Data protection policy – whistleblowing channel

Destia Group companies (“Destia”) are committed to processing personal data in a reliable, safe and transparent manner. This data protection policy describes how Destia processes personal data in connection with the processing of notifications received through the Group’s whistleblowing channel, as well as in connection with the investigations and procedures initiated from them.

1. Data controller company

Destia Oy, business ID: 2163026-3
PO Box 206, FI-01301 Vantaa

You can contact the data controller company to ask for more information about the processing of your personal data and to exercise your rights as a data subject. You can contact us at and we will forward your enquiry to the right person. The enquiry and request can be informal.

2. Purposes of and legal bases for the processing of personal data

Destia may collect and process personal data for various purposes, including:

  • Processing, investigation and reporting of notifications submitted through the whistleblowing channel
  • Monitoring and verifying compliance with legislation, contracts and Destia’s internal regulations
  • Prevention, investigation and prosecution of criminal offences and other misconduct
  • Safeguarding of legal rights
  • Fulfilment of legal obligations

The legal basis for processing personal data is the fulfilment of legal obligations and Destia’s legitimate interest.

3. Personal data processed

Destia may collect and process the following personal data:

  • Identification data, such as name and social security number
  • Contact details, such as address, telephone number and email
  • Occupational and employer information
  • Information relating to the suspected offence or misconduct
  • Image and video material
  • Other information provided by the person submitting the notification

The personal data processed typically concerns the person who submitted the notification or the person who is the subject of the notification.

4. Retention period

We will retain your personal data for as long as the data is necessary to fulfil the purposes set out in this data protection policy, unless the law obliges us to retain your personal data for a longer period of time.

5. Regular sources of information

Generally, we receive personal data from the person in question through the whistleblowing channel. Anyone can make a notification through the whistleblowing channel, for example, Destia employees and representatives of Destia’s customers and other stakeholders.

Destia may also collect personal data from Destia’s internal systems, parties related to the notification and authorities.

6. Disclosure of personal data

Personal data may be disclosed at Destia’s discretion to the extent permitted by the legislation in force at any given time. The disclosure of data may, in principle, take place only for legitimate purposes that support Destia’s mission statement, and where the purpose of processing of the data is compatible with Destia’s purposes.

Personal data may be disclosed, for example, to the following recipients:

  • To the authorities at their request, when required by law and to exercise Destia’s rights
  • To Destia’s owner to monitor the quality and legality of the process
  • In the context of mergers and acquisitions to potential buyers, financiers and their advisors, if Destia sells or otherwise organises its business

If your personal data is disclosed to a third party, we will ensure that your data is protected by appropriate contractual protective measures.

7. Transfer of data outside the European Economic Area

Generally, we process personal data within the European Economic Area (“EEA”). Data may also be processed outside the EEA if it is necessary for the purposes of processing personal data mentioned in this data protection policy or for the technical or practical implementation of the processing, such as the location of servers.

If personal data is transferred outside the EEA, we will ensure that the requirements of data protection legislation are complied with in the transfer of data.

8. Safety of the processing of personal data

When processing personal data, we ensure appropriate security and data protection of personal data, including protection of personal data against unauthorised processing and accidental loss.

Personal data processed electronically is protected by firewalls, passwords and other commonly accepted means in the field of data security. On websites and other services, data is protected by an SSL-certified connection and other necessary means. Personal data can only be accessed by specific Destia employees with access rights granted by Destia.

Destia’s whistleblowing channel has been implemented in the First Whistle system produced by Juuriharja Consulting Group Oy.

9. Automated decision-making including profiling

Destia does not use automated decision-making or profiling in connection with the processing of personal data described in this data protection policy.

10. Rights of the data subject

As a data subject, you have the right to:

  • request access to the personal data relating to you; 
  • request the rectification, erasure or restriction of processing of your data; 
  • object to the processing of your data; 
  • request the transfer of your data from one system to another; and 
  • where the processing is based on your consent, withdraw your consent. Please note that this will not affect any processing prior to the withdrawal. 

You can exercise your rights under data protection legislation by contacting us at We will evaluate the prerequisites for complying with your request as soon as possible and, if necessary, ask you for any additional information that may be needed. If we consider the request to be manifestly unfounded or unreasonable, we may charge a fee for the execution of the request or refuse to execute it.

If you believe that your personal data is not being processed lawfully, you have the right to lodge a complaint with the Data Protection Ombudsman.