State Treasury reporting channel

1. Misconduct reports are made in writing

You can submit a report under your own name or anonymously. The system guides you in submitting the report, and you can be contacted via the system even if you submit a report anonymously. Your report can only be accessed by the persons responsible for the processing of the report.

The State Treasury primarily recommends using the technical reporting channel where you can submit a report, be requested for additional information and contacted otherwise in a secure way.

If using the technical reporting channel is not possible for you, you can also submit a report by sending email to ilmoituskanava@valtiokonttori.fi or by sending a letter to State Treasury/misconduct report, P.O. Box 14, FI-00054 State Treasury. Only the persons responsible for processing the aforementioned reports have access to these addresses.

Reports falling within the scope of the Whistleblower Act can be secondarily submitted to the centralised reporting channel maintained by the Office of the Chancellor of Justice in situations referred to in section 8 of the Whistleblower Act. These include situations where the whistleblower has a justified reason to believe that an internal report has not resulted in adequate measures (under section 16) within the time limit, or that the misconduct cannot be effectively addressed with an internal report, or if the whistleblower has a justified reason to believe that they are at risk of retaliation as a result of the report.

2. Receiving a report and assessing the situation

The reported matter is investigated by the necessary, limited group of persons appointed by the State Treasury. Under the State Treasury’s rules of procedure, these persons are the Head of Division in Administration and Development, the Head of Legal Affairs and the Director of Risk Management.

The persons appointed for the processing function may invite other State Treasury employees or external persons to handle an individual matter as experts on a case-by-case basis. If one of the appointed persons is disqualified, they will not participate in the processing of the matter.

If all persons appointed to the processing function are disqualified, the Director General of the State Treasury appoints new independent persons to be responsible for processing the matter. If the Director General is disqualified in the matter, the matter is transferred to the Ministry of Finance in accordance with the process determined by the Ministry of Finance.

The appointed persons responsible for handling the reports in the processing function are responsible for the preliminary processing of the report and the assessment of the situation. The processing function first makes a decision on whether the report falls within the scope of the Whistleblower Act, or if it is a misconduct report that will be processed under other valid legislation, or if the report is not appropriate for the reporting channel and should be directed to another process, such as customer feedback, request for an administrative review, development proposal or other feedback. In unclear cases, the person submitting the report is asked whether the report could be processed as customer feedback, for example, because the reporting person is not protected in these cases and their personal data is not confidential to the same extent as with misconduct reports.

3. Acknowledgement of receipt or other notification to the person submitting a report

The State Treasury will send an acknowledgement of receipt to the person submitting the report within seven days of receipt; the easiest and most secure method is to use the technical reporting channel.

If a report has been submitted in writing in another way, such as by email or letter, the acknowledgement is sent to the person submitting the report by using the provided contact information in a manner that is as secure as possible, for example by secure email or letter.

If a report is clearly not appropriate for the reporting channel as a misconduct report, the person submitting the report will be notified that the matter will be transferred to another processing process or another responsible party. These may include transferring customer feedback or requests for an administrative review to the correct process within the State Treasury or transferring citizens’ letters to another authority with competence in the matter in question.

If it is not pertinent to transfer a report to another processing process or responsible party, the person submitting the report is informed that no further action will be taken. Such reports may include ones that are wholly incomplete or clearly unfounded.

4. Evaluation of further investigative measures

In the case of a misconduct report appropriate for the reporting channel, the persons responsible for processing the matter appointed by the State Treasury will evaluate which further measures are needed for the investigation and, if necessary, invite some of the State Treasury’s employees or experts outside the State Treasury to investigate the matter as experts.

5. Investigation of the report

The appointed persons in the processing function responsible for processing reports are State Treasury personnel, and they coordinate the investigation. Experts invited to the investigation carry out the investigation of the report and, if necessary, request additional information from the person submitting the report. This is best achieved via the technical reporting channel, which includes an anonymous option. If the report proves to be correct, the persons responsible for processing it will report on the matter to the competent party within the agency according to the State Treasury’s rules of procedure so that measures can be taken to address the misconduct. The persons responsible for processing the report propose the necessary further action based on their findings.

