1. General
In this Privacy Notice for Mandatum Group’s anonymous Whistleblowing channel, we describe the information required by the EU’s General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and other applicable data protection legislation concerning the processing of personal data carried out by the company.
We explain, for instance, the personal data that Mandatum Group companies (hereinafter also “Mandatum”) may process in the Whistleblowing channel and for what purposes, to whom we may disclose this information, as well as your rights regarding personal data that is processed in the Whistleblowing channel. We update this Privacy Notice from time to time as needed.
If you have more specific questions or requests related to this Privacy Notice, the processing of your personal data or your rights as a data subject, you may contact us via the channels mentioned below.
2. Controllers and contact details of the controllers
Mandatum Group’s Whistleblowing channel is used by all the Group companies. The controller in each case is the company whose operations an individual whistleblowing report concerns or to which it is linked, on the condition that the company has been identified in the report. In other cases, the controller is Mandatum plc.
Mandatum plc
Bulevardi 56, FI-00120 Helsinki
P.O. Box 627, FI-00101 Helsinki
Mandatum Life Insurance Company Limited (Mandatum Life)
Bulevardi 56, FI-00120 Helsinki
P.O. Box 627, FI-00101 Helsinki
Mandatum Incentives Oy
C/O Mandatum Life Insurance Company Limited
P.O. Box 627, FI-00101 Helsinki
Mandatum Life Services Ltd
Bulevardi 56, FI-00120 Helsinki
P.O. Box 1210, FI-00101 Helsinki
Mandatum Asset Management Ltd
Bulevardi 56, FI-00120 Helsinki
P.O. Box 1221, FI-00101 Helsinki
Mandatum AM AIFM Ltd
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
Mandatum Life SICAV-UCITS (fund company)
Mandatum Fund Management S.A. (fund management company)
53, Boulevard Royal
Luxembourg L-2449, Luxembourg
Mandatum Asset Management Palvelut Oy
C/O Mandatum Asset Management Ltd
P.O. Box 1221, FI-00101 Helsinki
3. Contact details of the Data Protection Officer
Mandatum Group’s Data Protection Officer
Email: dpo@mandatum.fi
Postal address: Mandatum, Data Protection Officer, P.O. Box 627, FI-00101 Helsinki.
4. Personal data to be processed and sources of personal data
We receive the personal data we process in connection with the Whistleblowing channel through the reports that are submitted through the channel. Personal data can also be collected and received due to a whistleblowing report, or in connection with the clarifications we request, obtain or otherwise receive to investigate a whistleblowing report; those clarifications can be obtained from sources applicable to each case as permitted by law.
The personal data that is processed in connection with the Whistleblowing channel is basically determined according to what information the whistleblower enters in the whistleblowing report, as well as what information may later emerge in connection with the investigation of the report. Such information can be, for example, the data subject’s basic personal details, such as their name, contact information, personal identity code and title or other position in the company.
The information may concern the whistleblower themself if they want to voluntarily state their identity when submitting the report, or the subject of the report or someone otherwise mentioned in the report, or a person who comes to light in connection with the investigation of a suspected violation.
5. Legal basis and purpose of processing personal data
The purpose of processing personal data related to the Whistleblowing channel is compliance with the legal obligations concerning Mandatum in accordance with the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, hereinafter the “Whistleblower Act”), the Act on Preventing Money Laundering and Terrorist Financing (444/2017), and other applicable legislation. In order to comply with our statutory obligations, Mandatum must have in place an independent whistleblowing channel, which can be used by Mandatum’s employees, agents and other parties to report suspected violations of legislation and the regulations and orders issued pursuant to it. The reports may also include personal data if the whistleblower includes information about themself or submits a report on someone else. The processing of such personal data may be necessary to process whistleblowing reports and to investigate, clarify and bring under a possible preliminary investigation by the authorities suspected violations that are the subject of the report, and to monitor the stages of the preliminary investigation. In this context, the personal data of the whistleblower may also be processed for the communication required to process the report and by the investigation.
