Information clause for the Whistleblower or the Person Assisting in Making the Report
(Article 13 GDPR)

According to the Art. 13 sect. 1 and 2 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), further referred to as GDPR, we inform you that:

• The Controller of your personal data, i.e. the entity that decides on the purposes and means of its processing, is OKECHAMP S.A., based in Poznań (60 - 449), ul. Wichrona 1A, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court Poznań - Nowe Miasto and Wilda in Poznań, VIII Commercial Division of the National Court Register under KRS number 0000235254, NIP 7792194028, share capital: PLN 6,476,511.00 - paid in full, (further referred to as ‘Controller’, ‘We’ or ‘DC’), who can be contacted at the mailing address: Okechamp S.A. ul. Wichrowa 1A, 60-449 Poznań, or by e-mail at: iod@okechamp.eu
• The contact person for all matters concerning data protection and your rights is the Data Protection Officer. You can contact the Data Protection Officer by sending an e-mail to: iod@okechamp.eu or by post at the DC's postal address indicated above, marked ‘To the Data Protection Officer’, or by telephone at: +48 61,846 99 33
• We will process your personal data to the extent arising from the content of the Whistleblowing Report for purposes arising from the provisions of the Act of 14 June 2024 on the protection of whistleblowers  (Journal of Laws, item 928 as amended; further referred to as the WPA), related to the performance of the DC's obligations referred to in that Act, i.e. based on Article 23(1)-(3) of the WPA and Article 6(1)(c) of the GDPR, i.e. to the extent necessary to fulfil the Controller's legal obligation.
• By authorising us to contact you at the e-mail address or telephone number you have indicated, you grant us permission for such contact and the processing of your personal data to the extent necessary for such contact (e-mail address, telephone number). In such a situation, the legal basis that allows or obliges us to process your personal data is:
  •  Article 6(1)(c) of the GDPR - i.e. a legal provision - when the processing is necessary for compliance with a legal obligation to which the Controller is subject, which arises, among others, from the provisions of the WPA;
  • Article 6(1)(f) of the GDPR - when, as DC, we pursue our legitimate interest, including in particular:
    • we include your data in the register of Violation Reports and pass your data to the Committee set up to examine Reports to enable communication regarding the Report;
    • we retain your data for record-keeping (evidential) purposes to safeguard information if we are legally required to prove some facts in the course of a Report Proceedings or follow-up procedure;
    • we process your data for possible establishment, investigation or defence against claims;
  •  Article 6(1)(a) of the GDPR - i.e. the consent you have given (processing for the purpose set out in such consent if you decide to grant it in connection with the method of communication you have chosen).
• The provision of personal data is voluntary but necessary for the purposes of the acceptance and handling of the Internal Report regarding irregularities referred to in the WPA regulations. It means that your failure to provide data will preclude the possibility of receiving and examining the Violation Report. On the other hand, concerning the personal data for which we ask your consent - the provision of such data is entirely voluntary and subject to your discretion. Failure to provide consent or the withdrawal of previously provided consent will not entail any negative consequences in terms of your Report; however, it may affect our ability to contact you about the Report.
• The recipients of your personal data, i.e. the entities with whom we may share your data, are:
  • Entities that cooperate with us or support the DC in the conduct of matters relating to Whistleblower Reports (so-called processors who may process your personal data for purposes designated by us);
  • Affiliates of the DC - who are part of the same group of companies – based on separate agreements or binding corporate rules and, in the case of non-EEA entities, based on EC decisions regarding the recognition of adequacy of personal data protection or standard contractual clauses approved by the EC;
  • Other controllers, if they have a legal basis to process the above personal data.
• The recipients of your personal data may therefore be entities that provide us with accounting or payroll services, provide us with the software necessary for data processing and the cloud systems in which the data are stored, provide us with IT, telecommunications, consulting, training, auditing, legal, hotel, transport, postal, courier, security or health and safety services, as well as our agents and contractors, if justified by the content of the Report or the terms of the Proceedings initiated by the Report.
• We may transfer your personal data outside the European Economic Area, subject to the obligation to ensure compliance with legal requirements.
• Your personal data will be retained for three years after the end of the calendar year in which the Follow-up is completed or after the proceedings initiated by the Follow-up are completed.
• If during the proceedings initiated by the Report audio or video recordings are made, they will be stored by the Data Controller for a period not exceeding that specified in point 8 above; however, if the recordings of image or sound serve as evidence in proceedings conducted under the law or if the Controller becomes aware that they may serve as evidence, the periods mentioned above shall be extended until the final resolution of the proceedings or the expiration of claims or periods of liability related to the specific violation. After the above periods have expired, the audio and video recordings containing personal data will be destroyed unless separate regulations provide otherwise.
• Your personal data will not be processed in an automated manner (including profiling).
• You have the right to access your personal data, rectify or delete it, restrict its processing, request its transfer, object to its processing, and withdraw your consent to its processing (withdrawing consent does not affect the lawfulness of data processing carried out before such withdrawal). You can exercise all these rights by contacting us in writing (at the address indicated in point 1 with the note 'Personal Data') or by email at: iod@okechamp.eu.
• If you believe that we process your personal data incorrectly, you also have the right to file a complaint with the supervisory authority, i.e., the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00 - 193 Warsaw).