Whistleblowing reporting channel for suspected malpractices – Privacy notice

This privacy notice applies to the whistleblowing reporting channel for suspected malpractices of the Ģ��ֱ��.

Please note that this reporting channel is not meant for reports on issues pertaining to labour law or inappropriate behaviour.

Published

23.8.2023

What should you know about the processing of your personal data?

The Ģ��ֱ�� collects personal data about you to carry out its duties. You have rights to this data, such as the right to access the data and the right to be sure that it is stored securely and only for the necessary time. Above all, you have the right to know the following:

what information we collect about youand why,
for how long, and where we keep this information, and
to whom we share this information.

All of these points are explained in this privacy notice.

How to find the information you are looking for?

We have created this privacy notice to be as easy as possible to use and understand. That is why you will find the key points summarised under each section. If you are interested in knowing more, please follow the links in the sections or contact the data protection officer of the Ģ��ֱ��.

Contact the data protection officer

Why we process your personal data?

Personal data is processed to detect, investigate, and prevent misconduct in violation of the law.

What data we process and how long?

The time we store your personal data is primarily five years at maximum. To get more information about what personal data we collect and how long we keep certain information, check the sections below.

Basic details such as name, e-mail address and position or title within the organization.

The details of the report, which include all the information provided by the whistleblower, such as the identity of the alleged perpetrator, the identity of any witnesses to the alleged misconduct or other third parties involved in the case, the description and basis of the alleged misconduct, and any other relevant information; and investigative information, which includes any information needed to investigate the alleged misconduct, such as employment data, audit and financial information, information available in third-party reports and assessments, as well as online conduct and log-in information.

The whistleblower exercises discretion as to what personal data he or she includes in the report. As there are optional fields for freely worded text in the reporting form, the whistleblower may also disclose personal data other than those listed above, including data falling into any of the special categories of personal data. Any personal data in the report that is clearly irrelevant to the investigation of the case is deleted without undue delay.

The personal data will only be retained for as long and to the extent necessary, and the data will be used by the controller for the declared processing purposes.

Personal data will be deleted in accordance with the following practice, unless a longer retention period is required under legislation:

upon expiry of a maximum period of five (5) years or the period for filing action

If the case is taken to court and the court proceedings require a longer retention period, the data will be kept for the duration of the proceedings.

In case of a report that is made in bad faith or with intent to harm or harass against the purpose of the whistleblowing service, the personal data may be processed for the time necessary to investigate the matter and impose any sanctions, as well as for the statutory periods for filing action in such cases.

What rights you have and how to exercise them?

You have the following rights:

Right of access

Under Article 15 of the General Data Protection Regulation (GDPR), data subjects enjoy the right to check their personal data processed by the data controller.

The right of the data subject may be restricted where it is necessary and proportionate to ensure the accuracy of the reported issue or to protect the identity of the data subject. If only part of the data subject's data is excluded from the right of access for the above reason, the data subject has the right to receive the part which is not under restriction. The data subject has the right to know the reasons for the restriction and to request the release of the data to the Data Protection Ombudsman.

Right to rectify incorrect information

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement

Right to erasure

The data subject’s right to erasure does not apply to data whose processing is deemed necessary for compliance with a legal requirement or for the establishment, exercise, or defense of legal claims. Some personal data processed by university is subject to a legally binding data retention obligation, so university cannot erase such data before the legal retention period expires.

Other rights of the data subject

Data subject does not have the right to obtain from the controller restriction of processing (article 18 GDPR).

Additionally, subject to certain conditions, the data subject may have the right to object to the processing of his or her personal data when processing is based on legitimate interest, and university is required to comply with such a request unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

Data subject does not have right to data portability (GDPR article 20).

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (GDPR article 22).

You have a right to lodge a complaint with a supervisory authority especially with a locally relevant one in terms of your permanent place of residence or work if you regard that the processing of personal data violates the EU General Data Protection Regulation (EU) 2016/679. In Finland, the supervisory authority is the Data Protection Ombudsman. 

Updated contact information of the Office of Data Protection Ombudsman:  

You can exercise your rights by sending a request to the university's Registry Office. You can use the form on the Registry Office's website or send your request informally.

Get to know your rights

Use the form of the Registry Office

Send an informal request to the Registry Office

Who can access your personal data?

Personal data is accessed and processed by the Ģ��ֱ�� employees who have been appointed to carry out investigations.

The whistleblower’s identity is not disclosed to the persons against whom the allegations are made. The whistleblower’s identity can only be disclosed with his or her consent, or if it is required for criminal proceedings or if the whistleblower files an ill-founded report with the intention of causing harm.

Also, the service providers we use can access your personal data in their role as data processors. However, these providers do not actively process your personal data, but they have access to it for maintenance reasons.

The system provider of the whistleblowing hotline used by Ģ��ֱ�� is Certia and its sub-processor Efecte.

Learn more about data processors

To whom we transfer your data?

The personal data will be disclosed to third parties, such as public authorities or external auditors, within the limits permitted and required by applicable law, for example in response to requests for information from public authorities or if Ģ��ֱ�� has a legitimate interest in doing so for the purpose of a crime report, pretrial investigations, or court proceedings.

We have adequate safeguards for protecting our partners' personal data as required by law.

No personal data will be transferred outside the European Union or the European Economic Area.

On what basis we process your personal data?

We process your personal data based on legal grounds, agreements, or your consent. If you want to dive deeper into our legal bases, such as the relevant legal provisions, you can find more information through the menu below.

The processing of personal data is based on the data controller's legal obligation to establish a whistleblowing channel for reporting misconduct and on the data controller's legitimate interest of being informed of any misconduct related to it and its activities to address such misconduct and ensure that the conduct of the data controller is lawful.

To the extent that it is necessary to process special categories of personal data for the purpose of investigating an instance of reported misconduct or infringement, such as information on a person's ethnic origin, political opinions or state of health, the processing of such data is in the public interest as provided in union law or national legislation on whistleblowing channels.

How to contact us?

If you want more information about the processing of your personal data, do not hesitate to contact our data protection officer via email or phone (+358 40 805 3297).

Contact our data protection officer

Contact information of units

Below you find the contact information of the responsible unit. If you wish, you can directly contact the responsible unit instead of the data protection officer.

If you want to exercise your rights you can contact the Registry Office by email:

Send a request to the Registry Office

Ģ��ֱ��