Privacy statement of the whistleblowing reporting channel

Created on 9 February 2021, updated on 24 May 2024

1. Controller and contact details in matters of data protection

Lahti Energy Ltd

Kauppakatu 31
Postal address: P.O. Box 93, 15140 Lahti
Tel. 029 000 8000

Contact details of Lahti Energy Group’s Data Protection Officer:

Tel. 029 000 8000
Email: tietosuojavastaava@lahtienergia.fi

2. For what purposes and on what basis do we process your personal data?

The purpose of the whistleblowing procedure is to monitor the operations of the Lahti Energy Group and to ensure the protection of persons reporting infringements of European Union and national law. The processing of personal data is based on the law (Act on the Protection of Persons Reporting Infringements of European Union and National Law, sections 2 and 10). The whistleblowing channel enables Lahti Energy to monitor whether it complies with the rules and laws related to its operations, to protect those reporting unlawful activities and breaches and to guarantee the confidentiality of data processing. The data is used to monitor and investigate misconduct and, if necessary, to establish, file or defend legal claims. In addition, the data can be used for the development, analysis and compilation of statistics on monitoring.

Through the reporting channel procedure, a whistleblower who, in the course of their work, has observed or suspects that they are observing activities contrary to the European Union or national laws may, pursuant to the Whistleblower Act, report activities contrary to the public interest in the following areas: public procurement; financial services, money laundering and prevention of terrorist financing; product safety; road safety; environmental protection; nuclear safety; food and feed safety; animal health and welfare; public health; consumer protection; protection of privacy and personal data, security of network and information systems, taxation; grants and state subsidies and competition regulations.

3. What kind of personal data do we process and where do we collect the data from?

The register may contain the following types of personal data concerning the whistleblower and the subject of the report, as well as other persons involved in the matter, such as witnesses:

  • the whistleblower’s name, email address and phone number. The report can also be made anonymously;
  • information in the report, such as the name of the subject, information related to the unlawful activities (incl. place and time), witness information;
  • information related to the submission and processing of the report as well as messages (incl. the code and status of the report); and
  • any other information provided by the whistleblower.

In addition, information is stored about the persons processing the reports received through the channel, such as name, job title, email address, user credentials to the system and log data on the use of the system.

As a rule, we do not process personal data belonging to special categories of personal data (e.g. data revealing ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, health information or sexual orientation) in the reporting process, and we do not encourage the inclusion of any personal data belonging to special categories of personal data in the report. We process personal data belonging to special categories of personal data or data related to crimes and breaches only when it is necessary for the investigation of suspected misconduct.

The primary source of the data stored in the register is the whistleblower. In addition, the data consists of data stored in the process of processing reports of misconduct. Other data sources are used within the limits laid down by law.

4. To whom do we disclose or transfer data?

Lahti Energy does not regularly disclose the register data to parties outside the Group. However, data may be disclosed in accordance with the law, such as to police authorities for the purpose of investigating crimes.

Lahti Energy uses external service providers to manage the whistleblowing system and process reports. In this case, personal data is transferred to external service providers only to the extent necessary for the implementation of the whistleblowing reporting channel.

5. Do we transfer data outside the EU or EEA?

Personal data will not be transferred outside the EU or EEA.

6. How do we protect data and how long do we store it?

Only those persons who have the right to process the data for their work are entitled to use the system, and the processors are bound by a duty of confidentiality. Each user has their own username and password for the system. The data is collected in databases that are protected by firewalls, passwords and other technical means. The databases and their backups are located in locked rooms and the data can only be accessed by certain pre-designated persons. Lahti Energy ensures data protection through data processing agreements concluded with its service providers that process the personal data.

The data in the register is stored for as long as is necessary to fulfil the purpose of the monitoring or due to statutory obligations. As a rule, report data is stored for one year from the completion of the investigation related to the report, unless further storage of the data is necessary due to an ongoing criminal investigation, trial or investigation by the authorities, or in order to protect the rights of the person who made the report or the person who is the subject of the report. Personal data that is clearly not relevant for the processing of the report will be erased without delay.

7. Your rights as a data subject in relation to data processing

Requests concerning the rights of data subjects must be sent to the address mentioned in section 1. As a rule, as a data subject, you have the following rights under data protection legislation. Please note that certain information is necessary to comply with our statutory obligations, which may limit some of the rights described below. Furthermore, in certain situations, we may have the legal right to restrict the exercise of the rights listed below if, for example, this is necessary for the investigation of a crime or to protect the identity of the whistleblower.

  • Right of inspection and the right to demand the rectification and erasure of data as well as to object to the processing of data
    • You have the right to receive information about the processing of your personal data, the right to inspect the data about you stored in the personal register as well as the right to demand the rectification of incorrect data and the erasure of data. In addition, to the extent required by applicable data protection legislation, you have the right to object to the processing of your data.
  • Right to lodge a complaint with the supervisory authority
    • If you find that your legal rights have been infringed, you have the right to lodge a complaint with the competent authority. According to the General Data Protection Regulation, you can lodge a complaint in the EU Member State where your permanent place of residence or place of work is located or where the alleged infringement has taken place.