Privacy policy for the Finland Chamber of Commerce’s notification channel

This privacy policy concerns personal data collected through the Finland Chamber of Commerce’s notification channel (https://k3.ilmoituskanava.fi) and the processing of this data.

1. Controller

Keskuskauppakamari ry (business ID: 0201469–2) and Keskuskauppakamarin Palvelu Oy (business ID: 0427797–1) (hereinafter ‘Finland Chamber of Commerce’)

Address: Finland Chamber of Commerce
PO Box 1000, Alvar Aallon katu 5 C
00101 Helsinki, Finland
Telephone: +358 (0)9 4242 6200
E-mail: keskuskauppakamari@kauppakamari.fi

Please send any enquiries about data protection to tietosuoja@kauppakamari.fi.

2. Purposes of processing personal data

The notification channel can be used to submit reports of detected problems or violations. Such reports can contain personal data. Personal data are only processed to fulfil the statutory obligations of the Finland Chamber of Commerce, exercise the right to supervise work and right of control, and process the reports received.

With regard to the data of third parties, such as the persons being reported on, the processing of personal data is based on the controller’s statutory obligation or the legitimate interest of the controller or a third party and, with regard to the data of the whistleblower, on consent or the legitimate interest of the controller or a third party. With regard to the personal data of those processing the reports, processing is based on a statutory obligation or legitimate interest.

Reports received by the Finland Chamber of Commerce are processed by processors designated by the Finland Chamber of Commerce. Personal data included in a report can be utilised to investigate the case in question.

3. Collection of personal data

In a report submitted via the notification channel, the whistleblower provides information on an issue or violation they have detected. In principle, the report does not contain personal data pertaining to the whistleblower, unless the whistleblower explicitly provides them. The instructions pertaining to whistleblowing state that making a report does not require, for example, the provision of personal data. If the whistleblower provides their own personal data, they shall be treated as a data subject.

A report may include personal data pertaining to other individuals if the whistleblower deems this necessary for the report. In addition, personal data may be collected in connection with the processing of the report.

The controller collects the personal data of those processing the reports for the purposes of processing and access management.

The personal data collected include a person’s name, address, telephone number, e-mail address and position and, if necessary, role as a processor of data.

The notification channel does not collect identifying data about the whistleblower, such as IP addresses or cookies.

4. Processing of personal data

The personal data are processed in order to process reports received through the notification channel. If necessary, based on the reports, the controller shall take action.

The personal data in the reports are protected before saving them in the whistleblowing service database. The data are only available to the designated report processors of the controller. The controller may restrict access to the reports based on different report types or processor roles. If necessary, the controller may transfer the data to the controller’s database for the duration of processing or for archiving. The data are stored in a secure manner.

5. Disclosure of personal data

Personal data are processed by report processors designated by the controller. The processors do not disclose personal data to third parties unless required by law, for example in a situation where the processing of a report leads to an official investigation or the disclosure of the data is necessary to implement the measures required in the light of the result of the investigation.

Personal data may be disclosed to third parties in a situation where the neutrality of the processing of a report cannot be guaranteed due to the liabilities of the report processors designated by the controller. In that case, in order to ensure the neutral processing of the report, the controller may authorise an external processor/processors to process the report in compliance with this privacy policy and relevant legislation. The external processor can be, for example, an auditor, lawyer or other independent expert.

6. Transfer of personal data outside the EU and protection of personal data

We do not transmit personal data outside the EU.

All reports are stored in a secure manner.

Only the controller’s designated report processors receive information on reports and are able to process the reports in the service. Each processor uses their personal credentials when logging in to the service. The individual in charge of the technical maintenance of the system does not have access to the reports database.

All reports and related data are archived in a secure manner. Only the designated report processors have access to archived data.

7. Retention of personal data

Personal data are erased and destroyed within five (5) years of the receipt of the report, unless their retention is necessary for the fulfilment of legal rights or obligations or to prepare, file or defend a legal claim.

The necessity of continuing the retention of the data is assessed no later than within three (3) years of the last assessment. A note of the assessment shall be made for the data stored in the database.

Personal data that are not relevant to the processing of the report are erased without undue delay. The report shall remain in the notification channel for one (1) year as submitted by the whistleblower. The retention time in the notification channel may be extended for legal reasons. The report and the related personal data are deleted from the notification channel at the end of the retention period. When archiving the report, the processors shall erase personal data that are not relevant to the processing of the report.

The controller shall erase and destroy the data once the processing of personal data is no longer necessary.

8. Rights of the data subject

The data subject has rights regarding the processing of personal data. These rights may be restricted by law. All the restrictions on the data subject must be based on proportionate and necessary grounds, such as the protection of the determination of the accuracy of the report or the identity of the whistleblower, and may not restrict the rights of the data subject more than necessary.

In principle, the data subject has the right to access their own data, except where restricting access is based on a need to safeguard the fundamental rights of the controller or a third party. An example of such a situation would be one where access to the data leads to the whistleblower’s identity being in danger of being revealed.

The data subject has the right to request the correction or erasure of data pertaining to them. This right of the data subject may also be restricted if the purpose of the restriction is to secure the controller’s statutory obligation, in particular the obligation to provide a reliable and independent notification channel.

The data subject has the right to request the erasure of personal data pertaining to them, provided that one of the following requirements is met and other legislation or official regulation does not constitute an obligation to retain the data:

  1. the personal data are no longer needed for the purposes for which they were originally processed;
  2. the data subject objects to the processing of the personal data on the grounds of special personal circumstances, and there are no justified grounds for processing the data;
  3. the personal data have been processed illegally; or
  4. the personal data shall be erased in order to comply with the controller’s statutory obligation under European Union law or Finnish law.

The data subject has the right to object to the processing of personal data pertaining to them. If the controller processes data based on a legitimate interest, the data subject shall have the right to object to the processing of their personal data on the grounds of special personal circumstances.

If the data subject’s right has been restricted under law insofar as it is necessary and proportionate to the protection of the determination of the accuracy of the report or the identity of the whistleblower, the data subject shall have the right to know the grounds for such restriction and request the disclosure of the data to the Data Protection Ombudsman.

If the data subject’s rights have been restricted regarding only some of the personal data pertaining to the data subject, the data subject shall have the right to access other data pertaining to them.

In principle, the controller shall process the data subject’s request within one (1) month. Please send any enquiries about the rights of the data subject to the address mentioned in section 1 of this privacy policy.

The data subject has the right to lodge a complaint with the Data Protection Ombudsman.

9. Profiling

Personal data is not used for profiling.

10. Applicable law

Data are processed under Finnish law.