Table of contents
1 – Registry Holder (Controller)
2 – Registry Contact Person
3 - Personal Data
4 – Purposes and Grounds for Processing Personal Data
5 - Legitimate Grounds for Processing
6 - Rights of Users
7 – Processors of Personal Data
8 - Location and Transfer
9 - Lodging a Complaint
10 – Data Sources
11 – Automated Decision Making
12 - Retention of Information
13 - Contact
14 - Changes

Whistleblowing Privacy Policy
1 – Registry Holder (Controller)
Nomentia Oy
Linnoitustie 6
02600 Espoo
Finland
Company registration number: 2855557-7
VAT ID: FI28555577
2 – Registry Contact Person
Nomentia Data Protection Officer
E-mail address: privacy@nomentia.com
Mailing address:
Nomentia Oy
Linnoitustie 6
02600 Espoo
Finland
3 - Personal Data
3.1 Whistleblowers have the option to report anonymously, and we will take steps to ensure that their identity is not revealed unless required by law. We may collect personal data from whistleblowers in connection with their reports, such as their name, contact details, and any other information they choose to provide. Providing personal data is voluntary.
3.2 We will only collect and process personal data that is necessary for the purposes of investigating and addressing whistleblowing reports, and we will do so in accordance with applicable data protection laws and regulations.
3.3 We will only disclose whistleblowing reports and related information to third parties on a need-to-know basis, and only where permitted or required by law.
3.4 We will take appropriate technical and organizational measures to ensure the security of personal data collected from whistleblowers.
4 – Purposes and Grounds for Processing Personal Data
4.1 The purposes of processing personal data collected from whistleblowers include:
Investigating and addressing whistleblowing reports;
Ensuring compliance with applicable laws and regulations;
Protecting the legitimate interests of Nomentia.
5 - Legitimate Grounds for Processing
5.1 We will only process personal data collected from whistleblowers where we have a legitimate interest in doing so, or where we have obtained the consent of the whistleblower.
5.2 Our legitimate interests for processing personal data collected from whistleblowers include:
Protecting the integrity and reputation of Nomentia;
Preventing and detecting fraud, corruption, and other illegal activities;
Ensuring compliance with applicable laws and regulations.
6 - Rights of Users
6.1 Whistleblowers have the right to:
Access their personal data collected by Nomentia;
Rectify any inaccuracies in their personal data;
Object to the processing of their personal data where they have a legitimate reason to do so;
Request the erasure of their personal data where it is no longer necessary for the purposes for which it was collected.
7 – Processors of Personal Data
The Registry Holder (Controller) limits access to whistleblowing reports and related information to authorized Nomentia employees only, who have a need to know to carry out their duties and responsibilities, and as required by applicable law.
Personal data is processed by the Registry Holder’s service provider to provide the Registry Holder with a technical platform for carrying out the processing of whistleblowing reports. The personnel of the technical platform service provider do not have access to whistleblowing reports.
Appropriate technical and organizational measures are implemented to ensure the confidentiality and security of personal data collected from whistleblowers, including measures to prevent unauthorized access, disclosure, alteration, or destruction.
Nomentia will only disclose whistleblowing reports and related information to third parties on a need-to-know basis, and only where permitted or required by law, provided that they are bound by confidentiality obligations and other appropriate data protection measures.
8 - Location and Transfer
8.1 Personal data collected from whistleblowers is processed within the European Economic Area (EEA).
8.2 If we need to transfer personal data outside the EEA, we will ensure that appropriate safeguards are in place to protect the privacy and security of the personal data, such as by entering into EU Standard Contractual Clauses with the recipient.
9 - Lodging a Complaint
9.1 Whistleblowers have the right to lodge a complaint with the relevant supervisory authority if they believe that their personal data has been processed in violation of applicable data protection laws and regulations.
10 – Data Sources
10.1 The data source is the individual who provides personal data when filing a whistleblowing report using the anonymous whistleblowing service.
11 – Automated Decision Making
11.1 The personal data in the register is not subject to automated decision-making or profiling.
12 - Retention of Information
12.1 We will retain whistleblowing reports and related information for as long as necessary to carry out our investigations and to comply with legal and regulatory requirements.
13 - Contact
13.1 If whistleblowers have any questions or concerns about our whistleblowing privacy policy or the processing of their personal data, they may contact us using the contact information provided under Registry Contact Person.
14 - Changes
This Privacy Policy is dated May 22, 2023. We may update this Privacy Policy at any time if required in order to reflect changes in our data processing practices, in personal data protection laws, or otherwise. For substantial changes to this Privacy Policy, we will use reasonable endeavors to provide notice thereof.