Whistleblower privacy policy statement

Finnish legislation law henkilötietolaki (523/1999) 10§ and 24§
EU General Data Protection Regulation (GDPR) article 30

1. Owner of the register

Name (business ID)

Raumaster Oy


Nortamonkatu 34, 26100 RAUMA

Additional contact information (for ex. phonenumber, email)

02 837 741

2. Point of contact


Data protection officer

Petri Laukkanen


Nortamonkatu 34, 26100 RAUMA

3. Name of the register

Personal register of the Whistleblower data warehouse of the M-Files document management system

4. Purpose of processing personal data

Processing and managing reports of unethical activities addressed to the Raumaster Group.

5. Information contained in the register

Groups of registrants are the notifiers and the persons mentioned in the notices.


E-mail address

6. Basis for processing


Legal obligation

7. Source of information

From the data subject

8. Is it a necessary requirement to provide personal data and the consequences of not providing data

Registrants can submit notifications anonymously, but in that case they will not receive a response to receive and process the notification if the email address is missing.

9. Period for which the personal data is stored

Notifications and reports of their solutions are kept for 8 years.

10. Is information from the register transferred outside the EU or EEA


11. Are automatic decisions being made based on the data


12. Right to withdraw consent

The notifier may withdraw her consent to process her notification by notifying the registrar through the Whistleblower portal.

13. Other rights of the data subject

Right to restrict processing of data

Right to check their information on the system

Right to rectification of data

Right to erasure of data

14. How can the data subject use their rights

The data subject may exercise the above rights by contacting the data controller through the Whistleblower portal.

14. Right to lodge a complaint

Every data subject has the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence or where he or she is employed permanently or where the alleged infringement of rights has taken place, if the data subject considers that his or her rights under the Data Protection Regulation have been infringed, without this limiting other administrative and judicial redress.