Data protection

Privacy notice of the register of the Notification Channel

1. Controller
GRK Infra Oyj (business ID: 0533768-1)
Address: Jaakonkatu 2, 01620 Vantaa
Phone: +358 10 321 4110
Email: tietosuoja@grk.fi

2. The name of the register
Register of the Notification Channel

3. Purposes and legal grounds for processing personal data
The controller processes the personal data of data subjects in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and national data protection legislation.

The controller processes personal data in the register of the Notification Channel on the legal basis of Article 6 of the EU General Data Protection Regulation:

  • The legal obligation of the controller to establish a whistleblowing channel based on the national Whistleblower Protection Act (1171/2022).
  • The legitimate interest of the data controller to be informed of abuses relating to the data controller and its activities in order to address such abuses and to ensure the lawful and ethical conduct of the data controller’s employees and partners (such as suppliers and subcontractors).

The controller processes personal data for the following purposes:

  • To detect, investigate and prevent breaches of the law and of the controller’s ethical principles.
  • To develop monitoring, analysis and statistics.

The Notification Channel is a mandatory tool that allows the controller to monitor the lawfulness of its practices and compliance with ethical principles. The Notification Channel can be used to collect information on potential abuses and violations so that they can be responded to in a timely manner. The aim is to promote openness and transparency by giving whistleblowers the opportunity to raise reasonable doubts about any illegal or unethical behaviour they have observed.

Reports to the Notification Channel can be made by current and former employees of the controller, representatives of stakeholders (such as suppliers, subcontractors), shareholders, members of the board of directors or supervisory board and the CEO.

4. Categories of personal data processed

The register may contain the following personal data, to the extent that the data subject has provided them. The whistleblower may make the report anonymously. The report may contain personal data other than those listed below, if the whistleblower has provided them. If the report contains personal data which, in the opinion of the controller, are clearly not relevant to the investigation of the reported case, the controller shall delete such data without undue delay.

  • Name and contact details of the person who made the report, if provided by the whistleblower
  • Information on the subject or subjects of the report and their conduct in violation of the law or ethical principles to which the report relates.
  • Information on witnesses to the event which is the subject of the report

The register may contain the following personal data for the purpose of processing reports:

  • Information gathered in the course of an internal investigation on the conduct of the person or persons subject to the report and an assessment of the legality or compliance of that conduct.
  • Information on the persons handling the reports
  • Information on the persons responsible for the technical maintenance of the controller’s Notification Channel (such as name, job title, e-mail address, telephone number)
  • Technical information related to the use of the register (such as user IDs, login and log data)

5. Regular sources of personal data

As a rule, personal data is obtained from reports made to the Notification Channel and from any requests for additional information. In addition, personal data is obtained from the controller’s internal systems and from third parties involved in the investigation of the case, if the report leads to an investigation.

6. Disclosure and transfer of personal data

Personal data is processed only by designated employees of the controller who are responsible for carrying out and managing the investigations and who need the data for these purposes.

If the identity of the whistleblower is known, it will not be disclosed to the persons subject to the report. The identity of the whistleblower may be disclosed only with the consent of the whistleblower or if required in criminal proceedings or if the whistleblower makes a false report with intent to cause harm.

Personal data will be disclosed to third parties, such as public authorities or external auditors, within the limits permitted and required by applicable law. This may occur, for example, in response to requests for information from public authorities or where the controller has a legitimate interest, such as in connection with a criminal complaint, a criminal investigation or a court case.

The provider of the technical system for the Notification Channel is the Central Chamber of Commerce. The service provider will process personal data under the responsibility of the controller in accordance with the data processing agreement and the controller’s documented instructions, as required by the applicable data protection legislation.

Personal data will not be transferred outside the European Union or the European Economic Area.

7. Retention of personal data

The controller must erase personal data obtained through the Notification Channel five years after receipt of the report, unless their retention is necessary for the exercise of rights or obligations under the Whistleblower Protection Act or other laws or for the establishment, exercise or defence of legal claims. Personal data which are clearly irrelevant to the processing of the report shall be deleted without undue delay.

8. Protection and security of personal data

The controller has provided its employees and service providers with binding written instructions and provisions on the processing of personal data and data protection, which they have undertaken to comply with.

The security of information systems is adequately ensured, including through encryption and other technical safeguards.

We regularly review our personal data processing activities and the systems and devices used in them, including assessing the risks inherent in our personal data processing activities, for example when new technologies are introduced.

9. Automated processing of personal data and profiling

The controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.

10. Rights of the data subject

The data subject has rights under the EU General Data Protection Regulation.

Right of access to personal data

The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data are processed, the data subject has the right of access.

However, the right of access must not unduly prejudice the rights and freedoms of others. In addition, the right of access to personal data may be limited in relation to personal data disclosed under the Whistleblower Protection Act if this is necessary and proportionate to ensure the accuracy of the report or to protect the identity of the whistleblower.

Right to request rectification, erasure or restriction of processing

The data subject has the right to request the controller to rectify inaccurate data concerning him or her and to erase any personal data concerning him or her on the grounds provided by law.

The data subject’s right to erasure does not apply to data for which processing is necessary for compliance with a legal requirement or for the establishment, exercise or defence of legal claims. Some personal data processed by the controller are subject to a legal retention obligation and the controller cannot therefore erase such data before the expiry of the legal retention period.

The right to restrict processing does not apply to the processing of personal data under the Whistleblower Protection Act.

The right to object

The data subject has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation, where the controller processes the personal data on the basis of a legitimate interest.

Right to file a complaint to the supervisory authority

Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to submit a complaint to a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if he or she considers that the processing of personal data concerning him or her infringes the GDPR.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi.

Exercising the rights

The data subject may exercise his or her rights by contacting the controller’s representative using the contact details provided in section 1. The controller will endeavour to respond to the request as soon as possible and, if necessary, provide further instructions or ask further questions about the request.

Before executing the request, the controller has the right and the obligation to verify the identity of the person making the request, which is why the controller must be able to identify the person making the request in an appropriate manner.

If the request is clearly unjustified or unreasonable, the controller may either charge a reasonable fee based on administrative costs for carrying out the requested action or refuse to carry out the requested action.

11. Further information

For further information on the processing of personal data, please contact us using the contact details provided in section 1 of this privacy notice. The controller may update this privacy notice from time to time. This privacy notice was last updated on 19 June 2024.