Whistleblowing Transparency Notice

This Notice  applies to all individuals submitting a whistleblowing report or whose personal data is processed in connection with a report.

1. Who we are

Controller is Patria Plc Address Arkadiankatu 2 FI-00100 Helsinki, Finland.
Data Compliance Manager Azahara González Compliance Manager for Internal Controls [email protected]. Address Hatanpään Valtatie 30 FI-33100 Tampere, FINLAND.
Whistleblowing Channel access can be made via channel access is: https://patria.speakup.report/en-GB/patria/home

2. Purpose of the whistleblowing channel

We operate a whistleblowing channel to:

  • Receive, assess, and investigate reports of suspected misconduct
  • Comply with EU and applicable national whistleblowing legislation
  • Prevent and detect unlawful, unethical, or improper conduct
  • Protect whistleblowers against retaliation

The whistleblowing channel is not intended for general HR grievances, unless required or permitted by applicable local law.  We ensure appropriate handling, investigation, and retention of whistleblowing reports in accordance with the Speak Up Procedure and applicable local law.

3. Who can use the whistleblowing channel

Reports may be submitted by individuals who fall within the personal scope of applicable whistleblowing laws, including:

  • Employees, former employees, and job applicants
  • Contractors, consultants, agency workers, and temporary staff
  • Shareholders, board members, and trainees
  • Suppliers and other business partners
  • Any other person protected under applicable whistleblowing legislation

4. Categories of personal data processed

Depending on the nature of the report, we may process the following categories of personal data:

a) Data relating to the reporting person

  • Name and contact details (unless reporting anonymously)
  • Employment or professional relationship
  • Information voluntarily provided in the report

b) Data relating to persons concerned by the report

  • Name, job title, function, and organisational role
  • Description of alleged conduct and related factual information

c) Other data

  • Witness statements
  • Supporting documentation
  • Technical metadata (e.g. dates, times, system identifiers)

Reporters are strongly encouraged not to include unnecessary personal data, in particular special category data, unless strictly relevant to the report.

5. Legal basis for processing

Personal data is processed on the basis of:

  • Article 6(1)(c) GDPR – compliance with a legal obligation under EU and national whistleblowing laws
  • Article 6(1)(f) GDPR – legitimate interests in preventing misconduct, ensuring compliance, and protecting the organisation and individuals
  • Article 6(1)(e) GDPR, where applicable, where the organisation performs tasks in the public interest

Where special category data is processed:

  • Article 9(2)(g) GDPR – substantial public interest
  • Article 9(2)(f) GDPR – establishment, exercise, or defence of legal claims

6. Confidentiality and anonymity

  • Reports are handled only by authorised and trained personnel
  • The identity of the reporting person is kept confidential and disclosed only where legally required
  • Anonymous reporting is permitted where allowed or required by national law
  • Any form of retaliation against whistleblowers is strictly prohibited

External reporting and escalation

Where required or permitted under applicable national law, reporting persons may have the right to:

  • submit a report to an independent internal recipient designated under local law; and/or
  • make a report to competent external authorities where internal reporting channels are unavailable, inappropriate, or ineffective.

In certain circumstances defined by national law, reporting persons may also be entitled to make a public disclosure, including where there is an imminent or manifest danger to the public interest or where external reporting has not led to appropriate action.

The availability, conditions, and procedures for external reporting or public disclosure vary by jurisdiction.

Further information is provided in the relevant country-specific annex.

7. Use and investigation of reports

Personal data is processed in order to:

  • Assess the admissibility of the report
  • Investigate the reported concerns
  • Take appropriate corrective or disciplinary measures where justified
  • Fulfil legal reporting or cooperation obligations
  • Establish, exercise, or defend legal claims

No automated decision-making or profiling is carried out in connection with whistleblowing reports.

