Privacy statement – Whistleblower channel

Home / Privacy statement – Whistleblower channel

Privacy statement / Whistleblower channel.
Statement updated December 23th 2024.

1. Controller

INNOFLAME OY
Kornetintie 3
00380 HELSINKI, Finland
Tietosuoja@innoflame.fi

2. Purpose and legal basis of processing

The whistleblower channel allows employees and external stakeholders to anonymously report suspected misconduct. Personal data is processed when investigating reported cases and assessing and imposing possible sanctions.

The controller protects privacy and processes personal data collected in the whistleblower channel in accordance with data protection legislation and good data protection practices.

Legal basis:

Statutory basis: Act on the Protection of Persons Reporting Violations of European Union and National Law. 1171/2022.

3. Data sources

Whistleblowers may be employees or external stakeholders. In addition, while investigating the case, the controller collects the essential information related to the report from the parties concerned and the persons and parties involved in the events.

4. Groups of data subjects and data collected

Whistleblower:

As a rule, notifications are anonymous. The whistleblower may add personal data (such as their name, location, financial information, etc.) to the report. The report may contain images and other attachments. The data provided by the whistleblower may also include special categories of personal data (such as health data).

Subject of the report:

The report may contain data about the subject (name, location, image, financial information, position, etc.). The data may also contain special categories of personal data.

Report processors:

The following personal data are collected about the report processors and experts:
– Name, email address, telephone, log data, username

5. Access to personal data

The personal data can be accessed by the controller’s appointed report processors. Reports are in electronic format only.

The controller’s whistleblower channel is maintained by RESENI OY. The controller has made an agreement to ensure that the service provider processes personal data obtained from the channel in accordance with data protection legislation.

6. Disclosure of personal data

Personal data may be disclosed to third parties, such as authorities or auditors, but only on a statutory basis.

7. Transfer of data outside the EU or EEA

Data will not be transferred outside the EU or EEA.

8. Data retention period

The data collected in the register is retained only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected. The data is erased five years after the report was received. Personal data that is clearly not relevant to the processing of the report is erased without undue delay.

9. Data subject’s rights

The data subject has the right to receive confirmation of whether personal data about them is being processed and, if so, the right to receive a copy of their personal data.

The data subject has the right to require Innoflame Oy to rectify inaccurate and incorrect information about the data subject without undue delay and the right to supplement incomplete information.

The data subject also has the right to:
– require the controller to restrict the processing of data in the situations referred to in GDPR Article 18
– complain to the Data Protection Ombudsman

The disclosure of information always requires the identity of the requesting party to be reliably verified.

10. Additional information

If a data subject wishes to know more about the processing of their personal data, they may contact the contact person mentioned in section 1.