Updated: April 20th, 2023
Company: Oy Mapromec Ab
Address: Teollisuustie 10 65610 MUSTASAARI
The Finland Chamber of Commerce
Aleksanterinkatu 17, 00100 HELSINKI
09 4242 6200
Time of Assesment
April 20th, 2023
The purpose to which the processing of personal data is based on
The process is based on the European Union Directive on the Protection of Persons Who Report Breaches of Union Law, which was adopted October 23rd, 2019 (EU 2019/1937).
The directive requires companies to provide, for example, their employees with a reliable notification channel that enables reporting misconduct and unethical behavior. The processing of personal data is necessary to fulfill the obligations imposed by the directive.
Summary of the processing of personal data and its purpose
Personal data refers to information that can be used to identify an individual directly or indirectly. Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, "GDPR"). Oy Mapromec Ab complies with GDPR and other applicable national data protection laws in all handling of personal data.
The data processing is related to maintaining a whistleblowing notification channel provided by the Chamber of Commerce. The Chamber of Commerce offers client companies a Notification Channel platform that they can use for, for example, receiving reports made by their employees. The organization using the service is the data controller, and the Chamber of Commerce is the data processor. According to the GDPR, the data protection impact assessment is the responsibility of the data controller.
The reporting person can submit a notification anonymously and without including any personal data. If in an isolated incident the notifying person, for example, leaves their contact details on the notification form, the processing of personal data is based on the consent of the data subject.
How is personal data collected
The notifying person (data subject) provides information when making a report on malpractice or other unethical activity. The notification does not include personal information about the notifying person unless they explicitly provide it. The notification instructions state that providing personal information is not required when making a report.
The notification may contain personal information about a third party. This is the case, for example, if the notification contains an image file of a third party.
In addition to the above, personal data of the processors of the notifications are collected for access control (user names).
Personal data is not collected in any other way.
How is personal data processed
Personal data is processed for the handling of whistleblowing reports. With the help of these reports, the data controller also takes necessary measures. These obligations stem directly from legislation.
The personal data of the data controller’s notifications’ processors are processed for measures that are necessary for the Chamber of Commerce’s Notification Channel’s access control. The processing is based on implementing the contractually agreed obligations between the data controller and the data processor about the use of the Notification Channel service.
Where is the collected personal data stored
The notification information is stored in a database in an encrypted form. The data processor does not have access to the stored information, which is only accessible to the designated processors of the data controller’s notifications. The data controller can restrict access to the notifications based on different types of notifications.
The service’s subscriber information and processor information are stored in the data processor's CRM system for service-related communication, billing, and implementation of other contractual obligations.
Scope of processing of personal data
The following personal data is processed in the service:
- First names, surnames, e-mail addresses, public names and user IDs of those handling the notifications
- No personal data is collected from those submitting notifications, but the notifying people themselves may include their own or another person's/persons' information as part of a written notification or through metadata in attached files
Informing data subjects
To ensure that data subjects are aware of the purpose and scope of the processing of personal data, the data controller maintains a privacy statement on the Notification Channel service's website.
Assessment of the necessity and accuracy of personal data processing
Regarding third party personal information, the processing of personal data is based on the data controller's statutory obligation and the legitimate interest of the data controller or a third party. Regarding the notifying person, the processing is based on consent and the legitimate interest of the data controller or a third party.
The notification only contains the necessary information for processing the notifications. For example, the notifier does not provide their own contact information with the notification.
Notifications could also be collected in an alternative way, such as via e-mail or telephone, but these alternative methods clearly have greater deficiencies related to confidentiality and security. The Notification Channel service is a data-secure solution for receiving notifications.
The information is stored in the Notification Channel service for a limited time. The data controller deletes the information when the processing of personal data is no longer necessary.
Personal data is not processed outside the EU or EEA.
Only a limited number of individuals have access to personal data. Individuals who process personal data related to the Notification Channel service must be subject to appropriate confidentiality obligations.
Data subject risk assessment
The data subject has the right to access their own data unless limiting access is necessary to protect the essential rights of the data controller or a third party. An example of such a situation is when granting access to the data would lead to the risk of revealing the identity of the notifying person.
The data subject also has the right to request the deletion of their own data from the service. This right of the data subject can also be limited if the purpose of the limitation is to ensure the data controller's legal obligation, particularly the obligation to provide a reliable and impartial notification channel.
All limitations to the rights of data subjects must be based on appropriate and necessary reasons and must not restrict the rights of data subjects more than necessary to fulfill the rights of the data controller or a third party.
The data controller must consult the supervisory authority before processing if the data protection impact assessment indicates that the processing would pose a high risk if the data controller has not implemented measures to reduce the risk.
The probability of the mentioned risks materializing can be considered small. Personal data is protected in the manner required by the regulation through technical and organizational means, and access to the data is limited to a restricted number of persons authorized by the data controller.
The following risks of personal data processing are related to data loss or unauthorized access to data. The probability of the risk is assessed on a scale of 1–4 (1=very unlikely, 4=very likely), and the severity of the risk is described on a scale of 1–4 (1=not at all severe, 4=very severe).
|Risk||Risk probability||Risk severity|
|The data in the Notification Channel is accessed by an external party||1||1|
|The data is disclosed to individuals outside of the defined group||1||1|
Measures to reduce or eliminate risks to data subjects
The data controller ensures that persons receiving notifications are trained to process them appropriately and securely.
The security of the Notification Channel system has been tested/audited by a third party.
The data controller takes the following measures to reduce and eliminate risks:
|The data in the Notification Channel is accessed by an external party||Only authorized individuals have access to the system, the system is based on data-secure solutions and access to the information is restricted||The probability and the severity of the risk are significantly reduced|
|The data is disclosed to individuals outside of the defined group||Passwords have been created, IT department investigates the case if necessary and, if needed, contacts the police||The probability and the severity of the risk are significantly reduced|
Renewing the impact assessment
The controller will carry out a new impact assessment if it identifies a new type of risk or if the risk associated with the current processing operations changes.