
Register of Raisio Group for the notifications about infringements (whistleblowing channel)

Name of the register

Register of Raisio Group for the notifications about infringements (whistleblowing channel)

 

Controller

Raisio plc (Business ID 0664032-4) on its own behalf and on behalf of the Group companies
Address: Raisio plc, P.O. Box 101 (Raisionkaari 55), FI-21201 RAISIO, Finland
Telephone: +358 2 443 2111

 

Contact person in matters regarding the register

CLO Sari Koivulehto-Mäkitalo
Address: Raisio Oyj, P.O. Box 101 (Raisionkaari 55), 21201 RAISIO FINLAND
Telephone: +358 2 443 2111
E-mail: privacy@raisio.com

 

Purpose and legal basis for processing personal data

The purpose of personal data processing is to handle and process, in accordance with applicable legislation, the reports received through the Whistleblowing channel or otherwise.

Personal data is processed in order to comply with legal obligations, and on the basis of the data controller’s legitimate interest.

The procedure also allows suspicions or observations of misconduct, suspected violations related to financial markets and securities markets, as well as suspicions regarding possible money laundering and terrorist financing, to be reported anonymously.

 

Categories of personal data and content of the register

The personal data is relevant to the purpose of the register and relates to the person who has made the notification about an infringement and the subject of such notification, as well as persons who are suspected to be involved in the alleged infringement based on the notification.

The register does not contain information about the data subject’s private life that is not connected to his/her work duties or the notified infringement.

The register may contain sensitive data, if processing such data is necessary in order to draft, present, defend or solve a legal claim.

Basic personal data about the person who has made the notification and its subject:

  • first name and last name
  • employee’s name
  • job title
  • contact details (address, telephone number, e-mail address)

Data about the employment of the subject of the notification:

  • current and previous content of the employment
  • names of the superior and business unit

Information about the reports, such as:

  • date of filing the notification
  • date of the alleged incident/action
  • description of the alleged incident/action

Information about actions and consequences from the notification, such as

  • notice to the person who has filed the notification that his/her anonymity cannot be guaranteed in certain circumstances
  • decision of the controller about actions resulting from the notification
  • information about the criminal act, punishment or other consequence of the crime

 

Sources of information

Data is received from the person who has reported the infringement, as well as from the employees of the controller and the Group companies.

Personal data may also be gathered during the controller’s process.

 

Transfer and disclosure of personal data

The data can be disclosed to pre-named persons within the controller’s organisation for closer inspection and, as allowed and obliged by applicable data protection legislation, to the authorities (e.g. the police), where the controller is obliged by law to inform about infringements and to co-operate with the authorities.

As a rule, the data are not transferred or disclosed outside the EU or European Economic Area (EEA). If such transfer outside the EU or the EEA were necessary, the transfer and processing will be made by means allowed in the applicable data protection legislation, such as the Standard Contractual Clauses approved by the EU Commission.

We use external service providers in the production of system and support services. Personal data can be transferred to said service providers in accordance with applicable legislation.

No automated decision-making or profiling is associated with the personal data processing.

 

Information retention

Personal data is only stored for as long as, and to the extent that, it is needed, and the data controller will utilise it for actions related to the reported purposes of processing and in no case for more than five years, unless extension of this retention period is required because the process, court proceedings or investigations by the authorities are still in progress or in order to safeguard the rights of the person who has reported the infringement or is the subject of such report.

The need for retaining the data is evaluated after two years at the latest from the time of their last evaluation.

The above-mentioned time limits do not apply to any anonymized statistics drafted from the data.

Reports that contain no basis for investigation will be anonymized immediately if they contain any personal data.

 

Protection of personal data

Personal data is protected carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures.

Personal data is stored in systems that can only be accessed by pre-named persons with the right to process the data based on their work duties. All those using the register data are bound by professional secrecy.

In principle, personal data is not stored as physical documents. Such material is at all times kept in locked storage protected by an access control system.

Electronic data are available in databases that are protected by firewalls, passwords and other technical means. Databases and their backups are in locked spaces and access to the data is limited to certain pre-named persons.

An external partner (WhistleB, Whistleblowing Centre) is responsible for the technical implementation of the notification channel. WhistleB processes personal data at secure server facilities. WhistleB does not store IP addresses or other information that could be used to identify the sender of a report.

 

Data subject’s rights

The data subject has the following rights:

  • Right to access personal data
  • Right to correction of data
  • Right to erasure of data
  • Right to restriction of processing
  • Right to object to processing
  • Right to be informed of personal data breaches

The data subject’s right to gain access to personal data is not applied to all data in the register and especially not to the data about another person who has reported the infringement, if provision of such data would affect the prevention of or solving crimes or otherwise seriously endanger the right of another person.

In case some part of the data is left outside the scope of this right, the data subject is entitled to verify the remaining data concerning him/her.

The data subject is entitled to request rectification or removal of inaccurate or insufficient, unnecessary or outdated data concerning him or her, taking into consideration the above-mentioned limitations of this right.

All requests should be sent in writing to the person responsible for the register. The data subject must prove his/her identity in an acceptable way. The controller will reply within the time frame set by the personal data legislation (as a rule, within one month).

The data subject has the right to file a complaint with the supervisory authority if the data subject considers that his/her information has not been processed in accordance with this Privacy Statement or with current personal data regulations: Office of the Data Protection Ombudsman, P.O. Box 800, 00521 FI-Helsinki, Finland; tel: +358 29 56 66700; tietosuoja(at)om.fi.

 

Changes

The data controller reserves the right to change this Privacy Statement in order to develop its business operations or in case the legislation changes.