NOTIFICATION CHANNEL DATA PROTECTION DESCRIPTION
(whistleblowing)
Last updated: 12 December 2025
1. Data controller
Lejos Oy
Business ID: 2777579-7
Address: Keilaranta 10 E, 02150 Espoo, Finland
Phone: +358 207 413 800
2. Contact person for data protection matters
Name: Lotta Mäkelä
Email: lotta.makela@lejos.fi
3. Personal data processed
The notification channel (https://lejos.ilmoituskanava.fi) processes data of the notifications,
which may include personal data concerning:
− The person making the notification (whistleblower)
− The subject of the reported issue
− Other individuals mentioned in the notification
In addition, the controller collects personal data of the handlers of the notifications for the
purposes of processing the notifications and managing access rights.
4. Purposes of processing
− Receiving and processing notifications
− Investigating and examining the reported issues
− Implementation of the organisation’s internal control processes
− Compliance with applicable legislation
− Reporting to authorities when necessary
5. Confidentiality of the whistleblower’s identity and security measures
Notifications can be submitted anonymously. The handlers of the notifications do not receive
metadata or IP addresses that could reveal the identity of the whistleblower. All reports are
encrypted at the time of creation using strong symmetric and asymmetric encryption
algorithms, which cannot be decrypted or altered afterwards. All traffic within the notification
channel is protected with an SSL certificate, and all sessions are forced to use the HTTPS
protocol.
Only authorised personnel have access to the contents of the notifications. Handlers only
receive information about the reporting time and the content of the notification. Each handler
uses their own unique login credentials.
The whistleblower may voluntarily provide their name and contact details. Such identifying
information will not be disclosed to third parties without explicit consent, unless this is
required for the appropriate handling of the report, such as in cases involving reporting to
authorities or similar actions.
The service provider of the notification channel, the Finland Chamber of Commerce, cannot
see the content of the notifications because all notifications are strongly encrypted.
Therefore, the service provider cannot determine which reports or attached files contain
personal data. The individual responsible for the technical maintenance of the system does
not have the right to access the notification database.
6. Legal basis for processing
The processing of personal data is based on the EU Whistleblower Directive and the Finnish
Whistleblower Protection Act (1171/2022).
− Legal obligation (GDPR 6.1.c): Compliance with whistleblowing legislation
− Legitimate interest (GDPR 6.1.f): Prevention of misconduct
− Special categories of personal data (GDPR 9.2.b, 9.2.f, 9.2.g): Processing of sensitive data
based on consent
− Data relating to criminal offences (GDPR 10): Processing within the limits permitted by law
The relationship between the Whistleblower Directive and the GDPR is addressed in Articles
13 and 17 of the Directive and in Recitals 83 and 84. As a general rule, the requirements of the
GDPR apply to whistleblowing processing as well.
7. Sources of data
− The whistleblower
− Information received from other individuals or systems during the investigation
− Other internal data sources of the company relevant to the investigation
8. Recipients of personal data
− Designated notification handlers
− Individuals appointed to the whistleblowing investigation team
− Authorities, where required
9. Data protection impact assessment
A Data Protection Impact Assessment (DPIA) has been conducted during the planning phase
of the notification channel and prior to its implementation.
10. Transfer of data outside the EU/EEA
All data stored in the notification channel service is kept within the EU. No data is transferred
outside the EU/EEA.
11. Storage period
Notifications are stored in the notification channel service for one (1) year and are not
archived afterwards. Notifications are stored in an encrypted format in the database.
12. Rights of the data subject
A data subject has the following rights in relation to their personal data, where the
exercise of such rights does not compromise the anonymity of the whistleblower:
− Right of access to personal data relating to themselves
− Right to request the correction of inaccurate or incorrect data
− Right to request the restriction of data processing
− Right to request erasure of data
− Right to lodge a complaint with the supervisory authority (Office of the Data Protection
Ombudsman)
The data subject’s rights may be limited to the extent and for as long as necessary to
safeguard the investigation related to the notification.
13. Voluntary provision of data
Submitting a notification is voluntary.
14. Prohibition of false notifications
Notifications must be made in good faith. The whistleblower must have reasonable grounds
to believe that the suspected misconduct is genuine. If the whistleblower intentionally
provides false or malicious information, this constitutes a serious violation, which may lead to
employment-related, civil, or criminal consequences.