In addition to our statutory obligations, we may also process your personal data by virtue of the legitimate interest of Mandatum or a third party, or with your explicit consent.
Mandatum has a legitimate interest to process personal data insofar as the matter concerns the data of a person who is the subject of a suspected violation or some other person mentioned in the report or a person linked thereto. Legitimate interest is applied as the legal basis for processing such information especially when the subject of the whistleblowing report is suspected of a violation that falls within the scope of laws other than those mentioned above. The Whistleblowing channel is an important means of monitoring and ensuring the fulfilment of regulatory obligations and requirements laid down by authorities, as well as Mandatum’s internal rules of procedure and principles in the company’s operations. The Whistleblowing channel enables access to information and appropriate responding to various suspicions of violations and abuse.
The processing of personal data can also be based on the data subject’s consent thereto, insofar as the matter concerns information indicating the identity of the whistleblower, the provision of which is otherwise voluntary. If you have given your consent to the processing of your personal data, you also have the right to withdraw your consent at any time.
6. Automated decision-making and profiling
The processing of personal data carried out in connection with the Whistleblowing channel does not involve automatic decision-making that would have significant legal effects or other similar significant effects, or profiling based on personal data.
7. Recipients and transfer of personal data
Disclosure of personal data
In principle, personal data related to the Whistleblowing channel is not disclosed by Mandatum to third parties, except when the processing, clarification or bringing under investigation of the whistleblowing report or, for example, a request for information from an authority necessarily requires it. In these cases, the data may be disclosed, within the limits permitted by law, to the preliminary investigation or other competent authorities insofar as is justifiably necessary.
Before disclosing data, we always make sure that there is a legal basis for the disclosure, and that the disclosure takes place in compliance with the applicable regulatory obligations.
Processors and data transfers outside the EEA
The Whistleblowing channel we use is managed by our external subcontractor WhistleB, which may also process personal data on behalf of Mandatum to the extent necessary to provide the service related to the Whistleblowing channel. In this case, the data processing activities apply to the personal data that emerges in connection with the whistleblowing report and any related clarifications and communication. Our subcontractor does not, however, process personal data for their own use.
Personal data processed in connection with the Whistleblowing channel is not, in principle, transferred outside the European Union or the European Economic Area. If a data transfer is necessary, e.g. in connection with an investigation related to a whistleblowing report or other follow-up measures, it will only be carried out if the conditions for data transfer set by data protection regulations are met. In this case, we base the transfer of personal data on the transfer mechanisms permitted by legislation, such as the European Commission’s determination of whether a recipient country offers an adequate level of data protection (see the latest list of adequacy decisions on the EC’s website) or the European Commission’s standard contractual clauses (see the standard contractual clauses on the EC’s website). We also supplement these as necessary with various additional safeguards, which help appropriately guarantee an adequate level of data protection.
8. Retention periods for personal data
We store personal data processed in connection with the whistleblowing channel for as long as necessary in order to comply with our statutory obligations or for as long as the data is otherwise necessary in relation to the purposes for which the data was collected or otherwise processed. We erase or anonymise the data when their retention period expires.
Information received via the Whistleblowing channel is stored for five (5) years, unless it is necessary to retain it for longer in order to fulfil the rights or obligations laid down in law, to prepare, present or defend a legal claim, or to protect pending court proceedings, official investigation or the rights of the whistleblower or the person who is the subject of a whistleblowing report.
Personal data that is clearly irrelevant to the processing of the whistleblowing report is erased without undue delay.
9. Protection and security of personal data
Mandatum Group’s Whistleblowing channel is anonymous and based on a secure and encrypted service that is managed by an external co-operation partner, WhistleB, which ensures the appropriate data protection and information security of the Whistleblowing channel, including ensuring the anonymity of the whistleblower. No information that could be used to identify the sender of the message is saved in the channel. The whistleblower may, if they wish, disclose their identity in the report.
All reports are processed in confidence, regardless of whether the whistleblower’s identity has been disclosed or not, and the processing of reports submitted through the whistleblowing channel as well as any personal data they may contain is permitted only for a work-based reason. Access to whistleblowing reports and information in the Whistleblowing channel is strictly limited only to a limited group of separately appointed people who have the right and obligation to process the whistleblowing reports.
