Whistleblowing Privacy Statement - Updated March 2023
Why and how we process personal data?
- We at KPMG Oy Ab and KPMG Baltics OÜ (together “KPMG”, separately “KPMG Finland” and “KPMG Estonia”), process personal data only to the extent necessary for the purpose of carrying out our whistleblowing process which includes for example documenting and archiving the reports, investigating the reported matter and taking necessary steps to address it.
- Only certain authorized KPMG employees are authorized to handle whistleblowing reports as part of their tasks. These persons include reviewers of the report handling the matter but also persons acting as a “second pair of eyes” to ensure reports and the reported matter is handled appropriately and with care.
- Personal data is not mandatory to provide within the report, however this might affect the investigation process if we don’t have enough information to investigate the matter.
- Personal data is obtained from the reporter if they provide their personal data to us but also from other data subjects as part of their accounts of the matter, such as interviews.
- Personal data is stored for as long as necessary for investigating the matter, implementing any remedial measures or necessary follow-up actions. Personal data is however deleted at the latest five years after the report has been submitted, unless data retention is necessary to exercise rights provided in applicable legislation or to support any initiated legal proceedings. Any personal data deemed unnecessary for the purpose of processing the report will be deleted.
- We process personal data based on our legal requirement regarding having a whistleblowing channel in place and functioning as well as our legitimate interest in ensuring compliance with applicable laws.
What personal data do we process?
- Personal data within the reports: We processes any personal data that the reporter has provided within their report. This data may concern the reporter or other relevant persons.
- Reporter’s data (if provided): Reporters may provide their name and contact details at their own discretion – however an individual might be identified during the investigation process as a result of additional enquiries depending on the reported matter.
To whom personal data is disclosed?
- Personal data is not disclosed on a regular basis to third parties. However, our partner Clearview is responsible for technical implementation of the whistleblowing channel and therefore can in certain specific circumstances have access to personal data, such as technical support. Clearview however does not have direct access to personal data within the system by default. Personal data regarding whistleblowing reports may be processed only in certain predetermined systems.
- Disclosures may be necessary to authorities if required by law, for investigating possible suspicions of misconduct, to initiate an investigation, or if the report contains information that gives rise to a suspicion of a criminal offence.
- Personal data may be disclosed to other parties if necessary, e.g for legal proceedings or otherwise required under applicable law.
Is personal data transferred outside EU/EEA?
- Data processed in the whistleblowing channel is hosted within Canada which is recognized by the European Commission as a country providing an adequate level of data protection (adequacy decision). In addition, we have a contract in place which obligates Clearview to appropriate safeguards to ensure protection of your personal data.
- If the reporter uses KPMG International Hotline, personal data will be disclosed to the relevant employees at KPMG International processing whistleblowing reports. KPMG will ensure that any transfers are subject to adequate safeguards with respect to the protection of privacy and the fundamental rights and freedoms of individuals.
What data protection rights do you have?
- Data subjects have the right to access their personal data, request correction, removal and restriction of personal data and the right to object to the processing of your personal data. Please contact privacy@kpmg.fi for KPMG Finland and dpo@kpmg.ee for KPMG Estonia if you wish to exercise these rights.
- KPMG will fulfil your rights to the extent reasonably possible, since we must take into account the sensitive nature of whistleblowing reports and ensure investigations are not endangered. In other words, KPMG may have valid reasons to refrain from acting in accordance with your request for instance if you do not provide contact details or if fulfilling the request would endanger the course of a criminal or other investigation.
- You also have the right to lodge a complaint with the local supervisory authority (Finnish Data Protection Ombudsman for Finland and Estonian Data Protection Inspectorate for Estonia) if you think that your data protection rights have been violated.
What security measures do we have?
- Strict access control is implemented as described above.
- Reports are reviewed for any unnecessary personal data which will be deleted from the reports. Archived data will be stored in a separate secure system outside the channel to ensure integrity of the data.
- Clearview is contractually bound to implement and maintain adequate security measures.
- No automated decision-making exists, and every report goes through human eyes.
More information on data protection at KPMG can be found in our Privacy Statement.