1 Controller

The Finnish Innovation Fund, Sitra (business ID 0202132-3) 

Address: Itämerenkatu 11-13, PO Box 160, 00181 Helsinki 
Phone: +358 294 618 991 
Email: kirjaamo@sitra.fi 

Data Protection Officer: 
Janika Skaffari 
Administrative Specialist 

2 Purpose of personal data processing 

We process personal data for the purposes of the Whistleblower Protection Act (1171/2022). The whistleblowing channel can be used to report suspected misconduct or other unethical activities. The personal data collected in connection with the notification is processed in accordance with this policy.

The personal data contained in the reports is processed in accordance with the confidentiality provisions of the Whistleblower Protection Act. Personal data is not processed by means of automated decision-making.

3 Legal basis for processing

Personal data is processed on the basis of the controller’s legal obligation.

4 Processed personal data

We may process the following information:

5 Source of the personal data

Personal data is collected from the whistleblower in connection with the submission of the report. In addition, data may be collected from the controller during the processing of the report.

6 Personal data retention period

As a rule, Sitra retains reports and the personal data contained therein in the whistleblowing channel service for three (3) years from the end of the processing of the report, unless there are exceptional grounds to retain personal data for a longer period in accordance with the provisions of the Whistleblower Protection Act. According to the Whistleblower Protection Act, personal data must be deleted within five (5) years of the receipt of notification, unless its retention is necessary in exceptional situations provided for in the Whistleblower Protection Act. Personal data that is clearly not relevant to the processing of the report is deleted without undue delay.

7 Regular disclosure of personal data

Personal data contained in the register is not disclosed to third parties, unless required by law.

8 Transfer of data outside the EU or EEA

Personal data contained in the register is not transferred outside the EU or EEA.

9 Data protection principles

Databases containing personal data are located on servers that are kept in locked, secure facilities and can only be accessed by authorised individuals whose duties require such access. The servers are protected by a firewall and other appropriate technical safeguards.

Any physical data material containing personal data is kept in locked, secure facilities and can only be accessed by authorised individuals whose duties require such access, and who process this personal data as part of the performance of their duties.

The databases and systems can only be accessed with separately issued personal usernames and passwords. Sitra has restricted the access rights and authorisations to data systems and other storage media so that the data can only be accessed and processed by individuals whose duties require it for lawful processing purposes. In addition, the database and system transactions are registered in the logs of Sitra’s IT systems.

Sitra’s employees and other personnel are bound by a confidentiality obligation and are required to keep confidential any information received in connection with the processing of personal data.

10 Rights of the data subject

The data subject has the following rights under the EU General Data Protection Regulation:

Requests concerning the implementation of the data subject’s rights should be directed to Sitra’s registry by email at kirjaamo@sitra.fi.

The data subject has the right to lodge a complaint with the Office of the Data Protection Ombudsman if they consider that the processing of their personal data infringes the EU General Data Protection Regulation.

11 Changes to privacy policy

We reserve the right to update this privacy policy by posting notice of any changes on our website. The updates may, for example, be based on changes in legislation.