8. Recipients of personal data

Access to personal data is strictly limited to:

  • Internal compliance, legal, audit, or HR functions on a need-to-know basis
  • External investigators, auditors, or legal advisers engaged under confidentiality obligations
  • Competent authorities, courts, or regulators where required by law

9. International data transfers

Where whistleblowing data is transferred outside the EEA:

  • Transfers are safeguarded using EU Standard Contractual Clauses
  • Supplementary technical and organisational measures are applied where required
  • Transfers occur only where lawful and necessary

10. Retention of personal data

Whistleblowing reports and associated personal data are retained only for as long as necessary, in accordance with:

  • the purpose of processing the report,
  • applicable whistleblowing and data protection laws,
  • the Patria Speak Up Procedure, including the documented description of data processing activities, and
  • any applicable jurisdiction‑specific retention requirements set out in Section 13 (Annexes).

Different retention criteria apply depending on how a case is handled

a) Speak Up Channel cases resolved without further investigation

Reports that are:

  • assessed and resolved within the Speak Up Channel, and
  • not escalated to a formal investigation, audit, or Board‑level process,

are retained in accordance with the retention period defined in the Speak Up Procedure and supporting records of processing activities.

Once the matter is closed and no further action is required, personal data is deleted or anonymised without undue delay, unless retention is required by applicable law.

b) Cases requiring deeper investigation or escalation

Reports that:

  • require a formal investigation,
  • involve external investigators or consultants,
  • lead to an additional investigation report, and/or
  • are escalated to Audit Committee or Board level,

may be retained for a longer period, where necessary, in order to:

  • complete the investigation and follow‑up actions;
  • address potential or actual legal claims;
  • comply with audit, governance, regulatory, or statutory obligations; or
  • establish, exercise, or defend legal claims.

In such cases, personal data is retained for as long as necessary for these purposes, subject to:

  • applicable statutory limitation periods; and
  • mandatory maximum retention periods or deletion obligations under national law, as set out in the relevant jurisdiction‑specific annex.

Extended retention (including retention for several years) applies only where legally justified and permitted and does not override shorter retention or deletion requirements imposed by applicable national law.

After the applicable retention period has expired, personal data will be deleted or irreversibly anonymised, unless continued retention is required by law (e.g. litigation holds, regulatory investigations, or defence‑ or security‑related obligations).

11. Data subject rights

Data subjects have the right to:

  • Access their personal data
  • Request rectification or erasure
  • Request restriction of processing or object to processing
  • Lodge a complaint with a supervisory authority

Certain rights may be restricted, where permitted by law, to protect investigations, confidentiality, or the rights of others.

12. How to exercise your rights

Requests may be submitted to [email protected].
You may also lodge a complaint with your local supervisory authority.
If you have any questions about how we process your personal data, or if you wish to exercise your data protection rights, you can contact our Data Protection Contact at  [email protected].
If you believe that your personal data has not been processed in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) or applicable national data protection law, you  also have the right to lodge a complaint with a Supervisory Authority.

In particular, you may contact the Supervisory Authority in the country where:

  • You normally live,
  • You work, or
  • The alleged infringement of data protection law has taken place.

For individuals located in following countries, the competent supervisory authority is:

Finland
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
P.O. Box 800
00531 Helsinki
Finland
Email: [email protected]
Telephone: +358 29 566 6700
Website: www.tietosuoja.fi

Please note that contacting our  Data protection Contact  does not limit your right to lodge a complaint with a supervisory authority.

The Netherlands
Netherlands -Autoriteit Persoonsgegevens
Hoge Nieuwstraat 8, 2514 EL The Hague, The Netherlands Website: https://autoriteitpersoonsgegevens.nl
Phone number: +31 88 1805 250

Belgium
Belgium -Autorité de protection des données
Website: https://www.autoriteprotectiondonnees.be/citoyen
Phone number: +32 (0)2 274 48 00
Email: [email protected]

Sweden
Sweden -Integritetsskyddsmyndigheten
Postal address Box 8114, 104 20 Stockholm, Sweden
Phone number: +46 (0)8 657 61 00
Email: [email protected]

Latvia
Address: Elijas iela 17, Riga, LV-1050, Latvia
Phone: +371 6722 3131
Fax: +371 6722 3556
Email: [email protected]
Website: https://www.dvi.gov.lv/

13. Jurisdiction-Specific Annexes

The following annexes apply in addition to this Whistleblowing Transparency Notice where the reporting person or the persons concerned are located in the relevant jurisdiction.

