PRIVACY POLICY OF THE ETHICAL CHANNEL I.E., WHISTLEBLOWER CHANNEL

Updated 30.06.2022 

1. Controller 

Trevian Asset Management Oy (Business ID 2507543-9) (“Trevian”) 

Erottajankatu 2, 3rd floor, 00120, Helsinki 

E-mail: tietosuoja@trevian.fi 

Phone: +358 10 581 3830 

Responsible person for the register: 

Kim Särs, Chief Compliance Officer 

Data Protection Officer 

Matti Tossavainen 

2. Name of the register  

Ethical Channel i.e., Whistleblower-channel (”Whistleblower channel”). 

3. The purpose of the personal data management 

Processing of notifications received through Trevian’s Whistleblower channel. The purpose of the notification channel is to ensure that the controller complies with the principles of good administration and to ensure appropriate practices in relation to financial security and the prevention of fraud and abuse. Through the Whistleblower channel, all Trevian employees and external stakeholders can report suspected misconduct anonymously. 

Legal basis for processing: 

The legitimate basis for the processing of personal data is the pursuit of the legitimate interests of the controller and the promotion and maintenance of good administration (e.g., compliance with rules and laws). Personal data will be processed based on a legitimate interest only if, as a result of a balance of interests, it has been established that the data subject’s rights and freedoms do not override Trevian’s legitimate interest. 

4. Information content of the register 

The register is anonymous, therefore by default no information other than what the web server stores the normal access log is left on the notifier. The IP address, time, and Internet browser used are left in this log 

The register may contain: 

  • Name and contact details of the notifier (if provided by the notifier) 
  • Identification of the subject (s) of the notification (to the extent provided) 
  • Information about the suspected person (s) subject to the report and any violation of this law or ethical principles 
  • An entry of the user ID is left in the audit log for the notification handler.  

5. Regular sources of the personal data 

The register contains information provided by the person himself or herself. In addition, during the investigation of the case, the controller may collect the necessary information related to the notification from the parties involved as well as from the persons and entities involved in the events. 

6. Transfer of the personal data 

The data is processed by limited number of controller’s employees. The information in the register is not disclosed regularly. Disclosure of information is in accordance with laws and regulations as well as instructions issued by the authorities. 

7. Data transfers within EU and outside the EU 

The data shall not be transferred outside the territory of the Member States of the European Union or the European Economic Area without the consent of the parties concerned. 

8. Protection of personal data and information security 

Personal data shall be accessed and processed by employees appointed by the controller who, as part of their duties, process notifications and investigate these reports. The identity of the parties and other information about them shall not be disclosed to third parties except to the extent necessary for an adequate investigation. 

The identity of the notifier (if provided by the notifier) shall be kept as confidential as possible for the purpose of clarifying the matter. Access to the notification channel is restricted to a limited number of designated employees of the controller. The controller’s staff is bound by confidentiality obligations. In addition, employees are committed to complying with internal information security guidelines. 

The Whistleblower channel is maintained by an external service provider (Suomen Tunnistetieto Oy). The controller has agreed that the service provider will process personal data obtained through the Whistleblower channel in accordance with data protection legislation. 

Personal data may be disclosed to third parties, such as public authorities or external auditors, in accordance with the law. 

9. Storage of personal data 

We retain information for as long as it is needed for the purpose for which it was collected and for which purpose it is processed, or for as long as required by law and regulations. 

10. The rights of the registered 

Every Data Subject has the right to know what personal data about him or her has been stored in the register or to find out whether he or she is in the register. In principle, the Data Subject has the right, in accordance with the applicable data protection legislation: 

  • to obtain information on the processing of their personal data; 
  • to have access to their own data; 
  • to require the correction of inaccurate and incorrect personal data; 
  • to request that the processing be restricted or that personal data be deleted;  
  • to withdraw his/her consent and to object the processing of his/her personal data to the extent that the processing of personal data is based on the Data Subject’s consent and there are no other grounds for doing so. 
  • the right to transfer data from one system to another, i.e., to obtain personal data about oneself in a structured and publicly available form, and to transfer the data to another controller. 
  • the right to lodge a complaint with the Office of the Data Protection Ombudsman (Finland) if the Data Subject’s statutory rights have been violated. 
  • the right to have his or her data deleted and forgotten. 

The address of the Office of the Data Protection Ombudsman: 

The Office of the Data Protection Ombudsman 

Address: PL 800, Ratapihantie 9, 00521 Helsinki, Finland 

Phone: 029 56 66700 

Email: tietosuoja@om.fi 

Website: www.tietosuoja.fi 

The Data Subject must submit a request for the right of inspection in writing, stating at least his or her name and e-mail address. The Data Subject concerned must make a request for inspection either by e-mail or by handwritten letter. Requests for verification and information are not received by telephone, but we always require a written request for verification of information. Necessary and appropriate measures to identify the Data Subject shall be taken prior to the investigation and / or disclosure to the Data Subject. 

11. Changes to this privacy policy 

The processing of personal data is subject to 

  • Act on the Protection of Privacy in Working Life (759/2004), 
  • the Data Protection Regulation (GDPR) (EU) 2016/679, 
  • the Data Protection Directive (EU) 2016/680, 
  • Act on the Protection of Privacy in Electronic Communications (516/2004) 
  • regulations of the authorities 

This privacy statement may be updated from time to time, for example as legislation changes.