Privacy statement for Eezy’s whistleblowing channel

15 December 2021

1 Controller

Eezy Plc (hereinafter referred to as “Eezy”)
business ID: 2854570-7
P.O. Box 901, FI-20201 Turku, Finland

2 Contact details of the person responsible for data protection

Lawyer Aino Nylander
c/o Eezy Plc
Itämerenkatu 3, FI-00180 Helsinki, Finland

E-mail: tietosuoja@eezy.fi

3 Processor of personal data

Eezy has outsourced the processing of personal data as enabled by data protection legislation. The processor of reports submitted through Eezy’s whistleblowing channel is WhistleB Whistleblowing Centre Ab (World Trade Centre, Klarabergsviadukten 70, SE-107 24 Stockholm, Sweden). They are responsible for the whistleblowing application used by Eezy, including the processing of encrypted data, such as whistleblowing reports. WhistleB and its subcontractors are not able to decrypt the messages and read the reports.

4 Description of the privacy statement

This privacy statement, in line with Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU), explains how the controller processes the personal data of individuals who submit a report through the whistleblowing channel and the personal data of individuals targeted by or involved in the report (hereinafter jointly referred to as “data subject”).

5 Processed personal data

The identity of the whistleblower is primarily anonymised. The whistleblowing service may collect personal data when investigating suspected misconduct and/or inappropriate behaviour. Personal data may be collected:

  • from an individual specified in the report;
  • from the individual submitting the report (unless submitted anonymously); and
  • from potential third parties when investigating suspected misconduct and inappropriate behaviour not in line with our ethical guidelines or internal rules.

The following types of personal data, for example, may be collected from a data subject:

  • the individual’s name, social security number, date of birth and contact information;
  • title and position in the organisation;
  • other background information included in the report and collected during the investigation (such as a description of the event and other additional information required for the investigation).

6 Regular sources of personal data

Personal data is primarily collected from the data subject. The personal data of the whistleblower are primarily collected from the whistleblowing feedback forms on the Eezy website that the whistleblower fills in, using their own name, for example. The data of a data subject can also be collected from sources other than the data subject, for example if a report submitted by another data subject includes personal data of other people. Eezy may also receive other personal data concerning the data subject when investigating the issue. This can be obtained from the data subject, the people participating in the investigation or public sources.

The whistleblower’s personal data can be collected and updated without the data subject’s consent when allowed and required by legislation.

7 Purpose and legal basis of processing personal data

Eezy processes the whistleblower’s personal data as part of investigating misconduct within the framework of the Whistleblowing directive and Finnish legislation. Investigating the issue is based on a suspicion of misconduct reported by the whistleblower, the events closely connected to the suspicion and the information of the event delivered by the whistleblower.

For this purpose, Eezy collects personal data of individuals who submit a report through the channel and of individuals concerned by the report submitted through the channel. The data subjects may be employees of Eezy and/or representatives of partners, for example. Personal data is processed in order to detect, investigate and prevent misconduct not in line with Eezy’s ethical guidelines, legislation or financial principles.

The processing of personal data is based on Eezy’s legal obligation (General Data Protection Regulation of the EU, EU directive on the protection of whistleblowers and Finnish legislation concerning whistleblowers) to set up and maintain a whistleblowing channel used to report misconduct. The processing is also based on Eezy’s legitimate interest in ensuring the ethical and legal activities of the controller’s employees and partners. Processing tasks can be outsourced to service providers external to the controller in line with and within the limitations set in data protection legislation.

8 Disclosure and transfer of personal data

Eezy stores the reports received through the whistleblowing channel with absolute confidentiality and as required by data protection legislation. Personal data may be disclosed between companies in the Eezy Group and to individuals with an employment or executive employment relationship with the Eezy Group in order to investigate misconduct. Moreover, personal data of the data subject may be disclosed to authorities (such as the police) so that they can manage their statutory duties in line with the applicable legislation.

Data will primarily not be transferred outside the EU or the EEA unless necessary for the purposes or technical implementation of the personal data processing, whereupon the requirements of data protection legislation will be complied with in the transfer of the data.

9 Protection of personal data

The controller uses appropriate technological and administrative measures to ensure the protection of the personal data. The personal data is stored both in electronic databases and manual archives. The electronically processed databases are protected with firewalls, passwords and other technological means generally accepted in the field of information security. Manually maintained and processed materials are located in facilities inaccessible to outsiders.

Only the specified and identified individuals whose work-related duties include processing the personal data stored in the data file have access to the personal data. These individuals access the system using their personal credentials, and each individual has concluded a special credential and Non-Disclosure Agreement on the use and disclosure of their credentials.

10 Automated decision-making

The data subject’s personal data will not be used for decision-making that may entail a legal and/or similar effect on the data subject.

11 Storage period of personal data

The collected personal data will be stored for as long as is necessary to investigate the reported misconduct or as is required by legislation and other deadlines set in regulations.

Personal data included in reports and investigation documents will be erased as the investigation is completed unless the retention of personal data is required in other applicable legislation. The data will be erased permanently within 30 days of the completion of the investigation. The archived investigation documents and reports are anonymised in line with data protection legislation so that they do not contain personal data that would allow the direct or indirect identification of the individual.

12 Rights of the data subject

The data subject has the following rights in accordance with data protection legislation:

  • The data subject has the right to request Eezy to rectify the data. The personal data rectification request must be specified so that the error in the personal data can be found and rectified easily.
  • The data subject has the right to request the erasure of personal data within the limitations of and in accordance with the applicable data protection legislation. The data subject’s request to erase the personal data from Eezy’s system while a misconduct investigation is underway may result in the termination of the investigation if the investigation is no longer possible.
  • The data subject has the right to request restriction of processing their personal data and object to processing within the limitations of and in accordance with the applicable data protection legislation.
  • The data subject has the right to data portability, in other words, to receive the personal data concerning him or her in a structured, commonly used format and to transmit the data to another controller within the limitations of and in accordance with the applicable data protection legislation.
  • The data subject has the right to lodge a complaint with the national data protection authorities (in Finland, Data Protection Ombudsman) or other data protection authorities of the EU or the EEA if the data subject believes that their legal rights related to the processing of personal data have been violated.

The data subject may send the requests concerning the use of their aforementioned rights to the data protection contact person.

13 Amendments to the privacy statement

The controller is constantly developing its operations and, therefore, reserves the right to make amendments to this privacy statement by announcing them on its website at www.eezy.fi/en. Changes in legislation may also result in the need to make amendments to the privacy statement. The controller recommends that data subjects reread the privacy statement regularly.