Whistleblowing privacy notice

PRIVACY NOTICE OF THE WHISTLEBLOWING CHANNEL

This Privacy Policy describes how Mipro collects, processes, and protects the personal data of persons who report a suspected violation via the whistleblowing procedure (the Whistleblower) and persons who are the subject of such a report (the Report Subject). If a report has been submitted anonymously, Mipro will not process the Whistleblower’s personal data.

DATA CONTROLLER

Data Controller (as it is defined in applicable privacy laws and regulations) is Mipro Group Ltd. Oy and its subsidiaries. Of these subsidiaries, Mipro Oy ensures that your personal data is being processed according to this policy, and applicable privacy laws are adhered to.

Contact information regarding the register

Mipro Oy, Kunnanmäki 9, 50600 Mikkeli

Contact for privacy inquiries: Kati Häkkinen, e-mail: privacy@mipro.fi

NAME OF THE REGISTER

Mipro Group Whistleblowing Procedure

BASIS AND PURPOSE OF THE PROCESSING OF PERSONAL DATA

The reporting procedures implemented are an integral part of monitoring the realization of Mipro´s ethical principles. The notification channel also serves as a whistleblowing reporting channel, based on the European Union’s Whistleblowing Directive. The relevant national whistleblower protection law (Act on the Protection of Persons Reporting Breaches of European Union and National Law 1171/2022) entered into force on 1st of January 2023.

The processing of personal data is primarily based on the controller’s legal obligation. Mipro also processes your data based on the legitimate interest of the controller or third party, for example, when processing of the personal data is necessary for handling abuses related to Mipro and its operations or are in connection with the preparation, presentation, or defense of a legal response. When the processing of personal data is based on legitimate interest, Mipro will always perform a balance test to evaluate that the legitimate interest does not override the rights and interests of the data subject.

The whistleblowing channel makes it possible to obtain important and systematic information on suspected misconduct or violations, and to react to them in a timely manner. The whistleblowing channel may be used when aconcern of suspected misconduct and violations arises, for example, breaches of ethical principles and legislation, financial matters, suspected corruption or money laundering, product safety and compliance, environmental matters, information security or data protection, improper treatment, harassment or discrimination, or personal matters. The existence of whistleblowing procedures supports a good corporate culture by providing employees with a channel for raising concerns. Reports can be submitted by the current and former employees of Mipro and other stakeholders. Mipro cannot separately ask for consent from persons who are the subject of a report.

The data is used to monitor and investigate irregularities. It is also used for the development and analysis on the controls related to ethical principles of Mipro. Data is used in such a way that the privacy of the individual is not compromised.

THE INFORMATION WE COLLECT ABOUT YOU

Reports can be created both anonymously, and under your own name. The report will always be treated confidentially, and the identity of the Whistleblower will be known only to the persons designated to deal with the reports, and to the persons invited as experts to examine the case.

The register contains personal data about the Whistleblower and the subject of the report, as well as other relevant persons, such as witnesses, depending on the information provided by the Whistleblower in the report.

If the Whistleblower has provided his/her personal data, the register contains the following information:

  • The name of the Whistleblower, the preferred contact channel and the e-mail address, telephone number or other contact information
  • The subject of the report
  • The Whistleblowers relation to the company
  • the information contained in the report, including all the information provided by the Whistleblower, such as the identity of the alleged offender, a description of the alleged misconduct and related justification, and any other relevant information. This information may include personal data of third parties.
    If the report is made anonymously, the following information will be collected through the whistleblowing channel:
  • The subject of the report
  • The Whistleblowers relation to the company
  • The information contained in the report, including all the information provided by the Whistleblower, such as the identity of the alleged offender, a description of the alleged misconduct and related justification, and any other relevant information. This information may include personal data of third parties.

Also, personal data of the users participating in report processing is stored. In these cases, their name, e-mail address, system user ID and login data are collected.

HOW WE COLLECT YOUR DATA

Personal data concerning data subjects are primarily collected from data subjects themselves when they have submitted a report using their name. Data on data subjects may also be collected from sources other than the data subjects themselves; for example, when a report submitted by another data subject contains personal data on another person. During the processing of reports, the controller may also become aware of other data concerning data subjects, which the Whistleblowers themselves voluntarily provide or which is obtained from other sources in a manner permitted or required by the applicable legislation.

WHO HAS ACCESS TO THE DATA AND DISCLOSURE TO THIRD PARTIES

Mipro has an independent team specifically appointed to receive and process reports. Depending on the nature of the notification, the number of processors may be increased on a case-by-case basis. Misuse of the whistleblowing channel may lead to legal action.

The personal data are accessed and processed by the Mipro employees who carry out and supervise the investigations related to the notifications. Access is only granted to persons who need the information for the aforementioned purposes. The Whistleblower’s identity, when known, shall not be disclosed to the persons against whom the allegations are made.

The identity of the Whistleblower shall be disclosed only if the Whistleblower consents to it or if the disclosure of the Whistleblower’s identity is required in criminal proceedings, or if Whistleblower has submitted a false report with malicious intent.  The personal data may be disclosed to third parties, such as the public authorities or external inspectors, when doing so is based on the applicable legislation or is essential for carrying out the actions necessitated by the report.

