Whistleblower protection allows people to safely report breaches. A report can be submitted using an internal or external whistleblowing channel. The internal whistleblowing channel of the Ministry of Economic Affairs and Employment is only available to people employed by the Ministry of Economic Affairs and Employment. Others, such as retired public officials or people employed by partners, may submit a report regarding the activities of the Ministry of Economic Affairs and Employment that they have observed in their work and that fall within the scope of the Whistleblower Act to the central external whistleblowing channel of the Office of the Chancellor of Justice.
Purpose of and grounds for the processing of personal data
Personal data is processed in connection with the tasks laid down in the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, the Whistleblower Act). Under section 30 of the Whistleblower Act, the controller may process data belonging to certain special categories of personal data and data related to criminal convictions and offences only if the processing is necessary for the purpose of the Act.
Personal data is processed in accordance with Article 6, paragraph 1, point (c) of the General Data Protection Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject).
Reports processed in matters concerning whistleblower protection may contain any personal data that the whistleblower has appended to the report.
In matters concerning whistleblower protection, the personal data of the whistleblower is not stored in the contact information for the matter or document as the initiator of the matter, nor is the personal data of the reported person stored in the contact information for the matter or document. However, the personal data of the whistleblower and the reported person are processed in the documents concerning the report, such as the report itself.
The personal data of the whistleblower and the reported person under the Whistleblower Act are always treated as non-disclosable in their entirety.
Situations in which information on the identity of the whistleblower can be disclosed to another authority or to the reported person
Notwithstanding the non-disclosure obligation laid down in the Whistleblower Act, the person responsible for processing the report may disclose the identity of the whistleblower and other persons mentioned in the report, as well as any other information directly or indirectly indicating the identity of the persons, to a person appointed to verify the accuracy of the report, if this disclosure is necessary to verify the accuracy of the report.
In addition, notwithstanding non-disclosure provisions, the person responsible for processing the report may provide information on the identity of the whistleblower, the reported person and other persons mentioned in the report, as well as other information directly or indirectly indicating their identity, if it is necessary to provide this information:
- to the competent authority for the purpose of verifying the accuracy of the report;
- to the criminal investigation authorities for the purpose of preventing, detecting, investigating and considering prosecution of criminal offences;
- to public prosecutors for the purpose of performing the official functions prescribed in section 9 of the Act on the National Prosecution Authority (32/2019);
- to the reported person for the purpose of establishing, presenting or defending a legal claim in a court hearing or in out-of-court judicial or administrative proceedings.
Separate provisions on the right of a party to access non-disclosable information are laid down elsewhere in law.
The reported person has the right to disclose the identity of the whistleblower and to obtain information on the identity of the whistleblower from the authorities if this is necessary for establishing, presenting or defending a legal claim in judicial proceedings.
The person responsible for processing the report shall inform the whistleblower in advance of the disclosure of their identity, unless such information would jeopardise the verification of the accuracy of the report or a criminal investigation or trial related to the matter. The competent authority shall also provide the whistleblower with a written explanation of the grounds for the disclosure of non-disclosable information.
Processing of data is limited within the organisation and time-limited
In matters concerning whistleblower protection, personal data may only be processed by persons designated for the task in the ministry in question as referred to in the Whistleblower Act.
Documents submitted to and prepared by the ministry and the personal data contained therein shall be stored in accordance with the document storage periods specified in the information management plan. The provisions of section 29, subsection 2 of the Whistleblower Act have been taken into account when determining the storage periods.
Data stored in the case management system shall not be transferred to third countries or international organisations.
Rights of data subjects
The right of a data subject to restrict the processing of their data does not apply to matters of whistleblower protection, and the right of a data subject to access their data may be restricted if this is necessary and proportionate with respect to ensuring the accuracy of the report or in order to protect the identity of the whistleblower. If only a part of the data on a data subject is such that it falls within the restriction on the right of access, the data subject shall have the right to access the remainder of the data. The data subject has the right to be informed of the reasons for the restriction and to request that this information be provided to the Data Protection Ombudsman in accordance with section 34, subsections 3 and 4 of the Data Protection Act (1050/2018).
Any requests for information concerning personal data, requests to rectify or supplement personal data and requests to restrict the processing of personal data shall be addressed to the controller.