Annex A – Finland 

Additional Whistleblowing Information

This annex applies to reports falling within the scope of Finnish law.
Processing is governed by the Finnish Whistleblower Protection Act (1171/2022).
Anonymous reporting is permitted. The identity of the reporting person is subject to strict confidentiality and may be disclosed only in the limited circumstances provided by law.
Employee representatives may be informed or consulted where required.
Personal data must be relevant, proportionate, and retained only for as long as necessary in light of occupational safety and employment law obligations.

Annex B – Belgium 

Additional Whistleblowing Information

This annex applies to reports subject to the Belgian Whistleblowing Act.
Anonymous reporting is permitted.
Statutory deadlines apply for acknowledgement of receipt and feedback to the reporting person.
The confidentiality of the identities of the reporting person and any persons concerned is mandatory.
Whistleblowing data is generally retained for a maximum period of five (5) years, unless longer retention is legally required.
Depending on the sector and organisational structure, social dialogue bodies (e.g. Works Council or trade unions) may be involved.
Under Belgian law, the organisation must designate an independent and impartial person or department to receive and follow up on whistleblowing reports.

Reporting persons are informed of their right to submit reports:

  • internally, via the designated whistleblowing channel; and
  • externally, to the competent Belgian authorities, in accordance with the Belgian Whistleblowing Act.

The confidentiality of the reporting person’s identity is protected in all cases.
External reporting and escalation rights apply under the conditions and timeframes set out in Belgian law.

Annex C – Sweden 

Additional Whistleblowing Information

This annex applies to reports governed by the Swedish Whistleblowing Act.
The personal scope of protection is broad and includes employees, job applicants, and other categories defined by law.
Anonymous reporting is permitted and strong protections against retaliation apply.
Whistleblowing procedures must be clearly separated from ordinary HR grievance mechanisms.
Processing must comply with Swedish labour law principles, including proportionality and fairness.
 

Under Swedish law, reporting persons are entitled to make:

  • internal reports via the organisation’s whistleblowing channel; and
  • external reports to competent authorities designated under Swedish law.

Public disclosure may be permitted in circumstances defined by law, including where there is an overriding public interest or where external reporting has not resulted in appropriate action.

Whistleblowing procedures must remain clearly separated from ordinary HR grievance processes.

Annex D – The Netherlands 

Additional Whistleblowing Information

This annex applies under the Dutch Whistleblowers Act.
An internal whistleblowing procedure is mandatory and anonymous reporting is permitted.
The Works Council must be involved in the establishment and material modification of the whistleblowing procedure.
A clear distinction must be maintained between integrity-related whistleblowing reports and labour disputes.
Retention periods must be documented and justified.

Under the Dutch Whistleblowers Act, reporting persons have the right to:

  • submit a report internally via the organisation’s whistleblowing procedure; and
  • report externally to the competent authority designated under Dutch law.

Where internal reporting does not lead to appropriate action, or where reporting internally is not reasonable, reporting persons may make an external disclosure in accordance with the Act.
The Works Council is involved in the establishment and material modification of the whistleblowing procedure.

Annex E – Latvia

Additional Whistleblowing Information

This annex applies under the Latvian Whistleblowing Law.
Anonymous reporting is permitted.
Strict confidentiality obligations apply to the identity of the reporting person and other individuals concerned.
Internal investigation procedures are mandatory.
Personal data is retained only for the duration necessary to investigate the report and comply with legal obligations.
Retaliation against whistleblowers is prohibited.

Annex F – Germany 

Additional Whistleblowing Information

This annex applies under the German Whistleblower Protection Act.
Anonymous reporting must be enabled.
Employee participation rights under the Works Constitution Act  must be respected where applicable.
Whistleblowing systems must be strictly separated from performance evaluation and disciplinary HR systems.
As a general rule, whistleblowing data must be deleted within three (3) years after case closure, unless longer retention is required by law.
Transparency obligations must be balanced with strong employee protection rights.

14. Updates to this notice

 Dated April 8th 2026.
This notice may be updated to reflect legal or operational changes.
The most recent version will always be made available