Whistleblowing data protection description

DATA PROTECTION DESCRIPTION

Last Modified: 22.10.2018

Data Controllers

1) Konecranes Plc, 0942718-2

Address: Koneenkatu 8 (P.O. Box 661), 05830 Hyvinkää, Finland
Telephone: +358 20 427 11

2) Konecranes Global Corporation, 2711339-8

Address: Koneenkatu 8 (P.O. Box 661), 05830 Hyvinkää, Finland
Telephone: +358 20 427 11

Contact Person in Matters Related to Data File

Lasse Toivonen (Data Protection Manager)
[email protected]

Address and telephone number as above.

Data File Name

Whistleblowing and investigations

Data Subjects

1) Suspected person(s): Natural persons who are or were suspected of wrongdoing, misconduct or noncompliance with applicable laws and regulations or Konecranes policies ("Incidents")

2) Directly involved person(s): Natural persons who have provided information, including informants, whistleblowers, witnesses and persons who have provided statements or reported the above-referred wrongdoing, misconduct or noncompliance ("Violation Report")

3) Management and investigator(s): Natural persons belonging to senior management of Konecranes and persons who are involved in the investigation, enforcement, remediation and/or other consecutive activities related to Incidents and/or Violation Report; and

4) Other natural person(s) who are otherwise connected to the investigation, enforcement, remediation and/or other consecutive activities related to Incidents and/or Violation Reports.

Natural persons referred to above may be Konecranes’ employees, managers, directors, external temporary labor, or employees of Konecranes subcontractors, contractors, agents, distributors, suppliers, or customers; as well as any third parties, such as authorities.

Legal basis for the processing and purpose of use of the Personal Data

Legal basis for the processing

Processing of personal data ("Personal Data") is generally and primarily based on:

1) Legal obligations of the data controllers (i.a. under securities markets legislation, market abuse legislation, employment and export control laws), including the need to ensure financial security in the international financial markets and in auditing and reporting practices, as well as the commitment to fight against bribery, banking and financial crime and insider trading.

Secondarily, the processing of the Personal Data is based on:

2) Legitimate interests pursued by the data controllers – such as:

a. Possibility and need to conduct justified, sustainable, ethical and legitimate business according to business standards (incl. Konecranes internal and supplier codes of conduct);
b. Contract existing between a company belonging to Konecranes group of companies and a company represented by Data Subject, as the case may be;
c. Need to simultaneously observe and comply with non-EU legislative requirements, which may not be included as a direct legal data protection obligation of data controllers; and
d. Need to observe and comply with established good corporate governance principles recognized by major international organizations, such as OECD and European Union or implied from non-EU legislative requirements.

Purpose for Processing

The general purpose for processing and use of the Personal Data is to fulfil the data controllers' responsibilities as a publicly listed company as well as to fulfil and comply with the obligations and targets set out above.

In detail, the purposes for processing and use of the Personal Data include the following items related to Violation Report and/or underlying Incident:

1) Handling, conducting, management and execution of Incident investigation;
2) Incident reporting (incl. creation, maintaining and distribution of individual Violation Reports and management reports);
3) Initiation, handling, management and execution of consecutive and corrective actions (i.a. legal proceedings, authority processes and/or other required or necessary actions) based on Incident and/or Violation Report; and
4) Protection of whistleblowers and other parties involved in an Incident and/or Violation Report.

Data Content

The data content varies depending on the Data Subject's relation to the Incident and the Violation Report:

1) Suspected person(s):
a. Identification and General Personal Data;
b. Professional Data; and
c. Case Involvement Data.
2) Directly involved person(s):
a. Identification and General Personal Data;
b. Professional Data; and
c. Case Involvement Data.
3) Management and investigator(s):
a. Full name;
b. Role; and
c. E-mail address and other contact details.
4) Other natural person(s):
a. Full name;
b. Role;
c. Employer;
d. E-mail address and other contact details;
e. Case Involvement Data; and
f. Other information that may be necessary for the achievement of the purpose of the processing as specified under “Legal basis for the processing and purpose of use of the Personal Data”.
Identification and General Personal Data includes, for example:
- Full name;
- Preferred name;
- Date of birth;
- Gender;
- Salutation (mr/ms);
- Nationality;
- Native language;
- Personal ID; and
- Acknowledgement of data protection documentation (for reporting persons).

Professional Data includes, for example:
- Work role;
- Work history;
- Employer;
- Training records;
- Log information;
- Passwords;
- Contact details; and
- IP address.

Case Involvement Data includes, for example:
- Summary information of reports;
- Information about the data subject's role in relation to the Incident; and
- Any other case-relevant information that the reporter or any other third party gives, and that is gathered during a possible investigation, that may be necessary for the achievement of the purposes of processing as specified under "Legal basis for the processing and purpose of use of the Personal Data".

Regular Sources of Data

Data subject reporting the Incident him-/herself, or as subject of the Incident and/or Violation Report.
Employees, managers, directors and third parties relating to the Incident, its investigation and Violation Report.
Internal and external systems and databases (for example public registers and commercial databases, including information e.g. on politically exposed persons and individuals subject to trade sanctions and law enforcement activities).

