Privacy statement for Business Ltd’s whistleblowing channel

1. Controller

Business Turku Ltd
Joukahaisenkatu 3 A
FI-20520 Turku, Finland

2. Contact information for matters concerning the register

tietosuoja@businessturku.fi

3. Purpose of the processing of personal data

The purpose of the processing of personal data is the processing of notifications submitted through Business Turku Ltd’s whistleblowing channel. The purpose of the channel is to ensure that the Controller’s operations comply with the principles of good governance and secure appropriate methods of operation relating to financial safety, and prevention of fraud and abuse. Notifications may be submitted by the personnel of the group and external stakeholders. The data will be processed in the investigation of the cases submitted in the notifications and in the handling of possible consequences.

Notifications concerning the following subjects are processed through the whistleblowing channel:

4. The legal basis for the processing of personal data

Personal data are processed in order to comply with the Controller’s statutory obligations.

5. Personal data being processed

The register includes data provided by the personnel of Business Turku Ltd or other persons who are included in the stakeholders.
The data provided may include, for instance:

6. Disclosure and transfer of personal data

The service provider of the whistleblowing channel processes the personal data on behalf of the Controller.

As a general rule the data is not transferred to parties outside Finland. In individual cases, if so required by the investigation of the notification, data may be disclosed to parties outside Finland in the country of residence of the notifying individual and/or in the country to whose authorities the case is transferred.

7. The planned periods for the erasure of different data groups

The data will only be stored for as long and to the extent as is necessary for the implementation of the purposes determined in this privacy statement. After that the data will be erased, except if we are obliged to store the data according to the law or the rights and obligations based on or an agreement between the parties.

Notifications and any personal data related to the notifications shall be stored for two years after the closing of the investigation. If the case results in court proceedings, the data shall be stored for the period required by the proceedings.

8. Technical and organisational security measures

The physical data security is implemented by the service provider. The data can only be accessed by determined personnel of Business Turku Ltd whose job description includes the processing of notifications. Logging in the service is required for accessing the data. The connection is protected (https).