Privacy Notice — Whistleblowing reporting channel

Updated 10.5.2023

This privacy notice outlines how we process your personal data for the purpose of managing whistleblowing reports, investigating allegations of misconduct, and conducting internal investigations.

 

1. Data controller and data controller’s contact details

If you have any questions regarding the data protection practices related to the whistleblowing channel or internal investigations, or if you wish to exercise your data protection rights, please contact us at the address provided below.

Avara Oy
Avara Rahastot Oy
Bulevardi 7
00120 Helsinki
tietosuoja@avara.fi

 

2. Why do we process your personal data and what is the legal basis for it?


You can use the whistleblowing channel to report your suspicions. Personal data is processed during the investigation of reported cases, as well as in evaluating and implementing any potential consequences.

All reports are treated confidentially and handled by an independent, responsible team, ensuring the privacy of the reporter, the subject of the report, and any other individuals involved in the case. The processing of personal data will comply with the requirements of the General Data Protection Regulation (EU) 2016/679, the Finnish Act on the Protection of Privacy in Working Life (759/2004), and the Finnish Data Protection Act (1050/2018). Personal data received through the whistleblowing channel will only be processed to the extent necessary for a thorough and sufficient investigation of the reported suspicion.

The purposes of data processing are:

  • Managing the whistleblowing channel, processing of reports, conducting internal investigations, and documentation. The processing of personal data is based on Avara’s legal obligations related to anti-money laundering regulations, the law concerning alternative investment fund managers, the Whistleblower Protection Act, and relevant employment laws. Additionally, the processing is based on legitimate interests in promoting workplace safety, employee well-being, upholding Avara’s ethical values, and preventing misconduct. Avara also has a statutory obligation as an employer to intervene and take appropriate measures to address any harassment or other inappropriate treatment that poses harm or danger to an employee's health, using all available means to rectify the situation.
  • Demonstrating compliance with Avara's legal obligations and preparing, presenting, or defending legal claims. The processing is based on Avara's or a third party's legitimate interests related to legal protection.

The potential processing of special categories of personal data, such as data concerning health, or other sensitive information, such as criminal records, is based on the regulatory obligations of Avara mentioned above. In cases of harassment, inappropriate treatment, or workplace safety, the processing of special categories of personal data is also necessary for compliance with Avara’s or the data subject's labor law obligations or rights. The processing of special categories of personal data may also be necessary for the preparation, presentation, or defense of legal claims.

 

3. What types of personal data do we process?



DATA SUBJECT

EXAMPLES OF PROCESSED DATA

Whistleblower

By default, reports can be made anonymously or with a name. The whistleblowing channel is designed so that no digital identification data is collected about the whistleblower.

Whistleblowers may voluntarily provide their personal information in the report, such as:

  • Name
  • Location information
  • Contact details
  • Financial information
  • Behavioral information
  • Image or video footage
  • Information related to the circumstances.

Additionally, the following information is processed:

  • Content of the messages and other communications

Even if the report is submitted anonymously, the disclosed details or contents of the report may allow the whistleblower to be indirectly identified.

However, we do not seek to determine the identity of the whistleblower. According to the Whistleblower Protection Act, it is strictly prohibited to disclose the identity of the whistleblower, regardless of whether it is known.

Reported individual

The report may contain information regarding the behavior and circumstances of the reported individual, as well as other personal data, such as:

  • Name
  • Location information
  • Date and place of the incident
  • Financial information
  • Behavioral information
  • Image
  • Video footage
  • Other relevant details regarding the circumstances.

Other individuals mentioned in the reports

The report may contain information regarding the behavior and circumstances of third parties, such as:

  • Name
  • Location information
  • Date and place of the incident
  • Financial information
  • Behavioral information
  • Image
  • Video footage
  • Other relevant details regarding the circumstances.

Whistleblowing case managers

The following personal data is collected from the whistleblowing case managers handling the reports and investigations:

  • Name
  • Title
  • User ID and password
  • Communications and notifications
  • Email address
  • Log information
  • Device identifier
  • Timestamp
  • IP address.

 

 

4. To whom do we disclose your personal data?

Authorities, internal audit, and misconduct investigation service providers

We may disclose necessary information to authorities for the purpose of investigating misconduct and suspected criminal activities. This may include sharing information with our internal audit partner or misconduct investigation service providers.

Neither Navex, the provider of the whistleblowing reporting channel, nor its subcontractors have access to the information submitted through the reporting channel.

