Privacy Policy
Whistleblowing procedure

Administer Plc and its group companies (collectively referred to as “Administer”) are committed to protecting privacy and processing personal data in accordance the applicable data protection legislation and good data protection practices. This Privacy Policy describes how Administer collects, processes and protects the personal data of persons who report a suspected violation via the whistleblowing procedure (“the Whistleblower”) and persons who are the subject of such a report. If a report has been submitted anonymously, Administer shall not process the Whistleblower’s personal data.

Administer and its group companies act as joint controllers. This Privacy Policy describes how personal data are collected and processed for joint purposes.  

1. The joint controllers and their contact details

This Privacy Policy applies to the whistleblowing procedure of Administer Plc and its group companies (collectively referred to as “Administer”).

Administer Plc is responsible for the administration of the data file described herein and also acts as a central contact point for questions concerning data protection.

Administer Plc
Itämerenkatu 5
FI-00180 Helsinki
Business ID 0593027-4
Telephone: +358 (0)20 703 2000

All of the joint controllers of the data file are specified on the Group’s website at https://administergroup.com/administer-konserni-yhtiolistaus/.

2. Contact persons for the data file

Administer Plc’s customer service is available in matters concerning the data file on weekdays between 9 a.m. and 4 p.m. by phone on +358 (0)20 703 2010. You can also send us your questions concerning the data file by e-mail to tiedotus@Administer.fi or by letter to Administer, Itämerenkatu 5, FI-00180 Helsinki, Finland.

If you have any questions concerning data protection, please contact the Group’s Data Protection Officer: Anja Hänninen, tel. +358 (0)40 5220 621.  You can also send us your questions concerning data protection by e-mail to tietosuoja@administer.fi or by letter to Administer, tietosuoja, Itämerenkatu 5, FI-00180 Helsinki, Finland.

3. Name of the data file

Administer Group’s whistleblowing procedures.

4. Basis and purpose of the processing of personal data

With regard to data on third persons, the processing of personal data is based on the controller’s legal obligation, the legitimate interest of the controller or a third party and, with regard to the Whistleblower’s data, on consent and the legitimate interest of the controller or a third party.

The reporting procedures implemented are a way of monitoring the realisation of Administer’s ethical principles. The whistleblowing channel makes it possible to obtain important and systematic information on suspected misconduct and violations and to react to them in a timely manner. The existence of whistleblowing procedures supports a good corporate culture by providing employees with a channel for raising concerns. Reports can also be submitted anonymously. Administer cannot separately ask for consent from persons who are the subject of a report. Reports can be submitted by the Group’s employees or other stakeholders, such as Administer’s customers and business partners.

Administer only processes personal data necessary for processing a whistleblowing report when potential misconduct or other reported activities are investigated on the basis of the received report. When a suspected incident of misconduct has been verified, the personal data are also used in the implementation of disciplinary and corrective measures. Abuse of whistleblowing practices (e.g. malicious false reporting) results in sanctions, such as disciplinary action.

5. The kinds of data we collect

Administer only collects personal data necessary for the investigation of a report. This data includes:

  • basic information, such as a person’s name, phone number, e-mail address, job title and position
  • the information contained in the report, including all of the information provided by the Whistleblower, such as the identity of the alleged offender, a description of the alleged misconduct and related justification, and any other relevant information
  • information necessary for investigative purposes collected in connection with the investigation of the alleged misconduct, such as information concerning the employment relationship, financial information, information from third-party reports and assessments, behavioural data and login data.

The Whistleblower may also submit a report anonymously, in which case it is not possible to link the report to any individual. 

Personal data deemed to be irrelevant or extraneous to the subject matter of the investigation shall be erased. Special categories of personal data are not generally processed in the whistleblowing process but, if such personal data are nevertheless processed, for example, in order to establish, present or defend a legal claim, the processing shall be carried out in accordance with the applicable data protection legislation.

6. Where data is collected from

Administer collects personal data provided by the Whistleblower through the whistleblowing system or other channels. In addition, during investigations, personal data are collected, if necessary, from Administer’s internal systems and from third parties.

Personal data concerning data subjects are collected from data subjects themselves when they have submitted a report using their name. Data on data subjects may also be collected from sources other than the data subjects themselves; for example, when a report submitted by another data subject contains personal data on another person. During the processing of reports, the controller may also become aware of other data concerning data subjects, which the Whistleblowers themselves voluntarily provide or which is obtained from other sources in a manner permitted or required by the applicable legislation.

7. Who has access to personal data and whether the data are disclosed to third parties

Administer has an independent team specifically appointed to process whistleblowing reports. This team receives and processes the reports. Depending on the nature of the report, the number of processors may be increased on a case-by-case basis. Misuse of the whistleblowing channel may lead to legal action.

