This privacy policy explains what personal data is processed, how, and for what purposes, in connection with the observation reporting platform (“Whistleblowing Channel”), which has been developed pursuant to European Union Directive 2019/1937, on the protection of persons who report breaches of Union Law (“Whistleblowing Directive”) and relevant national laws.
4finance Group, a closed limited liability company registered in Luxembourg, including all its directly or indirectly controlled legal entities, acts as personal data controller or co-controller, depending on relevant national laws. The process includes the Whistleblowing Channel and any reports submitted therein and the actions and investigations resulting therefrom, all in accordance with the General Data Protection Regulation (“GDPR”).
1. Controller
Where an observation relates to employees or other related persons of a 4finance Group subsidiary other than 4finance AS, processing of personal data in the context of that process will be controlled by 4finance AS.
4finance, AS
Brīvības iela 155A, Riga, LV-1012
privacy@4finance.com
2. Purpose
The purpose of processing personal data is to set up and maintain the Whistleblowing Channel and to receive, investigate and resolve any breaches, misconduct or other matters reported through the Whistleblowing Channel in accordance with Co-controller internal policies and the requirements of the Whistleblowing Directive and national laws. Although in the report 4finance Group may receive any kind of information, including incorrect or excessive, the aim is to establish evidence which then is reviewed.
3. Legal basis
All processing is based on the Whistleblowing Directive transposed in the Whistleblowing law of Latvia and [Subsidiary whistleblowing law]. Further, the processing of personal data pertaining to the observation subjects, Whistleblowers and the observation investigators is based on the Controller’s legitimate interest of preventing, detecting, investigating and addressing wrongdoing. Without intention, the Co-controllers might be exposed to special categories of personal data contained in the Whistleblowing report according to exceptions permitted by Article 9 of the GDPR, such as in the field of employment and social security and social protection law (Art.9.2(b)) and for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity (Art.9.2(f)). Any irrelevant or excess personal data is deleted, according to Art. 17 of the Whistleblowing Directive.
4. Categories of data subjects and data
Whistleblowers. As a rule, the Whistleblower reports their observation anonymously. The Whistleblower may also include personal information (such as their name, location, department, age, gender, financial information etc.) if it assists the investigation. Information provided by the Whistleblower may also contain special categories of personal data (such as information about a person’s health, biometrics, beliefs, sexuality, criminal convictions). The circumstances of the case may allow identifying the Whistleblower indirectly. They include employees of 4finance Group and external stakeholders, such as persons other than workers, who encounter the entity through their work-related activities, such as service-providers, distributors, suppliers, and business partners.
Subjects of observations. Observations of misconduct may contain information about other relevant persons (e.g., name, surname, position, location, financial information, pictures, or video footage), their behavior and circumstances, and other personal information. Exceptionally, observations may contain special categories of personal data.
Case managers. The person responsible for the investigation receives the information contained in the observation. These persons are employees specifically assigned by the Co-controllers to process the observation. Their name, title, username, and log data are processed.
5. Access to and disclosure of personal data
Only Case managers have direct access to personal data in observations. Personal data may be disclosed to third parties, such as the authorities or external auditors, in case of a legal obligation or legitimate interest. When reporting from a computer on a public or work network, the visited webpages are logged in the browser’s history and/or the system log, allowing deanonymization in exceptional circumstances. The Whistleblower is therefore encouraged to use a private network and the browser in incognito mode.
6. Processing of personal data in EU/EEA countries
The administrator of the Whistleblowing Channel is an external service provider: Falcony Ltd., Finnish Trade Register business ID: 2900763-6, Annankatu 27 A, 00100 Helsinki, Finland, +358 20 131 0611, support@falcony.io (Processor). The Co-controllers have the necessary agreements in force to ensure that the Processor only uses personal data collected by means of the Whistleblowing Channel as permitted by the applicable data protection laws. The Processor has a sub-contractor which provides technical data storage – Amazon AWS, Ireland (Sub-processor). The data is processed and stored only in the EU/EEA.
7. Data storage periods
The observation data is kept for no longer than two (2) years after the end of each investigation. Longer storage periods may be necessary due to mandatory legal obligations arising from, for example, criminal procedure, legal claims, occupational safety laws, etc.
8. Rights of the Whistleblower
The Whistleblower has the right to:
1. obtain from the Controller confirmation as to whether personal data concerning him or her is being processed, and, where that is the case, access to the personal data;
2. request from the Controller rectification of their personal data;
3. request from the Controller restriction of processing of their personal data in the circumstances referred to in Article 18 of the GDPR;
4. request from the Controller erasure of their personal data; or
5. object to the processing of their personal data in the circumstances referred to in Article 21 of the GDPR.
These rights may be limited in specific circumstances, according to the GDPR.
9. Information security
All data is transmitted and stored encrypted. No unencrypted information is sent over the open Internet. The risk of breach and indirect identification is negligible.
10. Inquiries on personal data and the legal basis of the Whistleblowing Channel
Should you have any inquiries about the processing of personal data, please contact the 4finance Group Data Protection Officer at privacy@4finance.com. For questions regarding the legal framework of the Whistleblowing Channel and observation investigation, please contact the 4finance Group Compliance Officer: compliance@4finance.com. On matters of the anti-money laundering framework, please contact the 4finance Group Head of AML and DP: aml@4finance.com.