Kaarea

Privacy policy for the reporting channel

1. Data controller

Kaarea Oy (2925981-7)
PL 180, 20101 Turku, Finland
Other contact details: www.kaarea.fi, tel. switchboard +358 20 764 9850

2. Contact person for matters concerning the register

Riikka Samuli
Postal address: PL 180, 20101 Turku, Finland
Visiting address: Lemminkäisenkatu 48, 20520 Turku, Finland
Email: riikka.samuli@kaarea.fi, tel. switchboard +358 20 764 9850

3. Name of the register

Kaarea’s reporting channel register

4. Purposes and legal basis for processing personal data

Personal data is processed for the purpose of detecting, investigating, and preventing legislative and financial misconduct. The processing of personal data is based on the data controller’s legal obligation to maintain a reporting channel for reporting misconduct and the data controller’s legitimate interest in ensuring that the data controller’s employees act in accordance with the law.

Processing tasks may be outsourced to external service providers in accordance with data protection legislation and within the limits set by it.

5. Legitimate interests of the data controller or a third party

The data subject is or has been an employee of the data controller.

6. Data content of the register

The following information about the data subject may be entered in the register:

  • Name and contact details of the reporter (if disclosed by the individual)
  • Identification details concerning the subject(s) of the report (to the extent provided by the reporter) 
  • Information provided in the report concerning the suspected person(s) and illegal activity 
  • Information obtained during the internal investigation regarding the conduct of the person subject to the report and the assessment of its legality

In addition to the above, personal data (user IDs) of the data controller’s designated report handlers is collected for access control purposes.

7. Regular sources of information

The primary source of information is the report submitted through the reporting channel and, where applicable, additional information obtained from the reporter. In addition, material received and/or reported during the internal investigation of the matter is also used as a source of information.

8. Recipients of personal data

The data controller retains reports received through the reporting channel in strict confidence and in accordance with the Data Protection Act. Personal data may be disclosed to the data controller’s advisors acting as data processors. Personal data of report handlers is disclosed to the reporting channel service provider for access control purposes.

Personal data may be disclosed to authorities for the purpose of performing their statutory duties.

9. Transfers to third countries and related safeguards

No data will be transferred outside the EU/EEA.

10. Data retention period and applicable retention criteria

The data is stored in the reporting channel service for a limited period (18 months from the submission of the report). After this period, the data controller will delete the data from the reporting channel service and transfer it to a separate secure archive. Data stored in the secure archive is deleted no later than five years from the receipt of the report, unless retention is necessary to comply with legal rights or obligations or to establish, pursue, or defend a legal claim.

11. Principles of data protection

Access to the register’s data is restricted to certain individuals to the extent required by their duties. All individuals who use the employment register’s data have signed a confidentiality agreement and are bound by confidentiality obligations.

Data processed in information systems is protected against external use by means of network access rights and rules on user-specific access rights.

Manually processed data is retained under supervision in files or filing systems and stored in locked cabinets with restricted and monitored access.

The information contained in the register is processed by a limited and designated group of processors. The identity of the persons concerned and other information relating to them is not disclosed externally except to the extent strictly necessary for the proper investigation of a report. The data controller does not have access to metadata or IP addresses that could be used to identify the reporter. The recipient of the report within the organisation will only be informed of the time and content of the report.

Access to the reporting channel is restricted to designated personnel. Employees of the data controller and advisors acting as report processors are bound by confidentiality obligations. In addition, employees are committed to complying with internal information security guidelines. The information system containing electronically stored data and its backups are located in locked and monitored premises. The electronic system hosting the register is protected by firewalls, database encryption, and other technical measures.

12. Rights of the data subject

Right of inspection: In accordance with Kaarea’s privacy policy.

Right to rectification: In accordance with Kaarea’s privacy policy.

The data subject may, at any time and on grounds relating to their particular situation, object to the processing of personal data concerning them. Objections must be addressed in writing to the contact person for the register.

13. Automated decision-making and profiling

The register does not involve automated decision-making.