Whistleblowing

The aim of the whistleblowing procedure is to reduce illegal and unethical activities in both the private and public sectors. Whistleblowing is intended for suspected violations of EU law. The suspicion may concern a violation of an EU regulation, of national legislation that implements EU directives, or of other national legislation. In this respect, EU law primarily refers to public procurement, financial services, products and markets, and prevention of terrorism, product safety, transport safety, protection of the environment, radiation protection and nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, protection of privacy and personal data, and security of network and information systems, breaches relating to the internal market, including breaches of Union competition and State aid rules, as well as tax rules.

If you suspect a violation of EU law, submit your report through the whistleblowing channel below. You can also report orally by contacting the internal auditor or general counsel of Åbo Akademi University. Those reporting breaches of Union law are protected against retaliation and threats of retaliation. The aim is that it should be safe to confidentially report suspected inconveniences, without risking being subject to consequences (e.g. loss of salary increase, lay-off or dismissal) as a result of the report. A prerequisite for protection according to the legislation is that there is a justified ground to believe that the information about a violation is true and that the violation is covered by the scope of the legislation. A reporting person who knowingly reports false information may be liable for damages.

ÅBO AKADEMI UNIVERSITY
www.abo.fi

PRIVACY NOTICE
According to the EU General Data Protection Regulation GDPR (EU 679/2016), Art. 13-14

Whistleblowing (reporting violations)

Data controller
Åbo Akademi University
Tuomiokirkontori 3
20500 Turku
Finland

Åbo Akademi University is controller for the personal data collected and processed in the university’s activities – in teaching, guidance, research, administration, and cooperation, internally and externally.

Responsible unit for the processing that is described in this document:
University Services, Financial Services, Executive Administrative Office

Contact person: Camilla Engman, camilla.engman@abo.fi, +358 911 4358

Data Protection Officer at Åbo Akademi University: dataskydd@abo.fi, +358 2 215 31 (switchboard)

Why do we process your personal data?

Personal data is processed for the purpose of detecting, investigating, and preventing violations of EU law. The processing of personal data is based on Åbo Akademi University’s legal obligation to establish a channel for reporting misconduct (Act on the Protection of Persons Reporting on Breaches of EU and National Law 2022/1171, hereinafter referred to as the Whistleblowing Act). Åbo Akademi University has a legitimate interest in obtaining information about violations related to its activities even by non-employed doctoral students and students.

According to GDPR there must always be a legal basis for processing personal data. The legal basis for processing your personal data is:
Legal obligation: Since the reporting channel and the investigation of breaches of EU law are based on law, the legal basis for the processing is a legal obligation (Art. 6.1c).

Public interest or official authority: Åbo Akademi University has statutory tasks of public interest and the right to exercise official authority according to the Universities Act. The channel can also be used by non-employees (e.g. students and non-employed doctoral students); for them, the legal basis is public interest (Art. 6.1(e)). Public interest is also the legal basis for the processing of personal data arising from the report of breaches or misuse that cannot be considered a breach of EU law.

Personal data belonging to special categories of personal data may be processed in accordance with section 30 of the Whistleblowing Act. In cases where the legal basis of the processing is in the public interest (Art. 6.1(e)), the processing of personal data relating to special categories of persons is based on Art. 9.2(g).

Which personal data is processed and by whom?

We process contact information such as name, e-mail address, organizational position or title and possibly telephone number.

In addition, we process information that we receive through the report. The whistleblower chooses what kind of personal data they include in their report. This may include the alleged misconduct, the people involved in the case, the basis for the misconduct, etc. The report may also contain personal data belonging to special categories of personal data. Personal data that is not relevant to the investigation of the case will be deleted without undue delay.

To investigate the alleged misconduct and to verify the information in the report, we also use information that we have about data related to the work or behavior of the persons concerned such as employment-related information, financial information, information about reports and assessments, login information, etc.

Only the employees of Åbo Akademi University who have been appointed to be responsible for handling the reports, or who have been specifically chosen as experts on a case-by-case basis to investigate the accuracy of a particular report, can get access to and are able to process the data.

The identity of the whistleblower will not be disclosed to the persons whom the allegations are directed to unless the whistleblower expressly consents to this. The identity can be revealed if the whistleblower makes a false report with the intention of causing harm.

Personal data is disclosed to third parties, such as authorities or external inspectors, within the limits permitted and required by applicable legislation, for example when responding to requests for information from authorities or when the academy’s legitimate interest so requires, for example to report crimes, during preliminary investigations or in court proceedings.

From where do we collect your personal data and how is the data processed?

