WB reporting channel register

Privacy policy
Last updated
23.08.2024

Registrar

Teampac Oy (2729297-1)
Dunkatie 4
07880 Liljendal

Contact person in matters concerning the register

Jyri Temonen jyri.temonen@teampac.fi +358 400 620 974

Legal basis for processing

Legal Obligation

Purpose of personal data processing

Based on the contents of the report, the legal basis is one of the following: – legal obligation (reported data falling under the scope of the directive) or – legitimate interest (reported data falling outside the scope of the directive). Data processing is based on legislation on whistleblower protection and the so-called “whistleblowing directive” of the EU, and processing is carried out for the purposes of preventing and investigating malpractice, crimes and other similar breaches.

Basis of legitimate interest

Legitimate interest is based on a relationship between the data controller and the data subject: the reporter is either an employee of the data controller, contractor or a stakeholder or similar as defined in the WB directive.

The personal data groups in question

Name of the person being reported and other information on their conduct as well as the name of the reporter, unless the report was made anonymously. The processing may involve a high risk, depending on the contents of the report. This risk has been assessed in more detail in the reporting channel register impact assessment, which can be found in the “impact assessments” section of the Easy GDPR service.

Recipients and recipient groups

The data controller’s own personnel and, when required for more in-depth investigations, a dedicated external partner whose GDPR compliance has been assessed and with whom other measures in accordance with article 28 have been carried out. Data may also be disclosed to the police or other authorities in situations where a crime has occurred or is suspected.

Data content of the register

The register contains the following information: – name of reporter – name of person being reported – information provided by the reporter in connection to the report. Personal data that is clearly not relevant for the processing of the report will not be collected, or if such data is collected by mistake, it will be removed without delay.

Regular sources of information

From the data subjects themselves, meaning the reporters.

Personal data retention period

Data in the filing system are stored for as long as is required for providing proof of innocence for the data controller.

Regular transfers of information

As a rule, data stored in the register are not disclosed to third parties, with the exception of specifically selected, GDPR compliant partners required for the investigation of reports with whom any measures required by article 28 have been carried out.

Data transfer outside the EU or EEA

Data in the filing system will not be transferred outside the EU or the EEA.

Principles of register protection A: Manual material

Data related to the reporting channel register are primarily stored in an electronic format, and data are only processed electronically. Access to the data stored in the filing system is given only to such persons and in such scope that is required for the purposes of processing the reports, monitoring, or other tasks related to the reports. The protection of all data in the filing system is carried out in accordance with the regulations and principles of the Data Protection Act, regulatory provisions, and good data processing practices.

Principles of register protection B: Electronic material

Access to the data stored in the filing system is given only to such persons and in such scope that is required for the purposes of processing the reports, monitoring, or other tasks related to the reports. The filing system is kept on a protected server which is located in Finland. The protection of all data in the filing system is carried out in accordance with the regulations and principles of the Data Protection Act, regulatory provisions, and good data processing practices.

Automatic processing and profiling

The data is not used for automated decision-making or other similar assessment, and the processing does not cause any harm or consequences for the data subject.

Inspection right, i.e. the right to get access to personal data.

The data subject who is the subject of a report does not have the right of access to their data if the provision of this data could hinder the investigation of suspected misconduct. If a phone line or other audio messaging system that does not contain a recording feature is used as a reporting channel, the data controller has the right to draw up detailed minutes on the discussion between the reporter and the person responsible for processing the report. In such a case, the reporter has the right to check and rectify the minutes drawn up of the discussion as well as to confirm them with their signature.

The right to transfer data from one system to another

The data subject does not have the right to transfer data if the provision of this data could hinder the investigation of suspected misconduct or endanger whistleblower protection.

The right to demand correction of information

The reporter has the right to check and rectify, for example, the minutes drawn up of a discussion as well as to confirm them with their signature. A request for rectification may also be denied. If a request for rectification is denied, the responsible person of the filing system will provide a written document stating the grounds for the denial of the request for rectification. The data subject concerned may then pass the matter along to the Data Protection Ombudsman.

Right of limitation

The data subject has the right to request that the processing of their personal data is restricted, for example, if data stored in the filing system is erroneous, as long as this does not hinder the investigation of suspected misconduct or endanger whistleblower protection. In such a case, data processing is restricted until the data controller has verified the accuracy of the data.

Right to object

The data subject does not have the right to object to data processing if this could hinder the investigation of suspected misconduct or endanger whistleblower protection.

The right to file a complaint with the supervisory authority

If the data subject considers that an infringement of the General Data Protection Regulation has occurred in the processing of their personal data, they have the right to lodge a complaint with a supervisory authority. The complaint can also be lodged in a member state where the data subject is a permanent resident or where they are employed. Contact information for the national supervisory authority: Office of the Data Protection Ombudsman PL 800, Lintulahdenkuja 4, 00530 Helsinki tel. +358 29 566 6700 tietosuoja@om.fi www.tietosuoja.fi

Other rights related to the processing of personal data

The data subject has the right to prohibit the disclosure of processing of personal data for the purposes of direct marketing or other marketing, the right to demand the anonymization of data where applicable, as well as the right to be completely forgotten after employment is terminated, unless such a prohibition would hinder a criminal investigation or potentially endanger whistleblower protection.