6. Notification of measures to the person submitting the report

The persons responsible for processing the misconduct report will inform the person submitting the report of any further measures within three months of the acknowledgement of receipt of the misconduct report.

The notification of measures is sent with the same method as the acknowledgement of receipt of the misconduct report or with another suitable data secure method, depending on whether the report was submitted in the technical reporting channel, by email or by letter and what kinds of contact details of the person submitting the report provided. Information on the measures is shared to the extent possible, taking into account the three-month time limit, confidentiality and other factors.

7. Findings of the investigation of the report, decision on further measures, corrective measures and closing of the processing

As a result of the investigation, the State Treasury decides, in accordance with its rules of procedure, on further measures and their implementation or concludes that the report will not lead to measures. Corrective measures may for example include the development of processes, controls or internal monitoring, contractual matters, personnel administration measures, reporting an offence, legal action, etc.

If a misconduct report concerns the Director-General, the investigation and decision-making of the report is transferred to the Ministry of Finance. Where possible, the person submitting the report is also informed at a later stage of the final outcome of the investigation.

 8. Notification of received misconduct reports to internal auditing

The persons responsible for processing the report also notify the State Treasury’s internal auditing of any received misconduct reports. Following its rules of procedure, internal auditing can assess, verify or audit operations in accordance with the professional standards of internal auditing.

9. Documentation, recording and archiving the processing of a matter concerning a report

The State Treasury is responsible for storing the material generated in the processing of a report in accordance with current legislation and the organisation’s archiving plan.

The persons responsible for processing the report create a summary file of the documentation in the reporting channel, and the file is archived in the case management system together with the decisions made on the matter.

After archiving, the documentation is removed from the technical reporting channel if the report has been made through it. The publicity of the material is determined in accordance with current legislation.

Misconduct reports under the Whistleblower Act

The Whistleblower Act (1171/2022) entered into force in Finland on 1 January 2023. The Act implemented the EU directive on the protection of persons who report breaches (EU 2019/1937), or the so-called whistleblowing directive. The Whistleblower Act provides protection for persons reporting misconduct who, in the course of their work, detect breaches of EU or national law. This for example includes former and current employees and self-employed workers.

The scope of application of the Whistleblower Act is limited, and protection under it can be granted if a person notices and reports misconduct concerning matters such as public procurement, financial services or consumer protection. The Whistleblower Act prohibits retaliation against the whistleblower. For example, an employer cannot weaken a whistleblower’s terms of employment, terminate their employment relationship or lay them off as a result of a report.

Other misconduct reports

The State Treasury has an ethical reporting channel whose scope goes beyond the Whistleblower Act; the channel also allows misconduct reports that are not detected in connection with work or within the scope of application of the Whistleblower Act. These reports may concern other suspected unethical or illegal activities, such as misuse of public funds, actions that violate guidelines or regulations, disqualification, vested interest, bribery or other offences.

The Whistleblower Act does not apply to these kinds of reports. Instead, they are investigated in accordance with other valid laws applicable to the case and the principles of good administration, with the best possible means of protecting the person submitting the report. Even these reports are mainly processed in the same way as reports under the Whistleblower Act, following corresponding deadlines.

Drafted 16 Dec 2023

1. Controller

State Treasury
Sörnäisten rantatie 13, P.O. Box 14, FI-00054 State Treasury
tel. +358 (0)295 50 2000
registry@statetreasury.fi

2. Contact person in matters related to the register

Tanja Stormbom
tel. +358 (0)295 50 2000
tanja.stormbom@valtiokonttori.fi

3. Data protection officer

Heikki Kangas
tel. +358 (0)295 50 2000
tietosuojavastaava@valtiokonttori.fi

4. Legal basis and purpose for processing of personal data

Purpose of processing
The State Treasury maintains an ethical reporting channel for reporting unethical actions and misconduct connected to the activities of the State Treasury. The reporting channel also serves as a whistleblowing channel whose maintenance is based on the Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law (EU 2019/1937) and on the Act on the Protection of Persons who Report Breaches of European Union and National Law (1171/2022, so-called Whistleblower Act). The Whistleblower Act entered into force on 1 January 2023. Under this act, a person who observes or suspects activities that are contrary to the public interest may submit a report. Reports can be submitted by the State Treasury’s current and former employees and stakeholders.

