Privacy Statement: The whistleblowing hotline
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA RELATED TO THE WHISTLEBLOWING HOTLINE
Oy Matkahuolto Ab has introduced a whistleblowing hotline. This service allows you to report any misconduct in violation of the law, financing irregularities or actions that are at variance with Matkahuolto’s Ethical Code of Business Conduct.
This privacy statement describes how Matkahuolto processes the personal data contained in the reports and provides a framework defining the conditions and extent to which Matkahuolto’s staff and the parties involved in data processing may process the personal data of (i) the persons filing reports and (ii) the persons mentioned in the reports (hereinafter data subjects) so as to ensure that the legal requirements for the protection of the personal data and privacy of the data subjects are met and that the data subjects’ rights are not violated. The data subjects may be Matkahuolto employees or representatives of its partners. The service also makes it possible to file anonymous reports.
2 FILE CONTROLLER AND THE CONTACT DETAILS FOR REGISTRATION MATTERS
Oy Matkahuolto Ab
Business identity code: 0111393-9
Kaivokatu 10 A, PL 100, 00101 Helsinki
Telephone: 020 710 5000
3 PURPOSE AND BASIS OF THE PROCESSING OF PERSONAL DATA
Personal data is processed for the purpose of detecting, investigating and preventing any misconduct in violation of the law, financing irregularities or actions that are at variance with Matkahuolto’s Ethical Code of Business Conduct.
The processing of personal data is based on the data controller's legal obligation to establish a whistleblowing hotline for reporting misconduct and on the data controller's legitimate interest of being informed of any misconduct related to the company and its activities in order to address such misconduct and ensure that the conduct of the data controller's employees and partners is ethical and lawful.
To the extent that it is necessary to process special categories of personal data for the purpose of investigating an instance of reported misconduct or infringement, such as information on a person's ethnic origin, political opinions or state of health, the processing of such data is in the public interest as provided in Union law or national legislation on whistleblowing channels.
Processing tasks may be outsourced by the file controller to service providers in compliance with and subject to the restrictions set out in the data protection legislation.
4 DESCRIPTION OF THE FILE CONTROLLER’S LEGITIMATE INTEREST
Matkahuolto has a legitimate interest to learn about any misconduct related to the company and its activities in order to address such misconduct and ensure that the conduct of the data controller's employees and partners is ethical and lawful.
The whistleblowing hotline is a legally recognised way of monitoring the lawfulness of Matkahuolto’s practices and compliance with its Ethical Code of Business Conduct. The whistleblowing hotline makes it possible to obtain information about potential suspicions of misconduct and infractions and to respond to them in a timely manner, as well as to remedy any failures in Matkahuolto's operations in order to avoid similar cases in the future. The existence of the whistleblowing hotline contributes to an open and transparent corporate culture by providing employees with access to a system for voicing their concerns and reporting substantiated suspicions.
5 PERSONAL DATA TO BE GATHERED
Matkahuolto only seeks to collect the personal data necessary for investigating the reported cases. Such data may include:
basic details such as name, e-mail address and position or title within the organisation;
the details of the report, which include all the information provided by the whistleblower, such as the identity of the alleged perpetrator, the identity of any witnesses to the alleged misconduct or other third parties involved in the case, the description and basis of the alleged misconduct, and any other relevant information; and
investigative information, which includes any information needed to investigate the alleged misconduct, such as employment data, audit and financial information, information available in third-party reports and assessments, as well as online conduct and log-in information.
The whistleblower exercises discretion as to what personal data he or she includes in the report. As there are optional fields for freely worded text in the reporting form, the whistleblower may also disclose personal data other than those listed above, including data falling into any of the special categories of personal data. Any personal data in the report that are clearly irrelevant to the investigation of the case are deleted without undue delay.
6 REGULAR SOURCES OF DATA
Matkahuolto collects personal data provided by the whistleblower via the whistleblowing hotline or other channels. If necessary, personal data is also retrieved from Matkahuolto’s internal systems and obtained from third parties during the course of investigation.
