Notes on Data Privacy
PROTECTING PERSONAL DATA AT LOWELL
The thorough processing and protection of your data are important to us. We also want to make sure that you know your rights related to the processing of personal data.
We take data protection and confidentiality very seriously and adhere to the provisions of the EU General Data Protection Regulation (EU-GDPR) as well as current national data privacy legislation. Please read this data privacy information carefully before submitting a report.
In this privacy policy, we describe how we process personal data in conjunction with the whistleblowing platform (BKMS® System) and procedure. The reporting system is operated by a specialised company, EQS Group GmbH, Bayreuther Str. 35, 10789 Berlin in Germany, on behalf of Lowell Nordic.
1. DATA CONTROLLER AND CONTACT INFORMATION
The data controller in the whistleblowing procedure is Lowell Nordics Oy (2788135-4), PB 20, 20101 Turku, Finland (Helsinki, Finland), on its own behalf and on behalf of the following subsidiaries:
- Lowell Suomi Oy (0140351-4), Helsinki, Finland
- Lowell Sverige AB (556209-5363), 412 93 Göteborg, Sweden
- Lowell Finans AS, (913 953 517), PB. 6354 Etterstad, 0604 Oslo, Norway
- Lowell Norge AS, (979 683 529), PB. 6354 Etterstad, 0604 Oslo, Norway
- Lowell Danmark A/S, (18457970), Langmarksvej 57 D, 8700 Horsens, Denmark
2. DATA PROTECTION OFFICER
Each Lowell entity has appointed a Data Protection Officer who can be contacted by post at Lowell Suomi Oy, Data Protection Officer, P.O. Box 20, FI-20101 Turku, Finland, or by e-mail at tietosuojavastaava@lowell.com.
Questions on data protection and privacy can also be sent to:
- Denmark: DPO.Denmark@lowell.com
- Sweden: DPO.sverige@lowell.com
- Norway: DPO.norge@lowell.com
3. PURPOSE AND LEGAL BASIS OF PROCESSING
We process the personal data received through the whistleblowing system (BKMS® System) or other channels to detect, investigate, and prevent misconduct in violation of the laws and the compliance rules of Lowell, in accordance with current legislation.
The processing of personal data is based on the legal obligation and legitimate interests of our company to detect, prevent, and investigate misconduct and thus avoid damage to Lowell, its employees, clients, and customers. Article 6 (1) (c) and (f) of EU-GDPR serve as the legal basis for this data processing.
4. CATEGORIES OF DATA SUBJECTS AND DATA
In conjunction with whistleblowing cases, we may process personal data of the whistleblower, the person who is the subject of the whistleblowing report, and any person who is found to be linked to suspected misconduct on the basis of the report.
Handling of whistleblowing reports may involve processing of special category and/or criminal offence data which is necessary for the establishment, exercise, defence, or settlement of legal claims.
Filing a whistleblowing report takes place on a voluntary basis. If you submit a report via the whistleblowing system, we collect the following personal data and information, if you choose to disclose them:
- your name
- your relationship with Lowell Nordic
Concerning the person who is subject to the whistleblowing report, we may process the following personal data, if you choose to disclose them:
- name
- contact information
- information about employment details
- information about the reported wrongdoing
- information about actions and observations based on investigation of the case
Concerning a person who is found to be linked to the suspected misconduct, we may process the following personal data, if you choose to disclose them:
- name
- contact information
- information about employer and profession
- information about the relationship with Lowell Nordic
As a basic principle we are bound by law to inform the accused persons that we have received a report concerning them, unless this threatens further investigations into the report. In doing so, the identity of the whistleblower is not revealed as far as is legally possible.
5. DATA SOURCES
Personal data is collected from the whistleblower and from the employees of the controller and companies belonging to the same group as the controller. In addition, personal data may be accumulated in the controller's own activities when processing the notification.
6. ACCESS TO AND DISCLOSURE OF PERSONAL DATA
Personal data and information entered into the reporting system are stored in a database operated by EQS Group in a high-security data centre. Only Lowell Nordic has access to the data. EQS Group and other third parties do not have access to the data. This is ensured in the certified procedure through extensive technical and organisational measures.
All data are stored encrypted with multiple levels of password protection so that access is restricted to a very small selection of expressly authorised persons at Lowell Nordic.