The Whistleblower Act is limited in scope. The Whistleblower Act applies to reports of offences, infringements, misconduct or other acts or neglect in relation to public procurement, financial services, money laundering and terrorist financing prevention, product safety, road safety, environmental protection, nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, privacy and personal data protection, and the security of network and information systems.

Misconduct reports not falling under the Whistleblower Act are processed by the State Treasury in accordance with other valid Finnish legislation and the principles of good governance. Their subject matter or the kinds of persons who can submit reports are not limited.

Legal basis for processing
For reports falling within the scope of the Whistleblower Act, the grounds for processing are in accordance with Article 6(1)(c) of the General Data Protection Regulation, as the processing of personal data is necessary in these cases to comply with the controller’s legal obligation.

For reports received in the reporting channel that do not fall under the Whistleblower Act, the State Treasury processes them in accordance with valid legislation and the principles of good governance. When processing the personal data included in these other reports, it is carried out in accordance with section 4(1)(2) of the Data Protection Act (1050/2018), due to the processing being necessary and proportionate in the activities of an authority for the performance of a task carried out in the public interest.

The personal data in all reports submitted to the reporting channel and the personal data revealed in the investigation of the reports are used to investigate and prevent possible misconduct.

5. Information content of the register

A report can be submitted anonymously or with one’s name. Regardless of this choice, reports are always processed in a confidential manner and the identity of the reporting person is only known to the persons appointed to the processing of the report and the persons invited to investigate the matter as experts.

Reports may typically include personal data, such as the name and contact details of the reporting person, the person the report concerns and other relevant persons, such as witnesses.

6. Regular sources of data

Data is collected from reports submitted to the reporting channel and, in connection with the investigation of the subject of the report, from the State Treasury’s internal data sources, such as persons potentially involved in the matter and, if necessary, using information from IT systems.

7. Disclosure of data

The processing of all misconduct reports received by the State Treasury through the reporting channel is the responsibility of a separately appointed processing function consisting of the Head of Division in Administration and Development, the Head of Legal Affairs and the Director of Risk Management, who have access to confidential information. If someone is disqualified, they will not participate in the processing of the report. If necessary, the Director General of the State Treasury appoints persons who are not disqualified in the matter.

Under the Whistleblower Act, a person appointed for the processing of a report may provide information on the identity of the person submitting the report and other persons mentioned in the report and other information that directly or indirectly discloses the identity of a person to another person designated for the purpose of determining the accuracy of the report if disclosing the information is necessary to establish the accuracy of the notification. In addition, the appointed person may disclose the same information when necessary to a competent supervisory authority for establishing the accuracy of the report, to a pre-trial investigation authority for the prevention, detection, investigation and prosecution of criminal offences, to a prosecutor for the performance of duties laid down in section 9 of the Act on the National Prosecution Authority (32/2019), or for the establishment, filing or defence of a legal claim in court, or in extrajudicial or administrative proceedings. The person responsible for processing the report at the State Treasury notifies the person submitting the report in advance of the disclosure of their identity, unless such information jeopardises the verification of the accuracy of the report, the pre-trial investigation or the trial. Misconduct reports other than those covered by the Whistleblower Act are processed in accordance with a similar process.

The Head of Internal Auditing at the State Treasury has access to the information provided through the reporting channel in connection with any auditing process when the processing and confidentiality of the matter related to a misconduct report has concluded.

The main reporting channel for all misconduct reports is a service provided and maintained by Webropol Oy. Webropol employees do not have access to the reports in the channel without the express consent of the State Treasury. Find Webropol’s general privacy statement at https://webropol.fi/tietosuojaseloste/.

8. Regular disclosures of personal data or transfer of data to outside the EU or the EEA

No data is disclosed to others or transferred outside the EU/EEA.

9. Principles for register protection

Due diligence is observed in the processing of the register, and data processed using information systems is appropriately protected. Misconduct reports received by letter and email are protected in a manner similar to those submitted via the technical reporting channel. The controller ensures that the stored data is processed in the confidential manner explained above.

Only individuals separately appointed and authorised by the controller have access to the data processed within the information system. Access rights are kept up to date by regular checks. The information network and terminals containing the register are protected using technical measures.

