Data privacy notice for Whistleblower-channel
Privacy Notice (version 2.0, 8.9.2025)
1. Description of processing
This notice concerns VTT's whistleblower channel and the related personal data processing activities. Reports to VTT's whistleblower channel can be made without name, and the reporter can choose whether to provide their own information or not. Reports can also be made about another person, in which case their personal data will be processed.
The privacy notice is based on the EU General Data Protection Regulation (2016/679, "GDPR") and the national Data Protection Act (1050/2018). The privacy notice may be updated from time to time, and data subjects are encouraged to follow the current information at the publication locations of this privacy notice.
2. Data controller, data protection officer
VTT Technical Research Centre of Finland Ltd ("VTT"), Business ID: 2647375-4, Tekniikantie 21, 02150 Espoo
For information regarding this privacy notice, you can contact the data controller preferably by email at [email protected] or by mail at VTT Technical Research Centre of Finland Ltd, Kirjaamo, Kivimiehentie 3, 02150 Espoo.
3. Categories of the personal data
Reports can be made without giving a name, in which case personal data will not be processed.
The individuals whose personal data may be processed belong to the following groups:
- The person who made the report to the whistleblower channel, if they have provided their personal data in the report.
- The person who is the subject of the report.
- Other individuals mentioned in the report or during the investigation process (e.g., witnesses, interviewees, other third parties).
The whistleblower channel may include:
- The reporter's own contact information (name, phone number, email).
- Personal data included in the description of the misconduct by the reporter.
- Personal data processed during the investigation process by the Compliance Committee.
- The internal auditor may request information from VTT's information systems and from individuals involved in the investigation process.
- Personal data processed during the investigation process by the Sustainability Committee.
- The Responsibility Team may request information from VTT's information systems and from individuals involved in the investigation process.
The data may include special categories of personal data (e.g., health information) and criminal or misconduct information, as they arise during the investigation process. As a rule, these categories of personal data are not processed. The whistleblower channel's guidance encourages the reporter to limit personal data to only what is necessary, but since the reporter can enter information themselves, the data controller has no way to restrict what personal data, including potentially special categories of personal data, is processed.
VTT processes only the necessary personal data for the investigation of the case and strives to minimize the data processed as needed.
4. Purpose and legal basis of processing personal data
The purposes of processing personal data are:
- Handling reports made to the whistleblower channel.
- Investigating reports during the Compliance Committee's investigation process.
- Investigating reports during the Responsibility Committee's investigation process.
Reports can be made without giving a name. In such cases, the identifying information of the person who made the report will not be processed unless the person later reveals their identity. Identification of the person may still occur based on the combination of information provided in the report.
VTT will inform the representatives of the following groups about the processing of their personal data within one (1) month of receiving the report and/or starting the processing of personal data. Notification may be waived if it is necessary to prevent or investigate crimes (Data Protection Act, Section 33).
Person Group: The person who made the report
Processing Activity: Handling the report and investigating the suspected misconduct
Legal Basis:
- The statutory obligation of the data controller. Providing the whistleblower channel and investigating reports is mandated by the Act on the Protection of Persons Reporting Violations of European Union and National Law 1171/2022.
- The legitimate interest of the data controller to investigate misconduct if the matter is not within the scope of the statutory obligation.*
Processing Activity: Revealing Identity to the Person Subject to the Report and Participants in the Investigation Process (e.g., Witness, Interviewee)
Legal Basis:
- Consent**. In principle, VTT does not disclose the identity of the whistleblower and strives to ensure that the report does not provide information that would reveal the identity of the person who made the report. If the identity of the whistleblower is likely to be inferred when the investigation begins, the investigator will contact the whistleblower to confirm whether they wish to proceed with the investigation. (If the report constitutes a criminal offense, the investigation will be transferred to the authorities, and the whistleblower's name will be disclosed.)
Person Group: Person Subject to the Report
Processing Activity: Handling the report and investigating the suspected misconduct
Legal Basis:
- The statutory obligation of the data controller. Providing the whistleblower channel and investigating reports is mandated by the Act on the Protection of Persons Reporting Violations of European Union and National Law 1171/2022.
- The legitimate interest of the data controller to investigate misconduct if the matter is not within the scope of the statutory obligation.
