Register and privacy policy
1. Data controller
NYAB AB
Varvsgatan 39
972 32 LuleƄ, Sweden
info(at)nyabgroup.com
2. Name of the register
Whistleblowing, i.e. anonymous reporting channel.
3. Purpose and legal basis for processing personal data
The purpose of processing personal data is:
Processing and investigation of notifications received via the reporting channel.
The legal basis for processing is the controller’s legal obligation. The provision of the reporting channel and the processing of notifications are regulated in the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022).
If the matter does not fall within the scope of the statutory reporting channel, the processing is based on the controller’s legitimate interest in preventing and investigating misuse. The legitimate interests of the controller also include the following bases:
- the right to ensure that the operations of the personnel comply with legislation and NYAB’s guidelines,
- the right to prevent financial losses and to avoid reputational risks, and
- the right to ensure the legal protection of personnel.
In these situations, the legitimate interest of the controller is assessed to outweigh the right of the data subject, especially the subject of the notification, to decide on the processing of their personal data.
4. Information content of the register
The notification may contain the following personal data:
- Personal data of the subject of the notification, such as name and/or contact details and other possible information
- Personal data of the notifier, such as name and/or contact details
- Information on any other person (e.g. witness) that has come to light in the notification or during the investigation process
As a rule, data belonging to special categories of personal data are not processed.
It is possible to submit the notification anonymously. In this case, the personal data of the person submitting the notification will not be processed, unless the personal data is provided later. It may be possible to identify the person by combining the information provided by the person in their notification.
5. Regular sources of information
Personal data is obtained through the notification made to the reporting channel and possibly through the related investigation process.
6. Regular disclosure of data and transfer of data outside the EU or EEA
Data is not regularly disclosed to other parties. If it is necessary to use expert services (e.g. legal services) in the investigation process, personal data may be disclosed to a party acting on behalf of NYAB Plc. In this case, it is ensured that the data processing agreements required by data protection legislation have been concluded with the service provider.
Information received through the reporting channel may be disclosed to the competent authority. For example, suspected crimes and their investigation materials may be handed over to the pre-trial investigation authority.
As a rule, personal data is not transferred outside the European Union or the European Economic Area. However, if personal data needs to be transferred outside the European Union or the European Economic Area, NYAB will ensure an adequate level of protection of personal data, for example, by agreeing on matters related to the processing of personal data as required by data protection legislation, such as using standard contractual clauses approved by the European Commission.
7. Principles of register protection
Data security and protection of personal data are of paramount importance to us. We use appropriate technical and organisational safeguards to protect personal data. We also ensure the fault tolerance of our systems and data recovery capabilities. The right of access to personal data is restricted only to separately authorised parties. Parties processing personal data have a duty of confidentiality regarding matters related to the processing of personal data.
8. Rights of the data subject
Data subjects have rights to their personal data under data protection legislation. However, the application of rights in each individual situation depends on the purpose and situation of use of personal data.
- Right of access to personal data. The data subject has the right to obtain confirmation of whether the data subject’s personal data is being processed and other information on the processing of personal data in accordance with data protection legislation. The data subject has the right to receive a copy of the personal data. The afore-mentioned right of access of the data subject may be restricted regarding personal data provided under the Whistleblower Act if this is necessary and proportionate in order to ensure the investigation of the accuracy of the notification or to protect the identity of the notifier. The data subject has the right to be informed of the reasons for the afore-mentioned restriction and request that information will be provided to the Data Protection Ombudsman in accordance with section 34(3) and (4) of the Data Protection Act (1050/2018).
- Right to rectification of personal data. The data subject has the right, subject to certain restrictions, to demand the correction or erasure of incorrect or inaccurate data.
- Right to erasure of personal data. The data subject has the right, in accordance with the requirements of data protection legislation, to request the erasure of their personal data. Upon request, we will delete personal data, unless we are required by law or some other applicable exception under data protection legislation to retain personal data.
- Right to restriction of processing. In accordance with the requirements of data protection legislation, the data subject has the right to request the restriction of the processing of personal data in certain situations.
- Right to portability of personal data. The data subject has the right to request the transfer of their personal data to another controller. As a rule, the right to portability applies to personal data that the data subject has provided to the controller in a structured and machine-readable format and for which the processing is based on the data subject’s consent or agreement, and/or for which the processing is carried out automatically.
- Right to object to processing. The data subject has the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary to fulfill the compelling and legitimate interests of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and profiling related to direct marketing.
- Right to withdraw consent. If the processing of personal data is based on the consent given by the data subject, the data subject has the right to withdraw his or her consent to the processing of personal data concerning him or her. The withdrawal of consent has no effect on the processing carried out prior to the withdrawal.
Exercising your rights
We hope that you will contact NYAB if you have any questions regarding the processing of your personal data.
You can send a request concerning the rights of the data subject by letter or e-mail using the contact details mentioned in this privacy policy.
The identity of the person making the request may be verified before the request is processed. The request shall be answered within a reasonable time and, in principle, within one month of the request being made and the identity checked. If the request cannot be granted, the refusal will be notified separately.
8. Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with the competent data protection authority if the data subject considers that his or her personal data has been processed in violation of data protection legislation.
The contact information of the Finnish Data Protection Authority can be found here.
9. Changes to the Privacy Policy
This privacy policy may need to be amended from time to time. The changes may also be based on changes in data protection legislation. We therefore encourage you to regularly review the privacy policy to detect any changes. The latest version is available on our website.
This privacy policy has been published on 29 June 2023.