Whistleblowing Channel Privacy Notice

Updated on 31 July 2025. Lumme Energia reserves the right to make changes to this privacy notice. Changes to the privacy notice may also be based on changes in legislation.

1. CONTROLLER AND CONTACT PERSON

Lumme Energia Oy (hereinafter “Lumme Energia”)

Business ID: 2038931-6

Street address: Prikaatinkatu 3A, 50100 Mikkeli

Phone: 029 1800 056 (local network charge/mobile call charge)

Website: www.lumme-energia.fi

Joint controller: Suur-Savon Sähkö Oy

Contact person in register matters: Mikko Alftan, tietosuoja@lumme-energia.fi or tel. +358 40 560 1240.

2. NAME OF THE REGISTER

Personal Data Register of the Whistleblowing Channel for External Stakeholders.

3. PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING

The whistleblowing channel is used to monitor the implementation of Lumme Energia’s Supplier Code of Conduct. The purpose of processing personal data is to monitor and investigate suspected misconduct and unethical behavior. The data may also be used for the development, analysis, and statistical reporting of internal control and risk management.

The processing of personal data is based on Lumme Energia’s legitimate interest in obtaining information about misconduct related to the company and its operations in order to address such matters, as well as to ensure the ethical and lawful conduct of external stakeholders. As a result of a balancing test, it has been concluded that the rights and freedoms of data subjects do not override Lumme Energia’s legitimate interest.

Lumme Energia provides its personnel with an internal whistleblowing channel, which is accessible via the company’s intranet. In relation to this internal whistleblowing channel, the processing of personal data is also necessary for the data controller to comply with a legal obligation. The processing is based on the Whistleblower Act (Act on the Protection of Persons Reporting Breaches of European Union and National Law, 1171/2022). For the avoidance of doubt, when Lumme Energia’s personnel report suspected misconduct via the external whistleblowing channel, the legal bases for processing personal data are compliance with a legal obligation and legitimate interest.

4. CATEGORIES OF PERSONAL DATA

The content of the register is based on the information provided by the person submitting the report. The register may contain the following types of personal data concerning the whistleblower, the subject of the report, and other individuals involved, such as witnesses:

  • Name and contact details of the whistleblower (a report can also be submitted anonymously)
  • Details of the report, such as the name of the subject, information related to the alleged unethical or unlawful conduct (including place and time), and information on witnesses
  • Information related to the submission and processing of the report, as well as related communications (including the report code and status)
  • Any other information voluntarily provided by the whistleblower.

In addition, information is stored about individuals who process reports submitted through the whistleblowing channel.

The accuracy of the personal data contained in the reports cannot be verified in advance, but efforts are made to ensure their accuracy during the investigation of suspected misconduct. Personal data deemed irrelevant or excessive for the purposes of the case will be deleted. As a rule, special categories of personal data are not processed in connection with the whistleblowing procedure.

5. REGULAR SOURCES OF PERSONAL DATA

The primary source of personal data is the whistleblower. In addition, personal data may be collected and generated during the processing of whistleblowing reports. This may include information obtained from individuals potentially involved in the matter and data retrieved from relevant IT systems. Other sources of information may be used where permitted by applicable legislation.

6. REGULAR DISCLOSURES OF PERSONAL DATA

At Lumme Energia, personal data is processed exclusively by specifically designated individuals within the company's compliance and sustainability function. Reports and related investigations are carried out by a limited group of designated personnel. Personal data may be disclosed to third parties, such as authorities or external auditors, only on a legal basis as provided by applicable law.

7. DATA RETENTION

Personal data held in the whistleblowing channel is retained for a maximum of one (1) year from the last active event between Lumme Energia and the data subject. Personal data received through the whistleblowing channel, as well as data collected during the investigation, will be deleted five (5) years after the initiation of the handling process, unless retaining the data is necessary for the exercise or fulfillment of rights or obligations under the Whistleblower Act or other applicable legislation, or for the establishment, presentation, or defense of a legal claim.

If the case proceeds to court, the data will be retained for the duration required by legal proceedings. The key consideration regarding retention periods is the reversed burden of proof related to the prohibition of retaliation. If the whistleblower alleges having been subjected to retaliatory measures, Lumme Energia has the obligation to demonstrate that no such retaliation has taken place.

Personal data that is clearly irrelevant to the processing of the report will be erased without undue delay. Likewise, any information related to a claim that has been found to be unfounded will also be erased without delay.

8. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA

Personal data will not be disclosed or transferred outside the EU or the EEA.

9. PRINCIPLES OF REGISTER PROTECTION

Personal data in the register is protected in accordance with applicable legislation and with due regard to information security. The whistleblowing channel does not store IP addresses or other data that could be used to identify the whistleblower. In addition, a data protection impact assessment (DPIA) has been conducted for the whistleblowing channel. The system provider of the whistleblowing channel, Granite Partners Oy, has described its information security and data protection principles on its website.

10. RIGHTS OF THE DATA SUBJECT

As a data subject, you have various opportunities to influence the processing of your personal data. However, the processing of data falling within the scope of the Whistleblower Act is subject to certain restrictions described below. If you wish to exercise your rights, requests will always be assessed on a case-by-case basis in accordance with the legislation.

We will process the data subject’s request as soon as possible and without undue delay. If you wish to exercise the right of access, we ask that you use the information request form. The request form is available in Finnish and requires strong identification. Lumme Energia will fulfill the data subject’s request no later than one (1) month after receiving it and verifying the requester’s identity, unless there is a specific reason to extend the response time.

When the processing of personal data is based on the controller’s legitimate interest, the data subject has, under certain conditions, the following rights:

  • The right to be informed about the processing of personal data
  • The right of access
  • The right to rectification
  • The right to erasure (the right to be forgotten)
  • The right to restrict processing
  • The right to object to the processing of personal data.

The above-mentioned rights are subject to specific limitations when the processing of personal data falls within the scope of the Whistleblower Act.

The data subject does not have the right of access to personal data if disclosing the information could hinder the prevention or investigation of criminal offences, or if it could cause serious harm to the rights of another individual. If only part of the data is subject to such restrictions, the data subject has the right to access the remaining data concerning them.

The right to rectification or erasure applies only to data for which the right of access has not been restricted.

The right to restrict processing does not apply to personal data processing carried out under the Whistleblower Act.

To exercise your rights, please contact the data protection contact person referred to in Section 1 of this privacy notice.

If the data subject considers that their personal data has been processed in violation of this privacy notice or applicable data protection legislation, they have the right to lodge a complaint with the competent supervisory authority. The contact details of the Finnish Data Protection Authority are available at: www.tietosuoja.fi.