- Special categories of personal data: Processing is necessary for the establishment, exercise, or defense of legal claims.
Person Group: Participant in the Investigation Process (e.g., Witness, Interviewee, Other Third Party Mentioned in the Report)
Processing Activity: Handling the report and investigating the suspected misconduct
Legal Basis:
- Providing the whistleblower channel and investigating reports is mandated by the Act on the Protection of Persons Reporting Violations of European Union and National Law 1171/2022.
- The legitimate interest of the data controller to investigate misconduct if the matter is not within the scope of the statutory obligation.
*The legitimate interests of the data controller also include the following grounds: the right to ensure that the activities of the staff comply with the law and VTT's guidelines, the right to prevent financial losses and avoid reputational risks, the right to ensure the legal protection of the staff (e.g., protecting against unfounded accusations and reputational risks), and the right to improve VTT's compliance. In these situations, the legitimate interest of the data controller is considered to outweigh the rights of the data subject, particularly the right of the person subject to the report to decide on the processing of their personal data.
** The identity of the person who made the report will not be disclosed to the person subject to the report or to participants in the investigation process without consent. The whistleblower will be asked separately for consent to disclose their identity to the person subject to the report. This consent can be withdrawn only until the identity has been disclosed. Disclosure of identity without consent may also occur later in the process (i) for the legal protection of the person subject to the report or (ii) if the matter under investigation is significant and the investigation cannot be carried out without revealing the identity of the whistleblower.
In addition to the above, it should be noted that certain authorities, such as the police, customs, border guard, and tax authorities, have a statutory right to access information.
5. Data sources of personal data
Data: Information in notification (Whistleblower channel)
Source of data: Notifications in Whistleblower channel.
Data: Information in the investigation process of Compliance Committee
Source of data:
- Information about a possible non-compliance incident related to VTT’s own operations is collected by a designated person (most often the internal auditor) from VTT information systems (e.g., access control system, working time reporting system, travel expense control) as well as from the data subject themselves and any persons named in the notification.
- In the case of a suspected felony, the investigation can be conducted without the involvement or participation of the person concerned, in order to protect the investigation itself and the evidence. The person named in the notification is informed of the processing of personal data unless withholding this information is justified for crime prevention or investigation. (Data Protection Act (1050/2018) section 33)
Data: Information in the investigation process of Sustainability Committee
Source of data:
- Information about a possible non-compliance incident related to VTT’s value chain, but not directly to its own operations, is collected by a designated person (most often a member of the Corporate Sustainability and Responsibility Team) from VTT information systems as well as from the data subject themselves and any persons named in the notification.
- In the case of a suspected felony, the investigation can be conducted without the involvement or participation of the person concerned, in order to protect the investigation itself and the evidence. The person named in the notification is informed of the processing of personal data unless withholding this information is justified for crime prevention or investigation. (Data Protection Act (1050/2018) section 33)
6. Persons or groups receiving personal data
If it is necessary to engage external expertise (e.g., legal services) in processing a notification, VTT may exceptionally forward personal data to these counterparties.
Personal data is forwarded to external parties only for the investigation of suspected misconduct. In cases of suspected crime, investigation material can be forwarded to the preliminary investigation authorities (police) or another competent authority.
7. Transfer of personal data outside the EU or EEA
Personal data is not transferred outside the EU or EEA. If, in an individual case, it is necessary to deviate from this, for example, due to the recipient of the specific case (section 67), the transfer will be based on the transfer principles of Chapter V of the GDPR, typically either on the European Commission's adequacy decision regarding the protection level of the destination country or on the European Commission's standard contractual clauses, in which case the legality of the transfer will be assessed.
8. Automated decision making
Not done.
9. Storing personal data
Data: Information in notification
Data archiving period:
- Personal data is retained only as long as and to the extent necessary. The data is used only for the processing purposes stated in this privacy notice.
- If an investigation process is not started, data is stored for a maximum of 60 days from the decision. Due to potential retaliation claims, the identifying information from the report is retained considering the statute of limitations for such claims.
- If an investigation process is started, see below.
