Data privacy notice for Whistleblower-channel

Data privacy notice for Whistleblower-channel and process of Technical Research Centre of Finland Ltd (”VTT”) (version 1.0/1.3.2023)

In accordance with the EU General Data Protection Regulation (2016/679, “GDPR”) and applicable national legislation (including the Finnish Data Protection Act 1050/2018). The notice may be updated from time to time and the latest version will be published immediately.

1. Description of processing

Processing of personal data related to the handling and processing of Whistleblower notices.

2. Data controller, data protection officer

Data controller:
Name: Technical Research Centre of Finland Ltd (”VTT”), Business ID: 2647375-4
Address: Tekniikantie 21, 02150 Espoo, Finland

Contact:
Name: Laura Puronen (Internal auditor), Heli Helenius (Compliance officer)
Address: Technical Research Centre of Finland Ltd, Tekniikantie 21, 02150 Espoo
e-mail for contact: [email protected]

Data Protection Officer:
Address: VTT Technical Research Centre of Finland Ltd., Register Office, Kivimiehentie 3, 02150 Espoo 
E-mail: [email protected] or [email protected] (DPO, data security and their substitutes)

3. Categories of the personal data

The persons whose personal data is processed belong to the following groups:

  1. A “whistleblower” is a person who makes a notice in the Whistleblower channel
  2. The person who is mentioned in the notification
  3. Any other person who is mentioned either in the notification or in the investigation process (for example a witness, or another person with information about the notification)

Processing of personal data:

  • Whistleblower channel:
    • information given by the “whistleblower” (typically name, telephone number, e-mail)
    • other personal data that are described in the notification
  • Investigation process of the Compliance Committee
    • personal data mentioned in the Whistleblower notification.
    • The Internal auditor may ask for more information from the persons involved in the notification or for data from VTT's IT systems.

It is possible for the “whistleblower” to share personal data in the Whistleblower channel. The guidance is to avoid sharing any unnecessary or sensitive information, and the data controller has no possibility to limit the form of personal data. The data controller will remove all unnecessary personal data from the channel and document this action in order to minimize the collection of personal data. Normally the notices include such personal data as names and contact details, such as e-mail. Registered persons may represent VTT or its subsidiaries.

4. Purposes of processing personal data

Personal data is processed for the purposes of VTT's Whistleblower process. The process includes discovering whether possible misconduct has occurred. The data in the Whistleblower channel is managed by the Internal Auditor and the Compliance officer of VTT. VTT's Compliance Committee will then give its statement on the possible misconduct.

It is possible to leave the notification without a name. In the case of nameless notifications, VTT will not process any identification factors of a person, unless the person wishes to share their name later. It is possible that a person will be identified if the information in the notification includes identification factors that lead to the identification of a person.

VTT will inform the person groups mentioned below about the processing of their personal data within one (1) month after receiving the notification and/or when starting to process the personal data. Under section 33 of the Finnish Data Protection Act (1050/2018), providing the notification is not required if this is justified for crime prevention or investigating crime.

  • Person group: Whistleblower
    • Processing the data: Processing the notification and investigation of suspected misconduct
    • Legal justification: A statutory obligation under the GDPR when processing is necessary to comply with the statutory obligations of the controller. The Whistleblower channel and investigation of the notification are based on national law: Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta 1171/2022. Legitimate interest of the controller to investigate misconduct, if the subject is not based on the law mentioned above.*
    • Processing the data: Revealing identity to a person involved or a person participating in the investigation (witness, party to be heard)
    • Legal justification: Consent**. In principle, VTT does not reveal the person's identity and takes the necessary actions to ensure that the notification does not provide information that would reveal the identity of the whistleblower.
  • Person group: Person involved
    • Processing the data: Processing the notification and investigation of suspected misconduct
    • Legal justification: A statutory obligation under the GDPR when processing is necessary to comply with the statutory obligations of the controller. The Whistleblower channel and investigation of the notification are based on national law: Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta 1171/2022. Legitimate interest of the controller to investigate misconduct, if the subject is not based on the law mentioned above. Processing special categories of personal data: processing is justified to draw up, present or protect legal claims.
  • Person group: Person participating in the investigation process
    • Processing the data: Processing the notification and investigation of the suspected misconduct
    • Legal justification: The Whistleblower channel and processing are based on the law: Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta 1171/2022. Legitimate interest of the controller to investigate misconduct if the subject is not based on the law.