TRANSFER OF PERSONAL DATA

TRANSFERS OF YOUR PERSONAL DATA OUTSIDE EU OR EEA

Personal data reported in the EU or EEA shall not be transferred outside the EU or EEA.

AUTOMATIC DECISION MAKING OR PROFILING

The processing of personal data does not involve automatic decision-making, and no profiling is carried out based on the personal data.

HOW LONG IS YOUR DATA BEING STORED

In the whistleblowing channel, personal data are stored for a maximum of one (1) year from the date of the report’s submission. All the irrelevant information or the information not to be processed any more shall be deleted no later than five (5) years after the start of the processing. If the case goes to a court of law and the court proceedings require a longer retention period, the data shall be retained for the duration required by the court proceedings.

The key issue in retention periods is the reverse burden of proof on the prohibition of countermeasures. If the Whistleblower feels that they have been subject to countermeasures, the company has a duty to prove that this has not been the case.

If the claim is found to be unfounded, the data shall be destroyed without delay. The data will be destroyed in accordance with security practices.

HOW YOUR DATA IS PROTECTED

The personal data in the whistleblowing channel are protected by appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, disclosure, misuse, alteration, destruction or unauthorized access. Data is protected by firewalls and various encryption techniques, and the systems and devices involved in processing are secure and have appropriate access control. Data on the systems are backed up regularly.

Each person who processes personal data has signed a data security and data protection commitment and received the necessary instructions and training for the processing of personal data. Personal data is protected from unauthorized processing. Only independent persons specifically appointed by the company are authorized to process the data that is processed in connection with the processing of whistleblowing reports. Each person who processes a report is uniquely identified and authenticated.

The whistleblowing channel in use is protected by technical means and the administrator of the notification channel does not have access to the reports or the whistleblower’s data. The channel does not store IP addresses or any other information that could identify the Whistleblower. The security of the whistleblower channel has been verified by an external auditor and meets the legal requirements.

The system does not record any data on Whistleblowers that is not submitted by the Whistleblowers themselves. The Whistleblower receives a numeric code at the time of submitting the report. This code can be used to log in and monitor the processing of the report after its submission. This numeric code provided at the time of report submission is the only way to access the report afterwards. For this reason, the person must store the numeric code, as the unique numeric code is the only way to track the processing of the report or provide additional information regarding the report. If the numeric code is forgotten, the Whistleblower is required to submit a new report.

YOUR RIGHTS

As a registered user you have rights to influence the processing of your personal data. Below you will find information about your rights under the GDPR and how they are limited in relation to the processing of data covered by the Whistleblower Protection Act. If you wish to exercise your rights, requests will always be assessed on a case-by-case basis.

The data subject has the following rights in relation to the personal data in the register:

  • The right to access their personal data
  • The right to the rectification and supplementation of personal data in case of errors, inaccuracies, or omissions
  • The right to request the erasure of their personal data
  • The right to restrict the processing of personal data
  • The right to object to the processing of personal data
  • The right to be notified of a personal data breach.

Your rights as a data subject, as described above, are limited in the processing of data covered by the Whistleblower Protection Act in that you do not have the right to inspect all the data in the register where disclosure could harm the prevention or detection of a crime, or where disclosure could pose a serious risk to the rights of another person. If only part of the information about you is not subject to inspection, you have the right to access the rest of the information stored about you. The right to obtain the rectification or erasure from the register of data which are inaccurate, incomplete, unnecessary, or obsolete for the purposes of the processing in the register applies to data for which the right of access is not restricted. In addition, your right to restrict the processing of personal data does not apply to the processing of personal data within the meaning of the Whistleblower Protection Act. 

You can contact us at any time if you have any questions about your data protection and the processing of your personal data, or if you want to exercise your rights in relation to your personal data.  You can exercise your rights by sending us a written request to

Mipro Oy, Kunnanmäki 9, 50600 Mikkeli, Finland.

Add a comment to the envelope: Whistleblowing register / request

In addition to your name, you must provide sufficient identifying information in the request to allow the register to be checked, corrected, or deleted for you. If necessary, we may ask for more information, particularly if we are unable to identify you sufficiently based on your request and the information you have provided.

You can also perform the request personally at the data controller’s premises, Kunnanmäki 9, 50600 Mikkeli, Finland. Appropriate identification needs to be provided when performing the request in person.

Handling the requests is free, if more than 12 months have passed since the last inquiry. However, if a request for information is manifestly unfounded and unreasonable, in particular if the requests are repeated, Mipro may charge the administrative costs of providing the information. We will always inform you of any costs in advance, stating the reasons for them.

We will comply with your request as soon as possible without undue delay. The deadline for providing the information or additional information related to the request is one month from the date of receipt of the request. If the request for information is exceptionally complex and extensive, the deadline may be extended by two months. Generally, the information will be provided using the same method as the request for information was received from you.

The data subject has the right to lodge a complaint with a supervisory authority if they believe that processing their personal data violates the General Data Protection Regulation.

For more information, please contact privacy@mipro.fi.

CHANGES TO THE PRIVACY POLICY

Mipro reserves the right to amend this Privacy Policy. Amendments to the Privacy Policy may also be based on changes in legislation.

This Privacy Policy was last updated on 08.11.2023.