Cookie Settings Our site uses cookies in order for the site to function properly and for your user experience to be even better. You can read more about them use and control their settings.

Privacy Policy for Genero’s Ethical Reporting Channel

Today, responsible business is essential. We maintain the trust of our stakeholders and create the conditions for Genero’s growth and good financial results only if we act ethically, responsibly, and in accordance with our values. We take all suspicions related to illegal or unethical activities seriously and encourage bringing them to our attention. We encourage our staff and stakeholders to raise cases where actions have been taken against Genero’s values, the law, or ethical guidelines.

We investigate all reports made in good faith impartially and take necessary actions based on the investigation. Genero’s Ethical Reporting Channel  provides an opportunity to report suspicions of misconduct that violate the law or Genero’s own code of conduct.

Reports can be made anonymously. Genero is committed to protecting the privacy of the person making the report and does not allow any retaliation against the informant.

This privacy statement concerns the processing of personal data in the context of reporting misconduct. We provide more details on the processing below.

1. Data Controller

The data controller relating to processing of personal data pursuant to this privacy policy is Genero Oy Ab (hereinafter also “Genero”, “us” or “we”):

Genero Oy Ab

Business ID: 2387598-5

Risto Rytin tie 33

00570 Helsinki

FINLAND

www.genero.fi

Email: tietosuojavastaava@genero.fi

2. Processed Personal Data

We process personal data for the investigation of allegations of misconduct received through Genero’s ethical reporting channel and for the implementation of any necessary measures, as well as for possible referral to law enforcement and monitoring of the stages of the investigation. Personal data is processed only to the extent necessary to achieve the purposes mentioned above.

Reports can be made anonymously. If the informant chooses to provide contact information, we process the informant’s name and contact information, as well as any other information provided by the informant.

Regarding the individuals subject to the report, personal data may include the names and contact information of individuals belonging to Genero’s personnel or stakeholders, information related to the suspected misconduct, and information related to the investigation.

All reports are treated with absolute confidentiality by Genero’s WhistleB system and authorized individuals. Authorized individuals conducting the investigation do not seek to determine the identity of the informant in any way if the report is made anonymously. If the report is made with the informant’s name, the informant’s identity is kept confidential throughout the investigation and after its conclusion.

3. Purposes of Processing Personal Data and Legal Basis for Processing

We process personal data for the handling of reports received through Genero’s ethical channel and the implementation of any necessary measures, as well as for possible referral to law enforcement and monitoring of the stages of the investigation. The legal basis for processing personal data is the statutory obligation based on Genero’s informant protection law to maintain the reporting channel and the legitimate interest in addressing allegations of misconduct within our company. We believe that the processing is not in conflict with the fundamental rights and freedoms of the data subject.

4. Storage Period for Personal Data

We retain personal data for as long as necessary for the purposes defined in section 3. Typically, we process reports of misconduct and related correspondence for two (2) months from the date of closing the case, after which the information is permanently deleted. However, if the information leads to legal proceedings or measures, we retain the information for as long as it is necessary for, for example, the legal proceedings, and there is no longer any possibility of appeal. Unfounded reports are anonymized immediately if personal information is provided in the report.

5. Data Subject Rights

In accordance with data protection legislation, the data subject has the right to:

  • Access personal data, provided that a copy does not adversely affect the rights and freedoms of others.
  • Rectify data, provided that the data controller processes incomplete or incorrect information.
  • Erase data, provided that the legal grounds for deleting the data specified in data protection legislation are met, and the data controller does not need the information, for example, to prepare, present, or defend against a legal claim.
  • Restrict processing, provided that the legal grounds for restricting processing specified in data protection legislation are met, and the data controller does not need the information, for example, to prepare, present, or defend against a legal claim.
  • Object to processing, except if the data controller can demonstrate that there is a compelling legitimate reason for the processing that overrides the data subject’s interests, rights, and freedoms, or if it is necessary for preparing, presenting, or defending a legal claim.
  • Lodge a complaint with the supervisory authority if the data subject believes that their personal data has been processed unlawfully.

To exercise the above rights, please contact the address provided in section 1.

6. Transfer and Disclosure of Personal Data

We use external service partners for the provision of system and support services. Only authorized individuals appointed by Legal Folks and Genero process personal data in the WhistleB system for the purposes outlined above in section 3. Additionally, we may disclose personal data internally or to third parties, for example, if required by the situation or severity assessment, or for the conduct of an investigation into misconduct, such as fraud, corruption, bribery, or other violations of the law. Personal data may be transferred outside the EU/EEA to the extent necessary for the technical implementation of the reporting channel.

7. Information Security

To ensure confidentiality, reports are processed in the system of an external service provider. The service provider does not store IP addresses or other information that could identify the sender of an anonymous report. Personal data processed in the system and reports are encrypted and only accessible to the parties handling the reports as described in section 2. The processing of the event and related discussions takes place securely within the system. Communication is fully encrypted during transfer and storage.

Persons handling suspicions of misconduct are bound by confidentiality obligations.

8. Changes to the Privacy Statement

We reserve the right to update this privacy policy, for example, due to justified changes in the processing of reports or compelling legislation.

We recommend regularly reviewing the content of the privacy policy.