Whistleblowing Channel Privacy Notice
Last updated: 12.11.2021
Your privacy is important to us. This privacy notice explains what personal data M-Files processes, how M-Files processes it, and for what purposes in connection with the M-Files Group’s Whistleblowing Channel, which has been implemented pursuant to Directive (EU) 2019/1937, on the protection of persons who report breaches of Union Law (“Whistleblowing Directive”) and its national implementing legislation.
References to the whistleblowing channel and whistleblowing processes include the whistleblowing channel implemented by M-Files Group and any reports submitted therein and the processes and investigations resulting therefrom.
M-Files Oy (primary responsible party)
Hermia 12, Hermiankatu 1 B
33720 Tampere, Finland
and our group companies
(hereafter ”we” or “M-Files”)
The Whistleblowing Channel infrastructure is provided by M-Files Oy for the use of the entire M-Files Group. Where a whistleblowing process relates to employees or other data subjects of a M-Files entity other than M-Files Oy, processing of personal data in the context of that whistleblowing process will be jointly controlled by M-Files Oy and the other M-Files entity or entities in question. The rights and obligations of the Group entities have been agreed upon and documented in M-Files Intra-Group Master Data Transfer Agreement.
2. Contact information for privacy matters
Data Protection Officer: [email protected], or
Hermiankatu 1 B
33720 Tampere, Finland
3. What is the purpose and the legal basis of processing personal data?
The purpose of processing personal data is to set up and maintain the M-Files’ Whistleblowing Channel and to receive, investigate and resolve any breaches or other matters reported through the whistleblowing channel in accordance with M-Files’ internal policies and the requirements of the Whistleblowing Directive and national implementing legislation.
The basis of processing personal data is to fulfil our legal obligation, i.e. comply with the obligations and requirements set out in national implementing legislation pursuant to the Whistleblowing Directive.
4. What data do we process?
Using the whistleblowing channel to submit a report does not require submitting any personal data. When you use the whistleblowing channel, you are assigned a unique case ID and password, that cannot be used to identify you. The whistleblowing channel is designed in such a manner that it can be used wholly anonymously.
However, in the event that a person making a report in the whistleblowing channel includes personal data pertaining to his-/herself or to another person, e.g. a person alleged of a wrongdoing, in the report, such personal data will be processed in accordance with this Privacy Notice. Where manifestly unnecessary or incorrect personal data is identified in a whistleblowing report or a case file, such personal data will be erased without undue delay by the persons authorized to access the report or case file in question in accordance with M-Files’ applicable internal policies. Thus, the personal data processed in connection with the whistleblowing channel could, without limitation, include for example:
- Identity of the person submitting a report
- Identity of an alleged wrongdoer
- Identity of person connected with the alleged wrongdoing
- Information relating to the alleged wrongdoing
- Any other personal data submitted in the whistleblowing channel
5. From where do we receive data?
Personal data processed in connection with the whistleblowing channel is, by default, received from the report made by the person using the whistleblowing channel. The whistleblowing channel can be used anonymously, but, at your own choice, you can provide information identifying yourself in the report. Moreover, personal data pertaining to you may be processed if another person has identified or otherwise indicated information relating to you in a whistleblowing report made by them.
Where applicable, information from other sources, as applicable, may be used to verify the accuracy of whistleblowing reports and where such a report leads to an investigation, additional personal data may be collected and processed in connection with the investigation. Such personal data may be collected from publicly available sources or based on information received from the authorities or other third parties within the limits of the applicable laws and regulations.
6. To whom do we disclose data, and do we transfer data outside the EU or the EEA?
We don’t disclose your personal data processed in connection with the whistleblowing channel to external parties except that on-going whistleblowing processes and the associated personal data may be disclosed to our subsidiaries and affiliates, or a subsequent owner, co-owner or operator of the Services and their advisors in connection with a corporate merger, consolidation, restructuring, the sale of substantially all of our stock and/or assets, or in connection with bankruptcy proceedings, or other corporate reorganization.
We use subcontractors to provide the whistleblowing channel. The subcontractors are used to provide the whistleblowing platform and other services that are required to comply with the requirements of the Whistleblowing Directive and its national implementing legislation. All subcontractors are bound by adequate data processing and confidentiality agreements, and only process personal data to the extent necessary to fulfill the purposes set out in this Privacy Notice.
Your personal data may also be disclosed between the M-Files Group entities, depending on which employees from which legal entities make a report, are indicated in a report or are responsible for receiving and handling the report and associated procedures in accordance with M-Files’ internal policies.
Where an M-Files employee or an entity outside the EU/EEA is indicated in a whistleblowing report or an employee outside the EU/EEA is designated responsibility for handling the report and associated procedures, any personal data contained within a report may be processed outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that any transfers are covered by the EU Commission’s standard contractual clauses or by another appropriate safeguard as described in Article 46 of the GDPR.
7. How do we protect the data and how long do we store them?
Only those of our employees, who due to the nature of their work are designated responsibility for overseeing whistleblowing cases, are entitled to use the system and access case files containing the personal data related to the whistleblowing process, and only to the extent the whistleblowing case in question has been determined to fall within their specific responsibility under M-Files’ internal policies. Each user has a personal username and password to the systems used to process personal data. The data is stored in systems that are protected by firewalls, passwords and other technical measures. Save for situations where a whistleblowing report would lead to further measures (e.g., a criminal investigation), all personal data will be exclusively processed using such systems and is not stored or transferred elsewhere, apart from responsible employees accessing the data in the systems to handle their designated responsibilities.
The personal data we collect is retained for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law, or by us to protect our legal rights. Any personal data will be deleted after the whistleblowing process in question is finally resolved, unless further measures, such as criminal investigation, requiring the further processing of the data are necessary and result from the whistleblowing process.
We estimate the need for data storage regularly, taking into account applicable legislation. In addition, we take care of such reasonable actions that ensure no incompatible, outdated or inaccurate personal data is stored taking into account the purpose of the processing. We correct or erase such data without delay.
8. What are your rights as a data subject?
You have the right to inspect the personal data stored concerning yourself and the right to demand rectification or erasure of the inaccurate, outdated, unnecessary and unlawful data. You have the right to request the rectification of the data pertaining to you that is processed insofar as such data would be inaccurate, outdated, unnecessary or unlawful. Where you would contest the accuracy or other aspects of the data, you also have the right to request the restriction of processing of your data until a decision on whether to rectify your data is made (i.e. until it is verified whether the data is inaccurate, outdated, unnecessary or unlawful with respect to whistleblowing process in question).
On grounds relating to your particular situation you also have the right to request the deletion of your data.
Ensuring the integrity of the whistleblowing processes, i.e. complying with Whistleblowing Directive and implementing national legislation, may require limiting the extent to which you as a data subject can exercise your rights with respect to your personal data that is processed in the whistleblowing channel. Where such situations arise that it would be necessary to limit your rights, the M-Files Data Protection Officer will be consulted to carry out a case-by-case assessment, taking into account both your rights and M-Files’ legal obligations, on the matter, before final decision on whether or not to fulfill your request is made.
You also always have the right to lodge a complaint with the supervisory authority.
9. Children’s privacy
Our services are not directed to children and we do not intend to collect personal data from children in connection with the whistleblowing channel. We ask you not to use the services and not to provide any information about yourself to us if you are below the age of majority, defined in your jurisdiction, and require parental consent or authorization for processing of personal data.
10. Who can you be in contact with?
All contacts and requests concerning this Privacy Notice should be submitted in writing to the address mentioned in section two (2) “Contact information for privacy matters”.