Purso Group Whistleblowing channel

General Data Protection Regulation of the EU 2016/679

1. Controller

Purso Oy

Alumiinitie 1, 37200 Siuro, Finland

Business ID 2238041-1

2. Contact person for the data file

Marita Lehto

3. Name of the data file

Purso Groupin ilmoituskanava (‘Purso Group Whistleblowing channel’)

4. Purpose of the processing of personal data

The anonymous whistleblowing channel allows people to submit reports without providing any identifying information. If the whistleblower provides their personal information or submits a report on another individual, the personal data are processed in order to identify and investigate misconduct, bring the matter to potential preliminary investigation by the authorities and monitor the phases of the investigation.

5. Grounds for processing personal data

The personal data are processed to implement legal obligations and on the basis of the legitimate interest of the controller.

6. Description of the controller’s legitimate interest

The whistleblowing channel is a tool for monitoring the realization of Purso Group’s ethical principles. The whistleblowing channel enables the communication of important and systematic information on suspected misconduct and violations as well as a timely response to such activity. The process is based on the EU directive approved 23 October 2019 on the protection of persons who report breaches of Union law (EU 2019/1937). The existence of the whistleblowing channel supports a positive employer image and corporate culture by offering the employees a channel for reporting misconduct and suspicions. Purso Group cannot separately ask for consent from those targeted by the reports. Reports can also be submitted anonymously.

7. Personal data to be processed

Purso Group only collects the personal data necessary for investigating the case. These include basic information, such as name, telephone number or e-mail address, if the person provides the information in the whistleblowing channel. The data may also include the information of the individual potentially targeted by the report. In addition, the Controller collects the personal data of those processing the reports for purposes of processing.

8. Data source

The source of data is the anonymous online whistleblowing service.

9. Recipients of personal data

The personal data are processed in the electronic service for the purposes specified in this policy. We use an external partner in producing the system-related services. The personal data in the reports are encrypted before saving them in the whistleblowing service database. The data are only available to the designated report processors of the controller in the database. If necessary, the controller may transfer the data to the controller’s database for the duration of processing or for archiving. Only the controller’s designated report processors receive information on reports and are able to process the reports in the service. Each processor uses their personal credentials when logging in to the service. The individual in charge of the technical maintenance of the system does not have access to the reports database. Personal data may be transferred to partners insofar as they participate in the implementation of measures within the framework of a commission. We ensure the sufficient personal data protection of our partners as required by legislation. If an anonymous report requires more details and the report includes the data of an individual, the personal data may be disclosed to the organization’s designated parties in charge of internal investigations. We disclose data to authorities within the limits allowed and required by valid legislation, for example when responding to data requests from authorities.

10. The data in the whistleblowing service is stored in the EU.

11. Storage period of personal data or criteria for determining the storage period

The personal data in line with this policy are stored for only as long and only to the extent as is necessary, and the controller uses them for activities related to the specified purposes of processing. Primarily, the reports and potential personal data related to the reports are stored for 5 years after the end of the investigation. The need for additional storage period is reviewed after five years. If the case is brought to a court of law and the legal proceedings require a longer storage period, the data will be stored for the time required by the proceedings. Any unfounded reports containing personal data are anonymised. The data are stored in the whistleblowing channel service maintained by the Finland Chamber of Commerce for the first year, after which they are transferred to an encrypted electronic folder of Purso Group.

12. Rights of the data subject

Data subjects have the following rights: right of access right to rectification right to erasure right to restriction of processing right to object right to be informed of a personal data breach If a data subject wishes to exercise their rights or receive additional information on the processing of their personal data, they may contact the controller specified in this policy. The data subject also has the right to lodge a complaint with the supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the applicable data protection regulations.

13. Meaningful information in automated decision-making or profiling

The processing of personal data does not include automated decision-making or profiling.

14. Effects of processing personal data and a general description of technical and organizational protection measures

We diligently protect the personal data throughout their life cycle by using appropriate data protection and information security measures. The system supplier of the whistleblowing channel, the Finland Chamber of Commerce, processes the personal data in secure server facilities. The whistleblowing channel foes not collect identifying data of the whistleblower, such as IP addresses or cookies. All the reports are encrypted and can only be decrypted by individuals designated by Purso Group. Access to the reports is limited and the processors of the reports are subject to a confidentiality obligation.