Whistleblowing Service Privacy Notice

Your privacy with ICEYE Whistleblowing service

Last update: 7 May 2024

Scope and overview

ICEYE is committed to protecting the privacy and security of your Personal Data (“Personal Data”). ICEYE is the data controller of the personal data handled through whistleblowing service. The purpose of this Notice is to give you a better understanding of how ICEYE processes your Personal Data.

This notice has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation (“Data Protection Laws”).

Personal Data collected through whistleblowing service is handled to such extent as necessary to conduct an appropriate and sufficient investigation process.

What data do we collect and how?

The following type of Personal Data may be handled through the whistleblowing service:

  • name and contact details of the person who has submitted the message (if they have given such information);
  • identities of the persons named in the message (to the extent such information has been given);
  • information given in the message on the identified person and the actions of the person that are against the law or ethical principles; and
  • information on evaluating the person’s actions and the lawfulness or ethicality of such actions received in an internal investigation process.


Personal Data collection methods are as follows:

  • a message received through the whistleblowing service accessible on our website and possible additional information received from the person who has submitted the message; and
  • material received and/or reported in our internal investigation process.

The purposes of processing

A message can be submitted openly or anonymously through our whistleblowing service. If a person who has submitted a message tells their identity or submits a message concerning the actions of the other person, Personal Data is used for identifying and investigating the wrongdoings as well as possible investigation by the authorities and monitoring the phases of the investigation.

Legal basis for processing

The legal basis for processing are ICEYE’s legitimate interests and mandatory legal obligations to prevent reputational risks and to promote an ethical business activity.

How long do we retain your data?

Except as otherwise permitted or required by applicable law or regulation, we will only retain your Personal Data for as long as necessary to fulfill the purposes we collected it for. Personal Data included in whistleblowing messages and investigation documentation is deleted when the investigation is complete, with the exception of when Personal Data must be maintained according to applicable laws. Investigation documentation and whistleblower messages that are archived will be anonymized under GDPR; they will not include Personal Data through which persons can be directly or indirectly identified.

How do we protect and transfer your data?

We treat your Personal Data confidentially. Access to messages received through our whistleblowing service is restricted to appointed individuals with authority to handle cases. However, individuals who can add expertise may be included in the investigation process when needed.

Our external service provider WhistleB Whistleblowing Centre Ab (World Trade Centre, Klarabergsviadukten 70, SE-107 24 Stockholm) processes the Personal Data on our behalf and acts as a data processor. WhistleB is responsible for the whistleblowing application, including the processing of encrypted data, such as whistleblowing messages. Neither WhistleB nor any sub-suppliers can decrypt and read messages. As such, neither WhistleB nor its sub-processors have access to readable content.

Personal Data is not transferred outside of the European Union or European Economic Area.

Your rights

As a data subject, you have certain rights with regards to your Personal Data and as a data controller ICEYE is responsible for fulfilling these rights. We will respond to your requests in accordance with any applicable law, rule or regulation relating to the processing of your Personal Data.

Details of your rights are set out below:


Request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.

We reserve the right not to complete the request if the request is manifestly unfounded or vexatious. Should you request multiple copies or should you submit more than one request per year, we may charge you a reasonable fee based on administrative costs for the execution of the request.


Request rectification of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.


Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.


Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.


Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:

  • If you want us to establish the data's accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.


Right to lodge a complaint with the supervisory authority. 
Additionally, as a data subject you have the right to file a complaint with the competent Data Protection Authority regarding our processing of Personal Data.

Changes to this notice

This Privacy Notice was updated on 7 May 2024.

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any updates. 

Contacts 

Data controller: 
ICEYE Oy 
Maarintie 6,  
02150 Espoo, Finland 

In all questions concerning the processing of Personal Data and situations related to exercising your rights, you should contact the data controller. You may exercise your rights by contacting privacy@iceye.fi.