Privacy notice for the whistleblowing channel – Wihuri Group

This Privacy Notice explains how the personal data received through the whistleblowing channel of the Wihuri Group may be processed and how the privacy rights of individuals may be exercised.

The controller of your personal data is Wihuri Oy (“we” or “Wihuri”).

In case you have any questions or requests concerning your personal data or data protection, you may always contact us through the following email address:

data.protection@wihuri.com

We may periodically update this Privacy Notice by posting a new version of the Privacy Notice on Wihuri’s website.

Further Information on the Processing of Your Personal Data

Sources and Types of Personal Data

We will only process personal data that is strictly necessary for the purposes described below.

We may obtain your personal data in the context of the use of the whistleblowing channel. In particular, we may obtain your personal data because you provide it to us (e.g. by filing a report), because others provide it to us (e.g. because you occur in a report) or because personal data relating to you is generated by using the whistleblowing channel (e.g. because you are involved in the investigation of a report).

Personal data concerning various data subjects can be processed in the context of the whistleblowing channel, such as a person making a report, individuals mentioned in a report, a person investigating a report or a person serving as a witness or otherwise being involved in the investigation.

If you register for using the whistleblowing channel, the following personal data will be collected through the registration (only data marked by an (*) are mandatory):

  • Login credentials for the channel (*),
  • Whether you want to remain anonymous (*),
  • Your contact details (name, e-mail address, contact number), and
  • Any optional information that you record about yourself.

What Are the Purposes and Legal Basis for Processing of Your Personal Data?

We only process personal data when we have a legal justification to do so. In connection with the whistleblowing channel, we only process personal data for the purposes of reporting and investigating reports of alleged wrongdoings or violations related to our activities in accordance with our whistleblowing guidelines available on our website, as well as for the purposes of the subsequent processing of these reports and the reporting of the outcome to relevant parties.

The processing is based on the following legal grounds:

  • Because it is necessary to comply with our legal obligations, in particular, concerning mandatory whistleblowing systems, and
  • For the purposes of our legitimate interests, more specifically to monitor the compliance of our activities with applicable laws and our Code of Conduct. In this respect, we have assessed and deemed that our interests are not overridden by the interests, fundamental rights and freedoms of the data subjects involved.

With Whom May We Share Your Personal Data?

Other Wihuri Group companies: Personal data may be transferred between authorised representatives of Wihuri Group companies if necessary for conducting the whistleblowing process, at all times in compliance with the applicable confidentiality requirements regarding whistleblowing reporting. Some of these companies may act as an independent data controller for the personal data we provide them.

Third parties: We may disclose your personal data to government agencies and regulators, courts and other government authorities where there is a legal obligation to do so. We may also disclose your personal data to external advisors (e.g. lawyers).

Service providers and other partners: Wihuri contracts with third party service providers (e.g. IT systems and support providers), in particular external service providers hosting the whistleblowing channel. These partners process your personal data only at and according to Wihuri’s instructions to provide the services.

May There Be Any International Data Transfers?

Personal data is not transferred outside the EU/EEA.

How Do We Protect Your Personal Data?

Wihuri complies with all applicable data protection legislation and aims to ensure that your privacy is not infringed in any phase of the processing and that the applicable confidentiality requirements regarding whistleblowing reporting are ensured at all times.

We continuously develop and implement administrative, technical and physical security measures to protect your data from unauthorised access and against loss, misuse or alteration (e.g. encryption). The rights of access to the data are predefined and limited. We also require our service providers to implement all appropriate security measures to protect your personal data. External service providers hosting the whistleblowing channel have no access to readable content.

For How Long Do We Retain Your Personal Data?

We retain your data only for as long as it is necessary for the processing purposes stated above or as long as we have a legal obligation to do so. Please note that the data retention periods may vary by data category. Inaccurate or outdated data is deleted regularly.

Personal data will be kept as long as necessary to process and investigate a whistleblowing report, or, if applicable, as long as necessary to decide on and carry out sanctions or other measures in a specific matter. In any case, if judicial or disciplinary proceedings are initiated, the personal data provided will be kept until those proceedings are definitively closed; if such proceedings are not initiated, relevant personal data will be kept no longer than 30 days after completion of the investigation, with the exception of when personal data must be maintained according to applicable laws.

Your Rights and Options

You have the right to access your personal data and to correct your data. In some circumstances you may also have the right to have your unnecessary or inaccurate data deleted, to object to how we use or share your data, to restrict how we process your data, and to have your data transferred to another data controller.

You can exercise these rights by contacting Wihuri’s contact person in data protection matters through the contact details set out above.

Even though Wihuri seeks to resolve any privacy related disagreements in co-operation with you, you also have the right to lodge a complaint to a data protection authority about our processing of your personal data. For more information, please contact your local data protection authority.