Iivari Mononen Oy (0194622-8)
Länsikatu 15
80100 Joensuu
Suomi (UK)
WB reporting channel register
2023-12-08
Consent
Based on the contents of the report, the legal basis is one of the following:
– legal obligation (reported data falling under the scope of the directive) or 
– legitimate interest (reported data falling outside the scope of the directive).
Data processing is based on legislation on whistleblower protection and the so-called “whistleblowing directive” of the EU, and processing is carried out for the purposes of preventing and investigating malpractice, crimes and other similar breaches.
Legitimate interest is based on a relationship between the data controller and the data subject: the reporter is an employee or contractor of the data controller, a stakeholder, or a similar party as defined in the WB directive.
Name of the person being reported and other information on their conduct as well as the name of the reporter, unless the report was made anonymously.
The processing may involve a high risk, depending on the contents of the report. This risk has been assessed in more detail in the reporting channel register impact assessment, which can be found in the “impact assessments” section of the Easy GDPR service.
The data controller’s own personnel and, when required for more in-depth investigations, a dedicated external partner whose GDPR compliance has been assessed and with whom other measures in accordance with article 28 have been carried out.
 
Data may also be disclosed to the police or other authorities in situations where a crime has occurred or is suspected.
The register contains the following information:
– name of reporter
– name of person being reported
– information provided by the reporter in connection to the report.
Personal data that is clearly not relevant for the processing of the report will not be collected, or if such data is collected by mistake, it will be removed without delay.
From the data subjects themselves, meaning the reporters.
Data in the filing system are stored for as long as is required for providing proof of innocence for the data controller.
As a rule, data stored in the register are not disclosed to third parties, with the exception of specifically selected, GDPR compliant partners required for the investigation of reports with whom any measures required by article 28 have been carried out.
Data in the filing system will not be transferred outside the EU or the EEA.
Data related to the reporting channel register are primarily stored in an electronic format, and data are only processed electronically. Access to the data stored in the filing system is given only to such persons and in such scope that is required for the purposes of processing the reports, monitoring, or other tasks related to the reports. 
The protection of all data in the filing system is carried out in accordance with the regulations and principles of the Data Protection Act, regulatory provisions, and good data processing practices.
The filing system is kept on a protected server which is located in Finland. 
The data are not used for automated decision-making or other similar assessment, and the processing does not cause any harm or consequences for the data subject.
The data subject who is the subject of a report does not have the right of access to their data if the provision of this data could hinder the investigation of suspected misconduct. 
If a phone line or other audio messaging system that does not contain a recording feature is used as a reporting channel, the data controller has the right to draw up detailed minutes on the discussion between the reporter and the person responsible for processing the report. In such a case, the reporter has the right to check and rectify the minutes drawn up of the discussion as well as to confirm them with their signature.
The data subject does not have the right to transfer data if the provision of this data could hinder the investigation of suspected misconduct or endanger whistleblower protection.
The reporter has the right to check and rectify, for example, the minutes drawn up of a discussion as well as to confirm them with their signature.
A request for rectification may also be denied. If a request for rectification is denied, the responsible person of the filing system will provide a written document stating the grounds for the denial of the request for rectification. The data subject concerned may then pass the matter along to the Data Protection Ombudsman.
The data subject has the right to request that the processing of their personal data is restricted, for example, if data stored in the filing system is erroneous, as long as this does not hinder the investigation of suspected misconduct or endanger whistleblower protection. In such a case, data processing is restricted until the data controller has verified the accuracy of the data.
The data subject does not have the right to object to data processing if this could hinder the investigation of suspected misconduct or endanger whistleblower protection.
If the data subject considers that an infringement of the General Data Protection Regulation has occurred in the processing of their personal data, they have the right to lodge a complaint with a supervisory authority. The complaint can also be lodged in a member state where the data subject is a permanent resident or where they are employed. 
Contact information for the national supervisory authority: 
Office of the Data Protection Ombudsman, PL 800, Lintulahdenkuja 4, 00530 Helsinki, tel. +358 29 566 6700, tietosuoja@om.fi, www.tietosuoja.fi
The data subject has the right to prohibit the disclosure of processing of personal data for the purposes of direct marketing or other marketing, the right to demand the anonymization of data where applicable, as well as the right to be completely forgotten after employment is terminated, unless such a prohibition would hinder a criminal investigation or potentially endanger whistleblower protection.