Privacy notice for Whistleblower at CSC
Privacy notice for Whistleblower at CSC
Valid from 17.12.2021
CSC - Finnish IT Сentre for Science Ltd
(hereinafter referred to as "we" or "CSC")
|2. Contact person for register-related matters|| |
CSC Service Desk
Data asset owner: Chief Administrative Officer, BIS
Data Protection Officer: firstname.lastname@example.org
|3. Name of register|| |
4. Purposes and lawful bases for processing personal data
Whistleblower system enables you and any CSC’s employees to alert CSC and report possible illegal activities or serious violations against our internal provisions. It is possible to report anonymously without entering any personal data. Reporting anonymously may hinder our ability to fully investigate a reported matter or answer your requests.
After receiving the report, CSC processes personal data in the context of the Whistleblower for the purpose of investigation and giving feedback for the reporter. Only the information that is relevant in the scope of Whistleblower and to the reported matter will be kept after initial check. We will send an acknowledgment of receipt within seven days and feedback within three months from the acknowledgement to the reporter.
Personal data processing will be based on one of the following lawful basis:
a) Whistleblower platform and process are mandatory for some alerts of law breaches and it is mandatory to give an acknowledgment of receipt within seven days and feedback within three months from the acknowledgement.
a) where the report falls or not under legal obligation to provide Whistleblower system and process. It is a clear benefit to us to ensure the conduct of our workers is in-keeping with what is required by law, by industry standards and by our internal provisions. Investigation and measures help us to prevent economic losses and damage to our reputation.
In the case of conduct which constitutes a criminal offence against the interests of CSC or which violates human rights, interests of CSC will outweigh the accused person’s right to informational self-determination.
|5. What data do we process?|| |
The report and the feedback may include direct or indirect information about persons concerned.
If you register for using the Whistleblower, you will be asked to provide us with the following personal data, although only the data marked by an (*) are mandatory:
In the Whistleblower process, personal data from various data subjects may be processed:
For the purposes mentioned above, we can collect and process during the Whistleblower process the following personal data:
The Whistleblower system uses a session cookie to remember your language selection. That cookie is deleted as soon as you close the browser.
|6. Where do we get your data from?||We may obtain your personal data in the context of the Whistleblower because you give them to us, because you are mentioned on a report or participating to an investigation or information generated by using the platform (as time stamps).|
|7. Where do we transfer your data?|| |
Your personal data may be processed by:
Personal data is not transferred to countries outside the EU/EEA.
|8. How do we protect your data and how long we store your data??|| |
The data submitted to the whistleblower system is encrypted and access to data is limited to a very narrow circle of expressly authorised persons. The is no logging of personal data of visitors and reporters. The system is operated by an independent organisation.
Information which is not relevant to the investigation is deleted or anonymised after initial check.
The reporter’s personal data is retained as long as the data is required for investigation and to provide feedback. When such requirements no longer exist, the reporter’s personal data will be deleted within 60 days.
A report and given feedback will be stored for five (5) years from the end of closing year of the investigation. All personal data on those will be deleted or anonymised within 60 days of the end of the investigation, unless legal proceedings have been started. In single cases the data collected are stored for a longer period, if judicial or disciplinary proceedings are initiated. In such cases the data will be stored until those proceedings are definitively closed.
|9. What are your rights as a data subject?|| |
With respect to the processing of your personal data, you have the following rights:
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you. We will then no longer process the personal data, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. The right to object does not apply to legally required Whistleblower or data subject rights.
We will always use best efforts to address and settle any requests or complaints you bring to our attention. Besides contacting us you always have the right to approach the competent data protection authority with your request or complaint:
The data protection authority competent for CSC – IT Center for Science Ltd is:
|10. Who should you contact?|| |
All enquiries and requests regarding this privacy notice should be made in writing or in person to the contact person specified in section two (2).
|11. Changes to this notice||This privacy notice is current as of the date which appears at the top of the document. We may occasionally update this privacy notice. If there are material changes to this privacy notice or in how we will use your personal data, we will use reasonable efforts to notify you.|