Incoming reports are received by a small selection of expressly authorised and specially trained employees of the Compliance department of Lowell Nordic and are always handled confidentially. The employees will evaluate the matter and perform any further investigation required by the specific case.
During the processing of a report or the conduct of a special investigation, it may become necessary to share reports with authorities (e.g., police) and additional employees of Lowell Nordic or employees of other group companies, e.g., if the reports refer to concerns in subsidiaries. Due to this, your personal data may be transferred outside the European Union and European Economic Area, as some of the Lowell Group's companies are located in the United Kingdom. Data transfer to the UK is based on the EU Commission adequacy decision.
All persons who receive access to the data are obligated to maintain confidentiality.
7. DATA STORAGE PERIODS
The data received through the reporting channel is retained for the time periods stated below after receipt of the report, unless the data received is necessary for the establishment, exercise, or defence of legal claims. Personal data that are clearly not relevant to the processing of the report are erased without undue delay.
The retention period is as follows for the respective countries:
- Finland: five (5) years
- Sweden and Denmark: two (2) years
- The retention period for Norway will be according to national legislation once it has been approved and adopted.
8. DATA SUBJECT'S RIGHTS
As a data subject related to the whistleblowing procedure, you have the following rights:
- Right to access the data. However, the data subject's right of access may be restricted with regard to personal data reported in the whistleblowing procedure if it is necessary and proportionate to ensure the accuracy of the report or to protect the identity of the whistleblower.
- Right to rectification of the data.
- Right to erasure of the data.
- Right to restriction of processing. However, the data subject's right to restrict processing in the whistleblowing context may be restricted by national legislation.
- Right to object to processing. If the right of objection is claimed, we will immediately examine to what extent the stored data is still necessary for the processing of a report.
If you want to exercise your right to access your personal data, you can request your data from here:
- Finland: tietosuojavastaava@lowell.com
- Denmark: DPO.Denmark@lowell.com
- Sweden: DPO.sverige@lowell.com
- Norway: DPO.norge@lowell.com
RIGHT TO MAKE A COMPLAINT
You have the right to file a complaint if you believe that the processing of your personal data is not lawful. Please refer to the relevant data protection agency for the Nordic countries.
In Denmark, this authority is the Datatilsynet:
Office of the Datatilsynet, Exchange: +45 33 19 32 00, Street address: Carl Jacobsens Vej 35, 2500 Valby. Email: dt@datatilsynet.dk
In Finland, this authority is the Data Protection Ombudsman:
Office of the Data Protection Ombudsman, Exchange: +358 29 56 66700, Street address: Lintulahdenkuja 4, 00530 Helsinki, Postal address: P.O. Box 800, 00521 Helsinki, Finland. Email: tietosuoja@om.fi
In Norway, this authority is the Datatilsynet:
Office of the Datatilsynet, Exchange: +47 22396900, Postal address: Postboks 458 Sentrum 0105 Oslo. Email: postkasse@datatilsynet.no
In Sweden, this authority is IMY:
Office of the IMY, Exchange: +46 (0)8 657 61 00. Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden. Email: imy@imy.se
9. MISCELLANEOUS
Use of the reporting portal
Communication between your computer and the reporting system takes place over an encrypted connection (SSL). Your IP address will not be stored during your use of the reporting system. In order to maintain the connection between your computer and the BKMS® System, a cookie is stored on your computer that merely contains the session ID (a so-called session cookie). This cookie is only valid until the end of your session and expires when you close your browser.
It is possible to set up a postbox within the reporting system that is secured with an individually chosen pseudonym/username and password. This allows you to send reports to the responsible employees at Lowell Nordic either by name or in an anonymous, safe way. This system only stores data inside the reporting system, which makes it particularly secure. It is not a form of regular e-mail communication.
Note on sending attachments
When submitting a report or an addition, you can simultaneously send attachments to the responsible employees of Lowell Nordic.
If you wish to submit an anonymous report, please take note of the following security advice: Files can contain hidden personal data that could compromise your anonymity. Remove this data before sending. If you are unable to remove this data or are unsure how to do so, copy the text of your attachment into your report text or send the printed document anonymously to the address listed in the footer, citing the reference number received at the end of the reporting process.
Date: March 2023