Whistleblowing Channel Privacy Policy

Updated 15.12.2023

We care about your privacy!

We take seriously the protection of the privacy of those using the whistleblowing channel. The processing of all personal data is therefore done in accordance with the laws currently in force, and especially in accordance with the EU General Data Protection Regulation (henceforth GDPR), as well as the Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta. This privacy policy statement explains how we collect personal data, which data we process, and how we do it. It also informs you about your rights.

1. Who are we?

The data controller is STR Global Group Oy (Business ID 2342164-1), which is a part of the STR Global Group Oy group.

STR Global Group Oy
Sarkiantie 409
38200 Sastamala

If there are any questions related to data processing and the data register, please contact our data protection officer by email (tietosuojavastaava@suomenterveysravinto.fi).

2. Where do we receive personal data from?

We receive personal data from those who make anonymous notifications through the whistleblowing channel. The personal data received is whatever personal information the notification contains. We do not receive information on the informant unless they provide it to us separately.

3. What information do we have about you?

We only have whatever information is provided by an informant through the channel. This may include the name and contact information of a person(s) being reported on, as well as any other information possibly contained in the notification. (We may also have information on the informant if they have included personally identifiable information in their report.)

4. How long do we store your data?

We only store information for as long as legally necessary. In case of unwarranted notifications information can be anonymized or deleted immediately after review. In case of valid notifications the retention of information depends on the situation in question and if any actions are taken, such as pending legal action or notifications to relevant authorities.

5. How and why are we processing your personal data?

We process information provided in notifications due to national law (Laki Euroopan unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta) implementing the Whistleblowing Directive. We process the data in accordance with national legislative requirements on processing of notifications and retention periods. The legal basis for this is legal obligation.

6. Disclosing and transferring information

Information provided through the whistleblowing channel is processed only by those selected to process reports. In cases where the contents of the report need to be shared with others in the company or with authorities this is done with great consideration and care according to the laws and regulations involved.

Reports made through the whistleblowing channel are processed in the EEA. In certain circumstances, personal information may be processed outside of the EEA (e.g. requests for access to information sent by email).

6.1. Transferring information to contractors (processors)

Contractors include the following:

  • Whistleblowing channel provider
  • Email service providers

Processors cannot use the data passed on to them for their own purposes in any situation. We have made appropriate contracts with these parties to ensure the adequate safety of personal data also in these systems.

6.2. Transferring data outside of the EEA

While the processing of information through the whistleblower channel is done in the EEA, there may be limited situations where certain data is processed outside of the EEA. Data may be transferred outside the EEA in cases such as a data subject access request requesting information be sent via email.

Transfers to countries outside of the EEA are done based on one of the following: 1) European Commission’s adequacy decisions that a country’s data protection is at the same level as in the EEA, or 2) Standard Contractual Clauses, as well as possible supplementary measures, to ensure that the data is transferred and processed at the same level as within the EEA.

7. How do we protect your data?

We protect your data with technical and organisational measures that ensure that your data is safe in our systems. The company is responsible for the confidentiality, integrity, and legality of the data processing. The contractor in charge of the whistleblowing system is responsible for sufficient technical and organisational measures on their part that ensure the physical and technical protection of the system in question. The contracts with the contractor define what the contractor is able and unable to do with this data.

Regarding our own processing of potential personal information, we have organisational measures in place so that only those selected to originally process the data in question are able to do so. Those selected have login credentials for their own use only, and access rights are limited to their role in processing notifications. They have received instructions on using the channel and how to process notifications.

8. How can I exercise my rights to my personal data?

Due to the nature of the legislation regarding whistleblowing, there are certain limitations regarding data subject rights to personal data. These are explained below. Whenever you exercise your rights, the requests will be examined on a case-by-case basis.

8.1 You have the right to access your personal data in our files

You have the right to ask for the data we have on you, or you can specify particular data that you would like to access. The information can be delivered to you over the phone, by email, by encrypted email or by mail (paper version). In the case of repetitious paper version requests, we charge reasonable fees based on administrative costs (EU General Data Protection Regulation article 15.3).

The right to access can be limited in certain situations where there are ongoing investigations into alleged activities and the provision of such personal information may hinder the investigation. Information will be provided in the amount and scope allowed by law.

8.2 You have the right to demand correcting any erroneous information

If you notice that we have any erroneous or outdated information concerning you, please inform us and we will correct it. In certain cases it may not be legally possible to correct certain information, in which case we will inform you as to such limitations.

8.3 You have the right to erasure (the right to be forgotten)

You have the right to ask for all your personal data to be deleted from our systems. This right is called “the right to be forgotten.” In this case, we will delete as much of your personal data from all of our systems as possible given the situation.

Deleting personal data is not possible in some situations. For example, we cannot delete data that is currently a part of an ongoing investigation when the law does not allow for the deletion of the information. Any laws requiring the retention of data may hinder the deletion of personal data.

We will provide the data subject with information as to which data could be deleted from which systems, as well as information on which data could not be (or, in general, that certain data was not possible to delete at the current time, if we are not able to disclose the data in question).

8.4 You have the right to obtain a response to your question within the time frame defined by GDPR

We will reply to all questions concerning the processing of personal information within the scope of the whistleblowing channel “without undue delay and in any event within one month of receipt of the request” (GDPR 12.3). Our aim, however, is to provide you with the requested information at a clearly earlier date.

8.5 You have the right to lodge a complaint about our activities to a Data Protection Authority

If you believe that we have violated your right to the protection of personal data, you have the right to lodge a complaint about our activities to the data protection authority.

As the data controller is based in Finland, you can make a notification to the Finnish Data Protection Ombudsman via the following link: https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman

9. Updating this privacy policy statement

We update this privacy policy document regularly so that we can take into account the advances in the laws and regulations, new circumstances, as well as changes in policies and procedures.

This privacy policy document is visible on our website, and it has a date indicating when it has been updated. Please stay up-to-date on changes in our privacy policy by regularly checking for updates on our website.