Data protection statement to the channel for reporting misconduct

EU general data protection regulation, articles 13 and 14, drafted on 1 February 2023.

Controller

University of the Arts Helsinki
Telephone: +358 294 47 2000 (switchboard)
Postal address: P.O. Box 1, 00097 UNIARTS

Entity and person in charge of processing personal data

Development services, Planning Manager Alina Savolainen
Email: firstname.lastname@uniarts.fi, telephone: +358 400 792 089

Contact persons for processing personal data

Development services, Planning Manager Alina Savolainen
Email: firstname.lastname@uniarts.fi, telephone: +358 400 792 089

Legal services, Legal Counsel Titti Luukkainen
Email: etunimi.sukunimi@uniarts.fi, telephone: +358 50 570 3211

Data Protection Officer

Legal Counsel Minna Eskola acts as Data Protection Officer at the University of the Arts Helsinki.
Email: privacy@uniarts.fi
Telephone: +358 40 720 0588
Postal address: P.O. Box 1, 00097 UNIARTS

Register name and brief description

A personal data register related to the reporting channel.

This data protection statement describes the University of the Arts Helsinki’s data protection practices concerning personal data processed in the reporting and investigation process regarding omissions and abusive practices referred to in the Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law and in the Act on the Protection of Persons Who Report Breaches of the European Union and National Law (1171/2022, so-called the Act on the Protection of Whistleblowers).

This data protection statement supplements the data protection statement for the employee register.

The legal basis for processing of personal data is the controller’s legal obligation. As provided in section 10 of the Act on the Protection of Whistleblowers, the University of the Arts Helsinki is obliged to establish and introduce a reporting channel because it is a legal entity governed by public law. The University of the Arts Helsinki processes personal data of employees that are a party or subject to reports on omissions and misconduct in order to comply with our legal obligations.

Personal data collected through the reporting channel, that is, the whistleblowing channel, is processed to the extent necessary for the appropriate and adequate processing of a matter reported through the reporting channel (Webropol form).

Investigation of suspected misconduct may require hearing of individuals, documentation of hearings/investigations and decisions on measures to be taken as a result of the investigation. Personal data is processed using the University of the Arts Helsinki’s tools, applications and storage space.

We only process data that is directly necessary for the investigation tasks.

When processing personal data, we do not utilise automated decision-making nor profiling referred to in the GDPR.

What data do we process?

The categories of personal data processed under the GDPR are:

  • Basic information on the whistleblower (for example, the whistleblower’s name, email address and any other personal information of the whistleblower provided in the report if the whistleblower has provided it).
    • The information contained in the report (to the extent the information is provided), which includes all information provided by the whistleblower, such as the identity of the alleged wrongdoer, location information, a description of the alleged misconduct and related argumentation, receipts, documents, pictures, possible audio or video recordings and any other relevant information, including any information on third parties or other interested parties.
    • Information necessary for the investigation that is collected in connection with the investigation of alleged misconduct, such as employment information; financial information; information from third party reports and assessments; user, behaviour and login information; and information concerning possible third parties.

The whistleblower exercises decision-making power over the type of personal data concerning the subject of the report or third parties involved in the case.

The data processed may contain data that must be kept secret on different grounds provided in section 24 of the Act on the Openness of Government Activities.

Where do we get information?

Information is primarily obtained from reports made to the reporting channel. During the investigation, we will possibly collect additional information from the whistleblower, employees, the University of the Arts Helsinki’s employee register and other internal sources through the electronic systems currently in use.

Information on an employee is also collected through, for example, electronic service requests, access control, working time monitoring and camera surveillance.

For the purposes described in this data protection statement, personal data may also be collected and updated from the University of the Arts Helsinki’s employees, publicly available sources and authorities or from other third parties within the scope of legislation applicable to the collected data. The updating of such data is carried out by manual or automated means.

Under an exemption based on the law (section 31(1) of the Act on the Protection of Whistleblowers), an employee will not be notified of the information we have received until it may be used in decision-making concerning the employee for the purpose specified in the law.

To whom do we disclose and transfer data, and do we transfer data outside the EU or EEA?

Only designated persons responsible for the reporting channel, or specialists separately designated to investigate an individual report in accordance with the University of the Arts Helsinki’s designation process, and IT administration representatives who, within the scope of their duties, have the right to process the reporting channel’s technical implementation with the University of the Arts Helsinki’s tools and the parties’ personal data in the storage space.

We disclose personal data to specialists designated for the investigation and, in a manner permitted and obligated by current legislation, to parties that have a legal right to obtain data from the register, such as the police or other competent authorities.

How do we protect data and for how long do we store it?

Your data is processed only by the employees of the University of the Arts Helsinki or by the persons working under the mandate of and on behalf of the University of the Arts Helsinki who have the right to process personal data.

In the role of the data controller, the University of the Arts Helsinki has taken the necessary technical and organisational measures and also requires the service providers it uses to do so.

We use subcontractors in the processing of personal data, and we have concluded agreements for the processing of personal data with them.

Retention periods for personal data saved in the system and documents produced in investigation processes are determined based on legislation and the University of the Arts Helsinki’s information management plan. The data will be deleted no later than five (5) years after the report has arrived unless the retention of the data is necessary for the enforcement of rights or obligations laid down by law or for the preparation, presentation or defence of a legal claim. Personal data that is clearly not relevant for the processing of the report are deleted without undue delay.

We do not retain any unnecessary data on our current or former employees. Personal data is retained for as long as is necessary for the purposes of personal data processing or for compliance with the statutory obligations of the controller. Thereafter, the data is destroyed or anonymised unless there is a legal basis for continued processing of the data. Retention periods take into account, for example, the limitation of action based on legislation and obligations of the employer.

In addition, we take reasonable steps to ensure that the data subject’s personal data being stored in the register is not outdated, erroneous or incompatible with the purpose of processing. We immediately correct or erase such data.

What are your rights as a data subject?

The data subject’s right to restrict the processing of their personal data does not apply to the processing of reports received through the reporting channel. The data subject’s right of access to the data may be restricted with regard to the reported personal data if it is necessary and proportionate for ensuring that the accuracy of the report can be investigated or to protect the identity of the whistleblower. With regard to data collected from elsewhere than from the employee, the employee will be informed of the data received before it is used in decision-making concerning the employee.

If the data subject is not satisfied with the manner in which the university has processed their personal data, the subject can appeal to the national data protection supervisory authorities for an inquest into the matter. In Finland, the national data protection supervisory authority is the Data Protection Ombudsman, whose contact details are available at https://www.tietosuoja.fi/en.

Who can you contact?

All questions on the processing of personal data as described in this data protection statement are to be asked by getting in touch with the contact person named in section 3 who will forward the matter to the data protection officer if necessary. In case you feel that your rights as mentioned in section 11 are not respected, you may directly contact the university’s data protection officer named in section 4.

Your responsibility

You are responsible for the information that you deliver or make available to the University of the Arts Helsinki. You must make sure that the information is true and accurate and in no way misleading. Please make sure that the information you give does not contain material that violates the rights of a third party or material that is harmful to the University of the Arts Helsinki.

Amendments to the data protection statement

This data protection statement is not part of an employee’s employment contract or other agreement, and we update it when deemed necessary. When this data protection statement is updated, the date of the new version will be edited to the beginning of the statement. If we amend the content of this data protection statement, we may take appropriate measures to inform you in a manner appropriate for the significance of the amendments.