1. Data controller
Suomen Lähetysseura (FELM)
P.O. Box 56, 00241 Helsinki
Tel. +358 9 129 71
Business ID: 0116962-5
2. Name of the register
Reports of Past Misconduct
3. Contact person
Data Protection Officer Liisa Vuori‑Mattila
Maistraatinportti 2 A
P.O. Box 56, 00241 Helsinki
Tel. +358 40 658 3669
tietosuojavastaava (at) suomenlahetysseura.fi
4. Legal grounds and purpose of collecting and processing personal data
Personal data are processed based on the consent of the data subjects (informants) (Article 6(1)(a) of the EU General Data Protection Regulation).
The central legislation includes
- the EU General Data Protection Regulation (679/2016)
- the Finnish Data Protection Act (1050/2018).
The purpose of processing personal data is to provide those who have experienced misconduct, and who voluntarily wish to be heard and discuss the matter with the FELM, an opportunity to share their experiences. In addition, the information is used to develop the FELM’s operations and to improve the protection of individuals in vulnerable positions within its sphere of activity.
The controller does not intend to further process the personal data for purposes other than those for which they were collected. Any such change would require informing the data subject beforehand and providing all relevant additional information.
5. Provision of personal data
Providing personal data is voluntary for the data subject (informant). No identifying personal data are collected from anyone other than the informant.
6. Description of the data, data subjects, and categories of personal data
FELM requests information related to possible past misconduct or other mistreatment of children within the organisation. Reports are collected during the year 2026 for a review to be completed in 2027. Reports may be submitted verbally by phone, via text message, through the whistleblowing channel https://felm.ilmoituskanava.fi/, or by email created specifically for this purpose. Reports can be submitted anonymously or with name and contact information.
Reports are processed by FELM’s safeguarding specialist and an independent panel of experts which makes recommendations on how to proceed. When possible, the aim is to contact the informant to discuss the experience and possible next steps with them. If a report indicates suspected criminal activity, the matter is forwarded to the police.
The register may contain the following information:
• Name of the data subject (informant)
• Contact details
• Consent information
• The data subject’s wishes regarding how their matter should be handled
• The nature of data subject’s involvement to the event
• Description of the case (what kind of abuse has occurred, location, country, timeframe, information about those involved without identifying personal data).
Data may be highly sensitive and include special categories of personal data.
7. Retention period
Personal data are retained until the review has been completed and thereafter anonymized for a maximum of three years.
8. Sources of data
Data are obtained directly from the data subjects (informants).
9. Regular disclosures of data
Reports are handled by the independent panel of experts in its meetings. Data are not disclosed digitally or on paper.
10. Transfer of data outside the EU/EEA
No data are transferred outside the European Union or the European Economic Area.
11. Principles of protecting the data file
Security measures are based on FELM’s information security and data protection policies and its annual data inventory. Risks are assessed and appropriate technical, administrative, and organisational measures are taken to ensure compliance.
Personal data are processed only for the purpose for which they were collected. Only authorised persons may access the data. Access is restricted to the safeguarding specialist, the executive director responsible for the process, the independent panel of experts and system administrators. All individuals processing the data are bound by confidentiality.
Reports are stored in a document management system with access limited to the safeguarding specialist and the executive director. If processing is outsourced, the third party must provide equivalent data protection and security measures.
12. Automated decision‑making and profiling
No automated decision‑making or profiling is carried out.
13. Rights of the data subject
The data subject has the right to:
1) Access personal data concerning them
2) Request rectification of inaccurate data
3) Request erasure of their data
4) Restrict processing of their data
These rights can be exercised by contacting the register’s contact person. The controller must respond without undue delay.
If processing is based on consent under GDPR Articles 6(1)(a) or 9(2)(a), the data subject has the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Processing is based on consent.
14. Right to lodge a complaint with a supervisory authority
Data subject has the right to lodge a complaint with the supervisory authority if they believe their rights have been violated.
