Privacy Statement for Whistleblowing Channel
Data controller:
Oy Apotti Ab
Valimotie 17–19
FI-00380 Helsinki, FINLAND
1. What personal data do we collect?
Reports can be made anonymously or in your own name. Reports are always handled confidentially, and the identity of the reporting person is only known to those designated to process the report and to experts called in to investigate the matter.
The register may contain the following personal data:
- the name and contact details of the reporting person, if they have provided the information in the report (the report can always be made anonymously);
- identifying information provided in the report about the suspected person(s) and about their actions that violate the law or ethical principles;
- information provided in the report about the witness(es) to the event, to the extent to which it was provided in the report;
- information collected in connection with the internal investigation concerning the conduct of the suspected person and the assessment of the legality/compliance of the conduct;
- details of persons processing the reports, such as their name, job title, and email address; and
- technical information related to the use of the register, such as user IDs and application logins (logs) for the systems in use.
In general, special categories of personal data are not processed in the context of the whistleblowing process.
2. For what purposes do we process personal data?
Personal data may only be processed for the purpose of fulfilling the legal and ethical obligations of Oy Apotti Ab and for the proper investigation of the reports received.
The processing of personal data is necessary for compliance with the data controller’s legal obligation and on the grounds of the legitimate interests of the data controller or a third party. The processing of data is based on the Whistleblower Protection Act (Act on the Protection of Persons Reporting Infringements of European Union and National Law 1171/2022). In addition, Oy Apotti Ab has a legitimate interest in obtaining information about misconduct related to the company and its operations in order to intervene in it and to ensure the ethical and legal conduct of Oy Apotti Ab’s employees and partners.
The reporting channel is a legally recognized way of monitoring the legality of Oy Apotti Ab’s operating practices and the implementation of ethical principles. The reporting channel allows for obtaining information about alleged misconduct and violations and reacting to them in a timely manner. Allegations and observations may concern, for example, activities that violate ethical principles or the law. The reporting channel supports an open and transparent corporate culture. Reports can be submitted by Oy Apotti Ab’s employees and other people.
Personal data is used in the investigation of the reported case and, if the allegation is confirmed, in the implementation of disciplinary and corrective measures. The data may also be used for supervisory development, analysis, and statistics.
3. Who has access to personal data and is it disclosed to third parties?
Oy Apotti Ab has designated persons who carry out or supervise the investigations, and they process personal data. Personal data is only accessible to those who need the data.
The maintenance of the Apotti reporting channel has been purchased from an external service provider as a SaaS service. The EmCe whistleblowing service is provided by Administer Oyj.
Personal data is disclosed to third parties, such as authorities or external auditors, only when there is a legal basis for doing so.
4. Regular sources of information
The primary source of information in the register is the reporting person and the information they have given in the report as well as the details received via related requests for additional information. In addition, information is collected in the register from various parties involved in the investigation in connection with the internal investigation of the report. Other sources of information are used within the limits set by law.
5. To which countries do we transfer data?
Personal data is only processed in Finland.
6. How do we protect personal data?
Personal data in the register is protected in accordance with the requirements of legislation, with due regard for data protection. The company has implemented appropriate technical and organisational measures to protect personal data from accidental or unlawful loss, disclosure, misuse, alteration, destruction, or unauthorized access. The data is protected by firewalls and various encryption techniques, and the equipment spaces selected for use are secure and have appropriate passage control. The data in the systems is backed up regularly.
The reporting channel is protected by technical means, and the administrator of the reporting channel does not have access to the reports or the details of the person who made the report. The reporting channel does not store IP addresses or other information that could identify the sender of the report. No personal data about the reporting person will be stored in the system unless they themselves provide the data. When making the report, the reporting person is given a number code that they can use to log in and keep track of the further processing of their report. The number code is the only way to access the report afterwards, so the reporting person must make a note of the code. If the code is lost, they will have to make a new report.
Only persons designated by Oy Apotti Ab who need the data for their work are authorized to access the system and process the data therein. The use of personal user IDs is required. Oy Apotti Ab’s whistleblowing officers work confidentially.
7. How long do we keep personal data?
Personal data is stored in the reporting channel for a maximum of one (1) year from the last active event between Oy Apotti Ab and the data subject. As a rule, data is stored for a maximum of two (2) years after the end of the investigation. However, the storage period may vary due to mandatory regulations. If the matter proceeds to court and the court proceedings require a longer storage period, the data will be stored for the period required by the legal proceedings.
8. What are the data subject’s rights?
Below, we explain your rights under the General Data Protection Regulation and how the rights are limited in respect of the processing of data reported under the Whistleblower Protection Act. If you wish to exercise your rights, the requests will always be assessed on a case-by-case basis.
You can contact us by email at tietosuoja@apotti.fi at any time if you have questions about your privacy and the processing of your personal data, or if you wish to exercise your rights regarding your personal data. In order to respond to your request, we may ask you for additional information if necessary. This may be the case, for example, if we are unable to sufficiently identify you based on your request and the information you have provided us with.
We will respond to your request as soon as possible without undue delay. The deadline for providing the information or additional information related to the request is one month from the date of receipt of the request. If the data request is exceptionally complex and extensive, the deadline may be extended by two months. As a rule, the data will be provided to you in the same way as your data request was received. We will agree on the method of providing the data with you in more detail.
The data is usually provided free of charge. However, if the data request is manifestly unfounded and unreasonable, in particular if data requests are made repeatedly, Oy Apotti Ab may charge for the administrative costs incurred in providing the information. We will always inform you in advance of any costs and provide justification for them.
According to the General Data Protection Regulation, the data subject has the following rights:
- Right to gain access to personal data
- Right to have data rectified
- Right to have data erased
- Right to restrict processing
- Right to object to processing
- Right to data portability
Please note that not all the rights of the data subject are unlimited. Your rights as a data subject described above are limited with regard to the processing of data falling within the scope of the Whistleblower Protection Act in such a way that you do not have the right to inspect all data in the register if providing access to the data could hinder the prevention or investigation of crime, or if providing access to the data could seriously jeopardise the rights of another person. If only some of the data concerning you is excluded from your right to inspect data, you have the right to access all other data that has been stored about you. The right to require the rectification or erasure of incorrect, incomplete, unnecessary or outdated data in the register applies to data for which the right to inspect is not restricted. Furthermore, your right to restrict the processing of personal data does not apply to the processing of personal data referred to in the Whistleblower Protection Act. If you need further information, please contact us at tietosuoja@apotti.fi.
If you are not satisfied with the way we process your personal data and the related dispute between you and Oy Apotti Ab cannot be settled amicably, you have the right to refer the matter to the data protection authority for resolution. In Finland, the data protection authority is the Office of the Data Protection Ombudsman. You can report a fault in personal data processing on the Data Protection Ombudsman’s website: https://tietosuoja.fi/en/report-of-fault-in-personal-data-processing.