Data protection notice - Whistleblower reporting channel
On the Whistleblower channel, the reporting agent’s identity is protected throughout the processing and settlement process and the notifier does not need to disclose his identity when making the notification.
Data controller
University of Oulu
Pentti Kaiterankatu 1
P. O. Box 8000, 90014 OULU
Unit in charge of the processing:
University of Oulu Document Services and Legal Services
Document Manager Katariina Alha, E-mail address: kirjaamo(at)oulu.fi and
Essi Kiuru, Director of Administration
University Data Protection Officer: dpo(at)oulu.fi
Purpose of processing personal data and legal basis for processing personal data
The purpose of the processing of personal data is to enable the reporting channel by which an employee, former employee or other person of a university may anonymously disclose the offence, abuse, other act or omission he or she has discovered.
The processing of personal data for the reporting channel is based on the law. The law on the protection of persons reporting breaches of European Union and national law (1171/2022) requires private and public legal entities with at least 50 permanent employees to establish an internal reporting channel for the anonymous reporting of unethical or unlawful activities
Personal data to be processed
Basic information, such as
- the name of the notifier,
- the object of the notification,
- the email address of the notifier and
- the username of the notifier.
Personal data originates from a data subject who reports an offence or irregularity he or she has detected. It is not necessary for the notifier to provide any personal data on its own by means of a notification form. According to the decision of the notifier, the notification may contain personal data of the object of the notification. If necessary, the controller may request additional information from the notifier. The controller may also supplement the notification of personal data for the purposes of processing the notification with additional information on other registers of the controller.
Personal data contained in the notification which are not clearly relevant to the investigation of the case shall be deleted without undue delay.
Recipients or categories of recipients of personal data
Personal data can be accessed and processed by employees of the University of Oulu who have been designated separately.
System editor of the notification channel used by the University of Oulu: Certia and its subprocessor Efecte Oy. The notifications received through the channel are registered in the University's case management system, which is provided by Innofactor Oy.
Personal data shall be disclosed to third parties, such as public authorities or external inspectors, within the limits permitted and required by the legislation in force.
Data transfers
Personal data will not be transferred outside the EU or the EEA.
Data storage time
Personal data relating to the notification shall be processed during the period during which the notification is relevant to it’s legal content. Other material resulting from the notification (e.g. reports, sanctions documents) is retained or deleted in accordance with the University’s information management plan. The notification and associated personal data shall be deleted when the notification no longer has any relevance to the legal requirement. The notification will be deleted within five years of its arrival.
The definition of retention periods is based on, for example, the Archive Act (831/1994), the Information Management Act (906/2019) and the Criminal Code (39/1889).
Data subject rights
You have the following rights as a data subject:
- Right to access your data
- Right to have inaccurate data corrected (make sure to keep your contact information up to date)
- In certain situations, the right to have data erased ("right to be forgotten")
- In certain situations, the right to restriction of processing
- In certain situations, the right to object to processing
- In certain situations, the right to have data transferred from one system to another if the processing is based on consent or agreement and is performed automatically.
Please note that the applicability and scope of your above-mentioned rights will be specified on a case-by-case basis in accordance with the EU General Data Protection Regulation, depending on e.g. the grounds for processing the data, and that you do not have the above-mentioned rights in all cases.
If you have any questions about your rights, you can communicate with the University's Data Privacy Officer or the contact person of the responsible unit.
If you want to use the above-mentioned rights, please send a request to the University’s registry office: kirjaamo(at)oulu.fi, where you will get the necessary additional instructions.
Right of appeal to the supervisory authority
In addition to the rights mentioned above, you have the right to file a complaint about the processing of your personal data with the Office of the Data Protection Ombudsman as the supervisory authority. The contact details and opening hours can be found on the website of the Data Protection Ombudsman.
General description of the technical and organisational protection measures
The University as the Data Controller uses appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against damage or loss of personal data. Such measures in connection with the notification channel include access authorization management, which allows only authorized persons to process notifications submitted through the reporting channel and the personal data contained therein. The report based on the notification will be handled by a pre-defined internal processing group of the University of Oulu. All participants have received training in the processing of information received through the reporting channel.