TrustLine Privacy Notice

Data protection laws and regulations of some countries require that a person making a report to this service that contains personal data is provided with information about how their personal data is collected, processed, and retained. Below, we set out this information. If you do not feel comfortable using this service, please make a report directly to your supervisor or line manager or to a representative of the Human Resources, Ethics and Compliance, or Internal Audit Functions, as you feel is appropriate. References to “organization” in this Notice refers to Valmet Oyj and/or the relevant group member(s)/entities/associates, as applicable.

1. General

This service is a web and phone-based intake system provided by the organization to its employees, vendors, suppliers, and business partners (and those of its group member(s)/entities/associates) (“Reporters”) for reporting suspected violations of laws or regulations, or for certain matters specified in applicable whistleblowing laws, if they notice any violations of our Code, other misconduct, or unethical behavior. In some jurisdictions, suspected violations of the organization’s policies may also be reportable through this service. Depending on the jurisdiction, suspected violations of the organization’s policies might not fall into material scope of a specific whistleblower regulation. In such circumstances, such matters should be reported directly to your line manager or supervisor or a representative of the Human Resources, Ethics and Compliance, or Internal Audit Functions, as appropriate. In respect of the processing of personal data that you provide to the service, the organization is the controller, and NAVEX is a processor acting on behalf of the organization. You may contact the organization with any questions relating to this Notice or this service, at contact Valmet's Privacy Officer.

2. Use of this service

Use of this service is entirely voluntary. You are encouraged to report possible violations directly to your supervisor or line manager, or to a representative of the Human Resources, Ethics and Compliance, or Internal Audit Functions, depending on the nature of the possible violation. If you feel that you are unable to do so, you may use this service to make your report. Please be aware that the information you supply about yourself, your colleagues, or any aspect of the organization’s operations may result in decisions that affect others. Therefore, we ask that you only provide information that you believe is true. You will not be; subject to retaliation from the organization; or (as applicable) otherwise adversely affected in your employment, including in relation to employment opportunities and work security, for any report you make in good faith (except to the extent the report involves you blowing the whistle on yourself), even if it later turns out to be factually incorrect. Please be aware, however, that you must not knowingly provide false or misleading information and that there be consequences for doing so. The information you submit will be treated confidentially except in cases where this is not possible because of legal requirements or in order to conduct an effective and efficient investigation, in which case the information will be handled sensitively. We encourage you to identify yourself in order for us to follow up with questions we may have, but you are not obliged to do so unless required by applicable laws.

3. What personal data and information is collected and processed?

This service captures the following personal data and information that you provide when you make a report: (i) your name and contact details (unless you report anonymously) and whether you are employed by the organization; (ii) the name and other personal data of the persons you name in your report if you provide such information (i.e., description of functions and contact details); and (iii) a description of the alleged misconduct as well as a description of the circumstances of the alleged misconduct. Note that depending upon applicable laws, the report will not be able to be made anonymously; however, your personal information will be treated confidentially and only processed in accordance with this Notice. There may be instances in which the personal information that you provide to the service or that we collect is considered sensitive personal information. Sensitive personal information can mean personal information from which we can determine or infer your racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership in a trade union or professional, religious, philosophical, or political association, physical or mental health or condition, medical treatment, genetic data, biometric information, and information about an individual’s sexual orientation. In certain circumstances, you may also provide criminal offence data (for example, allegations or evidence of criminal activity). If we rely on consent to process this information, you have the right to withdraw that consent at any time. We only process this information if and to the extent permitted or required by applicable law (such as for compliance with employment law or regulatory obligations).

4. Legal bases for processing personal data

The data collected will be controlled by Valmet Oyj. The legal basis for the processing is a legal obligation based on EU Whistleblowing Directive or legitimate interests of the data controller if the report is not in scope of the directive. Reporting misconduct helps to secure lawfulness of Valmet’s operations and that the principles set in Valmet’s Code of Conduct truly apply throughout the organization.

The legitimate interests referred to above include the organization’s interests in:

• protecting against conduct which is contrary to the organization’s values, policies and code of conduct, acting ethically and responsibly as a business, complying with laws, and protecting the health and safety of its employees;
• using a centralized team to investigate reports on behalf of the organization, for impartiality and efficiency reasons; and
• in more limited circumstances, necessary to protect your interests (or someone else’s interests) or because it is needed in the public interest or for official purposes

5. Accessing information concerning the report

Subject to applicable laws, the organization will notify any person who is the subject of a report to this service except where notice needs to be withheld or delayed to ensure the integrity of processing of the report and the investigation into the matters raised, and preservation of relevant information. With some exceptions, the subject of the report may access information concerning the report (other than the identity of the Reporter, where the reporter opts to remain anonymous) and request correction of personal data that is inaccurate or incomplete in accordance with applicable law. Similarly, with some exceptions, Reporters may also access information about the report and request corrections of their personal data in accordance with applicable law.

See “Your rights” below for more information.

6. Retention of the report and of your data

Data will be retained for six (6) years (unless country specific law provides otherwise) after the closing of the investigation, unless the information may be relevant to any pending litigation, inquiry, or investigation, in which case the information may not be destroyed and must be retained for the duration of that litigation, inquiry, or investigation and thereafter as necessary to the extent permitted by country specific law.

7. Your rights

The organization will support you in exercising any rights you may have as a data subject under applicable law in respect of the personal data you provide to the service, for example, your rights under the GDPR and other privacy laws may include:

• right of access;
• right to rectification;
• right to erasure (“right to be forgotten”);
• right to ask for restriction (“blocking”) of processing;
• right to data portability;
• right to object to processing;
• right to withdraw consent to processing (where the processing is based on consent); and
• right not to be subject to automated decision-making including profiling (in fact NAVEX and the organization will not use your personal data or any information in your report for such decision-making).

Please note that these rights are not absolute under applicable law, and they may not always apply in your circumstances. We will only restrict any of the above rights if and to the extent that that is necessary and proportionate in order to safeguard any of the major public interests recognized in applicable law such as the protection of criminal investigations or public security, or to protect the fundamental rights and freedoms of others, including any person(s) incriminated in your report, in accordance with applicable law.  In addition to the rights listed above, you may also have the right to lodge a complaint about our processing of your personal data with the authority competent for supervising the processing of personal data (often referred to as the data protection authority) in the country where you live (if that is an EU/EEA Member State) or in the country your organization is based (if you live outside the EU/EEA). If you require assistance identifying your local data protection authority, please contact Valmet’s Data Privacy Officer through Valmet’s Privacy Web Form or your local Data Privacy Officer.

8. Transfers of personal data

Valmet’s data processor, NAVEX, and Valmet use EU Commission’s Standard Contractual Clauses as an appropriate safeguard when transferring personal data to third countries from within the EEA or Britain. The need for such a transfer may arise because of using an interpreter during a phone call or using a translator for a written report. It is also possible that Valmet personnel outside of the EEA and Britain may need to access the report.

9. Special country regulations

The laws of some countries, which may be applicable depending on the circumstances:

• restrict reports such that only employees in key or management functions may be the subject of a report;
• do not permit anonymous reporting, except under extremely restrictive circumstances and/or
• place restrictions on the topics you can report on.

Any issues or concerns you have relating to topics not in scope to be reported via, or cannot lawfully be reported via, this service should be reported directly to your line manager or supervisor or a representative of the Human Resources, Ethics and Compliance, or Internal Audit Functions as appropriate.