CSC - Finnish IT Сentre for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. 09 457 2821 (operator)
servicedesk@csc.fi

www.csc.fi

(hereinafter referred to as "we" or "CSC")

CSC Service Desk
tel. 09 457 2821 (operator)
servicedesk@csc.fi

The processing is carried out by: Director, Sustainablity and Risk management

Data Protection Officer: privacy@csc.fi

The Whistleblower system allows you and all CSC employees to report suspected abuses to CSC. The reports may concern a possible violation of the legislative areas referred to in the Whistleblower Act. Such legislative areas include the protection of personal data and competition laws.

In addition, the reports may concern activities that violate CSC’s Code of Conduct.

You can submit the report anonymously without any personal data. Anonymous reporting may interfere with our ability to investigate the reported matter thoroughly or to respond to your requests.

After receiving the report, we process personal data for the purpose of investigating the reported matter, responding to the person submitting the report and deciding on the follow-up measures that we consider justified on the basis of the report. Only information submitted and reported for Whistleblower purposes and relevant to the reported matter will be retained after the reception inspection of the report. We will send the person who submitted report an acknowledgement of receipt within seven days and a description of the follow-up measures taken within three months of receipt of the report. All reports are processed in strict confidentiality.

The purpose of the data processing is to promote the legal compliance of CSC’s operations by providing it with the opportunity to intervene in any detected shortcomings. We can use this information to investigate the matter, identify and correct deviations and develop processes that ensure compliance. In addition, we can use this information to establish, present or defend a legal claim or to protect our personnel from false accusations.

The processing of personal data is based on CSC’s statutory obligation (GDPR 6(1)(c)) to the extent that the reports concern violations of the laws referred to in the Whistleblower Act.

The processing is based on our legitimate interest (GDPR 6 (1)(f)) when the report concerns only breaches of our Code of Conduct. Such report may specifically concern violations of laws other than those referred to in the Whistleblower Act. Our legitimate interest is to be informed of such violations so that we can ensure that our operations comply with the law, industry standards and our own guidelines. The investigation of the issues specified in the report and the measures taken following the investigations will help us to combat financial losses and reputational risks. Our legitimate interests override the interests of the data subject, given that violations of the Code of Conduct are typically the most serious issues, such as discrimination, and that we have ensured the confidentiality of the processing.

It may also be necessary to process data belonging to special categories of personal data on a case-by-case basis in reports if this is necessary to investigate the matter. In this case, the legal basis for processing is Article 9 (2)(g) of the GDPR together with the Whistleblower Act.

The Whistleblower process can involve the processing of the personal data of several different data subjects:

• the person submitting the report
• the object of the report
• a person or other third party mentioned in the report who has further information on the matter
• persons processing CSC’s and its subcontractor’s reports.

If you use the Whistleblower system, you will be asked to provide the following information when submitting the report. However, only entries marked with (*) are mandatory:

• Do you wish to report anonymously*
• Language*
• Your name and contact information
• Free-form description of suspected misconduct (submitting attachments is also possible)
• Password you must set to log in to your report again

During the investigation, we may collect additional written or oral information from the person who submitted the report, the object of the report and other persons suspected of having information on the matter. The processing of the report ends with an evaluation and a decision on further measures. Drawing up further measures and the introduction of such measures may also require the processing of personal data.

In addition, logs of CSC’s and its subcontractor’s personnel processing reports are collected for access control in order to ensure the confidentiality and integrity of the information.

About the use of cookies and other technologies

The Whistleblower system will remember your language selection using a session cookie. The cookie will be deleted as soon as you close the browser.

The cookie is necessary for the provision of the service – we will not separately ask you to consent to using the cookie.

• Cookie name: Cookie for language setting
• Provider: EQS
• Validity: Session
• Purpose: Preserving language selection

Your personal data is processed by:

• Persons appointed to process reports at CSC and its subcontractor.
• Supplier of the electronic system used for processing reports. However, the supplier’s personnel do not have the right to view or edit personal data.
• Data may be disclosed to competent authorities, prosecutors or pre-trial investigation authorities in special situations referred to in the Whistleblower Act. The subject of the processing will be notified of such identity disclosure, unless this information endangers the investigation of the matter in an internal investigation, official investigation, pre-trial investigation or trial.

Personal data are not transferred outside the EU/EEA.

Your data may only be processed by CSC’s and its subcontractors’ designated personnel. The Whistleblower channel is maintained by a separate operator and meets the requirements to protect personal data and the identity of the whistleblower in accordance with Directive (EU) 2019/1937.

As a rule, all data related to the report are kept for five (5) years from the date of receipt of the report. Data may be stored in individual cases for a longer period if the data is needed for an existing or future judicial procedure or for an official investigation. In addition, necessary data on further measures, such as disciplinary measures, may be retained longer for human resources management purposes.  

However, any data unnecessary from the perspective of the report will be deleted without delay after it has become clear that the data are not needed for the purposes of the processing.

You have the following rights in relation to the processing of your personal data:

Access to your data: You have the right to be informed of whether we process personal data concerning you and have access to your personal data if this is not considered to endanger the investigation of the matter or the disclosure of the whistleblower’s identity. If we are unable to fulfil your request, we will justify the reasons for this decision, and you have the right to request the disclosure of your data to the Data Protection Ombudsman (see the contact details of the Data Protection Officer below).

Right to rectification: You have the right to demand that incorrect or incomplete information be rectified or supplemented. However, for investigative reasons, a request for rectification cannot usually be carried out in such a way that the previous data are deleted. Instead, you typically have the opportunity to provide additional data during the investigation. If you are the whistleblower, you can provide additional data in your report with your case number and password while the relevant processing is in progress.

Other rights

To the extent that the report concerns only activities that violate our internal guidelines, you have the right to object to the processing of your data for reasons arising from your special situation. After you object to the processing, we will delete your personal data unless we are able to provide compelling legitimate grounds for processing that override your interests, rights and freedoms. You also have the right to ask us to restrict the processing of your data while we evaluate your objection request. However, we want to emphasise that these rights do not exist to the extent that the processing is based on the obligations laid down in the Whistleblower Act.

As the processing is not based on consent, you do not have the right to transfer your data to another controller.

We will always do our best to process and resolve any requests or complaints you make regarding the processing of your data. In addition, you always have the right to contact the competent data protection authority regarding your request or to lodge a complaint:

• in your permanent place of residence in the EU/EEA
• at your place of work in the EU/EEA, or
• at the location of the suspected data breach in the EU/EEA.

The competent data protection authority for CSC − IT Center for Science Ltd. is:

Office of the Data Protection Ombudsman
Postal address: P.O. Box 800
FI-00531 Helsinki
https://tietosuoja.fi/en/contact-information

All enquiries and requests regarding this privacy policy should be made in writing or in person to the contact person specified in section two (2).

You can send us your request concerning your data subject’s rights by e-mail to servicedesk@csc.fi.