Balmuir front page
Stores and opening hours

Season sale 50% off | Shop your favorites | Valid until August 10th

Privacy policy for Balmuir Oy’s whistleblowing channel

1. Data Controller

Balmuir Oy Business ID: 2131329-2

2. Contact information regarding the register

If your matter concerns the processing of personal data or the exercise of rights under the EU General Data Protection Regulation in Balmuir Oy’s whistleblowing channel, you can contact Balmuir Oy’s data protection Officer by email at dataprotection@balmuir.com.

3. Name of the register

Privacy policy for Balmuir Oy’s whistleblowing channel.

4. What data do we process?

Balmuir Oy strives to collect only the necessary personal data for investigating cases reported via the whistleblowing channel. Balmuir Oy may collect and process the following personal data included in a report:

· First and last name

· Date of birth

· Personal identity number

· Street address, postal code and city

· Email address

· Phone number

· Gender

· Preferred language for communication

· Occupational and employer details

· Any information included in the report concerning the suspected misconduct or criminal offense

· Images and video material

· Other data included in the report

The personal data processed typically concern the person submitting the report or the person who is the subject of the report.

The reporter decides which personal data to include in their report. Due to the free-text fields in the report form, the reporter may also disclose data beyond the types listed above, including special categories of personal data. Any personal data contained in the report that clearly have no relevance to the investigation of the matter will be deleted without undue delay.

Reports may be submitted anonymously via Balmuir Oy’s whistleblowing channel. Anonymous reporting reduces the amount of personal data processed in the report. However, anonymity may delay or complicate the investigation of the reported matter.

5. Purpose and legal basis for processing personal data

The purpose of processing personal data is to handle reports received through the whistleblowing channel. The data is processed for investigating incidents reported and for handling any potential sanctions.

Balmuir Oy may collect and process personal data described in this privacy policy for the following purposes, among others:

· Handling, investigation, reporting and decision-making based on reports submitted via the whistleblowing channel

· Monitoring and ensuring compliance with legislation, contracts and Balmuir Oy’s internal guidelines and regulations

· Preventing, detecting, and investigating crimes and other misconduct

· Safeguarding the protection of legal rights

· Fulfilling legal obligations.

The legal basis for processing personal data is compliance with legal obligations and the legitimate interest of Balmuir Oy’s.

6. Where do we collect data from?

Personal data is primarily obtained from the reporter itself via the whistleblowing channel. Reports may be submitted by Balmuir Oy’s personnel or external stakeholders.

Balmuir Oy may also collect personal data from its internal systems, parties related to the report and authorities, when necessary to ensure proper investigation of the reports.

7. Recipients of personal data

Only designated employees of Balmuir Oy are authorised to process personal data.

Data from the register may be disclosed to third parties, such as authorities or external auditors, within the limits permitted and required by law. This includes responding to official requests or when necessary to protect the legitimate interests of Balmuir Oy, for example, in connection with criminal reports, preliminary investigations or court proceedings.

8. Transfers of personal data outside the EU/EEA

The data in the register are not transferred outside the EU or EEA.

9. Principles regarding the protection of personal data and retention period

Only designated employees of the data controller have the right to access the register and process reports based on access rights granted by the controller. Those handling the notification are bound by confidentiality obligations. The register and reports are protected with standard firewalls and/or passwords.

The proper security and protection of personal data, including protection against unauthorized processing and accidental loss, is ensured by using a secure whistleblowing reporting channel provided by Webropol Oy and by training the designated employees of the data controller in the secure handling of reports.

Personal data is retained only as long and to the extent necessary to fulfil the purposes defined in this privacy policy. Information received via the whistleblowing channel is deleted five (5) years after receipt of the report, unless retention is necessary for fulfilling legal rights or obligations or for establishing, exercising, or defending

legal claims. Personal data contained in the report that clearly have no relevance to the investigation of the matter will be deleted without undue delay.

10. Rights of the data subjects

The data subjects have the right to check what information is stored about them and to access their personal data.

The data subjects also have the right to request rectification or erasure of their data. Personal data will be deleted if there is no longer a legal basis or obligation for its processing.

Under certain conditions, the data subjects may also have the right to request restriction of the processing of their personal data or to object to the processing.

The data subjects can exercise their rights under applicable data protection legislation by contacting dataprotection@balmuir.com in an informal manner.

Balmuir Oy will assess as soon as possible whether the conditions are met to fulfil the requests referred to in this section 10. Balmuir Oy may also request additional information from the data subject if necessary.

Balmuir Oy may charge a fee for fulfilling the request or refuse to comply, if the request is deemed manifestly unfounded or excessive.

11. Information about automated decision-making and profiling

Balmuir Oy does not use automated decision-making or profiling in connection with the processing of personal data described in this privacy policy.

12. Right to lodge a complaint with a supervisory authority

If the reporter or another individual believes that Balmuir Oy is not processing their personal data in accordance with the EU General Data Protection Regulation, the individual can lodge a complaint with the supervisory authority in the EU Member State where the individual has their habitual residence or place of work or place where the individual considers the violation to have occurred. In Finland, this authority is the Data Protection Ombudsman.

Office of the Data Protection Ombudsman

Visiting address: Lintulahdenkuja 4

00530 Helsinki

Postal address: P.O. Box 800

00531 Helsinki

Phone (switchboard): +358 29 56 66700 Email: tietosuoja@om.fi