7 PROCESSORS OF PERSONAL DATA AND TRANSFER AND DISCLOSURE OF DATA
Personal data is accessed and processed by the Matkahuolto employees who carry out and oversee investigations. The personal data may be transferred to service partners used by Matkahuolto to the extent they participate in the implementation of the measures defined in their respective contracts. The system provider of the whistleblowing hotline used by Matkahuolto is WhistleB Whistleblowing Centre AB.
Access to the personal data is only enjoyed by people who need this data for the above-mentioned purposes. The whistleblower’s identity, if known, is not disclosed to the persons against whom the allegations are made. The whistleblower’s identity can only be disclosed with his or her consent, or if it is required for criminal proceedings or if the whistleblower files an ill-founded report with the intention of causing harm.
The personal data will be disclosed to third parties, such as public authorities or external auditors, within the limits permitted and required by applicable law, for example in response to requests for information from public authorities or if Matkahuolto has a legitimate interest in doing so for the purpose of a crime report, pre-trial investigations or court proceedings.
We have in place adequate safeguards for protecting the personal data of our partners as provided by law.
No personal data will be transferred outside the European Union or the European Economic Area.
8 RETENTION PERIOD OF PERSONAL DATA
The personal data within the meaning of this privacy statement will only be retained for as long and to the extent necessary, and the data will be used by the controller for the declared processing purposes.
Personal data will be deleted in accordance with the following practice, unless a longer retention period is required under legislation applicable to Matkahuolto:
no later than 60 days after the closure of the report unless it warrants an investigation;
no later than 60 days after the closure of the investigation unless it leads to sanctions;
no later than two years after the enforcement of the sanctions imposed as a result of the investigation; or
upon expiry of a maximum period of five (5) years or the period for filing action under the national whistleblower protection legislation, whichever is shorter, if Matkahuolto has reasonable grounds to believe that the reversed burden of proof under the legal prohibition of retaliatory measures makes it necessary, under the circumstances, to retain the data beyond the deletion periods set out in paragraphs 2–3 above. Such reasonable grounds may include, for example, (i) the whistleblower’s announcement that he or she will invoke the company's reverse burden of proof in the future or the measures taken in preparation for such invocation; (ii) concrete plans (independently of the report) that could impact the whistleblower's work, employment or status; or (iii) situations where the whistleblower is a company employee and has received prior written or oral warnings concerning matters that may reoccur or have implications for his or her employment under labour law while the whistleblower continues to hold his or her current position.
If the case is taken to court and the court proceedings require a longer retention period, the data will be kept for the duration of the proceedings.
In case of a report that is not made in good faith and without intent to harm or harass in accordance with the purpose of the whistleblowing service, the personal data may be processed for the time necessary to investigate the matter and impose any sanctions, as well as for the statutory periods for filing action in such cases.
9 PROTECTION OF PERSONAL DATA
We protect all personal data with due care throughout its lifecycle by having in place appropriate data protection and security safeguards. The system provider of the whistleblowing hotline is WhistleB Whistleblowing Centre AB, which processes the encrypted personal data in secure server environments. WhistleB will not save IP addresses or any other information that could identify the person sending the report. All reports are encrypted and may only be decrypted by designated individuals. Access to the reports is limited and those processing the reports are required to hold them in confidence.
Personal data contained in the reports is accessed and processed by the Matkahuolto employees who carry out or oversee investigations. Access is only enjoyed by people who need this data for the above-mentioned purposes. The processors are bound by professional secrecy with regard to all reports filed in good faith. The processors have been issued with written instructions that they are required to comply with in the performance of their duties. Moreover, the processors have received training for their duties.
10 RIGHTS OF THE DATA SUBJECT
10.1 Right of inspection
Under Article 15 of the General Data Protection Regulation (GDPR), data subjects enjoy the right to check their personal data processed by Matkahuolto in its capacity as the file controller. The right of inspection ensures the transparency of the processing of personal data, and by exercising this right, the data subject can ascertain that the information in the file is correct and up-to-date. Under the right of inspection, the data subject is entitled to view his or her personal data processed by Matkahuolto and receive copies of the data upon request. However, the right to view the data processed by Matkahuolto may not adversely affect the rights and freedoms of others.
