Register and privacy policy

1. Data controller

NYAB AB
Varvsgatan 39
972 32 Luleå, Sweden
info(at)nyabgroup.com

2. Name of the register

Whistleblowing, i.e. anonymous reporting channel.

3. Purpose and legal basis for processing personal data

The purpose of processing personal data is:

Processing and investigation of notifications received via the reporting channel.

The legal basis for processing is the controller’s legal obligation. The provision of the reporting channel and the processing of notifications are regulated in the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022).

If the matter does not fall within the scope of the statutory reporting channel, the processing is based on the controller’s legitimate interest in preventing and investigating misuse. The legitimate interests of the controller also include the following bases:

In these situations, the legitimate interest of the controller is assessed to outweigh the right of the data subject, especially the subject of the notification, to decide on the processing of their personal data.

4. Information content of the register

The notification may contain the following personal data:

As a rule, data belonging to special categories of personal data are not processed.

It is possible to submit the notification anonymously. In this case, the personal data of the person submitting the notification will not be processed, unless the personal data is provided later. It may be possible to identify the person by combining the information provided by the person in their notification.

5. Regular sources of information

Personal data is obtained through the notification made to the reporting channel and possibly through the related investigation process.

6. Regular disclosure of data and transfer of data outside the EU or EEA

Data is not regularly disclosed to other parties. If it is necessary to use expert services (e.g. legal services) in the investigation process, personal data may be disclosed to a party acting on behalf of NYAB Plc. In this case, it is ensured that the data processing agreements required by data protection legislation have been concluded with the service provider.

Information received through the reporting channel may be disclosed to the competent authority. For example, suspected crimes and their investigation materials may be handed over to the pre-trial investigation authority.

As a rule, personal data is not transferred outside the European Union or the European Economic Area. However, if personal data needs to be transferred outside the European Union or the European Economic Area, NYAB will ensure an adequate level of protection of personal data, for example, by agreeing on matters related to the processing of personal data as required by data protection legislation, such as using standard contractual clauses approved by the European Commission.

7. Principles of register protection

Data security and protection of personal data are of paramount importance to us. We use appropriate technical and organisational safeguards to protect personal data. We also ensure the fault tolerance of our systems and data recovery capabilities. The right of access to personal data is restricted only to separately authorised parties. Parties processing personal data have a duty of confidentiality regarding matters related to the processing of personal data.

8. Rights of the data subject

Data subjects have rights to their personal data under data protection legislation. However, how these rights apply in an individual situation depends on the purpose and context in which the personal data is used.

Exercising your rights

We hope that you will contact NYAB if you have any questions regarding the processing of your personal data.

You can send a request concerning the rights of the data subject by letter or e-mail using the contact details mentioned in this privacy policy.

The identity of the person making the request may be verified before the request is processed. The request will be answered within a reasonable time and, in principle, within one month of the request being made and the identity being verified. If the request cannot be granted, the refusal will be communicated separately.

8. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent data protection authority if the data subject considers that his or her personal data has been processed in violation of data protection legislation.

The contact information of the Finnish Data Protection Authority can be found here.

9. Changes to the Privacy Policy

This privacy policy may need to be amended from time to time. The changes may also be based on changes in data protection legislation. We therefore encourage you to regularly review the privacy policy to detect any changes. The latest version is available on our website.

This privacy policy was published on 29 June 2023.