Regular Disclosures of Personal Data and Transfer of Personal Data to countries outside European Union or the European Economic Area

Personal Data is not regularly disclosed to another controller for independent use (unless required by law, such as to authorities), except within companies of the Konecranes Group, and even then at all times in accordance with applicable laws.

Personal Data is transferred outside the EU and/or EEA (incl. Switzerland) only as allowed by and in accordance with applicable laws. In the absence of EU Commission adequacy decisions, EU Commission standard contractual clauses (e.g. of the controller-to-processor type, EU Commission decision 2010/87/EU) are used as appropriate or suitable safeguards for these data transfers. Copies of the standard contractual clauses will be available through the contact details mentioned above.

If Personal Data is transferred to external data processors (subcontractors or vendors), appropriate contractual arrangements (including EU Commission standard contractual clauses, as applicable), as required by the applicable laws, are executed to secure lawful and appropriate processing of Personal Data.

Personal Data belonging to special categories (e.g. health data) may in some cases be included in these transfers if the case so requires.

Personal Data can be transferred to the following countries for processing:
- Australia
- Austria
- Bangladesh
- Belgium
- Brazil
- Canada
- Chile
- China
- Czech Republic
- Denmark
- Estonia
- France
- Germany
- Greece
- Hungary
- India
- Indonesia
- Italy
- Japan
- Korea
- Latvia
- Lithuania
- Malaysia
- Mexico
- Morocco
- Netherlands
- New Zealand
- Norway
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Romania
- Russia
- Saudi Arabia
- Singapore
- Slovakia
- Slovenia
- South Africa
- Spain
- Sweden
- Switzerland
- Thailand
- Turkey
- Ukraine
- United Kingdom
- United States of America
- United Arab Emirates
- Vietnam

Security Principles of Data File

Personal Data is protected by technical and organizational measures against accidental and/or unlawful access, alteration, and destruction or other processing including unauthorized disclosure and transfer of Personal Data.

Such measures include but are not necessarily limited to proper firewall arrangements, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Personnel processing Personal Data as part of their tasks are trained and properly instructed in data protection and data security matters.

Right to Object Data Processing

In accordance with the law, the data subject has at any time the right to object to the processing of Personal Data on grounds relating to his or her particular situation when the lawfulness of processing is based on the legitimate interest of the data controllers.

In order to use the right to object to processing, the data subject shall contact the above-mentioned contact persons in writing. However, the request may be declined where allowed or required under law.

Other Rights of Data Subject

In accordance with the law, the data subject has at any time the right to:

1) Access the Personal Data on him/her and at request, receive a copy of the Personal Data;
2) Request inaccurate Personal Data to be rectified and incomplete Personal Data to be supplemented;
3) Have outdated, obsolete or otherwise non-compliant, as specified by the law, Personal Data erased;
4) Restrict the processing of the Personal Data on him/her if:
a. Data subject contests the accuracy of the Personal Data;
b. The processing is unlawful and the data subject opposes the erasure of the Personal Data and requests the restriction instead;
c. The data controllers no longer need the Personal Data for the purposes of use, but the Personal Data is required by the data subject for the establishment, exercise or defense of legal claims; or
d. The data subject has objected to processing pursuant to the reason explained above in the section "Right to Object Data Processing", pending the verification of whether the legitimate interests of the data controller override those of the data subject; and/or
5) Lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman).

In order to exercise the above rights, the data subject shall contact the above-mentioned contact persons in writing or use an electronic form located on Konecranes websites (incl. the Konecranes intranet). However, the request may be declined where allowed or required under law.

The data subject should also note that applicable laws may contain restrictions and other provisions that relate to the above rights.

Retention period of Personal Data

According to the European Union Market Abuse Regulation ((EU) 596/2014) and the Finnish Securities Market Act (746/2012, as amended), the Whistleblower Personal Data has to be deleted within five (5) years of the reporting, unless the data is needed for a criminal investigation, pending litigation, an authority investigation or for protecting the rights of the reporter and/or the person being the target of the reporting. Other EU and/or local laws applicable to Konecranes may also include relevant retention requirements, which will be complied with.

Additionally, Konecranes applies the same retention period to such Whistleblowing Personal Data as is processed based on Konecranes' legitimate interest or on the grounds of laws other than those mentioned in the above paragraph.

In addition, retention of Personal Data shall continue beyond the five-year period in case of an extended, justified Konecranes internal investigation (e.g. on the grounds of a breach of the Konecranes Code of Conduct or internal policies).

Provision of Personal Data

When filing a Violation Report, it is voluntary to provide any Personal Data.

However, please note that if the person chooses to access the Whistleblowing Channel through the Konecranes internal network, at least the IP address is always collected (due to technical features related to e.g. the firewall setup) – even in this case Konecranes does not on its own initiative process the IP address further.

In case of being under investigation as the subject of a Violation Report, applicable laws determine whether providing Personal Data is obligatory or voluntary. The data controller shall provide this information case by case when questions are presented.