Sitra’s reporting channel for reporting misconduct pursuant to the Whistleblower Act – register’s privacy policy
1 Controller
The controller of the register is:
Sitra, the Finnish Innovation Fund (business ID 0202132-3).
Contact person in matters concerning the register:
Ruija Rantala-Saajo
General Counsel, Legal Affairs
Sitra, the Finnish Innovation Fund (hereinafter referred to as “Sitra”)
Address: Itämerenkatu 11-13, PO Box 160, FI-00181 Helsinki
Tel: +358 29 461 8991
Email: kirjaamo@sitra.fi
Data Protection Officer:
Janika Skaffari
kirjaamo@sitra.fi
2 Name of the register
Sitra’s reporting channel for reporting misconduct pursuant to the Whistleblower Act – register.
3 Purpose of personal data processing
The so-called Whistleblower Act (Laki Euroopan Unionin ja kansallisen oikeuden rikkomisesta ilmoittavien henkilöiden suojelusta (1171/2022), or “ilmoittajansuojelulaki” in Finnish) requires that Sitra maintains a reporting channel where reporting persons can submit reports, as required by the Act, concerning suspected breaches and misconduct they observe in the course of their work, duties or assignments. Sitra processes personal data for the purposes laid down in the Whistleblower Act, for example, while internally surveying and inspecting misconduct reports and deciding on related follow-up measures.
After the reception of a misconduct report, personal data is processed in an electronic reporting channel provided by Sitra’s subcontractor. Sitra’s Legal Affairs function is responsible for the handling of the reports submitted to Sitra’s reporting channel. In addition, in accordance with the Whistleblower Act, experts and other handlers may be assigned on a case-by-case basis to process the reports.
The personal data contained in the reports is processed in accordance with the Whistleblower Act’s confidentiality provisions.
4 Legal basis for personal data processing
Sitra processes personal data identified in section 5 of the privacy policy on the basis of the controller’s legal obligation.
5 Data content of the register (processed personal data categories)
The register contains personal data included in the misconduct report, which may include, for example:
(a) the reporting person’s (data subject) basic information, such as the name, contact information, i.e. telephone number, email address,
(b) basic information of the person the misconduct report concerns (data subject), such as the name, contact information, i.e. telephone number, email address,
(c) basic information of third parties specified in the report (data subjects), for example witnesses, such as the name, contact information, i.e. telephone number, email address,
(d) other personal data provided by the reporting person about themselves, subject of the report and a third party related to the report, such as a witness or the whistleblower’s assistant,
(e) other personal data accumulated to Sitra through the dialogue between the parties and possible hearing of the parties.
6 Regular data sources
Personal data is collected from the reporting person, person subject to the report and third parties related to the report, such as witnesses, in connection with the report and its processing.
7 Personal data retention period
As a rule, Sitra retains the reports and included personal data in the reporting channel service for three (3) years after the end of the processing, unless there are exceptional reasons to retain the personal data for a longer period in accordance with the Whistleblower Act provisions. According to the Whistleblower Act, personal data must be erased within five (5) years after the arrival of the report, unless their longer retention is necessary in the exceptional situations laid down in the Whistleblower Act. Personal data which are clearly irrelevant in terms of the processing of the report are erased without undue delay.
Sitra regularly assesses the necessity of data retention through its internal code of conduct and applicable legislation. In addition, Sitra performs all possible and required measures to ensure that such personal data that are inaccurate, erroneous or outdated for the purposes of processing are deleted or corrected without delay, unless otherwise stated in the Whistleblower Act.
8 Recipients of personal data (recipient categories) and the regular disclosure of data
The personal data contained in the register are not disclosed to third parties, unless otherwise stated in the legislation.
9 Transferring data outside of the EU or the EEA
The personal data contained in the register are not transferred outside of the EU or the EEA.
10 Register protection principles
Databases containing personal data are located on the service provider’s servers in a data centre with high level of security. Databases are encrypted. Traffic between the service provider’s servers and the browsers of the users is encrypted with encryption algorithms.
The reporting channel system can only be accessed by the handlers appointed in accordance with the Whistleblower Act and parties mentioned in section 3 above with separately granted personal user IDs and passwords. Sitra has restricted the access rights and the authorisations to access the data systems and other mediums in such a way that the data can only be accessed and processed by persons who need to access the data for its lawful processing.
Sitra’s employees and other persons acting on behalf of Sitra have undertaken to comply with the obligation of secrecy and to keep confidential the information they receive in connection with the personal data processing.
11 Rights of the data subject
As a rule, the data subject has the following rights laid down in the EU’s General Data Protection Regulation, unless otherwise provided for in the Whistleblower Act:
(a) the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, when that is the case, access to the personal data and the following information:
(i) the purposes of the processing;
(ii) the categories of personal data concerned;
(iii) the recipients or recipient groups to whom personal data have been disclosed or will be disclosed;
(iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(v) the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(vi) the right to lodge a complaint with a supervisory authority;
(vii) where the personal data are not collected from the data subject, any available information as to their source; and
(viii) performance of automated decision-making and relevant information about the logic of this kind of a processing as well as significance of the said processing and its envisaged consequences for the data subject;
(b) The right to demand that the controller rectify without undue delay any inaccurate and erroneous personal data on the data subject and the right to have incomplete personal data completed;
(c) The right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the grounds defined in the EU’s General Data Protection Regulation applies;
(d) The right to file a complaint with the supervisory authority if the data subject considers that the processing of the personal data concerning him or her violates the EU’s General Data Protection Regulation.
Requests concerning the realisation of the data subject’s rights should be addressed to Sitra’s registry office.
12 Amendments to this privacy policy
We reserve the right to amend this privacy policy. Such amendments may be based on regulatory changes, for example. We recommend that those concerned read the content of this privacy policy regularly.