The user rights for accessing systems that contain personal data are personal, and the use of the rights is monitored. Mandatum’s employees that process personal data are bound by, in addition to the statutory obligation of secrecy, a separate non-disclosure agreement. Personal data that is no longer needed is erased in a secure manner.
Besides the special protection measures related to the Whistleblowing channel, we use technical and administrative information security means that are necessary, appropriate and in line with the best practices to protect personal data and other information. Such means include, for instance, the use of firewalls, strong encryption technologies and secure IT hardware areas, access control, storage of physical materials in locked premises, restricted granting of user rights, providing instructions and training to personnel participating in personal data processing and careful selection of subcontractors. In addition to applicable legislation, the subcontractors commit to comply with Mandatum’s data protection principles and guidelines.
Despite careful protection and appropriate information security, data processing always involves a risk. If, in spite of our measures, a personal data breach occurs that is likely to result in a high risk to your privacy or your other rights, we will contact you as soon as possible.
10. Your rights
You have the right to receive confirmation from Mandatum as to whether we process your personal data. If your personal data is processed, you have the right to receive a copy of the data and to inspect the data. If you make the request electronically, we will provide you the data in a commonly used electronic format unless you request otherwise. Legislation, the rights and freedoms of other individuals and other special grounds my limit your right to access some of the personal data that pertains to you. The right to access the information can be partially or completely restricted if and to the extent that is necessary and proportionate to ensure the accuracy of the report or to protect the identity of the whistleblower, or if providing the information could hinder the investigation into the crimes or abuses.
If you consider your personal data that we process to be incorrect or inaccurate, you have the right to request Mandatum for rectification of such personal data and to have incomplete personal data completed.
You also have the right to request Mandatum to erase your personal data and, insofar as the processing of your personal data is based on consent, to withdraw your consent. If you request the erasure of your data, we will erase the data from our systems unless there is another legal basis for the processing of the data or unless we have a statutory obligation to retain the data. Please note, however, that Mandatum may have a legal obligation or other weighty reason to store personal data obtained via the Whistleblowing channel, and we may therefore have a justified need to continue to process your personal data even if you request the erasure of the data. In any case, we will erase your data once the retention period as specified by us or provided for by law has elapsed.
Where the conditions set in legislation are met, you may have the right to request that we restrict the processing of your personal data. As far as processing in accordance with the Whistleblower Act is concerned, the data subject’s right to restrict processing does not, however, apply to the processing of personal data referred to in the law.
You also have the right to object to the processing of your personal data on grounds related to your personal situation with respect to data processed on the basis of the fulfilment of Mandatum’s or a third party’s legitimate interests. We assess the application of that right on a case-by-case basis in relation to Mandatum’s legitimate interest.
Insofar as the processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided us in a structured and commonly used format and the right to have the data transferred to another controller.
Exercising your rights
You can exercise your rights described above by contacting our customer service in an online message through Mandatum’s Web Service, by calling +358 200 31100 (lnc/mnc) Mon-Fri 9am–5pm, by mailing Mandatum, Asiakaspalvelu, PL 627, 00101 Helsinki, or by visiting our office nearest you. You can find the contact details and opening hours of our offices on our website.
Right to lodge a complaint with a supervisory authority
In matters related to the processing and protection of your personal data, and if you have any questions, please first contact Mandatum’s customer service as described above, or Mandatum Group’s Data Protection Officer, whose contact details are included above in Section 3 of this Privacy Notice.
If you are dissatisfied with a response you received from us, or if you believe our processing of your personal data does not comply with data protection legislation, you can contact the competent supervisory authority, i.e. the Office of the Data Protection Ombudsman.
In addition, in situations where you request access to your personal data, but we have to limit your right for the reasons described above, e.g. to ensure that the whistleblowing report is correct, you can request that your information be given to the Data Protection Ombudsman.
Updated 16.9.2024