IN THE CONTEXT OF THE OPERATION OF REPORTING CHANNELS
Who is responsible for the processing of personal data?
The Company is the controller of the personal data (hereinafter referred to as “Data Controller”) collected through existing reporting channels, based on the applicable personal data legislation.
For what purpose does the Company collect and process your Data?
The Company has put in place reporting channels within the context of prevention, detection or investigation of irregular, unethical, illegal or criminal conduct within the Company. Reports/complaints of irregularities, omissions or criminal acts relate to - but are not limited to - the following:
· Bribery (offering/accepting)
· Violation of human rights (diversity, discrimination based on gender, religion, nationality, etc.)
· Misuse of assets
· Acts that endanger the health and safety of workers
· Acts harmful to the environment
· Acts that may lead to an infringement of the legislation on free competition
· Actions that conflict with the interests of the Company and/or the Group
· Violation of the Policies and Procedures of the Company and the companies of the Group that risk causing financial loss
· Violation of the legal framework governing the Company and the companies of the Group (including the legislation governing the protection of persons reporting violations of Union law)
· Other unethical/inappropriate behaviour (actions that violate the Group's rules of conduct and ethics).
· Incidents of violence and harassment
· Incidents of data breaches
· Security incidents
The above list is not exhaustive; it is intended only to illustrate the type of issues.
If the above actions are subject to any legal procedure provided for by the national legislation, the Management of the Company or of the respective Group company shall promptly forward the complaint to the competent Department/Authority for further investigation.
From which sources does the Company receive your Data?
The Company receives the submitted Data in the following ways:
- By email to: email@example.com. In case of an anonymous report/complaint, it is recommended to use a non-corporate email address to submit the complaint (e.g. Gmail)
- Through the Company's website: www.quest.gr
- In the event of a data breach, by email to firstname.lastname@example.org
- By mail to the address of the respective Group company, for the attention of the Regulatory Compliance Officer, marked "Confidential" or, if it concerns a data breach, for the attention of the Data Protection Officer or, if it concerns a security breach, for the attention of the Group and Company Information Security Officer (if applicable)
- The procedure followed in each case is defined by the relevant Policies and Procedures of the Company and the Group (www.quest.gr)
The Company may also receive data through reports forwarded by the Group's subsidiaries, to the extent that a report concerns issues of public interest or directly/indirectly relates to the Company. In the context of investigating a report, the Company may collect further Data through interviews with the parties involved, as well as from other sources, as defined in its internal Policies and Procedures.
What Data does the Company process?
In order to determine whether a specific report/complaint is valid and to further investigate the reported incident, the Company processes the Data that the reporting parties voluntarily submit, including but not limited to:
(a) the events that gave rise to the suspicion/concern, with reference to names, dates, documents, locations and
(b) the reason that led to the submission of the report/complaint.
Under no circumstances is the report/complaint expected to prove the potential concerns/suspicions of the reporting party; however, it is encouraged that all available information is provided to facilitate the investigation of the incident.
It should be noted that the Company offers the reporting parties the opportunity to submit their report either officially or anonymously through its established reporting channels. Reports must be made "in good faith". The Company is committed to protecting the reporting parties, given that they have submitted the report in good faith, from any discrimination or less favourable treatment, any targeting or action aimed at punishing them and providing for an unfavourable job transfer/demotion or termination of employment. Once the report has been investigated, no sanctions or consequences are foreseen for the parties who have not been proven to have committed or contributed to the unlawful interference.
Who has access to the Data?
Access to the Data contained in the reports for the purposes of report examination or management may only be granted to those involved in the management and investigation of the incident in question and only to the extent necessary.
In particular, the Data included in the reports is shared on a case-by-case basis, depending on the nature of the incident and always in accordance with the relevant Policies and Procedures: With the members of the Company's Report Evaluation Committee (if the incident involves violence/harassment), the Regulatory Compliance Officer (responsible for receiving and monitoring reports), the Head of Internal Audit (responsible for managing/examining reports), the Data Protection Officer, the Audit Committee, the Board of Directors, external consultants bound by confidentiality clauses, lawyers, as well as judicial and/or administrative authorities.
Moreover, the Data included in the reports/complaints is shared with the persons included in the report/complaint, witnesses and anyone else having a legitimate interest. When access to the Data is allowed to the persons included in the report/complaint, the data of the complainant and witnesses are withheld, unless they have given their explicit consent or if the report/complaint has been proven to be malicious.
