Whistleblowing channel
| Data controller | Digita Ltd, PO Box 99, 00521 Helsinki, Jämsänkatu 2, 00520 Helsinki tel. +358 20 411 711 Business ID 2488970-5 |
| Filing system name | Anonymous whistleblowing channel |
| Purpose for processing personal data | The anonymous whistleblowing channel can be used to report incidents without providing personal information that could be used to identify the person making the report. The system is not connected to Digita’s IT systems and does not store IP addresses or other information that could be used to identify the person who sent the message. If a person provides their personal information or files a report on another person, the personal data provided is processed to identify and investigate conduct that breaches Digita’s principles of responsibility, to establish a possible official preliminary investigation and monitoring the stages of the investigation. |
| Basis for processing personal data | Personal data is processed for the purposes of fulfilling statutory obligations and on the basis of the data controller’s legitimate interest. |
| Description of the data controller’s legitimate interest | The whistleblowing channel is a way of ensuring Digita’s principles of responsibility are observed and providing a channel for matters that fall under whistleblower legislation. The whistleblowing channel allows for the collection of important systematic information about any suspected and confirmed abuses and provides the ability to react to them in a timely manner. Digita cannot separately request consent from persons who are the subject of reports. Reports can also be filed anonymously. |
| Personal data processed | Digita only collects personal data that is essential to the investigation of the incident. This data includes basic information, provided the person gives said information via the whistleblowing channel. Basic information includes the person’s name, phone number or email. The information may also include the data of persons who are related to the report or who are the subject of the report, such as their name and position in the company. |
| Data source and description of data sources if data has been collected from public sources | Data is collected from an anonymous web-based whistleblowing channel. |
| Personal data recipients | Personal data is processed in electronic systems and services for the purposes specified in this policy. We use third-party service partners to produce system and support services. Personal data may be transferred to service partners who are employed for the current task to an extent appropriate to their participation in implementing measures relating to their assignment. We ensure our partners sufficiently protect personal data as required by law. If an anonymous report requires a more detailed investigation and the report provides personal data, said personal data may be disclosed to the designated parties within the organisation responsible for the internal investigation. Personal data may be disclosed to authorities as permitted and required by current legislation when, for example, responding to official information requests. |
| Transfer of personal data to third countries or international organisations and established safeguards | We do not transfer personal data to third countries outside the EU or EEA or to international organisations. |
| Personal data storage period and criteria by which the storage period is determined | The personal data specified in this policy is only stored to the extent and for the period said data is necessary and the controller utilises it for operations related to the specified processing purposes. Reports and personal data related to reports are generally stored for a period of two (2) years following the conclusion of the investigation. If the matter is elevated to a court of law and its processing in said court requires the data to be stored for a longer period, the data will be stored for the duration of the court proceedings. If groundless reports contain personal data, it is anonymised immediately. |
| The data subject’s rights | The data subject has the following rights: • Right to access personal data • Right to rectification • Right to erasure • Right to restrict processing • Right to object to processing • Right to be notified of any personal data security breaches If the data subject wishes to use their rights or receive additional information regarding the processing of their personal data, they may contact the data controller specified in this policy. The data subject also has the right to lodge a complaint with a supervisory authority if they believe that applicable data protection regulations are being breached in the processing of their personal data. |
| Significant information related to automated decision-making and profiling | The processing of personal data does not involve automated decision-making, and personal data is not used for profiling. |
| Effects of the processing of personal data and general description of technical and organisational security measures | We carefully protect personal data for the duration of its lifecycle using appropriate data protection and security measures. The anonymous whistleblowing channel’s system provider (WhistleB) processes personal data in data-secure server facilities. WhistleB does not store IP addresses or other information that could be used to identify persons who file reports. All reports are encrypted and can only be unencrypted by persons assigned to relevant duties. Access to reports is restricted, and persons who process reports are subject to an obligation of confidentiality. At Digita, we protect personal data using measures including proactive risk management, data communications security measures, continuous maintenance of information systems, data backups, secure hardware facilities, physical access control and security systems. The granting and monitoring of access rights is controlled. We provide Digita personnel who take part in processing personal data with regular training and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We select our subcontractors with care. We continuously update our internal procedures and instructions. If personal data is disclosed to unauthorised parties despite our security measures, it is possible that said personal data is misused. If we detect such an incident, we will investigate it without delay and attempt to prevent any damage. We will inform the necessary authorities and data subjects of any data security breaches as required by the law. |