Articles 12, 13, 14 and 19 of the General Data Protection Regulation 2016/679 of the European Union
Name: Econia Oy
Business ID: 1054184-7
Postal address: Peltotie 20, 28400 ULVILA
Telephone: +358 2 630 5300
2. Contact details of the data protection officer
Name: Katri Randell
Postal address: Peltotie 20, 28400 ULVILA
Telephone: +358 44 982 8697
3. Register name
4. Purpose of processing personal data
The purpose of Econia Whistle is to provide an anonymous channel to give information about a problem. If the whistle-blower provides information or reports another person, personal data processing is carried out to identify and investigate actions in breach of ethical principles, and potentially to initiate a pretrial investigation and follow up on how the investigation is proceeding.
5. Basis for processing of personal data
Personal data is processed to fulfil legal obligations and on the basis of the controller’s legitimate interest.
6. Description of the controller’s legitimate interest
The whistle-blower channel provides the means to monitor compliance with Econia’s ethical principles. The whistle-blower channel can provide important and systematic information about any suspected abuses and breaches and the means to react to them. The whistle-blowing mechanism is a key part of the UN’s principles concerning businesses and human rights. The existence of a whistle-blower channel supports a good employer image and corporate culture by enabling employees to voice grievances and doubts.
7. Personal data to be processed
Econia only collects personal data that is necessary to investigate any particular case. This includes basic data if the person gives it through the whistle-blower channel, such as name, telephone number and email address.
It may also include data about the person being reported, such as name and position in the company.
8. Data source and description of the data sources if the data is public information
The data source is an anonymous whistle-blower channel and related telephone service.
9. Recipients of personal data
We ensure that our partners have a sufficient level of personal data protection, as specified by law.
If an anonymous report requires further investigation and the report contains data about a person, such personal data may be handed over to parties in charge of internal investigations.
We hand over data to the authorities within the limits permitted and required by law, for example when answering data requests made by the authorities.
10. Transfer of personal data to a third country or international organisation, and safeguards applied
We do not transfer personal data to third countries outside the EU or EEA, nor to international organisations.
11. Period for storing personal data, and criteria for determining this period
As a rule, reports and any personal data related to such reports are stored for two years after the conclusion of any investigation. If the matter is taken to court and the processing in the court requires a longer storage period, the data is stored for as long as the legal proceedings require. Groundless reports are anonymised immediately if the report contained any personal data.
12. Rights of the data subject
The data subject has the following rights:
- Right to access personal data
- Right to rectification
- Right to have data erased
- Right to restriction of processing
- Right to object to processing
- Right to be notified of a personal data breach
A person also has the right to file a complaint with the supervisory authority if they consider that processing of their personal data is in breach of the applicable data protection legislation.
13. Relevant data related automated decision-making or profiling
No automated decision-making is applied when processing personal data, and personal data is not used for any profiling.
14. Impact of personal data processing and general description of technical and organisational safeguards
We protect personal data carefully throughout their life cycle by means of appropriate data protection and data security measures. Econia Whistle does not store IP addresses or any other data that could be used to identify the whistle-blower. All reports are encrypted and only designated persons can decrypt them. Access to the whistleblowing reports is limited and the persons who process them are bound by secrecy.