Information for Whistleblowers

With the adoption of a procedure for the protection of personal data of whistleblowers and for reporting breaches of law at EMBS Sp. z o.o., with its registered office in Gliwice, 44-100 ul. Alberta Einsteina 36, entered in the register: KRS (National Court Register Number) 000080666, NIP (Taxpayer ID) 6482326274, REGON (Statistical ID) 276598325, we provide information about the policy for processing personal data of you as a Whistleblower relating to the compliance with the requirements of the Act of 14.06.2024 on the protection of whistleblowers and Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019.  

The purpose of this information notice is to ensure that you are fully aware of the processing of your personal data concerning your reports of breaches of Union law and to ensure that your data is protected following the applicable legislation. This policy also applies to third parties whose data may be disclosed in such a report. 

Personal data processing policy 

The policy applies when whistleblowing is done in person or anonymously via established channels, i.e.  

1. Through the ICT system available on the website: https://zgloszenie.n-serwis.pl/zgloszenie/embs/ (according to the instructions on the website) 
2. By telephone at an automated telephone number: 32 722 0201 

According to Articles 13-14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data (GDPR) and DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2019 on the protection of persons who report breaches of Union law, we inform you that: 

1. The Data Controller for your personal data is EMBS Sp. z o.o., with its registered office in Gliwice 44-100, entered in the register: KRS (National Court Register Number) 000080666, NIP (Taxpayer ID) 6482326274, REGON (Statistical ID) 276598325. 

2. We have designated a Data Protection Officer you can contact concerning issues of personal data protection and exercise of your rights, by email: [email address] or in writing to our registered office address, stating “Data Protection Officer” on the envelope. 

3. Your personal data is processed for the purpose of: 

a. receiving and investigating reports of breaches, 

b. granting protection to persons who report breaches in accordance to DIRECTIVE (EU) 2019/1937. 

The legal basis for the processing of personal data is provided by: 

a. point (c) of Article 6(1) of the GDPR – compliance with a legal obligation to which the Controller is subject, in particular the Act of 14.06.2024 on the protection of whistleblowers and Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019. 

b. point (f) of Article 6(1) of the GDPR – a legitimate interest of the Controller to ensure compliance with the law and to protect the rights and interests of whistleblowers. 

4. Your provision of personal data is voluntary but necessary for the purpose of the processing, which is to handle your report of a breach. 

5. Recipients of your personal data may include public authorities with regard to the performance of their legal obligations. 

6. The data will also be accessed by external entities that are assigned the maintenance and support of IT systems in accordance with the contracts concluded. 

7. Your personal data will be retained for the period necessary for the fulfilment of the purpose for which it was collected, but for no longer than 12 months, unless longer retention is required by law or there is another purpose for processing, e.g. in connection with legal proceedings. 

8. You have the right to: 

a. access to your personal data, 

b. rectification of your personal data, 

c. erasure (“right to be forgotten”), 

d. restriction of processing your personal data, 

e. data portability, 

f. object to the processing of your personal data. 

9. The exercise of rights may be limited or none in situations of anonymous reports. In order to exercise the above-mentioned rights, please contact the Controller. 

10. You have the right to lodge a complaint with a supervisory authority, i.e. the President of the Personal Data Protection Authority (Polish: Prezes Urzędu Ochrony Danych Osobowych, PUODO), ul. Stawki 2, 00-193 Warszawa. 

11. Your personal data will not be processed by automated means, including profiling. 

Right to report externally  

Under Article 25 para. 8 of the Act on the protection of whistleblowers, we provide information on reporting externally to the Ombudsman, public authorities and, where relevant, to institutions, bodies, offices or agencies of the European Union.

Reporting to the Ombudsman 

Whistleblowers can report breaches of the law to the Ombudsman. To report a breach: 

a. Use the report form available on the Ombudsman’s website: Link to the Ombudsman’s report form 

b. Complete the form with details of the breach, including the whistleblower’s contact details (if the whistleblower wishes to remain anonymous, it is not mandatory to provide contact details) 

c. Send the completed form electronically or by post to the following address: Biuro Rzecznika Praw Obywatelskich, ul. Długa 23/25, 00-238 Warszawa 

Reporting to public authorities 

Reports of breaches of law may also be addressed to the relevant public authorities, such as: 

a. The National Labour Inspectorate 

b. The Office for Competition and Consumer Protection 

c. The Financial Supervision Authority 

d. The prosecutor’s office 

e. Other relevant regulatory and supervisory authorities depending on the nature of the breach. 

Details of how to apply to each public authority are available on their websites. 

Reporting to institutions, bodies, offices or agencies of the European Union. 

In the case of breaches of European Union law, reports may be addressed to the relevant institutions, bodies, offices or agencies of the European Union, such as: 

a. The European Anti-fraud Office (OLAF) 

b. The European Ombudsman 

c. The European Data Protection Supervisor 

d. Other relevant institutions and bodies of the European Union. 

Information on how to report to the institutions of the European Union is available on their websites. 

Anonymity and protection of data 

Whistleblowers have the right to make reports anonymously. All reports will be handled with utmost confidentiality and personal data contained therein will be protected under applicable laws. 

Support and advice 

Whistleblowers can obtain support and legal advice on whistleblowing by contacting whistleblower protection and human rights organisations such as: 

a. The Helsinki Foundation 

b. Transparency International 

c. Other NGOs working to protect whistleblowers.