1 Data controller
Technopolis Holding Plc, a Finnish public limited liability company with business ID 0487422-3, and the following companies belonging to the same group of companies ("Technopolis Group") may act data controllers or joint controllers as applicable in the respective jurisdictions:
Finland: Technopolis Oy (business ID 2992763-5)
Sweden - Göteborg: Technopolis Gårda AB (business ID 556970-1138)
Sweden - Kista, Stockholm: Technopolis Kista AB (business ID 559306-2572)
Norway: Technopolis Holding AS (business ID 912 237 885)
When Technopolis Holding Plc and a local group company act as joint controllers, Technopolis Holding Plc and the local group company in question together determine how the personal data is processed.
2 Contact details
Privacy Coordinator of Technopolis Group, email: firstname.lastname@example.org, tel: +358 46 712 0000 (customer service), address: Energiakuja 3, FI-00180 Helsinki
3 Name of register
4 Legal basis and purposes of processing your personal data
We process personal data only to the extent necessary and appropriate for the specific processing purposes. Please note that one or more of the following purposes and legal grounds may apply simultaneously.
Our whistleblowing service allows a whistleblower to report among others fraud, corruption, or serious wrongdoings in our organisation. We have implemented the whistleblowing service to prevent and detect misconduct, and to comply with our legal obligations. In certain jurisdictions our group company is required to maintain a whistleblowing channel and in addition we may have legal obligations to handle and investigate whistleblowing reports under applicable law.
We process any personal data related to the whistleblowing service and related investigation for the purposes of handling the whistleblowing reports as well as investigating and resolving the matters reported by using our electronic whistleblowing channel or via other means. and, where necessary, for the establishment, exercise or defense of legal claims and/or for participation in other administrative and legal proceedings or providing information to competent authorities and reporting.
In the whistleblowing channel we may collect personal data on the person specified in a message, the person submitting the message (if not sent anonymously) and any third person involved, in order to investigate facts on the declared misdeeds and inappropriate behaviour eligible under applicable laws, ethical codes, our code of conduct or internal rules.
The processing is based on statutory obligations and the legitimate interest of the controller or a third party to (i) ensure compliance with applicable laws and/or applicable company policies; and (ii) prevent reputational and other business risks and to promote ethical business activity by way of detecting and investigating such misconduct which could cause such risks or counteract to promotion of ethical business activity. When we process your personal data based on the legitimate interests, we weigh our own interests against your rights to privacy. You have the right to object processing of your data on the basis of legitimate interest. However, we can refuse such an objection in accordance with applicable legislation. For further information, please contact us.
Our whistleblowing channel can be used without providing a personal data as part of the report, using the anonymous report option. Unless otherwise required under applicable law, the provision of personal data is neither a statutory nor contractual requirement.
5 Types of your personal data we collect
We may collect and further process the following categories of personal data:
- The name, contact details, and role of you as the whistleblower.
- The name, contact details, and role of you as the person under investigation.
- The name, contact details, and role of you as the witnesses or other third parties involved in the report or investigation.
- The details of the alleged misconduct, such as the date, time, place, nature, and evidence and other related data of the wrongdoing.
- The status and outcome of the investigation, such as the actions taken, the sanctions imposed, or the closure of the case.
6 Regular sources of your personal data
Your personal data is regularly collected directly from you or from a third party making a report on you. During investigation of a report and strictly relating to the investigation your data may also be collected from other individuals, our IT systems, via the internet and from public and private data bases, such as the population register, data bases of other authorities, credit information companies or contact information providers, and other similar trustworthy parties which are reasonably available to us.
7 Regular disclosures and transfers of your personal data, and transfers outside the EU or EEA
We may share the personal data with the following recipients or categories of recipients, depending on the nature and severity of the report:
- The internal or external investigators, auditors, or authorities that handle the report, or has a need-to-know information from the report.
- The legal or other professional advisors or representatives of our organisation or third parties involved in the report.
- The competent authorities, courts or tribunals that deal with the report or any related disputes or other proceedings.
In addition, we use external subcontractors to perform tasks described in this policy, and in such cases, the subcontractors act on behalf of us. Subcontractors are recipients of personal data, and in addition to above parties they include for example whistleblowing channel service provider. When personal data is processed by third parties on behalf of us, we take appropriate contractual and organizational measures to ensure that personal data is processed in accordance with applicable laws.
Your personal data may also be disclosed and transferred to the subsidiaries and associated companies of Technopolis Group for their use, for the purposes specified in this policy.
Your personal data is not regularly processed outside the EU and the EEA. In case your personal data is processed outside the EU and the EEA we take necessary measures to ensure that the transfers of personal data are carried out in accordance with the requirements of the data protection legislation such as in compliance with the adequacy decisions adopted by the European Commission or, if necessary, by using Standard Contractual Clauses approved by the European Commission as well as supplementary safeguards. More information on the safeguards used in transfers of personal data shall be provided upon request.
8 Principles of protection of your personal data and data storage periods
The only persons who have access rights to the data system where your personal data is processed are our dedicated employees (including companies belonging to the Technopolis Group) or our subcontractors and their employees who have the right and need to process your personal data for the purposes described in this policy. Your personal data is protected by such technical and organizational measures that ensure a sufficient and appropriate level of security. More information on our dedicated whistleblowing team and investigation procedure is available on our Whistleblowing Guidelines on our website.
Your personal data is stored for as long as it is necessary to fulfil the purposes of the processing of your personal data. Please refer to our Whistleblowing Guidelines available on our website. We have the right to store or otherwise process your personal data after the period of storage in the circumstances permitted by the law in force from time to time.
We will regularly assess the need for the storage of your personal data and will also take reasonable measures to ensure that incompatible, obsolete or inaccurate personal data on you is not saved in the register.
9 Your privacy rights
As a data subject you have a set of rights provided for by the data protection legislation:
- Right to request access to personal data
- Right to request rectification of personal data
- Right to request erasure of personal data
- Right to request restriction of processing of personal data
- Right to object processing of personal data
- Right to data portability
- Right to withdraw consent
Please however note that the specific application of the rights depends on the processing situation. For example, national whistleblowing legislation may, in certain circumstances, restrict some of the rights for the purpose of protecting possible investigations.
Any such requests must be submitted by you in writing to email@example.com, and you must verify your identity.
In addition, if you consider that the processing of your personal data to be inconsistent with the applicable data protection legislation, you have the right to file a complaint against the processing of your personal data to the competent supervisory authority.
Updated 27 November 2023