Any request for the verification of data must be addressed to the person in charge of registration matters referred to in section 2 of this document.
Upon receipt of a request to check the data, Matkahuolto will, pursuant to Article 12 of the GDPR, inform the data subject – without undue delay or no later than one month after receiving the request – of the measures taken in response to the request for inspection. If necessary, Matkahuolto may extend the time limit by up to two months, if so warranted by the complexity and number of requests. If so, Matkahuolto will inform the data subject of any such extension within one month of receipt of the request, accompanied by an explanation of the reasons for the delay.
Matkahuolto will provide the information requested by the data subject in writing or, where appropriate, in electronic format. If so requested by the data subject, the information may be given orally, provided that the identity of the data subject is duly authenticated. If the data subject submits the request electronically, Matkahuolto will provide the information electronically where possible, unless the data subject requests otherwise. If Matkahuolto's execution of the data subject's request would adversely affect the rights and freedoms of others and Matkahuolto would therefore be unable to execute it as requested, Matkahuolto will provide the data subject with a written explanation of the reasons as to the extent to which the data subject's request cannot be executed.
10.2 Right to rectify incorrect information
Pursuant to Article 16 of the GDPR, the data subject has the right to request rectification of the data if they have checked the data or otherwise found them to be inaccurate.
Any request for the rectification of data must be addressed to the person in charge of registration matters referred to in section 2 of this document.
Upon receipt of a request for rectification, Matkahuolto will, pursuant to Article 12 of the GDPR, inform the data subject – without undue delay or no later than one month after receiving the request – of the measures taken in response to the request. If necessary, Matkahuolto may extend the time limit by up to two months, if so warranted by the complexity and number of requests. If so, Matkahuolto will inform the data subject of any such extension within one month of receipt of the request, accompanied by an explanation of the reasons for the delay.
10.3 Right to erasure
Pursuant to Article 17 of the GDPR, the data subject has the right to request, at any time, that Matkahuolto erase the personal data processed by it, and Matkahuolto has the obligation to erase this data if there is no longer any legal basis for processing it. The data subject’s right to erasure does not apply to data whose processing is deemed necessary for compliance with a legal requirement or for the establishment, exercise or defence of legal claims. Some personal data processed by Matkahuolto is subject to a legally binding data retention obligation, and therefore Matkahuolto cannot erase such data before the expiry of the legal retention period.
Any request for the erasure of data must be addressed to the person in charge of registration matters referred to in section 2 of this document. Upon receipt of a request for erasure, Matkahuolto will, pursuant to Article 12 of the GDPR, inform the data subject – without undue delay or no later than one month after receiving the request – of the measures taken in response to the request. If necessary, Matkahuolto may extend the time limit by up to two months, if so warranted by the complexity and number of requests. If so, Matkahuolto will inform the data subject of any such extension within one month of receipt of the request, accompanied by an explanation of the reasons for the delay.
If Matkahuolto cannot comply with the data subject’s request for a well-founded reason, Matkahuolto will provide the data subject with a written explanation as to why the representative’s request cannot be complied with.
10.4 Other rights of the data subject
In certain statutory cases defined in Article 18 of the GDPR, the data subject may have the right to demand that Matkahuolto limit the processing of their personal data.
Additionally, subject to certain conditions, the data subject may have the right to object to the processing of his or her personal data when processing is based on Matkahuolto’s or a third party’s legitimate interest, and Matkahuolto is required to comply with such a request unless Matkahuolto demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
To exercise the above rights, the data subject needs to contact the contact person referred to in section 2 of this document.
Additionally, the data subject has the right to lodge a complaint concerning the processing of personal data by Matkahuolto with the data protection authority. In Finland, complaints are submitted to the Data Protection Ombudsman in accordance with the instructions issued by the same.