Yle’s ethical reporting channel
Yle’s ethical reporting channel allows Yle employees, interest groups and partners to safely report any suspected cases of misconduct or other unethical activities.
Responsibility is at the core of Yle's public service activities, and we are committed to acting responsibly in all situations. We comply with Yle’s ethical principles (https://yle.fi/aihe/s/yle-code-conduct) and other internal Yle guidelines. In addition, we require our partners to comply with our Yle Supplier Code of Conduct (https://yle.fi/aihe/s/yle-supplier-code-of-conduct). However, if you notice any shortcomings in our activities, we encourage you to report them to us.
Your report can be related to unethical conduct or activities that violate the law, official regulations or Yle’s guidelines, such as non-compliance with public procurement regulations, disqualification in decision-making, bribery, personal data protection, inappropriate behaviour, or harassment.
Other feedback
Please note that this channel is not meant for customer feedback related to Yle’s contents, programmes or moderation decisions. You can find the correct channels for these types of reports in Finnish and Swedish: asiakaspalvelu.yle.fi (https://asiakaspalvelu.yle.fi/s/). In English you can send this type of report to yleinfo@yle.fi.
How we process reports
All reports of misconduct are treated confidentially and investigated independently. Our processing complies with the best data privacy practices. If necessary, you can submit your report anonymously.
Some reports may also fall within the scope of the EU Whistleblower Directive and the Act on the Protection of Persons Reporting Infringements of European Union and National Law, i.e. the Whistleblower Act, if the information concerning the misconduct was received in connection with a work performance. The Act’s exact scope of application can be reviewed here: Act on the Protection of Persons Reporting Infringements of European Union and National Law (https://www.finlex.fi/fi/laki/alkup/2022/20221171%23Pidm45053757341056) (Finlex, available in Finnish and Swedish).
However, the statutory protection of persons reporting infringements only applies to reports that fall within the scope of the Whistleblower Act. Any reports that do not fall within the scope of the Whistleblower Act will be reviewed in accordance with other valid laws applicable to the case and the principles of good administration, while using the best possible means to protect the person who submitted the report.
How we receive reports
Yle’s ethical reporting channel uses a platform provided by an impartial service provider. Yle or the service provider cannot identify the person submitting the report unless they provide their contact information. All reports are processed by a panel that is appointed by Yle and bound by strict confidentiality obligations. After receiving the report, the people reviewing it will assess the need for further investigation.
How we Investigate reports
The people reviewing the report will determine the appropriate investigation method. If necessary, they will ask follow-up questions through the anonymous reporting channel or be in contact through other means of communication provided by the person submitting the report. The people processing the report will determine whether it is
1) a report that falls within the scope of the Whistleblower Act,
2) some other report of misconduct;
3) a report that does fall within the scope of the reporting channel.
The report will not lead to an investigation if it is obvious that:
- the report does not fall within the scope of issues reported in accordance with this guideline, but is instead customer feedback related to Yle’s programmes, subscription services or moderation, or a possible request for rectification and response.
- there is not enough information available on the basis of the report or otherwise to allow for a more detailed investigation
- the reported matter has already been duly investigated, and the report does not contain any significant new information
The person who submitted the report will receive a response within seven (7) days after submitting their report. The response will also indicate which processing category the report belongs to. If the report is clearly incomplete or unfounded, the person who submitted the report will be informed that their report will not be referred for processing or further actions.
All reports are always reviewed confidentially and in a manner that protects the identity of the person who submitted the report. Depending on the case at hand, the investigation may also require the assistance of other specialists or the authorities. The investigation will never involve a person who is the subject of the investigation or anyone who is connected to it.
The people processing the report or any other persons participating in the investigative process will not attempt to identify the person who submitted the report. If the person who submitted the report provided their own name, it will only be disclosed to those who will process the report. However, in some situations (especially in HR-related reports), the investigation of the case may require disclosing information related to the case (including the reporting person’s identity) to other parties involved or assisting in the investigative process. These parties are also bound by confidentiality obligations.
If the suspected misconduct meets the characteristics of a criminal offence, the police will be notified of the matter. If the person submitting the report has disclosed their identity, they will be informed of the possibility that their identity may be disclosed in connection with the authorities’ pre-trial investigation and during any legal trials.
