GDPR Policy on Whistleblowers
This privacy policy contains the information required by law regarding the processing of personal data processed by HRK S.A. with headquarters in Warsaw (00-095), Plac Bankowy 2 (hereinafter referred to as HRK).
Whistleblower clause
Pursuant to Article 13 (1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), HRK S.A. provides the following information:
1. Personal data controller
The contoller of your personal data is HRK S.A. with headquarters in Warsaw 00-095, Pl. Bankowy 2
2. Data Protection Officer
Correspondence on issues related to personal data protection should be addressed to HRK S.A.’s designated Inspector for Personal Data Protection:
- by mail to the address of the registered office of HRK S.A.
- by e-mail to: [email protected]
3. Purposes and legal basis for processing personal data
Personal data obtained in connection with the notification of violation of the law in HRK S.A., i.e. first and last names, mailing addresses and other data indicated in the notification made (as long as such notification is not made anonymously) are processed for the following purposes and on the basis of:
| Basis for processing personal data | Purpose of personal data processing |
| Article 6(1)(c) of the GDPR
Authorizing the processing of personal data if it is necessary for the performance of legal obligations incumbent on the controller | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
| Article 6(1)(a) of the GDPR
Consent to processing of personal data | Disclosure of the identity of the person filing a report (whistleblower). |
| Article 9(2)(g) of the GDPR
Permittee has processing is necessary for reasons of important public interest, based on the law | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
4. Recipients of personal data
Personal data obtained from you will not be transferred to third parties except for:
- Entities that provide services or goods to HRK S.A. and to whom HRK has entrusted the processing of personal data in accordance with Article 28 of the GDPR, such as IT service providers, data storage and archiving;
- Public authorities or entities authorized to obtain data under applicable law, such as courts, law enforcement agencies or state institutions.
HRK S.A. does not transfer your personal data to a third country (i.e. a country that is not part of the European Economic Area comprising the European Union, Norway, Liechtenstein and Iceland) nor to international organizations.
5. Period of personal data processing
Your personal data will be processed:
- for a period of 3 years after the end of the calendar year in which the follow-up actions are completed, or after the completion of the proceedings initiated by these actions;
- in the case of transmission of a notification to a public body, for a period of 3 years after the end of the calendar year in which the notification was transmitted to the public body competent to take follow-up action or follow-up action was completed, or after the completion of the proceedings initiated by these actions.
6. Rights of data subjects:
In accordance with the GDPR, you shall have the following rights:
- The right to access your personal data
- The right to request the rectification of your personal data that is incorrect and the completion of incomplete personal data
- The right to request the deletion of your personal data
- The right to request restrictions on the processing of your personal data
- The right to portability of your personal data
- The right to lodge a complaint with the supervisory authority in charge of personal data protection, i.e. the President of the Office for Personal Data Protection, based in Warsaw, ul. Stawki 2.
To the extent that your data are processed on the basis of consent, you shall have the right to withdraw your consent to data processing at any time. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of your consent before its withdrawal. You may withdraw your consent by sending a statement of withdrawal of consent to our mailing address or e-mail address, i.e. [email protected].
7. Information about the requirement /voluntariness of provision of personal data
The provision of personal data whose purpose of processing is the implementation of the controller’s legal obligations is mandatory. Provision of personal data in the rest is voluntary.
8. Automated decision-making
Based on your personal data, HRK S.A. will not make automated decisions against you, including decisions resulting from profiling.
Third party witness clause
Pursuant to Article 14(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), HRK S.A. provides the following information:
1. Personal data controller
The contoller of your personal data is HRK S.A. with headquarters in Warsaw 00-095, Pl. Bankowy 2
2. Data Protection Officer
Correspondence on issues related to personal data protection should be addressed to HRK S.A.’s designated Inspector for Personal Data Protection:
- by mail to the address of the registered office of HRK S.A.
- by e-mail to: i[email protected]
3. Purposes and legal basis for processing personal data
Personal data obtained in connection with the notification of violation of the law in HRK S.A., i.e. first and last names and other data indicated by a person filing a report (a whistleblower) are processed for the following purposes and on the basis of:
| Basis for processing personal data | Purpose of personal data processing |
| Article 6(1)(c) of the GDPR
Authorizing the processing of personal data if it is necessary for the performance of legal obligations incumbent on the controller | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
| Article 9(2)(g) of the GDPR
Permittee has processing is necessary for reasons of important public interest, based on the law | Performing legal obligations under Article 8(4) of the Act on the Protection of Whistleblowers to the extent necessary to accept a report and/or take follow-up action. |
4. Recipients of personal data
Personal data obtained from you will not be transferred to third parties except for:
- Entities that provide services or goods to HRK S.A. and to whom HRK has entrusted the processing of personal data in accordance with Article 28 of the GDPR, such as IT service providers, data storage and archiving;
- Public authorities or entities authorized to obtain data under applicable law, such as courts, law enforcement agencies or state institutions.
HRK S.A. does not transfer your personal data to a third country (i.e. a country that is not part of the European Economic Area comprising the European Union, Norway, Liechtenstein and Iceland) nor to international organizations.
5. Period of personal data processing
Your personal data will be processed:
- for a period of 3 years after the end of the calendar year in which the follow-up actions are completed, or after the completion of the proceedings initiated by these actions;
- in the case of transmission of a notification to a public body, for a period of 3 years after the end of the calendar year in which the notification was transmitted to the public body competent to take follow-up action or follow-up action was completed, or after the completion of the proceedings initiated by these actions.
6. Rights of data subjects:
In accordance with the GDPR, you shall have the following rights:
- The right to access your personal data
- The right to request the rectification of your personal data that is incorrect and the completion of incomplete personal data
- The right to request the deletion of your personal data
- The right to request restrictions on the processing of your personal data
- The right to portability of your personal data
- The right to lodge a complaint with the supervisory authority in charge of personal data protection, i.e. the President of the Office for Personal Data Protection, based in Warsaw, ul. Stawki 2.
To the extent that your data are processed on the basis of consent, you shall have the right to withdraw your consent to data processing at any time. Withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of your consent before its withdrawal. You may withdraw your consent by sending a statement of withdrawal of consent to our mailing address or e-mail address, i.e. [email protected].
7. Information about the requirement /voluntariness of provision of personal data
The provision of personal data whose purpose of processing is the implementation of the controller’s legal obligations is mandatory.
8. Automated decision-making
Based on your personal data, HRK S.A. will not make automated decisions against you, including decisions resulting from profiling.
9. Data source
HRK has acquired your data from a person filing a report on a violation(s) of the law (a whistleblower).