Privacy notice for Whistleblower at CSC

Valid from 17.12.2021

1. Controller

CSC - Finnish IT Сentre for Science Ltd
P.O. Box 405 (Keilaranta 14)
FI-02101 Espoo
tel. 09 457 2821 (operator)

(hereinafter referred to as "we" or "CSC")

2. Contact person for register-related matters

CSC Service Desk
tel. 09 457 2821 (operator)

Data asset owner: Chief Administrative Officer, BIS

Data Protection Officer:

3. Name of register

Whistleblower register

4. Purposes and lawful bases for processing personal data

Whistleblower system enables you and any CSC’s employees to alert CSC and report possible illegal activities or serious violations against our internal provisions. It is possible to report anonymously without entering any personal data. Reporting anonymously may hinder our ability to fully investigate a reported matter or answer your requests.

After receiving the report, CSC processes personal data in the context of the Whistleblower for the purpose of investigation and giving feedback for the reporter.  Only the information that is relevant in the scope of Whistleblower and to the reported matter will be kept after initial check. We will send an acknowledgment of receipt within seven days and feedback within three months from the acknowledgement to the reporter.

Personal data processing will be based on one of the following lawful basis:

  • Because it is necessary to comply with a legal obligation (GDPR 6(1)(c)), given the facts that

a) Whistleblower platform and process are mandatory for some alerts of law breaches and it is mandatory to give an acknowledgment of receipt within seven days and feedback within three months from the acknowledgement.
b) Investigatory measures may be necessary for the performance of employment relationships.
c) CSC is obliged to inform within one month form recording personal data the accused person about the allegations made and investigations carried out against him/her. That person must not be informed about the reporter’s identity and we will ensure that no conclusions about identity is possible. CSC is obligated to inform any person mentioned in the report about data processing within one month, if one’s personal data is stored after initial check.   
d) CSC has to answer for data subject’s requests.

  • We rely on our legitimate interests (GDPR 6 (1)(f)) to process data:

a) where the report falls or not under legal obligation to provide Whistleblower system and process. It is a clear benefit to us to ensure the conduct of our workers is in-keeping with what is required by law, by industry standards and by our internal provisions. Investigation and measures help us to prevent economic losses and damage to our reputation.
b) when it serves CSC’s interests in the form of assertion, defense and exercise of legal claims
c) to improve our compliance structures, when CSC may identify and eliminate possible weaknesses in its internal compliance
d) to support of data subjects to discharge form wrong accusations.

In the case of conduct which constitutes a criminal offence against the interests of CSC or which violates human rights, interests of CSC will outweigh the accused person’s right to informational self-determination.

  • Consent (GDPR 6 (1)(a)), if the reporter has given the explicit consent.
  • In general, specific categories of personal data are not processed in the Whistleblower process.  If received report would include special categories of personal data pursuant to GDPR 9 (1) and the processing would be necessary for the establishment, exercise or defense of legal claims, the legal basis is GDPR 9 (2)(f).
5. What data do we process?

The report and the feedback may include direct or indirect information about persons concerned.

If you register for using the Whistleblower, you will be asked to provide us with the following personal data, although only the data marked by an (*) are mandatory:

  • Whether you want to remain anonymous*
  • Language*
  • Your name and contact details
  • Any optional information you choose to submit
  • Any metadata existing in the documents, if not been deleted
  • Password you set for login to your report again

In the Whistleblower process, personal data from various data subjects may be processed:

  • a reporter
  • a person mentioned in the report
  • a person investigating an alert or making an investigation report
  • a person interviewed in an investigation
  • a person serving as a consultant in an investigation
  • a person mentioned in a statement or an interview

For the purposes mentioned above, we can collect and process during the Whistleblower process the following personal data:

  • based on a consent identity, job position and contact details of the reporter
  • identity, job position and contact details of the individual(s) mentioned in the report;
  • identity, job position and contact details of the individuals involved in the receipt or processing of the report
  • reported matters
  • elements gathered during the investigation of the reported facts
  • report of the investigative actions
  • outcome of the report

Information on the use of cookies and other technologies

The Whistleblower system uses a session cookie to remember your language selection. That cookie is deleted as soon as you close the browser.

  • Cookie name: Cookie for language setting
  • Provider: EQS
  • Validity: Session
  • Purpose: For language setting
6. Where do we get your data from? We may obtain your personal data in the context of the Whistleblower because you give them to us, because you are mentioned on a report or participating to an investigation or  information generated by using the platform (as time stamps).
7. Where do we transfer your data?

Your personal data may be processed by:

  • To the investigation and reporting nominated CSC’s employees
  • To the investigation and reporting by CSC nominated subcontractor’s employees
  • CSC’s subcontractor for the purpose of supporting the service used for the Whistleblower
  • In cases of alleged criminal offences, personal data may need to be disclosed during judicial proceedings. Person concerned will be notified of any such disclosure.

Personal data is not transferred to countries outside the EU/EEA.

8. How do we protect your data and how long we store your data??

The data submitted to the whistleblower system is encrypted and access to data is limited to a very narrow circle of expressly authorised persons.  The is no logging of personal data of visitors and reporters. The system is operated by an independent organisation.

Information which is not relevant to the investigation is deleted or anonymised after initial check.

The reporter’s personal data is retained as long as the data is required for investigation and to provide feedback. When such requirements no longer exist, the reporter’s personal data will be deleted within 60 days.

A report and given feedback will be stored for five (5) years from the end of closing year of the investigation. All personal data on those will be deleted or anonymised within 60 days of the end  of the investigation, unless legal proceedings have been started. In single cases the data collected are stored for a longer period, if judicial or disciplinary proceedings are initiated. In such cases the data will be stored until those proceedings are definitively closed.

9. What are your rights as a data subject?

With respect to the processing of your personal data, you have the following rights:

  • to request confirmation as to whether we are processing personal data concerning you and to access to your personal data as long as this does not disclose the identity of the reporter. If you are the reporter you have an access to your personal data with your case number and password.
  • to withdraw your consent
  • to demand the rectification or completion of inaccurate or incomplete data. If you are the reporter you have an access to update your information with your case number and password.
  • to request the erasure of data in certain cases
  • to request the restriction of processing, under certain conditions
  • to data portability, under certain conditions you may receive your data, which you have provided us with, in a structured, common and machine-readable format or have it transferred to another controller

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you. We will then no longer process the personal data, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. The right to object does not apply to legally required Whistleblower or data subject rights.

We will always use best efforts to address and settle any requests or complaints you bring to our attention. Besides contacting us you always have the right to approach the competent data protection authority with your request or complaint:

  • at your habitual residence in the EEA
  • at the place of your work in the EEA or
  • at the place of the alleged infringement in the EEA.

The data protection authority competent for CSC – IT Center for Science Ltd is:
Office of the Data Protection Ombudsman
Postal address: PL 800
00531 Helsinki, Finland

10. Who should you contact?

All enquiries and requests regarding this privacy notice should be made in writing or in person to the contact person specified in section two (2).
In order to exercise any of your data subject rights, you can send us a request, indicating the right you wish to exercise by e-mailing us at

11. Changes to this notice This privacy notice is current as of the date which appears at the top of the document. We may occasionally update this privacy notice. If there are material changes to this privacy notice or in how we will use your personal data, we will use reasonable efforts to notify you.