How we store data
The personal data in a report will be deleted when it is no longer needed for any investigative and enforcement purposes, generally no later than one month (30 days) after the completion of the investigation. The investigation documents are anonymised and all name and address information is deleted, as well as any other information that would allow for the identification of the person, either directly or indirectly. The personal data of the persons specified in the report is subject to data protection legislation. The information received through the report will be deleted no later than five years after the arrival of the report, unless there is a necessary reason for storing it.
Legislation affecting the processing of reports and the protection of persons who submit reports, and reports of misconduct that fall outside the scope of the law
Reports of misconduct under the Whistleblower Act
The Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022) (https://www.finlex.fi/fi/laki/alkup/2022/20221171), i.e. the Whistleblower Act, entered into force in Finland on 1 January 2023. The purpose of the Act is to implement the EU Directive on the protection of persons who report breaches of Union law (EU 2019/1937), i.e. the EU Whistleblower Directive. The Whistleblower Act provides protection for persons reporting certain types of misconduct who, in the course of their work, discover breaches of European Union or national law. This includes, for example, former and current employees as well as self-employed persons.
The scope of application of the Whistleblower Act is limited, and it can be used to provide protection to those who notice and report any misconduct related to, for example, public procurements, financial services, and consumer protection. The Whistleblower Act prohibits any retaliative measures against those who submit reports. For example, an employer cannot weaken the terms of an employee’s employment relationship or terminate their employment or lay them off as a result of a report that the employee has submitted.
Alternatively, if a report falls within the general scope of the Whistleblower Act and the scenarios described in section 8 of that Act, it can be submitted to the centralised reporting channel maintained by the Office of the Chancellor of Justice (https://oikeuskansleri.fi/en/whistleblower-protection). These include situations where the person submitting the report has a justified reason for believing that sufficient action has not been taken on the basis of the internal report within the prescribed time limit (section 16), that the infringement cannot be dealt with effectively on the basis of the internal report, or that the person who submitted the report has a justified reason to believe that they are at risk of being subjected to retaliation as a result of their report.
Other reports of misconduct
Yle’s ethical reporting channel can be used to submit other reports of misconduct in addition to those observed in connection with work performances or covered by the Whistleblower Act. These reports can be related to unethical conduct or activities that violate the law, official regulations or Yle’s guidelines, such as disqualification in decision-making, bribery, or inappropriate behaviour or harassment.
The Whistleblower Act does not apply to these reports, but they are investigated in accordance with other valid laws applicable to the case and with the best possible means of protecting the person who submitted the report. In general, most of these reports are processed in the same manner as reports filed under the Whistleblower Act, in compliance with the response times specified in the Act.
Updated 7th of August 2023
This privacy statement describes how we process your personal data to process notifications from the ethical reporting channel, investigate suspected abuses and carry out internal investigations.
1. The controller and the controller's contact details
Data controller
Yleisradio Oy, Uutiskatu 5, P.O. Box 76, FI-00024 Yleisradio
Persons in charge of the register
Päivi Stark, Compliance Officer
Telephone: +358 9 14 801
etunimi.sukunimi@yle.fi
Kirsi Hietanen, Data Protection Officer
Telephone: +358 9 14 801
tietosuoja@yle.fi
If you have any questions regarding the privacy practices of the ethical reporting channel or internal investigations, please contact us at the address below
tietosuoja@yle.fi
2. What is the legal basis for processing personal data and for what purposes is it processed?
You can report suspected abuse through the ethical reporting channel. Personal data need to be processed in order to investigate and prevent suspected abuses and to decide on and implement any resulting penalties.
Reports made through the channel may be related to suspicions of violations of the law or Yle's operating principles.
All notifications are processed confidentially by the notifier and the subject of the notification and other independent persons responsible for protecting the privacy of the persons concerned. The processing of personal data complies with the requirements of the General Data Protection Regulation (EU) 2016/679, the Act on the Protection of Privacy in Working Life (759/2004) and the Data Protection Act (1050/2018). Personal data received through the ethical reporting channel are only processed to the extent necessary to properly and adequately investigate the reported suspicion.