 

5. Is the data transferred outside the European Economic Area?

Provider:
  • Navex - the provider of the WhistleB system.
  • Microsoft - hosting the WhistleB system on its servers.

Location: EU/EEA, USA*

Data categories: All processed data in the WhistleB system.

Data transfer mechanism: Commission’s Standard Contractual Clauses (SCC)

 

* According to US intelligence legislation, information held by US companies can be requested to be disclosed to US authorities, even if the data center is in the EU area.

 

We implement protective measures to ensure that the high level of personal data protection required by European data protection laws is maintained even after the transfer of personal data. In the WhistleB system, the data is encrypted using Avara's encryption keys, and WhistleB and its subcontractors do not have access to the data. Personal data is effectively protected for international transfers through additional technical safeguards.

 

6. What are your rights regarding your personal data?

The General Data Protection Regulation grants you several rights as a data subject related to processing of your personal data. If you wish to exercise the rights described below, you can send a specific request to the address mentioned in section 1.

However, we would like to point out that these rights ensured by the law are not absolute. For example, we cannot delete your data where applicable legislation requires the retention of personal data, and we cannot fulfill the right of access to information provided through the reporting channel where disclosing the information would violate another person's protected rights or interests or jeopardize the investigation related to the report.

Right to access: You have the right to receive confirmation on whether we process personal data related to you. If we process your personal data, you have the right to access and obtain a copy of your data. We may ask you to specify your request if needed, such as providing details related to the delivery of the information. We cannot fulfill your right of access in situations where disclosing the information would violate another person's protected rights or interests or jeopardize the investigation or subsequent actions related to the whistleblowing report.

The right to rectify your personal data. If you believe that the personal data we process is incorrect, incomplete, or outdated, you can request us to rectify such personal data.

The right to erasure of your personal data. In certain situations, you have the right to request the deletion of personal data concerning you. However, please note that we may not be able to delete certain information if there is a justified need for its retention, such as a specific legal obligation or another compelling reason, such as an ongoing misconduct investigation or documentation of the investigation.

The right to object to and restrict the processing of your personal data. You are entitled to exercise your right to object to the processing of your personal data. It is important to note that this right is not absolute and applies specifically to situations where the processing is based on legitimate interests. We reserve the right to continue processing your personal data despite your objection, if we can demonstrate compelling legitimate grounds for the processing, such as the investigation of alleged misconduct.

Furthermore, you have the right to request the restriction of the processing of your personal data. This right can be exercised in various circumstances, including situations where you contest the accuracy of your personal data.

The right to lodge a complaint to a supervisory authority. If you suspect that we have processed your personal data unlawfully, you have the right to file a complaint with a supervisory authority, the Office of the Data Protection Ombudsman, whose contact information can be found here: https://tietosuoja.fi/en/home

 

7. How do we ensure the confidentiality and security of personal data?

We respect your privacy, and the secure storage and processing of your personal data are a high priority for us. We protect your personal data appropriately through technical and organizational measures to prevent unauthorized or unlawful processing, accidental loss, destruction, or damage.

Examples of the measures we have implemented to ensure the protection of your personal data:

Access restrictions: Personal data processing is only permitted for designated and authorized individuals whose job responsibilities require access. Access to personal data is granted only with appropriate user permissions.

Agreements: Personnel handling the data are bound by confidentiality obligations and have signed confidentiality agreements. Our contracted partners who may process personal data also commit to handling the data confidentially.

Staff training and guidance: We provide comprehensive data protection training and guidance to our entire staff.

Technical safeguards: All communication within the whistleblowing system is encrypted end-to-end, and the system's data is encrypted with Avara's encryption keys. The whistleblowing channel is designed so that no identifying information about the whistleblower is collected.

 

8. How long do we retain your personal data?

Data is typically retained for a period of up to five (5) years from the date of the report.

Data may be retained beyond the five-year period if its continued storage is necessary for the purposes of a criminal investigation, ongoing legal proceedings, regulatory investigation, or to safeguard the rights of the whistleblower, the subject of the report, or Avara.

The retention periods are based on anti-money laundering regulations, the law governing alternative investment fund managers, whistleblower protection regulations, statutory limitation periods under labor, criminal, or tort law, and our legitimate interest in investigating misconduct.

 

9. Can changes be made to this privacy notice?

The processing practices outlined in this statement are subject to change, and as such, this privacy notice may be revised accordingly. Modifications may also be prompted by changes in legislation. We are committed to keeping this statement current, and we encourage regular review of its contents.