Whistleblower protection in the case of non-anonymous whistleblowing
A person expressing genuine suspicion or misgiving according to these guidelines will not be at risk of losing their job or suffering any form of sanctions or personal disadvantages as a result. It does not matter if the whistleblower is mistaken, provided that she or he is acting in good faith.
Subject to considering the privacy of those against whom allegations have been made, and any other issues of confidentially, a non-anonymous whistleblower will be kept informed of the outcomes of the investigation into the allegations.
In cases of alleged criminal offences, the whistleblower’s identity may need to be disclosed during judicial proceedings.
This policy is based on the EU GDPR, EU Directive on whistleblower protection and national legislation on whistleblowing.
Personal data included in a whistleblowing messages and investigation documentation is deleted when the investigation is complete, with the exception of when personal data must be maintained according to other applicable laws. Permanent deletion is carried out 30 days after completion of the investigation.
Personal data controller
Elematic Group is responsible for the personal data processed within the whistleblowing service.
Personal data processor
Juuriharja Oy responsible for the whistleblowing application, including processing of encrypted data, such as whistleblowing messages. Neither Juuriharja or any sub-suppliers can decrypt and read messages. As such, neither Juuriharja nor its sub-processors have access to readable content.