The reporting parties and those involved in the process of investigating the report shall be informed of the content of the report and of their relevant rights and the exercise of those rights, in accordance with the applicable framework. However, the provision of information is considered on a case-by-case basis as there may be cases where the aforementioned information may, indicatively, a) impede the investigation of the case and hinder the evaluation of the report and the collection of the information and data required, or b) directly or indirectly lead to the identification of the reporting parties, or c) lead to the disclosure of confidential information which, due to its nature and in particular due to the Company's overriding legal interests, must remain confidential, or d) impede the establishment, exercise or support of the Company's legal claims and/or any criminal proceedings. In the event that those involved in the report/complaint are not immediately informed of its contents, in order to avoid obstructing the investigation, the reasons for the delay must be recorded in writing and the document must be entered in the case file.
Is the Data received by the complaint management team transmitted to third parties?
The Data and overall information received by the complaint management team shall not be transmitted to other persons or teams of the Company or the Group company (to which the incident relates), unless such transmission is considered absolutely necessary for the purposes of further investigating the complaint and exclusively to the required persons on a need-to-know basis.
How long is the Data contained in a report/complaint retained?
The Company will retain the Data for a certain period of time after the completion of the investigation, which varies depending on the outcome of the investigation. In particular:
- In the event that the report is deemed unfounded or abusive or does not contain facts constituting a breach or there are no serious indications of a breach, the Data shall be deleted within six (6) months following its closure.
- In the event that legal action is taken based on the report/complaint, the Data shall be deleted upon the issuance of an irrevocable court decision.
- In the event that the report/complaint results in substantiated findings against an employee/executive of the Company or a Group company (concerning the incident), the Data shall be retained throughout the duration of their employment/relationship with the Company or Group company and shall be deleted twenty (20) years after the partnership is terminated/resolved in any way.
- In the event that the report/complaint results in substantiated findings against a third party, e.g. a customer, supplier, external partner of the Company or the Group company (concerning the incident), the Data is retained throughout the duration of the cooperation and is deleted five (5) years after the termination/resolution of the cooperation in any way.
In all cases, the Company's relevant Policies on the retention and deletion of personal data are respected.
What are your rights in relation to your personal data?
All natural persons whose data is processed by the Company have the following rights:
Right of access:
You have the right to be aware of and verify the legitimacy of the processing. Therefore, you have the right to access the data and to receive additional information about its processing.
Right to rectification:
You have the right to review, correct, update or modify your personal data.
Right to erasure:
You have the right to request the erasure of your personal data when we process it on the basis of your consent or in order to protect the legitimate interests of our company. In all other cases (such as, but not limited to, where there is a contract, a legal obligation to process personal data, or a public interest), this right is subject to specific limitations or does not exist, as the case may be.
Right to restrict processing:
You have the right to request the restriction of the processing of your personal data in the following cases: (a) when you contest the accuracy of the personal data and until its verification, (b) when you oppose the erasure of personal data and request the restriction of its use instead of erasure, (c) when the personal data is not necessary for the purposes of processing, but is necessary for the establishment, exercise, support of legal claims, (d) when you object to its processing and until it is verified that the personal data is not necessary for the purposes of processing, and (e) when you object to its processing and until it is verified that there are legitimate grounds concerning us that supersede the grounds for which you object to its processing.
Right to object to processing:
You have the right to object at any time to the processing of your personal data where, as described above, this processing is necessary for legitimate interests pursued by us as data controllers, as well as to its processing for direct marketing and consumer profiling purposes.
Right to data portability:
You have the right to receive your personal data free of charge, in a format that allows you to access, use and process it using common processing methods. You also have the right to ask us to transfer the data directly to another controller, if technically feasible. This right extends to the data you have provided us with, where its processing is carried out by automated means on the basis of your consent or in execution of a relevant contract.
To exercise any of the above rights, you may contact the Company's Data Protection Office (DPO) at the following email: email@example.com. If you wish to contact the Data Protection Officer (DPO), send an email to: firstname.lastname@example.org.
Right to Lodge a Complaint
If you believe that we have not adequately fulfilled your request and the protection of your personal data is affected in any way, you can use a special portal to submit a complaint to the Hellenic Data Protection Authority (Athens, 1-3 Kifissias Avenue, P.C. 115 23 | tel.: +30 210 6475600). You can find detailed instructions for filing a complaint on the Authority's website.
What technical and organisational measures does the Company apply for the protection of Data?
The Company shall implement the necessary technical and organisational measures to ensure a certain level of security commensurate with the risks posed by the processing and in view of the nature of the Data processed, in accordance with the Company's applicable policies and procedures in relation to the processing of Data and the security of information (such as access to information on a need-to-know basis, binding the personnel that can access the Data under a confidentiality obligation, control of access rights, use of encryption, overseeing IT equipment and services in full compliance with current legislation, etc.).
Where can I find more information?
For more information about the processing of your Data and your rights, please refer to the Privacy Notice at the following link: www.quest.gr/en/privacy-policy or to the Report-Complaint Management Policy, or contact the Data Protection Officer (DPO) at email@example.com