Data: Investigation material
Data archiving period:
- Notification and investigation material is stored for five (5) years from the receipt of the report, unless further investigations are still ongoing or a longer storage period is justified for drawing up, presenting, or defending legal claims.
- If personal data is not necessary for the processing or investigation of the report, it is removed immediately. The notifications are inspected upon receipt, and unnecessary personal data is removed.
10. Principles of protecting personal data
Personal data received through the Whistleblower channel and during investigation is processed confidentially, in a secure processing environment built specifically for this purpose. Access to personal data is limited to those VTT personnel who are responsible for the investigation or further actions. Access to the Whistleblower channel is limited to nominated persons only (internal auditor, Head of HR Legal and People Services). For reports concerning parts of VTT's value chain other than VTT's own operations, access is granted to designated individuals (employees of the Corporate Sustainability and Responsibility team, and procurement and sustainability specialist) after a preliminary assessment by the internal auditor and/or Head of HR Legal and People Services.
11. Rights of the data subject
The rights of the data subject vary according to the legal basis of the processing.
If the legal basis for processing is a statutory obligation, the data subject generally has the following rights:
- The right to receive information about the processing of personal data, unless an exception is provided by law.
- The right to access data.
- The right to rectify data.
- The right to restrict the processing of data.
- The obligation to notify about the rectification or restriction of processing of personal data.
- The right not to be subject to automated decision-making without a legal basis.
- The right to lodge a complaint with a supervisory authority.
If the legal basis for processing is the legitimate interests of the data controller, the data subject generally has the following rights:
- The right to receive information about the processing of personal data.
- The right to access data.
- The right to rectify data.
- The right to erase data (the "right to be forgotten").
- The right to restrict the processing of data.
- The right to object to the processing of data.
- The right to lodge a complaint with a supervisory authority.
If the legal basis for processing is the consent of the data subject, the data subject generally has the following rights:
- The right to receive information about the processing of personal data.
- The right to withdraw consent (and the right to erase data).
- The right to access data.
- The right to rectify data.
- The right to erase data (the "right to be forgotten").
- The right to restrict the processing of data.
- The right to data portability.
- The right to lodge a complaint with a supervisory authority.
The rights of data subjects may be deviated from and/or restricted in accordance with applicable legislation. Restrictions and deviations are checked on a case-by-case basis.
The data subject can exercise the above rights by contacting the data controller using the contact information provided in section 2, preferably by email.
Additional Information on Rights:
Right to Withdraw Consent: If the processing is based on consent, the data subject has the right to withdraw their consent regarding the processing of their personal data. Withdrawal of consent is not possible after certain stages of the investigation process. For example, consent to disclose the identity of the whistleblower cannot be withdrawn after the identity has been disclosed to the person subject to the report. Processing may then also be based on another legal basis.
Right of Access: The data subject has the right to obtain confirmation from the data controller as to whether personal data concerning them is being processed. The data subject also has the right to access their personal data and information about the processing of their personal data.
Right to Rectification: The data subject has the right to have inaccurate and incorrect personal data concerning them rectified without undue delay and to have incomplete personal data completed.
Right to Erasure (the "Right to be Forgotten"): The data subject has the right to have the data controller erase personal data concerning them without undue delay.
Right to Restrict Processing: The data subject has the right, in certain situations, to require the data controller to restrict processing.
Right to Object to Processing: The data subject has the right, in certain situations, to object to the processing of their personal data. In such cases, personal data will no longer be processed unless there is a compelling and legitimate reason for the processing that overrides the interests, rights, and freedoms of the data subject, or if the processing is necessary for the establishment, exercise, or defense of legal claims. The right to object does not apply to statutory processing.
Right to Data Portability: The data subject has the right to receive the personal data concerning them, which they have provided to the data controller, and the right to transfer such data to another data controller to the extent that the processing is based on consent or contract, and the processing is carried out automatically.
Right to Lodge a Complaint with a Supervisory Authority: The data subject has the right to lodge a complaint with the supervisory authorities if they believe that their rights have been violated under the EU General Data Protection Regulation:
Office of the Data Protection Ombudsman
https://www.tietosuoja.fi/yhteystiedot
Address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PL 800, 00531 Helsinki
Telephone exchange: 029 566 6700
Registry: 029 566 6768
Email (registry): [email protected]