Whistleblowing and Investigations Data Protection Notice

The purpose of this Whistleblowing and Investigations Data Protection Notice is to provide persons involved in our whistleblowing or investigations processes with information of their personal data processing and protection. This Data Protection Notice provides a general description of such personal data processing. Therefore, all details provided in this Data Protection Notice may not apply to your case in particular.

Whistleblowing and Investigations Data Protection Notice

What personal data of mine is processed?

If you are a suspected person in an investigation:

a. Identification and General Personal Data;
b. Professional Data; and
c. Case Involvement Data.

If you are otherwise directly involved person in an investigation (such as alleged victim or witness):

a. Identification and General Personal Data;
b. Professional Data; and
c. Case Involvement Data.

If you belong to Konecranes management or act as an investigator:

a. Full name;
b. Role; and
c. E-mail address and other contact details.

If you have other investigation connection:

a. Full name;
b. Role;
c. Employer;
d. E-mail address and other contact details;
e. Case Involvement Data; and
f. Other information that may be necessary for the achievement of the purpose of the processing as specified under “Legal basis for the processing and purpose of use of the Personal Data”.

Examples of data attributes include:

Professional Data includes, for example:

Case Involvement Data includes, for example:

Who is responsible for processing my personal data?

Konecranes Plc (established in Finland and being the parent company of Konecranes Group) has the overall responsibility and supreme decision-making power. Konecranes Global Corporation (established in Finland) has the limited responsibility for Konecranes Group centralized IT systems/applications (incl. subcontracting) as well as international transfers of personal data outside EU/EEA.

You can contact us by sending an email to data.protection(a)konecranes.com

What permits the use of my personal data?

We rely on two lawful rights permitting and requiring us to use your personal data:

  • Fulfilment of our and your mandatory legal obligations and rights related to our and your position in an investigation; and
  • Our legitimate interest to use your personal data for the purposes related to our investigation (in such cases where investigation has to be executed on other grounds than fulfilment of mandatory  legal rights and obligations)

Why is my personal data processed?

Generally, we use your personal data to fulfil our data controller responsibilities as a publicly listed company (and related group of companies). We need your personal data also to fulfil our obligations and targets related to ensuring financial security in the international financial markets and in the auditing and reporting practices as well as the commitment to fight against bribery, banking and financial crime or insider trading.
In detail, we use your personal data for the following purposes:
1) Handling, conducting, management and execution of incident investigation;
2) Incident reporting (incl. creation, maintaining and distribution of individual violation reports and management reports);
3) Initiation, handling, management and execution of consecutive and corrective actions (i.a. legal proceedings, authority processes and/or other required or necessary actions) based on incident and/or violation report;
4) Protection of whistleblowers and other parties involved in an incident and/or violation report;
5) Archiving of non-active personal data in the scope of other purposes of uses and defined retention rules; and
6) Ensuring the integrity of KC Group business environment and processes (incl. system/security monitoring for the prevention or inspection of misuse as the case may require);

How do I benefit from my personal data processing?

Our use of your personal data enables and supports fair, efficient and legally compliant treatment of you in connection with our investigations.

Especially, if you are or become a suspect within our investigation, the proper and planned use of personal data serves an integral part in protecting your fundamental rights and freedoms (such as right to justice and right to neutral, objective and discrete investigation)

What rights do I have?

At any time, you have the right to:

  • Object the processing of your personal data which is based on our legitimate interest;
  • Require reprocessing of personal data processed by automated decision-making process in accordance with the law.

At any time, you have also the right to:

  • Gain access to your personal data;
  • Verify the accuracy of your personal data;
  • At your request, have your incomplete, inaccurate or outdated personal data modified or erased; and
  • Under certain circumstances, restrict the processing of your personal data;
  • Under certain circumstances, be forgotten by us; and
  • Lodge a complaint with a supervisory authority.

You can exercise these rights by sending us email to data.protection(a)konecranes.com or by filling out the form in

What adverse effects might the processing cause to me? How are these effects mitigated?

As required by mandatory data protection laws, we have completed a thorough analysis concerning the risks potentially caused by our personal data  processing to your rights and freedoms.

As with any data processing, certain risks are possible also in ours relating mainly to

  • the level of  confidentiality of your personal data;
  • general data security matters; and 

We mitigate these risks actively i.a.by:

  • continuously training our personnel,
  • providing and developing detailed instructions; and
  • implementing and enhancing our data security practices.

From where is my data collected and obtained?

Data subject reporting the Incident him-/herself, or as subject of the Incident and/or Violation Report.

Employees, managers, directors and third parties relating to the Incident, its investigation and Violation Report.

Internal and external systems and data bases (for example public registers, commercial data bases including information e.g. on politically exposed persons and individuals subject to trade sanctions and law enforcement activities).

Does my personal data leave from EU/EEA?

Yes, depending on the case we may transmit your personal data outside EU/EEA:

  • inside our group of companies but also to our external business partners who provide services to us or to whom the current investigation concerns.

Your personal data may be transferred to following countries for processing:

Who else processes my personal data?

We use reliable subcontractors to provide us e.g. with IT services enabling our personal data processing - these services include, without limitation, provision of different infrastructure, software and applications utilized routinely in contact data processing within global groups of companies.



Who else will receive my personal data?

As a rule, we do not disclose your data out of our effective control except if so required by the law in case a court or the police or other law enforcement agency has asked us for it.

Additionally, your data may be disclosed in a limited manner to our trusted business partners.

How is my data secured?

Your personal data is protected by technical and organizational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of your personal data.

Such measures include but are not necessarily limited to proper firewall arrangements, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Personnel processing your personal data as part of their tasks is trained and properly instructed in data protection and data security matters.

How long is my personal data kept and used?

According to European Union Market Abuse Regulation ((EU) 596/2014) and Finnish Securities Market Act (746/2012, as amended), your personal data has to be deleted in five (5) years from the reporting, unless the data is needed for criminal investigation, pending litigation, authority investigation or for protecting the rights of the reporter and/or the person being target for reporting. Also other EU and/or local laws applicable to Konecranes may include relevant retention requirements, which will be complied with.

Additionally, Konecranes applies the same retention period also to such personal data that is processed based on Konecranes legitimate interest or on the grounds of other laws as those mentioned in the above paragraph.

Furthermore, retention of your personal data shall continue despite exceeding the five-year period in case of extended Konecranes justified internal investigation (e.g. on the grounds of breach of Konecranes Code of Conduct or internal policies).

Is it not possible to do business without processing my personal data?

In case of being under investigation as the subject of a Violation Report, applicable laws determine whether providing Personal Data is obligatory or voluntary.

When filing a Violation Report it is voluntary to provide any Personal Data.

However, please note that if the person chooses to access Whistleblowing Channel through Konecranes internal network, at least IP address is always collected (due to technical features related to e.g. firewall setup) – even in this case Konecranes does not in its own initiative process the IP address further.