DATA PROTECTION NOTICE REGARDING NORMET WHISTLEBLOWING CHANNEL

1 GENERAL

The purpose of this notice is to provide privacy information required by the EU General Data Protection Regulation (hereinafter "GDPR") to the data subject.

2 THE DATA CONTROLLER

Normet Group Oy acts as the data controller in accordance with this data protection notice.

The contact person of the controller in relation to the whistleblowing channel:
Kimmo Karihtala, kimmo.karihtala@normet.com

3 THE NAME OF THE REGISTER

This notice covers personal data processing relating to Normet's whistleblowing channel. Data subjects with regard to this processing are the persons submitting reports via Normet group’s whistleblowing channel (whistleblowers) and the persons processing the reports.

4 THE PURPOSE OF PROCESSING AND APPLICABLE LEGAL BASIS FOR PROCESSING

Personal data may only be processed for meeting the controller’s legal obligations and for conducting appropriate investigation of the reports submitted via the whistleblowing channel. The processing of the personal data is based on the controller’s legitimate interest to investigate misconducts potentially occurred within its operations or other reported actions. As regards the personal data of the whistleblowers, the processing is based on the consent and the legitimate interests of the controller or a third party.

The following categories of personal data are processed in the whistleblowing channel service:

• first names, last names, email addresses, public names and usernames of the persons processing the reports; and
• no personal data of the whistleblowers are collected, but the whistleblower may decide to include in the report personal data concerning themselves or another person(s) as part of the written report or as metadata included in the attachment files.

5 RETENTION PERIOD OR THE CRITERIA USED TO DETERMINE THAT PERIOD

The data in the whistleblowing channel service is retained for a limited period of time. The controller deletes the data when the processing of the data is no longer required.
The data is removed from the whistleblowing channel within two years from the conducting of the investigation. If the investigation leads to further actions, the necessary documentation is stored in a separate archive for a period required by the actions taken. The retention period may, however, vary based on the requirements of the mandatory law.

6 RECIPIENTS OF PERSONAL DATA

Only a limited number of Normet group’s employees authorized to process the reports have access to the personal data. The persons processing the personal data in the whistleblowing channel are subject to a confidentiality obligation.
Personal data may be provided to third parties, such as public authorities or external inspectors, when such provision is based on law and is necessary for the performance of the actions required by the report.

7 TRANSFERS OF PERSONAL DATA

Personal data is not processed outside the EU or the EEA.

8 SOURCES OF COLLECTING PERSONAL DATA

Personal data is collected directly from the whistleblowing channel service. Personal data is not collected in any other manner.

9 RIGHTS OF THE DATA SUBJECT

9.1 Right of Access
The data subject has the right to receive confirmation from the data controller as to whether or not personal data concerning him or her is being processed, or whether personal data has been processed. Where the data controller processes personal data concerning the data subject, the data subject has the right to receive the information contained in this document and a copy of the processed personal data. The controller may charge a reasonable administrative fee for any additional copies requested by the data subject. If the data subject makes the request by electronic, the information shall be provided in a commonly used electronic form, unless otherwise requested by the data subject.

9.2 Right of Rectification, Right of Erasure and the Right to Object to Processing
The data subject also has the right to obtain from the controller the rectification or erasure of personal data concerning him or her. In certain cases, the data subject has also the right to request from the controller restriction of processing of personal data or otherwise object to processing.

9.3 Right to Withdraw Consent
In situations where the controller processes personal data of the data subject on the basis of his or her consent, the data subject has the right to withdraw his or her consent. The withdrawal of consent does not affect the legality of the processing that has happened prior to the said withdrawal.

9.4 Right to Lodge a Complaint to the Supervisory Authority
In the case that the data subject finds the processing of his or her personal data unlawful, he or she has the right to lodge a complaint with a supervisory authority.

9.5 Using the Rights
All the requests mentioned here shall be provided to the above-mentioned contact person of the controller.

10 SECURITY OF PROCESSING

The maintenance of the whistleblowing channel has been procured from an external service provider as a software service. The whistleblowing channel service is provided by the Finland Chamber of Commerce. This, on one hand, ensures that no one at Normet group has access to the data in the system in the development or maintenance role.

Only Normet group’s authorized employees have the access right to the system and are entitled to process the data in the system. Each of them has personal login details for the system. The system has been protected by technical and organisational measures also preventing the system admins from accessing the reports or the data of the whistleblowers.

No personal data of the whistleblower is recorded in the system, unless he or she decides to include the personal data in the report. When submitting the report, the whistleblower receives a numerical code with which he or she may log in and track the processing of the report after the report has been submitted. The code given in connection with the report is the only way to reconnect to the report afterwards.

The system admin (Finland Chamber of Commerce) is responsible for the data security and the meeting of the legal requirements applicable to the system.