Notice on Personal Data Processing from doValue with regard to the reporting of breaches of Union Law
[DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 23 OCTOBER 2019]
1. Introduction – Purpose
doValue Greece Loan and Credit Claims Management Co SA, with registered offices at 27 Kyprou and Archimidous St, Moschato, GR 18346, and doValue Greece Real Estate Services Single-Member SA, with registered offices at 25th Martiou, Teo and Thessalonikis St, Tavros, GR 17778 (hereinafter collectively “doValue”), as the Controller, respecting the European and national laws on the protection of personal data (General Data Protection Regulation EU 2016/679, Law 4624/2019, specific provisions of Law 4990/2022), herewith provides information with respect to the processing of your personal data carried out for the purpose of managing the report you have filed through its internal channels, on Union law breaches, as defined in Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 (hereinafter the “Report”).
doValue, by way of derogation from article 5(1)A, articles 12 and 13, article 14(1-4), and article 34 of the GDPR, does not provide relevant notice on the processing of personal data to the Person Concerned or any third party in their capacity as a Data Subject named in the report, or the personal data that was the result of follow up, and specifically in relation to the source from which they originate, in accordance with GDPR article 14(2)(f), in implementation of GDPR article 14(5), in combination with GDPR article 23, to the extent, and as long as, necessary to prevent and address attempts to hinder reporting or to impede, frustrate or slow down follow-up, in particular investigations, or attempts to find out the identity of the reporting persons, and to provide protection against retaliation.
2. Personal scope of application
This Notice applies to any natural person, employee, current, outgoing or candidate, irrespective of the type of employment contract, members of the Board of Directors, the Executive Committee, associates, suppliers, subcontractors, advisors of any type of doValue, in the context of project contracts, independent services, salaried orders, or employees through third parties/counterparties of doValue, who report, with or without their name, breaches that have been committed or are very likely to be committed at doValue.
3. Definitions
- “Report”: the communication of information on breaches of this policy to the Officer responsible for Receiving and Following Up on Reports of doValue.
- “Person Concerned”: the natural or legal person who is referred to in the report as a person to whom the breach is attributed or who is associated with the person to whom the breach falling into the scope of this policy is attributed.
- “Reporting Person”: the natural person who reports information on breaches acquired in the context of their work-related activities.
- “Breaches”: Any acts or omissions that are unlawful under Union laws or defeat the object or the purpose of the rules of Union law.
- “Officer Responsible for Receiving and Following Up on Reports”: the Officer Responsible for Receiving and Following Up on Reports related to breaches falling within the scope of this policy.
4. Obligation of confidentiality and measures for ensuring it
doValue guarantees the confidentiality of any Report and the information contained therein, as well as the anonymity of the Reporting Person, even in the case when the report turns out to be false or unfounded.
More specifically:
- Personal data and any other type of information from which the identity of the Reporting Person may be directly or indirectly deduced is not disclosed to anyone other than the authorised members of staff competent to receive or follow up on reports, unless the Reporting Person gives their explicit consent. To this end, doValue adopts the necessary technical and organisational measures to protect and safeguard personal data and preserve confidentiality in following up on Reports.
- Disclosures pursuant to par. 1 of this chapter are made only if the Reporting Person gives their explicit consent or if the disclosure is required by Union or national laws, and in accordance with the applicable conditions.
- In derogation from the above, the identity of the Reporting Person and any other information may only be disclosed in those cases when it is required by Union or national laws, in the context of administrative, civil and/or criminal investigations by the competent public authorities or in the context of judicial proceedings, and provided the disclosure is necessary to serve the purposes of the Union or national laws or to ensure the rights of defence of the Person Concerned are protected.
The above, as regards the protection of the identity of Reporting Persons, shall also apply to the protection of the identity of Persons Concerned.
doValue adopts all appropriate technical and organisational measures to ensure the security and confidentiality of Personal Data and their protection from accidental or unlawful destruction, loss, alteration, prohibited transmission, dissemination or access and any other form of unlawful processing. Moreover, it enforces confidentiality clauses and the obligation of secrecy on any person who has access to or processes personal data on its behalf.
Reports are stored in confidence and recovered when required by Union or national laws, and in any case until the conclusion of any investigation or judicial proceedings that have been initiated as a result of the Report.