Most of the data is collected from the report received through the whistleblowing channel (e-lomake). If a person wants to report orally, the information is entered into the reporting channel by those who are responsible for handling the reports.

ÅAU’s existing registers of personnel and students are also used when investigating the case. Information can also be obtained in correspondence between the whistleblower and the persons that ÅAU has appointed to handle the case.

Communication between the whistleblower and the administrators takes place through ÅA’s e-mail or through encrypted e-mail if the whistleblower does not have access to ÅA’s e-mail address. The e-mails are transferred to ÅAU’s dedicated servers and deleted from the e-mail boxes over time.

At the latest when the case is resolved, all information is stored in a secure area on ÅAU’s dedicated servers. Only the persons responsible for handling the reports have access to the information.

As stipulated in section 29 of the Whistleblowing Act, personal data that clearly has no significance in the processing of a report is deleted without unjustified delay. The relevance of the personal data for the processing of the case is considered in connection with the handling of each case. After the case is closed, a further assessment is made about the relevance of the collected personal data before storing the case and the personal data.

Only those persons appointed by ÅAU as responsible for the processing of reports have access to the reporting channel and storage areas. According to the Whistleblowing Act, the persons are bound to secrecy, and violations of the confidentiality clauses have been sanctioned in the act.

Personal data will be deleted within 5 years unless it is necessary to retain the data in order for rights or obligations under the Whistleblowing Act or any other law to be fulfilled, or to settle, make or defend legal claims.

Personal data that is not relevant to the investigation of the case will be deleted without undue delay.

Is your personal data transferred to a third party (outside Åbo Akademi University) for processing?

No, personal data will not be transferred for processing outside Åbo Akademi University.

Is your personal data transferred to a third party (outside Åbo Akademi University) for the needs of the third party?

Personal data is disclosed to third parties, such as authorities or external inspectors, within the limits permitted and required by applicable legislation, for example when responding to requests for information from authorities or when the academy’s legitimate interest so requires, for example to report crimes, during preliminary investigations or in court proceedings.

Is your personal data transferred outside EU/EEA?

No, personal data is not transferred outside EU/EEA.

What rights do you have when Åbo Akademi University processes your personal data?

Åbo Akademi University is responsible for taking appropriate technical and organisational measures to protect personal data against unauthorized or illegal processing and against damage to or loss of personal data. Personal data must always be processed in a fair and transparent manner in accordance with applicable data protection regulations.

According to the EU General Data Protection Regulation GDPR, you have the right to

  • get transparent information on how your personal data is processed and how you can exercise your rights (Art. 12)
  • get access to your personal data at Åbo Akademi University and information on the processing of data (Art. 15)
    This right is restricted under section 31 of the Whistleblowing Act if it is necessary and proportionate to secure the investigation of the accuracy of the report or to protect the identity of the reporting person.
  • have your personal data corrected (Art. 16). Note that employees and students at Åbo Akademi University can in most cases correct their own data according to the instructions on the intranet.
  • have your data erased (“the right to be forgotten”) in certain situations (Art. 17). According to section 29 of the Whistleblowing Act, the information should be stored for at least 5 years. If the data subject can demonstrate that the data has no bearing in the processing of the report, the data will be deleted without undue delay.
  • restrict the processing of your personal data in certain situations (Art. 18). This right does not apply to the process concerning whistleblowing (Section 31 of the Whistleblowing Act).
  • have your personal data transferred between systems in certain situations (Art. 20)
  • object to the processing of your personal data in certain situations (Art. 21)
    This right does not apply when the legal basis of the processing is a legal obligation (Art. 6.1c). You may be given the opportunity to object to the processing of your data if a report contains information that obliges ÅA to start any other process besides the one that is referred to in the Whistleblowing Act and the basis for processing your personal data is public interest (Art. 6.1(e) and Art. 9.2(g)).
  • not be subject to automated decision-making, with certain exceptions (Art. 22)

You also have the right to be informed of a personal data breach involving a high risk for your personal data (Art. 34).

If you have questions about your rights, you can contact the responsible contact person (see above) or the ÅAU Data Protection Officer (dataskydd@abo.fi). See also the overall information on the processing of personal data on the ÅAU website.

You have the right to lodge a complaint with the data protection authority if you believe that the processing of your personal data is an infringement of the General Data Protection Regulation (GDPR).

Contact information for the data protection authority
Office of the Data Protection Ombudsman
PL 800
00531 Helsinki
+358 29 566 6700 (switchboard)
tietosuoja@om.fi
tietosuoja.fi

Updated 20.3.2024