Privacy policy conserning whistleblower channel

Privacy policy conserning whistleblower channel

The companies belonging to the Premico Group (“Premico”) are committed to processing personal data reliably, securely, and transparently. This statement describes how Premico processes personal data in connection with the processing of notifications received through the Group’s Whistleblower channel and the investigations initiated by them.

1. Controller

Premico Group Oy and the applicable companies belonging to the same group of companies from time to time.
Aleksanterinkatu 11, 00100 Helsinki
(herein ”we”, ”us”, ”our” or ”Premico”)

2. Contact person

Data Protection Matters
c/o Premico Group Oy
Aleksanterinkatu 11, 00100 Helsinki

3. Purposes of processing personal data and legal basis for processing

Premico may collect and process personal data for the following purposes, for example:

  • Processing, investigation and reporting of reports submitted through the Whistleblower channel
  • Monitoring and ensuring compliance with legislation, agreements and Premico’s internal regulations
  • Prevention, detection and investigation of criminal offences and other irregularities
  • Safeguarding legal rights
  • Compliance with legal obligations
  • The processing of personal data is based on contractual rights and obligations legitimate interests of Premico or fulfilling Premico’s obligations based on law. The legal basis for the processing of personal data is the fulfilment of legal obligations and Premico’s legitimate interest.

4. What data do we process?

Premico may collect and process the following personal data:

  • Identification information, such as name and personal ID
  • Contact information, such as address, phone number and email
  • Occupation and employer information
  • Information related to a suspected crime or misconduct
  • Image and video material
  • Other information provided by the notifier

Typically, the personal data processed concerns the person who submitted the notification or the person subject to it.

5. Storing personal data

We store personal data for as long as it is necessary to fulfil the purposes defined in this privacy statement, unless legislation requires us to store personal data for a longer period.

6. Regular sources of information

As a rule, we receive personal data from the whistleblower themselves through the Whistleblower channel. Anyone can submit a report in the reporting channel, such as Premico’s employees and representatives of Premico’s customers and other stakeholders.

Premico may also collect personal data from Premico’s internal systems, parties related to the notification and authorities.

7. Disclosure of personal data

As a rule, personal data will not be disclosed outside Premico. However, personal data may be disclosed to the following recipients, for example:

  • As required by law, in cases of suspected crime, to the police.
  • Within the limits permitted and obligated by current legislation, official regulations and guidelines issued by industry associations, for example to authorities.
  • In connection with mergers and acquisitions, potential buyers, financiers, and their advisors, if Premico sells or otherwise reorganizes its business.

If personal data is disclosed to a third party, we will ensure that the data is protected by appropriate contractual protections.

8. Transfer of data outside the European Economic Area

As a rule, we process personal data within the European Economic Area (“EEA”). Data may also be processed outside the EEA if it is necessary for the purposes of processing personal data mentioned in this privacy statement or for the technical or practical implementation of data processing, such as the location of servers.

If personal data is transferred outside the EEA, we will ensure that the transfer of data complies with the requirements of data protection legislation.

9. Security of processing personal data

When processing personal data, we ensure appropriate security and data protection of personal data, including the protection of personal data against unauthorized processing and accidental loss.

Personal data processed electronically is protected by firewalls, passwords and other means generally accepted in the field of information security. Personal data can only be accessed by identified Premico employees with access rights granted by Premico.

Premico’s reporting channel has been implemented with Suomen Tunnistetieto Oy’s DOKS® system.

10. Automated decision-making, including profiling

Premico does not use automated decision-making or profiling in connection with the processing of personal data described in this privacy statement.

11. Rights of the data subject

As a data subject you have the right to

  • know whether we process data concerning you and, if so, access it and information on the processing of personal data as required by law;
  • require us to correct any inaccurate or incorrect data concerning you and to have incomplete personal data completed;
  • obtain the erasure of personal data concerning you in accordance with law (for example, when data is no longer needed and there is no lawful ground to store such data);
  • withdraw or amend the consent you have possibly given for the processing of personal data;
  • request restriction of processing of your personal data in accordance with law and, for example, when you wait for a response to your request regarding correction of your data;
  • object profiling targeted at you and, in accordance with law, other processing of personal data where processing is based on the controller’s legitimate interest;
  • have your data transmitted to another system in situations regulated by the applicable law.

A data subject may also file a complaint with the competent supervisory authority if the data controller has not complied with the data protection legislation applicable to its operations. In Finland, compliance with data protection legislation is supervised by the Data Protection Ombudsman. If you want to file a complaint with the Data Protection Ombudsman regarding processing of personal data in Premico’s operations you can contact the Data Protection Ombudsman’s office as instructed in

12. Who can you contact?

Contacts and requests concerning the processing of personal data in Premico’s operations and this privacy policy must be made to the contact person named in section two (2).