Youpret’s Whistleblowing Policy and Privacy Policy Statement




1. Controller

Youpret Oy

Address: Kauppakatu 17 B, 80100 Joensuu, Finland

Contact person: Pekka Nurmela



2. Purpose and Legal Basis of Processing

The whistleblowing channel is designed to give all employees of Youpret, Youpret’s interpreter network, as well as external stakeholders a means to report suspected cases of wrongdoing anonymously. Personal data needs to be processed in order to investigate such reports and to decide on and implement any resulting penalties.

Abuse of the whistleblowing channel is prohibited and may result in legal action. The controller is committed to protecting the data subjects’ privacy and to only using personal data collected by means of the whistleblowing channel as permitted by data protection laws and good data protection practice.

Legal basis:

The processing of whistleblowers’ personal data is based on consent (GDPR, Art 6.1(a) and Art 9.2(a)).

The processing of personal data pertaining to the subjects of whistleblowing reports and the persons responsible for processing the reports is based on the controller’s legitimate interest (GDPR, Art 6.1(f)). All processing is based on Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (OJ L 305/34 of 26 November 2019), which is due to be transposed into Finnish law by the end of 2021. The processing of special categories of personal data is necessary for the purposes of carrying out the obligations of the controller in the field of employment law (GDPR, Article 9.2(b)).



3. Data Sources

Potential whistleblowers include employees of Youpret, Youpret’s interpreter network, as well as external stakeholders. The controller also collects information that is necessary for investigating reports of wrongdoing from the interested parties themselves as well as from other individuals or organizations that may be involved.



4. Categories of Data Subjects and Data

1. Whistleblowers

As a rule, whistleblowers report their suspicions anonymously. Some whistleblowers also include personal information (such as their name, location and certain financial information). Some reports contain pictures or video footage. Information provided by whistleblowers themselves may also contain special categories of personal data (such as information about a person’s health). The circumstances of the case may make it possible to identify the whistleblower indirectly.


2. Subjects of Reports

Reports of wrongdoing may contain information about the subject (such as their name, location, certain financial information, pictures or video footage), their behavior and circumstances as well as other personal information. Some reports also contain special categories of personal data (such as information about a person’s health).


3. Processors

The following personal data are collected from the persons responsible for processing whistleblowing reports:

  • Name, title, usernames, log data.



5. Access to and Disclosure of Personal Data

Only employees specifically assigned by the controller to process whistleblowing reports and investigate reported cases have access to the personal data relating to such reports. The administrator of the controller’s whistleblowing channel is an external service provider (GlobaLeaks). The controller and the service provider have signed an agreement to ensure that the service provider only uses personal data collected by means of the whistleblowing channel as permitted by the applicable data protection laws. Personal data may be disclosed to third parties, such as the authorities or external auditors, as per the law.



6. Transfers of Personal Data to Non-EU/EEA Countries

The external service provider, GlobaLeaks, acting as the administrator of the whistleblowing channel states that personal data is mainly processed in Italy and exclusively in the countries of the European Union. There is no transfer of Personal Data abroad to non-EU countries. Youpret Oy has implemented the appropriate contractual safeguards to ensure adequate protection of any data transferred to non-EU/EEA countries as well as compliance with the laws governing the processing of personal data and stipulated that the service provider incorporate the standard contractual clauses for data transfers adopted by the Commission as referred to in Article 46.2(c) of the General Data Protection Regulation into its own subcontracting agreements. The latest versions of the standard contractual clauses can be found on the European Commission’s website.



7. Whistleblowing Process

1. Whistleblowing Team

Access to messages received through our whistleblowing service is restricted to appointed individuals with authority to handle whistleblowing cases. Their actions are logged, and handling is confidential. Individuals who can add expertise may be included in the investigation process when needed. These individuals can access relevant data and are also bound to confidentiality. The whistleblowing team consists of Youpret’s management and designated person(s) from Youpret’s HR.


2. Receiving a Message

Upon receiving a message, the whistleblowing team decides whether to accept or decline the message. If the team accepts the message, it will take appropriate measures for investigation (section 4.3. “Investigation” below). The whistleblowing team may not investigate the reported misconduct if:

  • the message has not been made in good faith or is malicious;
  • there is insufficient information to allow for further investigation; or
  • the subject of the message has already been solved.

If the message does not belong to the scope of whistleblowing legislation but the message is appropriate, the matter will be handled as required by the guidelines and practices according to the nature of the matter. The person who has submitted the message will receive an acknowledgment of receipt of the report within 7 days. The whistleblowing team will send appropriate feedback within 3 months upon receiving the report.

Please do not include any sensitive personal data in your message unless such data is necessary for describing the concern. Sensitive personal data means data related to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or a person’s sex life or sexual orientation.


3. Investigation

All messages are treated seriously and in accordance with this whistleblowing policy. The following principles are being obeyed:

  • No one from the whistleblowing team, or anyone taking part in the investigation process, will attempt to identify the person who has submitted an anonymous message.
  • The whistleblowing team can, when needed, submit follow-up questions via the service for anonymous communication.
  • A message will not be investigated by anyone who may be involved with or connected to the wrongdoing.
  • Whistleblowing messages are handled confidentially by the parties involved.

If a person belonging to the whistleblowing team is identified in the message, the person in question will be excluded from the investigation, and their user rights to the management system of the cases will be removed.



8. Data Storage Periods

As a rule, data are kept for no longer than two (2) years after the end of each investigation. Longer storage periods may be necessary due to mandatory legal obligations arising from, for example, criminal procedure or occupational safety laws.



9. Rights of Data Subjects

Data subjects always have the right to:

1. Obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data;

2. Request from the controller rectification of their personal data;

3. Request from the controller restriction of processing of their personal data in the circumstances referred to in Article 18 of the General Data Protection Regulation; and

4. Lodge a complaint with the Data Protection Ombudsman.


Data subjects also have the right to:

5. Request from the controller erasure of their personal data; or

6. Withdraw their consent at any time, where the processing of the data subject’s personal data is based on their consent.


If the processing is based on the controller’s legitimate interest, data subjects have the right to object to the processing of their personal data in the circumstances referred to in Article 21 of the General Data Protection Regulation. Data subjects can request access to their data or exercise their other rights by contacting pekka.nurmela@youpret.com / Pekka Nurmela, Youpret Oy, Kauppakatu 17 B, 80100 Joensuu, Finland. Data can only be disclosed to individuals who are able to reliably prove their identity.

10. Enquiries Concerning Whistleblowing Policy and Data Protection

Should you have any questions about the processing of personal data, data protection or our whistleblowing policy, please contact

pekka.nurmela@youpret.com

/ Pekka Nurmela, Youpret Oy, Kauppakatu 17 B, 80100 Joensuu, Finland.