The purposes of the processing of personal data are:
- Maintaining the ethical reporting channel and processing reports, implementing and documenting internal reports. The processing of personal data is based on obligations under the Whistleblower Protection Act or labour law. In addition, the legal basis for the processing is the legitimate interests of occupational safety and well-being as well as the promotion of Yle's ethical principles and internal guidelines as well as responsible activities and the prevention of abuses. In addition, as an employer, Yle has a statutory duty to intervene and an obligation to deal with harassment or other inappropriate treatment that causes harm or danger to the employee's health that it becomes aware of and to take action to eliminate the problem.
- Demonstrating compliance with Yle's statutory obligations and drawing up and presenting a legal claim or defending such a claim. The processing is based on the legitimate interests related to the legal protection of Yle or a third party.
The channel does not set restrictions on what information an individual notification can contain. Any specific personal data, such as health information, or other sensitive information, such as information on criminal convictions or offences, are processed on the basis of obligations based on Yle's regulations on the protection of whistleblowers. In cases of harassment and inappropriate treatment or cases related to occupational safety, the processing of specific personal data is also necessary in order to comply with the controller's or the data subject's labour law obligations or rights. The processing of specific personal data may also be necessary for the establishment, presentation or defence of a legal claim.
Profiling and automated decision-making
Automatic decision-making is not used in the service.
3. What personal data do we process?
Notifier (Yle employee or stakeholder)
As a rule, notifications can be submitted either anonymously or by your name. The ethical reporting channel has been implemented in such a way that no technical identification data are collected on the person submitting the report.
The notifier may voluntarily add their personal data to the notification, such as
- Name
- Location information
- Contact information
- Financial information
- Behavioural information
- Picture or video.
In addition, the following is processed:
- Message content and other communication.
Even if the notification is made anonymously, the facts or other content of the notification may make it possible for the notifier to be indirectly identifiable on the basis of this information. However, no attempt is made to establish the identity of the person submitting the report.
Subject of the notification (Yle employee or stakeholder)
The notification may contain information about the behaviour and circumstances of the target of the notification, as well as other personal information, such as:
- Name
- Location information
- Financial information
- Behavioural information
- Image
- Videos
- Information related to internal reports.
External persons (other persons mentioned in reports or related to reports)
The notification may contain information about the behaviour and circumstances of the target of the notification, as well as other personal information, such as:
- Name
- Location information
- Financial information
- Behavioural information
- Image
- Videos
- Information related to internal reports.
Processors of the notification
The following personal data is collected on the processors of the notifications
- Name
- Job title
- Username and password
- Communications and notifications
- Email address
- Logging information
- Device ID
- Time stamp
- IP address.
4. Where is the data collected?
Personal data provided by the notifier is collected through Yle's ethical reporting channel or other communication channels if the notifier has submitted their contact details.
In addition, during internal audits and investigations, personal data is collected from Yle's internal systems and registers when necessary, such as access control, camera or payment traffic or information systems, and from third parties, such as partners.
5. To whom do we disclose personal data?
Authorities, internal audit and providers of investigation services for misconduct
We disclose information necessary for investigating suspected misconduct and criminal offences to the authorities and possibly to our internal audit partner or providers of misconduct investigation services.
The supplier of the ethical reporting channel Navex or its subcontractors do not have access to the information in the reporting channel.
6. In which countries can your personal data be processed?
Service provider: Navex (supplier of the ethical reporting channel)
Target country: EU/ ETA
United States*
Categories of personal data to be transferred: All data processed in the system
Data transfer method: Commission standard contractual clauses
Commission Decision (2021/914/EU) (https://eur-lex.europa.eu/legal-content/FI/TXT/PDF/?uri=CELEX:32021D0914&from=EN)
Service provider: Microsoft (supplier of the server environment)
* Under US intelligence law, information held by US companies may be requested to be disclosed to the US authorities even if the server environment is located in the EU or EEA.
We take protective measures to maintain the high level of protection of personal data required by European data protection legislation even after the transfer of personal data. In the ethical reporting channel, the data is encrypted using Yle's own encryption keys, and the provider of the ethical reporting channel or server environment does not have access to the data.
7. What kind of rights do you have in relation to your personal data?
Data protection legislation guarantees you different rights related to the processing of personal data. These rights are implemented at Yle in a centralised way through https://yle.fi/tietosuoja. When sending a request, the sender will undergo a strong identification process by using their online banking codes or a mobile certificate.
