Processing of personal data in the whistleblowing channel

In accordance with the EU General Data Protection Regulation, a person must be given information if his personal data is recorded in a personal register. Personal information includes, for example, name and address information. The registered person must also be informed about the purpose of personal data processing, where the data is regularly disclosed and about the rights of the registered person.

This document outlines how the City of Vantaa processes your personal data in the whistleblowing channel.

Updated 29.3.2023

Notification channel and more information about suspected abuse: Whistleblowing channe


1. For what purpose are personal data processed?  

Personal data are processed in connection with determining the truthfulness of suspected misconduct reported in the reporting channel system. Personal data are processed only when necessary and used as specified in the appropriate legislation. 

The data will not be used for any other purposes, such as direct marketing or commercial purposes.  

2. The basis of data processing 

The processing is based on the national Act on whistleblower protection to implement the European Union’s Whistleblower Protection Directive.  

Legal basis for data processing: 

Article 6(1)(c) of the EU General Data Protection Regulation (2016/679):  

Section 6 of the Data Protection Act (1020/2018) 


3. What personal data are being collected, and who provides such data? 

The data collected includes the whistleblower’s name, telephone number, email address, and other personal data stated in the report. Such other personal data may include, for example, information about the whistleblower, the subject of the report or other persons as disclosed by the whistleblower.   


4. Is the provision of personal data necessary? 

It is not necessary to provide personal data; the report can also be made anonymously. 


5. Are personal data disclosed to third parties? 

The person responsible for processing the report may disclose the identity of the whistleblower and other persons mentioned in the report and any other information from which their identity may be directly or indirectly deduced to a person designated to verify the accuracy of the report if it is necessary to verify the accuracy of the report. If necessary, information may also be disclosed to authorities under the conditions laid down by law.  


6. How are personal data protected? 

Data security and data protection have been secured by various technical and organisational measures to ensure your privacy. For example, personal data may be processed only by persons who need it to perform their work or official duties and only to the extent required by an individual task. In the client data system, this is monitored, among other things, by using log information. Paper documents are kept in city archives in a safe place that no outsider can access. 

Staff is bound by the obligation of professional confidentiality and will continue to be bound by it also after the end of their employment. 


7. Are personal data transferred outside the EU or EEA? 

Personal data will not be processed outside the EU or EEA. 


8. What does the city do in case of a security breach? 

Despite the protection measures, it is possible in exceptional cases that your personal data may be subject to a security breach or end up in the hands of a third party. In these cases, we will take immediate measures to rectify the situation. If the breach causes a risk to you, we will notify the Data Protection Ombudsman. The notification shall be made no later than 72 hours after discovering the breach. If the security breach poses a high risk, we will also notify you of the security breach.   


9. How long are the data kept? 

The data are saved in the system when the suspected misconduct is reported. The data shall be deleted, in accordance with legislation, five years after the receipt of the report unless their retention is necessary for the performance of rights or obligations provided by the appropriate law or other law or for the establishment, exercise or defence of legal claims. Personal data that are clearly irrelevant to the processing of the report shall be deleted without undue delay. 


10. Will the data be used for profiling or automatic decision-making? 

Your information will not be used for profiling or automatic decision-making.   


11. What rights does a data subject have, and how can the rights be exercised? How long does processing a case take? 

Data subject means the person whose personal data are being processed. If we process your personal data, you have the right to check which data are being processed. 


We recommend submitting an access request via a separate form available through the website and Vantaa Info desks. If you would like more information about the processing of personal data or your rights, please contact the contact person listed in section 15 below. The statutory requirements regarding exercising your rights will be confirmed on a case-by-case basis once your identity has been verified.  


We will fulfil the requests without undue delay, but in any case, no later than within one month of receiving each request. If necessary, the deadline may be postponed by a maximum of two months based on the complexity of the request and the quantity of the information. If the deadline is postponed, you will be notified. 


13. Is there a fee for the exercise of one’s rights?  

As a general rule, exercising one’s rights is free of charge. However, we may collect a reasonable fee corresponding to the administrative costs or refuse a request if the request in question is clearly unfounded, unreasonable or recurring. We will contact you if we intend to collect a fee for completing your request. If we refuse to complete your requested measure, you will be informed in writing of the grounds for the refusal and your right to refer the matter to the Data Protection Ombudsman or resort to other legal remedies. 


14. How can I make a complaint to the supervisory authority? 

If you suspect that your personal data is being processed unlawfully, you can submit an appeal to the Data Protection Ombudsman. More information and instructions on submitting an appeal are available from the contact person specified in section 15 and on the website of the Office of the Data Protection Ombudsman and the office’s telephone guidance service: 


Office of the Data Protection Ombudsman/ 

Visiting address: Lintulahdenkuja 4, FI-00530 Helsinki 

Postal address: PO Box 800, FI-00531 Helsinki 

Email: tietosuoja(at)  

Tel. (exchange): +358 29 566 6700 

Tel. (helpline for private individuals): +358 29 566 6777 


15. Where can I request more information, and who is the controller? 

For more information on the processing of personal data, please contact the contact person listed below. Please note that email is not a safe medium for processing personal data. As such, please do not send sensitive information, such as your personal identity code, via email. 


Contact person 

Pentti Asumus 

Audit Director 

City Strategy and Management/Internal Audit 


tel.: 0400-701970 



City of Vantaa                      

Business ID 0124610-9   

Asematie 7, FI-01300 Vantaa             


Data protection officer 


Registry office     

Postal address: PO Box 1100, FI-01030 Vantaan kaupunki 

Visiting address: Vantaa Info Centre Tikkurila, Dixi, Ratatie 11, 2nd floor, 01300 Vantaa. 

Tel. (exchange): 09 839 11 

Fax +358 9 8392 4163, email: kirjaamo(at)     


Data protectionInformation requests