10. Data storage period / criteria for determining storage period

Information received through reporting channels must be deleted five years after receiving a report, unless it is necessary to keep the information for the purpose of fulfilling the rights or obligations laid down in the Whistleblower Act and in other acts or for the purpose of drawing up, presenting or defending a legal claim. Personal data that would clearly not be relevant for the processing of a report is deleted without undue delay. The corresponding storage periods apply to notifications not falling under the Whistleblower Act unless otherwise provided in applicable legislation.

Webropol Oy stores verifications for two weeks.

11. Information about automatic decision-making (e.g. profiling) and information about the logic of data processing and its impacts on the data subject

No automatic decisions or profiling are carried out using the data.

12. Right of access to data (GDPR Article 15)

The right of access of the data subject under Article 15 of the General Data Protection Regulation may be restricted with regards to personal data reported under the Whistleblower Act if this is necessary and proportionate in order to ensure the accuracy of the report or to protect the identity of the person submitting the report. If only part of the data concerning the data subject is excluded from the above-mentioned right, the data subject has the right to access any other data concerning them. The data subject has the right to be informed of the reasons for the above-mentioned restriction and to request that the other information be disclosed to the Data Protection Ombudsman under section 34, subsections 3 and 4 of the Data Protection Act (1050/2018).

In the case of reports not covered by the Whistleblower Act, the data subject’s right of access to the data collected on them may also be restricted by the corresponding justifications and procedures laid down in section 34 of the Data Protection Act. Data access requests are addressed to the State Treasury registry office at kirjaamo@valtiokonttori.fi.

13. Rectification (GDPR Article 16) and erasure (GDPR Article 17) of data

The data subject only has a limited right of access to the recorded data concerning them (see section 12 of this privacy statement) with regard to reports covered by the Whistleblower Act and other misconduct reports. If such other data concerning the data subject can be disclosed to the data subject without jeopardising the processing and investigation of the report, the data subject may request rectification or erasure of the data. Requests should be sent to the State Treasury’s registry office at kirjaamo@valtiokonttori.fi.

14. Right to object to the processing of data (GDPR Article 21)

With regard to reports falling under the Whistleblower Act, the State Treasury processes personal data in order to carry out its statutory duties and the data subject does not have the right to object to the processing of their personal data.

In the case of other misconduct reports, data is processed for the performance of a task carried out in the public interest and the data subject may object to the processing on grounds relating to their particular personal situation. In this case, the processing of the data must be discontinued unless the State Treasury can prove that there is a significant and justified reason for the processing that supersedes the interests, rights and freedoms of the data subject, or the processing is necessary to establish, present or defend a legal claim.

15. Right to restriction of processing (GDPR Article 18)
Article 18 of the General Data Protection Regulation on the data subject’s

right to restrict processing does not apply to the processing of personal data referred to in the Whistleblower Act.

In addition, there is no right to restriction for misconduct reports not falling under the Whistleblower Act as the processing of personal data is based on the State Treasury’s statutory task and the right to access information under Article 15 of the GDPR, the right to erasure of data under Article 17 of the GDPR or the right to object to the processing of data under Article 21 of the GDPR does not apply. However, if other data concerning the data subject can be disclosed to the data subject without jeopardising the processing and investigation of the report, the data subject may request that the processing of their data be restricted. Requests should be sent to the State Treasury’s registry office at kirjaamo@valtiokonttori.fi.

16. Right to lodge a complaint

The data subject has the right to lodge a complaint with a supervisory authority if the data subject believes that their rights have been infringed by the actions of the controller and the controller has not reacted to the matter. The data subject’s rights can be checked at https://tietosuoja.fi/ilmoitus-tietosuojavaltuutetulle

17. Other rights

Personal data is not used or disclosed for use outside any absolutely necessary statutory official activities. Customers can report any data security risks or issues to the State Treasury by email at tietosuojavastaava@valtiokonttori.fi.

18. Use of cookies

Webropol Oy only uses cookies that are mandatory for the use of the service and they are not used for any other purpose. For more information about the cookies on the State Treasury website, see valtiokonttori.fi tietosuojaseloste.