Enerwave Whistleblowing Portal by Ethicontrol
Privacy Statement
Data Protection
Since the reports contain personal data, these are being handled in accordance to the General Data Protection Regulation (GDPR) and the Greek law 4990/2022.
1. Personal data categories and sources
In the context of the whistleblowing process ENERWAVE may process the following categories of personal data:
a) Identification and contact information, such as full name, business title and organization for which the person concerned or an involved person may work for and Identification and contact information, such as full name, telephone number, email, business title and organization for which the reporting person may work for
b) The type of violation the person concerned has conducted.
c) Any business-related evidence that may come up by the reporting person, a person concerned, the background investigation or the data subject itself usually names and business-related details of the reporting person, the person concerned and any involved person
The source for the above personal data may be the reporting person, an involved person, the concerned person or any business-related information acquired through the fact finding process. All above mentioned information should be legally obtained. Any other information not meeting this requirement shall be discarded and not considered in the fact-finding process.
2. Purpose of data processing
Managing and clarifying the whistleblowing report till its resolution in order to identify any wrong doing acts that endanger the reputation and the operation of ENERWAVE.
Data transfer to authorities per their request or to protect the interests of ENERWAVE.
3. Legal basis for data processing
A reporting person’s personal data – in case he/she chooses to disclose them - shall be processed based on the legal obligation of ENERWAVE to establish the internal whistleblowing system and to investigate the incoming reports as per national legislation 4990/2022, (Article 6 (1) (c) of GDPR).The reporting person shall withdraw his/her consent with an effective date at the time of withdrawal meaning that the already processed data has been lawfully processed.
A person’s concerned and any other’s involved person’s personal data shall be processed based on legitimate interests pursued by the Company (Article 6 (1) (f) of GDPR) and complying with legal obligations of the Company in case of any authority request. (article 6 (1) (c) of GDPR).
4. Data recipients and data transfers
The Company may transfer personal data to judicial, administrative, taxation, customs, arbitration authorities or other public authorities, regulatory bodies and attorneys-at-law, if necessary, for it’s compliance with legislation and/or for establishing, exercising or defending its legal claims.
The recipients of personal data may be established outside the European Economic Area (ΕΕΑ). In such cases, the Company takes measures so that adequate and appropriate safeguards are applied for the protection of personal data by other means, mainly by way of the use of the EU standard contractual clauses (SCC).
5. Data Retention Period
The Company shall store personal data for as long as is necessary to achieve the purposes described in the present paragraph and after the case resolution all data shall be retained for a period of 5 years from the closure of the process unless the applicable legislation stipulates or allows a longer time period or as long as is necessary for the Company to be in compliance with a legal obligation it incurs, or as long as is necessary for the company to defend itself (such as defense of rights in court, audits by regulatory authorities, etc.).
6. Technical and organizational measures
The Company effectively implements, both at the time of determination of the means of processing and at the time of processing, appropriate technical and organizational measures such as controlled access to the data, encryption, processing on an as need-to-know basis, data minimization and/or pseudonymization for reporting purposes and the integration of the necessary safeguards into the said processing in a manner fulfilling the requirements of the applicable legislation and protecting the rights of natural persons.
7. Right to withdraw your consent
In case you have given us your consent to process specific personal data, you have the right to withdraw your consent at any time by contacting [email protected], with prospective effect. Such withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In case of such withdrawal, the Company may further process your personal data only in cases where there is some other legal ground for such processing.
8. Rights of the data subject
Under the applicable legislation on personal data protection and provided the relevant legal conditions are met, you have the following rights:
8.1. Right of access
You have the right to be informed as to whether or not the Company processes your data, to have access to such data and obtain supplementary information in connection with such processing.
8.2. Right to rectification
You have the right to request that your personal data be updated, rectified or completed.
8.3. Right to erasure
You have the right to submit a request for the erasure of your personal data, and such request shall be granted provided no other legal grounds for processing are in place (such as, as an indication, compliance with a legal obligation to process personal data).
8.4. Right to restriction of processing
You have the right to request the restriction of the processing of your personal data in the following cases: (a) when you contest the accuracy of your personal data, and pending verification of the accuracy of your data; (b) when you oppose the erasure of your personal data and you request the restriction of their use instead; (c) when your personal data are no longer needed for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, and (d) when you have objected to the processing and pending verification that our legitimate grounds for processing override those for which you object to the processing.
8.5. Right to object to the processing
You have the right to object at any time to the processing of personal data concerning you which is based on the legal basis of the processing (Article 6 (1) (e) or (f) of the General Regulation) and your objection shall be granted unless the Company demonstrates compelling legitimate grounds for the processing.
8.6. Right to data portability
You have the right to receive, at no cost, your personal data in a structured, commonly used and machine-readable format or to request, if technically feasible, that we transmit such data directly to another controller
8.7. Right to oppose automated decision-making
You have the right to request that you be excluded from decision-making which is based on automated processing, including profiling.
8.8 Exceptions
The data controller does not inform the subject or other 3rd parties named in the report about the data processing or the source of information according to article 15 par 5 of law 4990/2022. Additionally, the data controller may not satisfy the above-mentioned data subject rights when they are exercised by the subject or 3rd parties named in the report.
8.9 Protection of the whistleblower as per law 4990/2022
Personal data of the reporter or any other information that may lead to his/ her identity are not to be revealed by the data controller to anyone else than the persons entitled to investigate and handle the report.
As an exception to the above, the identity of the whistleblower can be revealed in cases imposed by the European or the National legislation in the framework of authority investigation, or for the legal defense of the subject. It is obligatory that prior to the announcement, the data controller should inform the reporter in writing about this intention unless this action undermines the investigative or legal efforts.The reporter has the right to raise any objections to the data controller. Should those objections deemed insufficient, the data controller can announce the identity of the reporter and any other case confidential data.
9. Data Controller
The Data Controller is «ENERWAVE S.A.», located at Fragkokklisias 6, Marrousi Attica,151 25.
The Company provides support for all questions, comments, concerns or complaints relating to personal data protection or should you wish to exercise any right in connection with the protection of your data. You may contact our Data Protection Officer by email at [email protected] or by post at the following mailing address:
ENERWAVE S.A.
Attention: DPO
Fragkokklisias 6, Marousi, GR151 25, Athens
10. Right to lodge a complaint with the competent authority
If you wish to lodge a complaint with the competent authority, the competent authority for these matters is Hellenic Data Protection Authority (HDPA). You can try first to exercise your rights to the Data Controller.
For the Authority's responsibilities and how to file a complaint, you can visit its website. (Individuals>My Rights> Complaint to the Hellenic DPA) where detailed information is available.