of a report does not have the right of access to their data if the provision of this data could hinder the investigation of suspected misconduct. If a phone line or other audio messaging system that does not contain a recording feature is used as a reporting channel, the data controller has the right to draw up detailed minutes on the discussion between the reporter and the person responsible for processing the report. In such a case, the reporter has the right to check and rectify the minutes drawn up of the discussion as well as to confirm them with their signature.

The right to transfer data from one system to another

The data subject does not have the right to transfer data if the provision of this data could hinder the investigation of suspected misconduct or endanger whistleblower protection.

The right to demand correction of information

The reporter has the right to check and rectify, for example, the minutes drawn up of a discussion as well as to confirm them with their signature. A request for rectification may also be denied. If a request for rectification is denied, the responsible person of the filing system will provide a written document stating the grounds for the denial of the request for rectification. The data subject concerned may then pass the matter along to the Data Protection Ombudsman.

Right of limitation

The data subject has the right to request that the processing of their personal data is restricted, for example, if data stored in the filing system is erroneous, as long as this does not hinder the investigation of suspected misconduct or endanger whistleblower protection. In such a case, data processing is restricted until the data controller has verified the accuracy of the data.

Right to object

The data subject does not have the right to object to data processing if this could hinder the investigation of suspected misconduct or endanger whistleblower protection.

The right to file a complaint with the supervisory authority

If the data subject considers that an infringement of the General Data Protection Regulation has occurred in the processing of their personal data, they have the right to lodge a complaint with a supervisory authority. The complaint can also be lodged in a member state where the data subject is a permanent resident or where they are employed.

Contact information for the national supervisory authority:
Office of the Data Protection Ombudsman
PL 800
Lintulahdenkuja 4
00530 Helsinki
tel. +358 29 566 6700
tietosuoja@om.fi
www.tietosuoja.fi

Other rights related to the processing of personal data

The data subject has the right to prohibit the disclosure of processing of personal data for the purposes of direct marketing or other marketing, the right to demand the anonymization of data where applicable, as well as the right to be completely forgotten after employment is terminated, unless such a prohibition would hinder a criminal investigation or potentially endanger whistleblower protection.