The personal data are accessed and processed by Administer employees who carry out and supervise the investigations. Access is only granted to persons who need the information for the aforementioned purposes. The Whistleblower’s identity, when known, shall not be disclosed to the persons against whom the allegations are made. The identity of the Whistleblower shall be disclosed only if the Whistleblower consents to it or if the disclosure of the Whistleblower’s identity is required in criminal proceedings, or if Whistleblower has submitted a false report with malicious intent. The personal data are disclosed to third parties, such as the public authorities or external inspectors, only when necessary.

8. Disclosures and transfer of data

The identity of the Whistleblower shall be disclosed only if the Whistleblower consents to it or if the disclosure of the Whistleblower’s identity is required in criminal proceedings, or if Whistleblower has submitted a false report with malicious intent.  The personal data may be disclosed to third parties, such as the public authorities or external inspectors, when doing so is based on the applicable legislation or is essential for carrying out the actions necessitated by the report.

9. Transfer of personal data outside the European Union/European Economic Area

Personal data reported in the EU or EEA shall not be transferred outside the EU or EEA.

10. Automatic decision-making or profiling

The processing of personal data does not involve automatic decision-making, and no profiling is carried out based on the personal data.

11. Retention of the data

Administer stores the personal data collected in the data file for only the period of time necessary – and to the extent necessary – and legally permissible for the original or compatible purposes for which the personal data were collected.

When the investigation is completed, the case is closed. In the whistleblowing channel, personal data are stored for a maximum of one (1) year from the last active event between Administer and the data subject. Material collected during the investigation shall be securely stored until the expiration of the period allowed for lodging the claim, after which the material shall be destroyed.

The retention period may vary in accordance with mandatory legal requirements, which may be based on legislation concerning occupational safety, corruption, ethics and accounting, for example. If the case goes to a court of law and the court proceedings require a longer retention period, the data shall be retained for the duration required by the court proceedings. If the claim is found to be unfounded, the data shall be destroyed without delay.

The key issue in terms of retention periods is the reverse burden of proof in relation to the prohibition of countermeasures. If the Whistleblower feels that they have been subject to countermeasures, the company has a duty to prove that this has not been the case. As the statute of limitations has not yet been specified at national level for claims concerning countermeasures, specifying a limit for the retention period of the material related to the processing of reports is not possible at this time. Administer shall comply with the national legislation concerning retention periods.

Secure practices are observed in the destruction and erasure of data in accordance with Administer’s erasure processes.

12. Protection of personal data

The whistleblowing channel is protected by technical means and the administrator of the whistleblowing channel does not have access to the reports or the Whistleblower’s data. The whistleblowing channel does not store IP addresses or other data that could identify the person who submits a report. The data security of the whistleblowing channel has been verified by an external auditor and it meets the statutory requirements set for it.

The system does not record any data on Whistleblowers that is not submitted by the Whistleblowers themselves. The Whistleblower receives a numeric code at the time of submitting the report. This code can be used to log in and monitor the processing of the report after its submission. This numeric code provided at the time of report submission is the only way to access the report afterwards. For this reason, the person must store the numeric code, as the unique numeric code is the only way to track the processing of the report or provide additional information regarding the report. If the numeric code is forgotten, the Whistleblower is required to submit a new report.

Personal data are protected from unauthorised processing. Only independent persons specifically appointed by Administer are authorised to process the data that is processed in connection with the processing of whistleblowing reports. Each person who processes a report has personal login details and two-step authentication is used. Each person who processes personal data has signed a data security and data protection commitment and received the necessary instructions and training for the processing of personal data.

13. How data subjects can influence the processing of their personal data

In accordance with the EU’s General Data Protection Regulation, each data subject has the following rights:

  • The right to access their personal data
  • The right to the rectification and supplementation of personal data in case of errors, inaccuracies or omissions
  • The right to request the erasure of their personal data
  • The right to restrict the processing of personal data
  • The right to object to the processing of personal data
  • The right to request their personal data in a machine-readable format in order to transfer the data to another controller

Administer may have the right to reject a request relating to the rights of a data subject. If a request is rejected, the data subject is always informed of the reasons for the rejection. Data subjects can send requests concerning their rights by e-mail to tietosuoja@administer.fi. The contact person for matters related to the rights of the data subject is the Data Protection Officer and the contact details are provided in this Privacy Policy in section 2: Contact persons of the data file.

The data subject has the right to lodge a complaint with a supervisory authority if they are of the opinion that the processing of their personal data violates the General Data Protection Regulation. A complaint can be made, for example, if Administer does not appropriately implement the data subject’s rights as laid out in the General Data Protection Regulation.  A notification of a fault in the processing of personal data can be submitted on the Office of the Data Protection Ombudsman website: https://tietosuoja.fi/en/report-of-fault-in-personal-data-processing.

14. Amendments to the Privacy Policy

Administer reserves the right to amend this Privacy Policy. Amendments to the Privacy Policy may also be based on changes in legislation.

This Privacy Policy was last updated on 22 November 2021.