EU General Data Protection Regulation (2016/679), Articles 13 and 14
Date of drafting: 5th March 2018 Updated: 8.12.2020
We may update or revise this Information Notice at any time, with any notice to you as may be required under applicable law.
1. Controller / Company
Orion Corporation (Company Identification Number: 1999212-6) Orionintie 1
FI-02200 Espoo Finland
Tel. 010 4261
2. The person in charge / contact person
Contact person: Mikko Kemppainen, Head of Legal Affairs Address: Orionintie 1A, 02200 Espoo
Email address: firstname.lastname@example.org
Contact details of the Data Protection Officer: email@example.com
3. Name of the data file
Whistleblowing channel of Orion Corporation
4. The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data
The purpose for processing the personal data is to process notifications coming through Orion Group´s Whistleblowing channel. The purpose of the Whistleblowing channel is to ensure that good administration practices are followed in the controller’s operations and to ensure that appropriate policies regarding financial securities and in particular, prevention of fraud and irregularities are in place. Notifications relating to the following topics are processed through the Whistleblowing channel:
- Code of Conduct
- Prevention of bribery
- Financial irregularities (including the suspected violations of provisions and regulations of the financial market)
- Notable violations of environmental rules and pollution of the environment
- Serious forms of discrimination and harassment
The person reviewing the whistleblowing report will process the personal data together with the Legal Affairs of Orion Group. Access to Orion’s whistleblowing channel is provided only to Orion’s Head of Legal Affairs and a very limited amount of personnel from Orion’s internal audit service provider, Deloitte Oy.
The purpose of processing of personal data is the controller´s legitimate interests and developing and maintaining good administrative practices (e.g. compliance with the rules and laws). We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override Orion Group´s legitimate interest.
5. Content of the file
The data file contains personal data provided by Orion´s personnel or by other
stakeholders. The collected data may include e.g. names, events or other personal data relating to the investigations.
6. Sources of information
Employees of Orion Group or other possible stakeholders, such as, partners or partner representatives of Orion Group´s companies.
7. Destinations of disclosed data and whether the data is transferred to countries outside the European Union or the European Economic Area
Personal data is processed only by the people mentioned in section 4. Personal data may be disclosed internally where the investigation requires this or data may be disclosed to third parties in order to carry out investigations concerning bribery, corruption, fraud, or other irregularities or violations of law, or in case a notification includes information which gives rise to suspicion of crime.
Personal data from the data file is not disclosed nor transferred to countries outside of the European Union or the European Economic Area without the data subject´s consent.
8. Protection of the transferred personal data
In special cases, personal data can be disclosed if data subject consents, in which case personal data is transferred only on the basis of such consent. Personal data is processed primarily in Finland and in other EU countries.
9. Retention period of the personal data
The controller retains the personal data for about 60 days after the personal data is no longer needed for the purpose of investigation or processing.
10. The principles how the data file is secured
The data file is protected technically and physically so that outsiders do not have access to it.
11. Right of access and realization of the right of access
The data subject shall have the right of access to the data on himself/herself in the data file. The data subject who wishes to use this right shall make a request to this effect to the local representative of controller mentioned in section 2.
12. Right to object to processing
In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing on grounds relating to his or her particular situation.
If the data subject wishes to object to processing, he or she shall make a request to this effect to the person in charge at the data controller by a personally signed or otherwise comparably verified document in writing to the local representative of the data controller named under section 2. hereinabove.
13. Rectification, restriction of processing and erasure
The data controller shall, on its own initiative or at the request of the data subject, without undue delay, rectify, erase or supplement personal data contained in the data file. If data subject has questions relating to the processing of personal data or questions relating to the circumstances relating to the use of his/her’s rights, the data subject should contact the controller through a written email. The contact information is found in section 2.
Under specific circumstances, the data subject has the right to obtain from the controller restriction of processing of his or her personal data.
If the data controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the individual may bring the matter to the attention of the Data Protection Ombudsman.