Breaches of law

1. ADMINISTRATOR

The administrator of your personal data is GWW Grynhoff i Partnerzy Radcowie Prawni i Doradcy Podatkowi spółka partnerska with its registered office in Warsaw at 4 Książęca Street (00-498 Warsaw), entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw in Warsaw, XII Economic Division of the National Court Register, under the KRS number 0000541501, NIP 7792022623, REGON 631226810.

2. CONTACT DETAILS OF THE ADMINISTRATOR

In matters concerning personal data the Administrator can be contacted:

– by post, by sending a letter to: Personal Data Protection Coordinator: 4 Książęca Street, 00-498, Warsaw, marked ‘Personal Data’ or

– by sending an e-mail to: odo@gww.pl.

3. WHAT PERSONAL DATA IS PROCESSED BY THE CONTROLLER AND WHAT IS THE SOURCE OF SUCH DATA

The Administrator processes personal data only to the extent necessary to accept a request or to take possible follow-up action, including personal data:

(a) provided by you directly to the Administrator;

(b) provided by the Signallers, persons affected by the notification, persons assisting in making the notification, persons related to the Signaller, but also third parties whose data is included in the notification, in connection with the investigation of the notification;

c) obtained from publicly available sources.

The Administrator processes your data to the extent necessary to fulfil the purposes of processing indicated in point 4. In particular, the Administrator may process the following categories of personal data:

(a) concerning Signatories: name, surname, other personal data necessary for identification, contact data, other data contained in the notification or concerning the notified breach;

b) concerning the persons concerned by the notification: name, other personal data necessary for their identification, data relating to the infringement, other data included in the notification or relating to the notified infringement;

c) concerning persons assisting in the notification, persons related to the Whistleblower, but also third parties whose data are included in the notification: name, surname, other data included in the notification or concerning the notified infringement.

4. PURPOSE OF PERSONAL DATA PROCESSING AND LEGAL BASIS

Your data will be processed in order to:

(a) to receive a report or to take possible follow-up actions in connection with a reported violation of the law, on the basis of applicable legal provisions, in particular the Act of 14 June 2024 on the protection of whistleblowers (hereinafter: ‘Whistleblower Act’) – the legal basis for processing is a legal obligation incumbent on the Administrator (Article 6(1)(c) RODO) or Article 9(2)(g) RODO to the extent that the processing of special categories of data is justified by a substantial public interest;

(b) to establish, assert or defend a claim, which constitutes a legitimate interest of the Controller pursuant to Article 6(1)(f) RODO or pursuant to Article 9(2)(f) RODO to the extent that special categories of data are processed for this purpose.

5. REQUIREMENT TO PROVIDE DATA

The provision of personal data is voluntary, but may be necessary for the purposes of the Administrator’s infringement information procedure. In the case of the Whistleblower, it may be necessary to provide the Whistleblower’s contact details in order to contact the Whistleblower to provide an acknowledgement/feedback. Failure to provide personal data may make it difficult or impossible to fulfil the purposes of data processing set out above.

6. DATA RETENTION PERIOD

Personal data that are not relevant for the processing of the notification are not collected and, if accidentally collected, are deleted immediately. The deletion of such personal data shall take place within 14 days of the determination that it is not relevant.

Personal data processed in connection with accepting a report or taking follow-up action and documents related to that report will be retained for the period indicated in Article 8(8) of the Whistleblowers Act, i.e. for a period of 3 years after the end of the calendar year in which the follow-up action was completed, or after the completion of proceedings initiated by those actions.

Personal data processed for the purpose of establishing, pursuing or defending claims will be processed until the purpose of the processing ceases or the data subject raises an effective objection (whichever comes first).

After the expiry of the retention period, the Controller shall delete the personal data and destroy the documents related to the notification, if the documents related to the notification are not part of the file of pre-trial proceedings or court or administrative cases.

7. RECIPIENTS OF PERSONAL DATA

The Administrator shall ensure the confidentiality of your personal data.

Personal data may be made available to public authorities or other entities authorised to such access on the basis of the law, as well as to trusted entities providing ICT services, providers of software used by the Administrator, entities dealing with archiving and destruction of documents and trusted, impartial external advisors, including entities entrusted by the Administrator with the conduct of proceedings concerning the notification.

The personal data of the Signaller, allowing for the establishment of his/her identity, may be disclosed to unauthorised persons only with the express consent of the Signaller, unless disclosure is a necessary and proportionate legal obligation in connection with investigations conducted by public authorities or pre-trial or judicial proceedings conducted by courts, including in order to guarantee the right of defence of the reported person.

With the express consent of the Signaller or in the event that the Signaller does not fulfil the conditions indicated

in Article 6 of the Law on Signallers (does not enjoy protection), the identification data of the Signaller may be made available to persons whose data the Signaller provided in the notification, in connection with the exercise by GWW Legal of the rights to which these persons are entitled pursuant to Article 14(2)(f) RODO or Article 15(1)(g) RODO.

8. TRANSFER OF DATA OUTSIDE THE EOG

As a general rule, personal data will not be transferred to a third country, i.e. outside the European Economic Area (EEA), or made available to international organisations. However, the processing of personal data in ICT systems, may result in the transfer of data by ICT software and service providers outside the EEA. In such a case, data transfer shall only take place if an adequate level of data protection has been confirmed for the third country by the European Commission or an adequate level of data protection has been agreed with the data recipient (in particular using so-called standard contractual clauses). A copy of the applicable safeguards, including standard contractual clauses, can be obtained from the Controller.

9. INFORMATION ON AUTOMATED DECISION-MAKING INCLUDING PROFILING

Your personal data will not be processed in a purely automated manner (including profiling) that may produce legal effects against you or similarly significantly affect you.

10. RIGHTS OF DATA SUBJECTS

To the extent and in the cases stipulated by law, in particular the RODO, you have the right to access your data and to obtain a copy of your data, the right to rectify (amend) your personal data, the right to erase your personal data, the right to restrict the processing of your personal data, the right to data portability, the right to object to the processing of your data based, inter alia, on the legitimate interest of the Controller, including profiling, the right to withdraw consent (if the processing of your personal data is carried out on the basis of consent).

11. RIGHT TO COMPLAIN

If you consider that the processing of your personal data by the Controller violates the provisions of the RODO or other generally applicable data protection legislation, you may lodge a complaint with the President of the Personal Data Protection Authority.