Information clause on the receipt of whistleblowing notifications addressed to whistleblowers and persons who are the subject of a notification

Information clause in connection with the acceptance of whistleblower notifications addressed to whistleblowers and persons affected by a notification

  1. The controller of the personal data is IdoBooking sp. z o. o. (also referred to as the "Operator") with its registered office at al. Piastów 30, 71-064 Szczecin, entered in the register of entrepreneurs kept by the District Court Szczecin-Centrum in Szczecin, XIII Business Division of the National Court Register under the number 00001118562 NIP: 8522710288; REGON: 529324888; with the share capital of PLN 200,000.00. IdoBooking may be contacted by e-mail: sales@idobooking.com and by phone: +48 91 443 66 00.
  2. The Data Protection Inspector at IdoBooking is Rafał Malujda, e-mail address: gdpr- inspector@idobooking.com.
  3. The purpose of the processing of personal data is to receive reports of violations of the law and to take appropriate follow-up action.
  4. The legal basis for the processing is:

for the processing of personal data of whistleblowers - Article 6(1)(c) and Article 9(2)(b) of the GDPR, i.e. the processing is necessary for the fulfilment of a legal obligation incumbent on the controller and the processing is necessary for the fulfilment of obligations and the exercise of specific rights by the controller or the data subject in the field of labour law, social security and social protection, including in relation to the performance of obligations imposed by the Law on the Protection of Whistleblowers, in particular accepting and documenting a report from a whistleblower (Article 26), conducting an investigation keeping a register of internal reports (Article 29);
in the case of the processing of personal data of reported persons (including, inter alia, witnesses to a breach of the law) - Article 6(1)(f) GDPR, i.e. the processing is necessary for the performance of a task carried out in the public interest.

  1. Recipients of the data may be entities to whom personal data must be made available in order to comply with a legal obligation, e.g. public authorities, courts and trusted entities entrusted by the controller with data processing.
  2. Personal data will be retained for a period of 3 years after the end of the calendar year in which the follow-up actions have been completed or the proceedings initiated by these actions have been concluded. Personal data that have been collected inadvertently and that are not relevant to the case will be deleted immediately and, at the latest, within 14 days from the date on which it is established that they are not relevant to the case.
  3. You have the right to request the Controller to access, rectify, erase or restrict processing of your personal data, as well as the right to data portability.
  4. The right to data portability allows data subjects to access their personal data in a structured, commonly used and machine-readable format and to transmit it to another controller without hindrance from the original controller. This right is available in situations where the legal basis for the processing is:

the consent of the data subject (Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR), or
the performance of a contract to which the data subject is party (Article 6(1)(b) GDPR). Data covered by the right to portability must be processed by technical means, e.g. in IT systems. This right does not apply to data processed in paper form. This right only covers personal data that the person has provided to the controller, such as data entered during account registration, data in online forms or data collected during the use of services (e.g. purchase history, user preferences). The data subject may request that the data be transferred directly to another controller if this is technically possible. The right to data portability does not affect the rights and freedoms of others - if the rights of others could be affected by the data portability, the controller may limit the scope of the portability. The right to data portability does not extend to situations where the processing is based on a legal ground other than consent or contract, e.g. a legal obligation of the controller or a task carried out in the public interest.

  1. You have the right to lodge a complaint to the supervisory authority, i.e. the President of the Office for Personal Data Protection, if you consider that the processing of your personal data by the Controller violates the provisions on personal data protection.
  2. The provision of personal data is voluntary, however, it may be necessary in order to accept reported infringements of the law and take appropriate follow-up actions if the Controller decides not to accept anonymous reports.