Privacy statement of the internal reporting channel for whistleblowers

This privacy statement applies to personal data collected through the internal reporting channel of the Federation of Finnish Enterprises and the processing of such personal data.

1. Joint controllers

The processing of personal data referred to in this privacy statement is jointly controlled by the following parties:

Suomen Yrittäjät ry (The Federation of Finnish Enterprises; business register ID 1030657-2) and Suomen Yrittäjien Sypoint Oy (business register ID 0581846-9)
Street address: Kyllikinportti 2, 00240 Helsinki
Postal address: P.O. Box 999, 00101 Helsinki
Telephone: 09 229 221
E-mail: jasenpalvelu@yrittajat.fi

The joint controllers determine together the purposes and means of the processing of personal data. The joint controllers are hereinafter referred to as “The Federation of Finnish Enterprises” or “we”.

2. Purposes and legal bases for processing of personal data

Reports regarding misconduct or faults can be made through the internal reporting channel. The report may contain personal data. Personal data is processed only to fulfil a statutory obligation of the Federation of Finnish Enterprises and Suomen Yrittäjien Sypoint Oy, to exercise the labour management and control right, and in the process of handling the received reports.

The processing of personal data of third persons, such as persons mentioned in the report, is based on the statutory obligation of the controller or on the legitimate interests of the controller or a third party. The processing of personal data of the reporting person is based on consent or on the legitimate interests of the controller or a third party. For the personal data of the individuals processing the reports, the processing is based on a legal obligation or legitimate interest.

Reports received by the Federation of Finnish Enterprises are processed by the handlers authorized by the Federation of Finnish Enterprises. The personal data included in the report can be used to investigate the matter reported.

3. How personal data is collected

When making a report, the reporting person provides information about the observed fault or violation. The report typically does not include personal data of the reporting person, unless explicitly provided by the reporting person. If the reporting person provides information about himself/herself, he/she will be treated as a registered person.

The report may contain personal data about individuals other than the reporting person if the reporting person deems it necessary for the report. Personal data may include, for example, photographs, videos, or texts uploaded to the reporting channel in connection with the report. Additionally, personal data may be collected during the processing of the report.

The controller collects personal data about the handlers of the reports for the purpose of processing and access control.

Personal data may contain, among others, name, address, telephone number, email address and position, and, if necessary, the position as a data processor.

The reporting channel does not collect data enabling the identification of the reporting person, such as IP addresses or cookies.

4. How personal data is processed

Personal data is processed for the purpose of handling the reports received through the reporting channel. Based on the reports, the controller takes necessary actions if required.

The personal data included in the report is securely stored in the database of the reporting channel system. The data is accessible only to the authorized handlers appointed by the controller. The controller may restrict access to reports based on different types of reports or the role of handlers. If necessary, the controller can transfer the data to the controller’s database for processing or archiving purposes. The data is kept in a secure format.

5. Transfer of personal data

Personal data is processed by the handlers authorized by the controller. Handlers do not disclose personal data to third parties except in situations based on law, such as if the processing of the report leads to an official investigation or if disclosure is necessary to implement measures required by the results of the report’s investigation.

Personal data may also be shared with third parties in situations where the impartiality of the processing of reports cannot be guaranteed due to affiliations of the handlers authorized by the controller. In such cases, to ensure impartial processing of the report, the controller may authorize an external processor(s) to handle the report in accordance with this privacy statement and legal requirements. Such an external processor may be, for example, an auditor, legal counsel, or another independent expert.

6. Transfer of personal data outside the EU

Personal data will not be transferred outside the EU.

7. The security of processing of personal data

The internal reporting channel of the Federation of Finnish Enterprises has been implemented in the First Whistle system by Juuriharja Consulting Group Oy.

Only the authorized handlers appointed by the controller have access to information about the reports and can process the reports within the system. Each handler uses their individual user credentials when logging in to process the reports.

The reports and associated information are archived in a secure format. Access to archived data is granted to authorized handlers responsible for processing the reports.

8. Personal data retention period

Unless otherwise required by mandatory legislation, personal data will be retained for as long as necessary for the investigation or processing of the report.

Personal data will be deleted no later than two months after the closure of the report or, at the latest, two years after the sanctions determined based on the investigation are enforced, unless longer retention is necessary for the exercise of rights or obligations established by law or for the establishment, presentation, or defense of a legal claim.

Personal data that clearly does not have significance for the processing of the notification will be deleted without undue delay.

9. Rights of the registered person

The registered person has the right to access the personal data collected, except when restricting access is based on the need to protect the essential rights of the data controller or a third party. Such a situation may arise, for example, if access to information would jeopardize the identity of the reporting person.

The registered person has the right to request the correction or deletion of the data collected about him/her. This right can also be restricted if the purpose of the restriction is to safeguard a legal obligation of the data controller, especially the obligation to provide a reliable and impartial reporting channel.

The registered person has the right to request deletion of the personal data collected about him/her.

The registered person has the right to object to the processing of personal data. If the controller processes the data based on a legitimate interest, the registered person has the right to object to the processing of personal data on grounds relating to his/her particular situation.

Should the registered person’s right be restricted by law to the extent necessary and proportionate to ensure the accuracy of the report or to protect the identity of the reporting person, the registered person has the right to be informed of the reasons for the restriction and to request the disclosure of the information to the Data Protection Ombudsman.

The registered person has a right to make a complaint to the Data Protection Ombudsman.

10. Automated decision-making and profiling

Neither profiling nor automatic decision-making is applied to the personal data related to the reporting channel and its processing.