Last updated 8 June 2023

We want to do what is right – Our whistleblowing service

At Lumene Group reliability and long-term success are built on ethically sustainable operations, the basic principles of which are documented on our Code of Conduct. 

The whistleblowing service provides an opportunity to our employee or external party to communicate anonymously and confidentially on suspected wrongdoings or illegal activities affecting people, our organisation, society, or the environment. The whistleblowing service makes wrongdoings less likely to occur in the first place and shows our commitment to operate in a fair way.

You can raise your concern anonymously or openly by using our Reporting channel, managed by a third-party, WhistleB. You do not need proof of your suspicions, but all messages must be made in good faith.

Access to reporting channel, allowing anonymous messaging and dialogue here.

Whistleblowing reports are available to the Lumene whistleblowing team and other selected and trusted parties, when necessary. Cases are handled taking the interests of all the persons involved into account. Personal data is deleted or anonymised when the case is closed or no longer needed.

The Reporting channel can be reached on any device, including smart phones.
For more information, please see:


Lumene Oy (“Lumene”) or Cutrin Oy (“Cutrin”), (each also a “Controller”, “we”, “us” or “our”) acts as a controller to the personal data that is collected and processed through the Lumene Group’s whistleblowing system. The controllership between Lumene and Cutrin is determined based on to which of the two companies the report submitted through the whistleblowing system relates.

As a controller, we carry the ultimate responsibility for the processing of personal data processed in connection with the whistleblowing process. Privacy is about trust, and protecting the privacy and personal data of the data subject whose personal data we process is of utmost importance to us. Therefore, we collect personal data only to the extent we need the data to investigate the matters reported through our whistleblowing system.

This Privacy Notice describes the means and purposes of processing of personal data within our whistleblowing process, considering both the whistleblower who reports a matter through the whistleblowing system and the person subject to such whistleblowing notification as well as other persons involved in the process (such as witnesses). Please note that if the notification is made on anonymous basis, we do not process the personal data concerning the whistleblower, unless the notification includes such data which could lead to indirect identification and is considered as personal data in that sense.


Lumene Oy PL 27 02781 Espoo FINLAND  Cutrin Oy PL 27 02781 Espoo FINLAND
Kirsi Utti
+358 509114883
kirsi.utti (at) lumene.com
Kirsi Utti
+358 509114883
kirsi.utti (at) lumene.com


The purpose of the whistleblowing system is to obtain information on any occurred or alleged violation or misconduct within the Lumene Group. The related personal data is used to investigate the matters reported through the whistleblowing system and, when allegation is validated to be true, to execute the required measures to rectify the circumstances and to seek for remedies.

Processing is conducted on the following legal bases:

  • processing is necessary for compliance with our legal obligations to which the communication is related,
  • processing is necessary for the purposes of legitimate interests pursued by the Controller when a communication on alleged misconduct is submitted, and to ensure the lawful and ethical conduct of our employees, suppliers, business partners and other third parties with whom we conduct business, and
  • processing is necessary for the performance of a task carried out in the public interest (such as reports of breaches of laws in the areas serving an important objective of general public interest).


The Controller collects personal data provided in the whistleblowing communications made via the whistleblowing system, by phone or by e-mail. In addition, during any investigation of the matter, personal data are collected, to the extent necessary, from our internal systems and from third parties, such as authorities, our customers and cooperation parties, encompassing also information that is given prior to the investigation and relates to the alleged misconduct.

We process only personal data that is necessary for investigating of the reported matters, including:

  • Basic information, such as name and other identifying information, contact details, and position within or association with the Controller,
  • Reported information that includes all information provided in the whistleblowing notification, such as the subject of the notification, description of alleged misconduct, basis for such allegation and any other information related thereto, and
  • Investigation information that means any information required to investigate the alleged misconduct.

If the notification includes clearly unnecessary information, we process such information solely for its erasure.

No sensitive personal data (such as racial or ethnic origin, religious or similar beliefs, sexual life and orientation, health, political affiliations, trade union membership) is generally processed in connection with the whistleblowing procedure. In case any sensitive data is to be processed, the processing is carried out in accordance with the local and EU laws, for example if the processing is necessary for the establishment, exercise or defence of legal claims.


4.1 Disclosures of Personal Data

Within the Controller, the personal data is accessed and processed by employees who are in charge of or conduct the investigations. Such access is limited to persons who have a strict need-to-know basis for the processing of personal data for the abovementioned purposes. Our aim at all times is to ensure as far as possible the confidentiality of the information received and to protect the whistleblower’s identity and all other persons involved.

We may transfer personal data to other companies within the Lumene Group or to external service providers, such as entities providing the whistleblowing system to us, legal advisors and external auditors. We will only provide these parties the information they need to deliver the services agreed, and we require that these parties agree to process personal data based on our instructions and in compliance with this Privacy Notice. We use a third-party vendor for technical implementation of the whistleblowing system. We have concluded data processing agreements with our data processors to ensure data protection.
We may disclose your personal data for example to the competent authorities without notice if we are required to do so by law or if we in good faith believe that such action is necessary to conform to the provisions of the law or comply with legal process served on us; to protect and defend the rights or property of the Lumene Group; or to act in urgent circumstances to protect the safety of the public.

4.2 International Transfers of Personal Data

We use partners in business activities requiring the processing of personal data, and in this context, we or our partners may, in accordance with applicable legislation, process personal data anywhere in the world and thus transfer the personal data also outside EU or EEA area. In regard to transfers of personal data to countries where the local data protection legislation does not provide adequate level of data protection, the transfers are based on appropriate safeguards, such as the standard contractual clauses approved by the European Commission or a competent supervisory authority.

More information about the appropriate safeguards we use is available by email from the contact person above.


After the investigations are completed and the case is definitively closed, the material gathered during the investigation is safely stored until the relevant claim period pursuant to law has expired, after which the material is destroyed. As a general rule, the data will be retained for up to two (2) years as of the completion of the investigation. To ensure integrity of data and non-discrimination the same general rule is applied to all notifications. The information may be retained for a longer period if necessary to comply with any mandatory legal requirement, such as laws regarding safety at work, corruption, ethical matters and accounting or due to an ongoing criminal or disciplinary investigation, trial or authoritative investigation or to safeguard the rights of the whistleblower or the person subject to the notification.

In case the allegations are entirely unsubstantiated and without merit, the data regarding the subject of the communications will be deleted without undue delay.


Each whistleblower and person whose acts have been reported have a right to:

  • Obtain from us confirmation as to whether or not personal data concerning him/her are being processed, and a copy of such personal data,
  • request from us rectification of data concerning him/her, in case there are errors or if the data is inaccurate or deficient,
  • request from us personal data concerning him/her to be erased, and
  • obtain from us restriction of the processing his/her personal data.

Please note that the aforementioned rights are subject to preconditions provided by law, and we may have right to refuse a request, for example if it could adversely affect the rights and freedoms of others, such as encumber the investigation of suspected infringements. In case the request is refused, the requestor shall be informed of basis for such refusal.

The request on aforementioned rights must be in writing and sent to the contact address above. The requestor should be prepared to provide evidence on his/her identity.

In addition, each data subject has the right to file a complaint with the competent supervisory authority (in Finland, the Office of the Data Protection Ombudsman) regarding our processing of personal data.


We reserve the right to update and modify this Privacy Notice. Unless otherwise provided by mandatory applicable legislation, we may not personally post changes to this Privacy Notice to the data subjects in person.

If for some reason you believe that we have not adhered to the foregoing, please notify us by email to the contact address above, and we will do our best to determine and correct the problem promptly.