Privacy policy – whistleblowing channel

Controllers

Proventia Oy
Business ID: 0961194-0

Proventia Group Corporation
Business ID: 1612236-0

Address of both companies mentioned
above: Tietotie 1, 90460 Oulunsalo
Telephone: +358 20 7810 200, switchboard

Contact person in matters related to the register

Kaisu Kivioja, Director, Development, HR & ICT
Telephone: +358 50 327 5774
Email: kaisu [dot] kivioja [at] proventia [dot] com
Postal address: Tietotie 1, 90460 Oulunsalo

Data protection officer

Proventia Group Corporation and Proventia Oy have decided not to select any data protection officer, as the core operations of neither company include such processing that would require the regular and systematic monitoring of data subjects on a large scale or concern special categories of personal data. Tasks related to data protection are included in the tasks of Director, Development, HR & ICT. Contact details are presented in Section 2.

The purpose of and grounds for the processing of personal data

Personal data may be collected and processed for the following purposes:

  • processing, investigating and reporting notifications submitted through the whistleblowing channel;
  • monitoring and ensuring compliance with law, agreements and the con-troller´s guidelines;
  • preventing and investigating crime and other misuse, and reporting them for investigation; and
  • protecting rights and fulfilling obligations based on law.
    Personal data is processed on the grounds of fulfilling statutory obligations and the controller´s legitimate interest.
    The controller will not carry out any profiling.

Data content of the register

Notifications can be submitted through the whistleblowing channel anonymously or by entering the submitter´s name. Notifications submitted in both ways will be processed confidentially. The identity of persons who submit notifications by entering their own name will only be known to designated individuals and everyone who is invited to investigate the matter as specialists.

The personal data processed in the register mainly concerns those who submit notifications or whom such notifications concern.

The following data about data subjects can be saved:

    • personal data: first name, last name, email, telephone number, address;
    • data about occupation and employer;
    • data related to suspected crime or misuse; and
    • other data provided by the person who submitted the notification.

Regular sources of data

Data is collected from notifications submitted through the whistleblowing channel and the controller´s internal data sources when investigating notifications, including the persons concerned and IT systems.

The controller may collect personal data from its internal systems, parties related to notifications, and the authorities.

Principles of register protection

Data will only be printed out from the register if required. Any data in paper format are kept in a locked space or locked cupboards, which can only be accessed by separately authorised persons. Printed data will be destroyed after it has been used.

Personal data processed in electronic format are protected by firewalls, passwords and other means accepted generally in information security sectors. Personal data can only be accessed by individuals who are designated by the controller and are committed to storing and processing personal data as required by the EU General Data Protection Regulation (GDPR) and ensuring that it is processed securely.

The whistleblowing channel is a service provided and maintained by Webropol Oy. Webropol´s employees cannot access any notifications in the channel without the controller´s express consent. Webropol´s general privacy policy is available at https://webropol.co.uk/privacy-policy/.

Disclosure of data

The controller can disclose personal data within the limits of valid legislation. For example, personal data can be disclosed to the authorities.

If personal data are disclosed to third parties, the controller will ensure that the data are protected appropriately.

Transfer of data outside the EU or EEA

As a rule, the controller processes personal data in the European Union (EU) and the European Economic Area (EEA). Data may also be processed outside the EU and EEA if this is necessary for the purposes of the processing of personal data defined in this privacy policy or the technical or practical implementation of data processing, including the location of servers. If any personal data is transferred outside the EU or EEA, the requirements set out in data protection legislation will apply to the transfer.

Right of access

Data subjects have the right to check what data about them has been saved in the register.

In addition, they have the right, after submitting a sufficiently accurate and detailed request to access their data, to access other data about them and contained by recordings. The request to access data must be submitted in writing or by other verifiable means to the address mentioned in Section 2.

If required, the controller may request the data subject to specify their request in writing, and the data subject´s identity may be verified before taking any other action.

The right of access can be rejected on grounds laid down by law. As a rule, the right of access can be exercised free of charge.

Right to rectification and erasure

Data subjects can request any incorrect, unnecessary, incomplete or outdated data to be rectified or erased or their processing to the restricted. Data subjects must submit such a request to the controller to the address mentioned in Section 2 or by emailing rekisterit [at] proventia [dot] com.

Other rights related to the processing of personal data

Data subjects have the right:

  • on certain grounds to object to processing;
  • on certain grounds to have their data transferred from one system to another; and
  • withdraw their consent, when processing is based on consent, at any time without this affecting the lawfulness of any processing carried out based on consent before such withdrawal, provided that processing was based on consent.

Data subjects must submit their request to exercise their rights in writing or by other verifiable means to the address mentioned in Section 2 or by emailing rekisterit [at] proventia [dot] com.

Right of data subjects to file a complaint with the supervisory authority

Data subjects have the right to file a complaint with the supervisory authority if the controller has not complied with the applicable data protection regulations in its activities.

Erasure of personal data and the retention period

Personal data will be retained for as long as is necessary to fulfil the purposes defined in this privacy policy, unless personal data need to be retained longer by law.

Amending this privacy policy

The controller reserves the right to amend this privacy policy by giving a notification on its website.