* The legitimate interest of the controller takes precedence over that of the registered person where VTT needs to investigate suspected misconduct (for example, actions that do not comply with VTT's guidance, or the right to prevent financial losses and other risks that could harm VTT's business or reputation).

** The whistleblower will remain nameless during the investigation process unless they give consent to share their personal data with the people mentioned in the notification. The consent can be withdrawn only before the personal data is shared with the persons involved in the notification. It is also possible to reveal the personal data of the Whistleblower if it is necessary for the legal protection of a person involved or in a significant matter which cannot be investigated without revealing the Whistleblower's name.

5. Data sources of personal data

  • Data: Information in notification (Whistleblower channel)
    • Source of data: Notifications in the Whistleblower channel.
  • Data: Information in the investigation process of the Compliance Committee
    • Source of data: Information on a possible non-compliance incident is collected by a nominated person (most often the Internal auditor) from VTT information systems (e.g., access control system, working time reporting system, travel expense control) as well as from the registered person themselves and any persons named in the notification.

In the case of a suspected felony crime, the investigation can be conducted without contacting or involving the person involved, in order to protect the investigation itself and the evidence. The person named in the notification is informed of the processing of personal data unless withholding this information is justified for crime prevention or investigation (Data Protection Act (1050/2018), section 33).

6. Persons or groups receiving personal data

If it is necessary to engage external expertise (e.g., legal services) in processing a notification, VTT may exceptionally forward personal data to these counterparties.

Personal data is forwarded to external parties only for the investigation of suspected misconduct. In cases of suspected crime, investigation material can be forwarded to the preliminary investigation authorities (police) or another competent authority.

7. Transfer of personal data outside of the EU or EEA

Personal data is not transferred outside of the EU or EEA. If it is necessary to make an exception in an individual case (e.g., legal claims outside the EU), the transfer is based on Data Protection Act section V.

8. Automated decision making

Not done.

9. Storing personal data

  • Data: Information in notification
    • Data archiving period: If the investigation process is not started, data is stored for a maximum of 60 days from the decision. Notification metadata is stored for a period of time to allow for filing a retaliation claim. If the investigation process is started, please see below.
  • Data: Investigation material
    • Data archiving period: Notification and investigation material is stored for five (5) years from receiving a report, unless further investigations have not been completed or a longer storage time is justified for drawing up, presenting, or protecting legal claims.

If personal data is not necessary for processing or investigating the report, it is removed immediately. The notifications are inspected upon receipt, and unnecessary personal data is removed.

10. Principles of protecting personal data

Processing of personal data received through the Whistleblower channel and in the investigation is confidential, and processing takes place in a secure data processing environment built especially for this purpose. Access to personal data is granted only to those VTT persons who are responsible for the investigation or further actions. Access to the Whistleblower channel is limited to nominated persons only (Internal auditor, Compliance officer).

11. Rights of data subject

The rights of the data subject vary depending on the legal basis.

The data subject has the following rights (section 11), which may be restricted according to the GDPR and applicable legislation. The data subject may exercise these rights by contacting the controller, preferably in writing and by e-mail using the contact information provided in section 2.

11.1 The right of access

The data subject has the right to obtain from the controller, upon request, confirmation as to whether or not personal data concerning him/her is being processed, and access to his/her personal data, and information concerning the processing of his/her personal data.

11.2 Right to rectification

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate and incorrect personal data concerning him/her, and the completion of incomplete personal data. 

11.3 Right to erasure

The data subject may ask the data controller to remove personal data related to them, for instance, in the following situations: (i) they are no longer required for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent to processing and no other grounds for processing exist; (iii) personal data has been unlawfully processed; (iv) the personal data must be removed in order to comply with statutory obligations applicable to the controller; or (v) the data subject objects to processing under the legitimate interest of the data controller. The request should be addressed to the contact information in section 2.

11.4 The right to lodge a complaint with supervisory authority

The data subject has the right to lodge a complaint with a supervisory authority if he/she considers that the processing of personal data breaches his/her rights pursuant to applicable law. Office of the Data Protection Ombudsman, Ratapihantie 9, 00520 Helsinki, [email protected].