However, we would like to point out that these rights guaranteed by legislation are not entirely unrestricted. Requests related to the rights of the data subject are processed on a case-by-case basis, and their implementation will take into account the possible impact on the processing of the notification and the safeguarding of the investigation. For example, we cannot delete your data if the legislation applicable to us requires the retention of personal data or enforces the right to check personal data with regard to the data in the reporting channel in cases in which providing the data violates another person's protected right or interest or endangers the investigation of the report.
Right to access your data. You always have the right to receive confirmation of whether we process your personal data. If we process your personal data, you always have the right to access and the right to receive a copy of this data. We may ask you to clarify your request if necessary, for example regarding the details of providing the information.
We cannot exercise your right of access when the provision of information violates another person's protected right or interest or compromises the investigation or follow-up of the notification.
Right to rectification of your personal data. If you feel that the personal data we process are incorrect, incomplete or outdated, you can ask us to correct such personal data.
Right to delete your personal data. In certain situations, you can ask us to delete personal information about you. Please note, however, that we may not be able to delete information that still needs to be stored e.g. due to a certain statutory obligation or other particularly weighty reason, such as an ongoing investigation of misconduct or documentation of an investigation.
Right to object and restrict the processing of your personal data. You have the right to object to the processing of your personal data. However, this does not mean a general right to oppose all processing of your personal data, but is limited to situations when the processing is based on a legitimate interest. We have the right to continue processing personal data despite your opposition if we have a particularly weighty reason for the processing. Such reasons may include investigating suspected abuse.
You also have the right to request that the processing of your personal data be restricted, for example, when you dispute the accuracy of your personal data.
Right to lodge a complaint with the supervisory authority. If you suspect that we have, for example, unlawfully processed your personal data, you always have the right to submit a notification to the supervisory authority. The legality of the processing of personal data in Finland is supervised by the Office of the Data Protection Ombudsman, whose contact details can be found here: https://tietosuoja.fi/en/home
8. How long do we store your personal data?
As a rule, the data is stored for a maximum of five (5) years from the date of the notification. Before archiving a case, unnecessary information is removed from the notifications.
The data will be stored after five years if it is necessary to retain the data in order to safeguard the rights of criminal investigations, pending legal proceedings, official investigations or the person making the report, the person subject to the notification or Yle.
Retention periods are based on the provisions on the protection of whistleblowers and statutes of limitations in accordance with labour, criminal or damages legislation as well as our legitimate interest in investigating abuses.
9. How do we ensure the confidentiality and security of personal data?
The reporting channel has been implemented so that no technical identification data are collected on the person submitting the report. We also do not monitor the use of the service or clicks to the address in question. If desired, the notification can be anonymously submitted, which means that we cannot determine the identity of the sender of the notification. All communications in the ethical reporting channel are encrypted with end to end encryption, in addition to which the information in the system is encrypted using Yle's own encryption keys.
10. Can changes be made to this privacy statement?
The processing methods presented in this privacy statement may change and thus this privacy statement may be updated. The changes may be based on changes in legislation. We will keep this statement up to date and recommend that you review its contents regularly.
How to submit a report
If you wish to report a suspected case of misconduct, visit Yle’s ethical reporting channel through the link below. The report can be submitted under your own name or anonymously. The report can also be submitted by phone. After submitting your report, you will receive a code that you can use to return to the service. The system guides the person submitting the report, and it can also be used to communicate with the person who submitted the report, even if they submitted it anonymously.
Reports concerning the protection of personal data or the security of network and information systems can also be submitted to this address instead of the ethical reporting channel: tietosuoja@yle.fi. However, in this case, we will not be able to ensure the protection of the reporting party described in the Whistleblower Act.
How we will respond to a report
We will respond within seven (7) days, and we will also inform the person who submitted the report of the processing category that the report falls under. If, however, the report is clearly incomplete or unfounded, we will respond that no further action will be taken. We may send the person additional questions through the reporting channel in the course of the investigation.
In addition to the aforementioned, if the report falls within the scope of the Whistleblower Act and the person who submitted the report disclosed their identity, we will notify them of any follow-up measures within three months. In the event that the investigative process exceeds this period, we will keep them informed of the investigation’s progress and conclusion.
The person who submitted the report will be informed of the results of the investigation into the allegations in the appropriate manner, taking into account the privacy of the individuals against whom the allegations have been made and any other issues related to confidentiality.