5. Purpose and legal basis for processing personal data
The personal data described in this Notice is subject to processing by doValue to fulfil the legal obligation to establish reporting channels and adopt the necessary measures for follow up, as defined by the law on the protection of persons who report breaches of Union law, as in force from time to time. Moreover, doValue may process this data to prepare anonymised reports in the context of its legitimate interest in sound and transparent management.
6. Categories of personal data subject to processing
doValue will process only the data that is strictly necessary to document the Report and serve the aforementioned purposes of processing personal data, hence the following:
- Identification data, such as full name, father’s name;
- Work data, such as position, work unit, duties, annual evaluations;
- Contact data, such as landline and mobile number, email address;
- Data relating to the breach incident, such as time and location of the incident, additional information or available evidence, your relationship with the incident and the Person Concerned, or other people you suspect are involved in the incident.
7. Recipients of personal data
The aforementioned personal data is subject to processing solely by competent and authorised employees and bodies of doValue to manage and document the Report and by the Officer Responsible for Receiving and Following Up on Reports. The data may also be transferred to or be subject to processing by selected and specialised third parties, such as external lawyers or advisors. Where the data included in the Reports may also be used as evidence in administrative, civil and criminal cases and investigations, it will be forwarded to the competent supervisory and investigation authorities.
In the event of a personal data breach, doValue will not proceed to notify the Data Subject according to its obligation per GDPR article 34(1), since this notice may be detrimental to the purposes of the Report. It will notify the Data Protection Authority, which may request doValue to disclose the breach to the data subject, if it determines that the conditions for non-disclosure are not met.
8. Transfer of Personal Data outside the EEA
Personal data included in the Reports shall not be transferred to countries outside the European Economic Area.
9. Period for retaining the Report and personal data
Personal data will be retained solely for the time period necessary to achieve the purpose for which they were collected. Specifically:
- When the Report is deemed unfounded, the data retention period is two (2) months from rejection of the Report.
- When the incident described in the Report is subject to legal proceedings, the personal data is deleted once a final court judgement is handed down.
- When the Report discloses documented evidence against a doValue executive, the personal data is retained for as long as the executive is employed by/has a relationship with doValue and is deleted 20 years after the cooperation ends by any means.
- When the Report discloses documented evidence against a doValue external associate or supplier, the personal data is retained throughout the period of cooperation and is deleted 5 years after the cooperation ends by any means.
10. Personal data protection rights and contact information for exercising those rights
With regard to the personal data subject to the aforementioned processing, Data Subjects (e.g. Reporting Persons, Persons Concerned or third-parties involved) have the following rights:
- The right to information and access to their data and the right to receive additional information on its processing.
- The right to correct, amend, supplement and update the data.
- The right to have their personal data deleted when this right is not subject to restriction according to the applicable laws or other restrictions.
- The right to limit the processing of their personal data, when: (a) the accuracy of the personal data is contested and until it is verified; (b) the processing is unlawful and the data subject requests restriction of data use instead of erasure; (c) the personal data is not required for the purposes of processing but is however necessary in order to establish, exercise and defend legal claims; and (d) the Data Subject objects to the processing and until it is verified there are legitimate grounds related to doValue that override the grounds for objection.
- The right to object to processing, only under certain conditions specified by law.
- The right to portability of the personal data, without charge, in a format that allows access, use and processing, and also the right to have the data directly transmitted to another controller, if technically feasible. This right applies to data they have provided and which is processed by automated means, based on their consent.
To exercise the above rights, you may contact in writing the doValue Regulatory Compliance & AML/CFT unit, at 27 Kyprou and Archimidous Streets, GR 18346 Moschato, or via email at [email protected].
You may contact the doValue Greece Data Protection Officer on matters relating to the processing of your personal data at the address 27 Kyprou & Archimidous Streets, GR 18346 Moschato, Attica, Greece or the email address: [email protected]
Lastly, you have the right to lodge a complaint with the competent Data Protection Authority for matters relating to the processing of your personal data. In relation to the Authority's competencies and procedures for lodging complaints, you may visit the website of the Hellenic Data Protection Authority: www.dpa.gr > Rights of individuals > Complaint to the Hellenic DPA, where detailed instructions are available.
11. Update and amendments to this Notice on personal data processing
Based on its personal data protection policy in force from time to time and in the context of the legislative and regulatory framework in force from time to time, doValue may revise or amend this Notice, and the latest version will always be available on the doValue Greece website www.dovaluegreece.gr
Last update: 30.06.2023