Joo Group Logo

Privacy notice of the Whistleblowing channel

Last updated April 29, 2025

This privacy notice explains how Joo Group processes personal data contained in, or otherwise related to, reports submitted through the whistleblowing channel.

Data Controller:

Joo Group Oy

PL 196, 00101 Helsinki

tel. 020 766 1390

tietosuoja(at)joogroup.fi

1. What is a whistleblowing channel?

The whistleblowing channel is based on the requirements of the so-called EU Whistleblower Directive (EU 2019/1937), which aims to ensure that individuals can safely report suspected or observed violations of the public interest and EU legislation to the relevant organization without jeopardizing their own rights or interests.

Anyone who observes or suspects illegal activity or conduct contrary to Joo Group's values may submit a report through the organization's whistleblowing channel, either anonymously or under their own name.

2. What personal data is processed about the whistleblower?

The whistleblower may choose to submit a report anonymously or to include their name and contact details (phone number, email address, postal address) for potential follow-up communication.

If the whistleblower chooses not to provide their contact information, their personal data will remain undisclosed, and the report will be processed in full anonymity. In such cases, it is not even technically possible to trace the whistleblower, as the channel is designed to ensure complete protection and anonymity.

The identity of the whistleblower, even if voluntarily disclosed, is always treated as strictly confidential. It may only be disclosed to parties other than the report handlers when required by law or with the explicit consent of the whistleblower.

3. Can the report contain other personal data?

The report or its attachments may contain personal data about the individual(s) whose actions are being reported or who are otherwise identified as being connected to the suspected misconduct. These individuals are likely to be in an employment or similar relationship with Joo Group.

Typical personal data included in a report may consist of the person’s name, role or position, and a description of the alleged misconduct or non-compliant behaviour.

4. What is the purpose and legal basis for processing?

The purposes of processing whistleblowing reports and any related personal data are:

  • To detect, investigate, and respond to potential misconduct
  • To ensure and monitor compliance
  • To prepare, present, or defend against legal claims, where necessary

The processing is primarily based on Joo Group’s legal obligations under the whistleblowing legislation. In addition, processing for the purpose of investigating suspected misconduct may be based on other statutory obligations, such as employment law obligations and the employer’s legal duty to address any harassment or inappropriate conduct that may pose a risk to an employee’s health.

Furthermore, the processing is based on Joo Group’s legitimate interests in protecting its ethical values and preventing misconduct. In cases that may lead to legal claims, processing is also justified by the legitimate interests of safeguarding the legal rights of Joo Group or third parties.

5. Do you disclose or transfer the data?

We may disclose personal data to authorities if necessary for the investigation of suspected misconduct or crimes, within the limits permitted by law.

The whistleblowing channel is operated in collaboration with the service provider, Juuriharja Consulting Group Oy.

The service provider acts as a data processor on behalf of Joo Group and processes the data solely in accordance with the agreement between us and the instructions provided by Joo Group, and only to the extent necessary for delivering the service, in this case, maintaining the whistleblowing channel. The service provider is permitted to use subcontractors who are bound by the same obligations and meet the terms of the agreement, if needed, to provide the service.

Personal data is stored and processed within the EU/EEA.

6. How long do you store the data?

Joo Group processes and retains data only as long as necessary and to the extent required for the activities related to the given processing purposes.

All data will be deleted no later than five years after the report is made, unless retention for a longer period is necessary for criminal investigations, ongoing legal proceedings, government investigations, or to protect the rights of the whistleblower or the individual subject of the report.

The retention periods are based on whistleblowing legislation, statute of limitations under labor, criminal, and tort law, as well as our legitimate interest in investigating misconduct.

Reports and communications that are unrelated to the whistleblowing matter, along with personal data that is clearly irrelevant to the handling of the report, will be deleted without undue delay.

7. How is the data protected?

The security of the whistleblowing channel is ensured through appropriate technical and organizational measures. The channel is based on a secure and encrypted service provided by an external provider, and it is not connected to Joo Group’s internal systems.

The whistleblower’s personal data will not be disclosed unless they voluntarily include it in the report. The whistleblower's IP address is not stored or otherwise tracked, and the messages transmitted through the whistleblowing channel are encrypted.

All reports received through the whistleblowing channel are handled confidentially by individuals designated specifically for this purpose, following a clearly defined process.

8. What are my rights regarding my data?

Under data protection laws, individuals have rights which, in many situations, allow them to control their personal data. The extent of these rights is linked to the basis on which personal data are processed and varies slightly from one situation to another. Moreover, the exercise of these rights requires that the identity of the person making the request can be verified using reasonable means.

To exercise your rights, you can contact Joo Group by e-mail at tietosuoja(at)joogroup.fi. A response will be provided within one month of receiving the request.

The data protection rights granted to you under applicable law in relation to the processing of personal data through the whistleblowing channel are:

Right to access and rectify data

You have the right to request a copy of your personal data stored by Joo Group. If your data is incorrect or incomplete, we must correct it without delay.

Legislation, the rights and freedoms of other individuals, and other specific grounds may limit your right to access certain personal data about you. The right to access data may be partially or fully restricted if providing the information could hinder the prevention or investigation of crimes, or if disclosing the information could pose a serious risk to the rights of others.

Right to erasure and “to be forgotten”

In certain cases, the data subject has the right to have the controller erase data concerning him or her. This right is also known as the right to be forgotten. You have the right to have your data erased if the data has been processed unlawfully, or if the data is no longer needed for the purposes for which it was collected.

This right does not apply if the processing of your data is necessary for Joo Group to fulfil a legal obligation or to establish, present, or defend legal claims.

Right to object to processing

You have the right to object to the processing of your personal data when the processing is based on legitimate interests, if you have a specific personal reason related to your particular situation for doing so.

Right to lodge a complaint

If you believe your personal data is processed unlawfully or that Joo Group is otherwise acting in breach of its data protection obligations, you can file a complaint with the data protection authority. In Finland, the competent authority is the Office of the Data Protection Ombudsman.