Our company strives to maintain a transparent business climate and high business ethics. We value the safety and respect of everyone affected by our business. You have a vital role in our success.
We want to do what is right
We want to maintain openness and trust in Renta’s operations. We are committed to conduct business ethically, with integrity and in accordance with applicable laws and regulations.
We want to prevent misconducts and unethical behaviour and therefore we encourage Renta’s employees and stakeholders to report any suspected misconducts or unethical behaviour.
Renta’s whistleblowing channel
Renta’s whistleblowing channel provides an opportunity to report suspected misconducts and unethical behaviour, e.g., corruption, bribery, harassment and other unethical behaviour as well as matters concerning the material scope of the whistleblowing legislation. The whistleblowing channel is not intended for processing reclamations or feedback from customers.
The whistleblowing channel is completely distinct from Renta’s IT environment and it is administrated by the external partner, Whistle B, Whistleblowing Centre AB. The reporting process is encrypted and secured to ensure whistleblower’s anonymity and data protection.
All reports will be taken seriously and are processed confidentially.
The whistleblowing channel is available online in 6 languages. You can submit a report here.
Date 15 October 2021
1. Data controller
Renta Group Oy
Business ID: 2732388-9
Address: Äyritie 12B, 01510 Vantaa
2. The person in charge of the register / contact person
Renta Group Oy
Äyritie 12B, 01510 Vantaa
3. Name of the register
Renta Group’s Whistleblowing Channel register.
4. The purpose and the legal basis for processing the personal data
By establishing and maintaining the Whistleblowing channel, Renta Group can fulfil its regulatory obligations.
The purpose of the register is to process reports received through Renta Group’s Whistleblowing channel. The purpose of the processing the personal data is to ensure and monitor that Renta Group operates in accordance with Code of Conduct and other internal guidelines, as well as legislation and Renta Group’s binding agreements. The objective of the Whistleblowing channel is to ensure that decision-making and internal control system function properly and the data controller complies with principles of good governance in its operations.
The objective of the Whistleblowing channel is to prevent and investigate possible misconducts or other unethical conducts in the operations of Renta Group and take the possible crimes and offences to the authorities when needed. The Renta Group’s channel enables to report suspected misconducts or other unethical conduct, for example corruption, bribery, harassment or other unethical conduct and in matters concerning the material scope of the whistleblowing legislation (for example public procurements, transport safety, consumer protection and protection of the environment).
Processing the personal data is necessary for Renta Group to be able to assess and investigate reported cases and conduct case-specific measures to investigate the matter and close the procedure.
The legal basis for processing the personal data is the legal obligation of the controller (General Data Protection Regulation, article 6.1.c).
In addition, the legal basis for processing the personal data is the legitimate interests of the controller (General Data Protection Regulation, article 6.1.f).
Processing the personal data is based on the EU directive 2019/1937 (Whistleblower directive) which requires Renta Group to establish and maintain an internal whistleblowing channel (Whistleblower directive, article 8.3).
5. Recipients of personal data
Deloitte Oy as an independent partner processes the reports received through the Renta Group’s Whistleblowing channel first. Renta Group’s CEO, CFO and country manager make decisions on further actions.
Renta Group’s Whistleblowing channel is a cloud service administrated by WhistleB Whistleblowing Centre AB.
Renta Group may, on a case-by-case basis, disclose information to external parties, such as authorities, in order authorities to perform their statutory task.
Data is not disclosed for commercial purposes.
6. Transfer of personal data outside the EU or the EEA
Personal data will not be transferred or disclosed to countries outside the EU or the EEA.
7. Data contents of the register and storage of the personal data
Register contains data given by Renta Group’s employees and stakeholders. The given data can concern for example:
Name and contact details of the reporter (if the reporter has given these)
Identification data concerning the subject of the report, such as name and branch (to the extent that these have been reported)
Information about actions adverse to the laws and the Code of Conduct such as informal description of the incident
Information about the investigation, follow-up and closure of the procedure of the matter.
If the reporter has not made the report anonymously, personal data concerning the reporter can be registered.
8. Data sources
Through the Whistleblowing channel, Renta Group’s employees and stakeholders can report both suspected misconducts and matters concerning the material scope of the legislation on the protection of persons who report.
9. Data retention period
Data will be deleted from the register when its processing is no longer necessary, related measures and/or processes are completed or obtained legal validity and retaining data is not required according to the legislation. Data will be deleted within 60 days after related investigations and processes are completed, unless otherwise stated in applicable laws.
10. Principles of protecting the register
The controller is responsible for data stored to the server to be handled according to standard information security practices and instructions given by the controller.
Personal data in the register is protected by technical and organisational measures and the data is stored in electronic systems. Renta Group’s Whistleblowing channel is a cloud service administrated by WhistleB Whistleblowing Centre AB. WhistleB Whistleblowing Centre AB is responsible for the technical protection of the data stored to the register. The technical protection includes e.g. internal information security of the service, access control, data security updates and back ups. In addition to internal tests, the service is regularly tested including penetration testing by external IT security experts.
Only designated and limited group of persons has the right to access the Whistleblowing channel and receive reports. This group contains designated professionals of Deloitte Ltd. who, as an independent partner and as the first instance, process the reports received through the Whistleblowing channel. Anyone who has access to the register’s data is bind by an obligation to maintain secrecy.
11. Rights of the data subject
Right of access: The data subject shall have right to receive confirmation from the controller on whether the controller is processing personal data that concerns them. If data concerning the data subject is being processed, the data subject has right to inspect what data about them is stored in the register. The right to access and right to inspect the data may be rejected based on legal grounds. The data subject may address a written request for the controller.
Right to the rectification of inaccurate data: The data subject shall have the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed. The data subject may address a written request for the controller.
Right to request erasure of data: If the processing of personal data is no longer justified, the data subject shall have the right to request the erasure of personal data. The data subject may address a written request for erasure to the controller.
Right to restriction of processing: The data subject shall have the right to request the controller to restrict the processing of personal data concerning him or her if there are grounds for that. The data subject may address a written request for restriction to the controller.
Right to object to processing: The data subject shall have the right to object to the processing of his or her personal data if there are grounds for that. The data subject may address a written request for objection to the controller.
Right to data portability: The data subject shall have the right to receive the personal data that he or she has provided to a controller in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller. To use this right, the data subject is required to be in contact with the controller in writing.
Right to withdraw the consent to process personal data: The data subject shall have the right to withdraw the consent on what the processing has been based. The withdrawal of consent requires the data subject to address the written request to the collector.
Right to lodge a complaint with a supervisory authority: The data subject shall have the right to lodge a complaint with the controller, processor or supervisory authority (Data Protection Ombudsman in Finland) concerning the infringements in processing of personal data.
12. Automated decisions and profiling
Register’s data will not be used for automated decision-making or for profiling data subjects.