Information clause for KRUK Group companies regarding whistleblowing notifications
Basic information on the processing of your personal data by KRUK Group entities pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR").
Personal data controller
The controller of your data is the KRUK Group entity that is related to the report made via the Whistleblowing system (the "System"). This may be:
Data Protection Officer
We have appointed a Data Protection Officer whom you may reach for all matters concerning the processing of your personal data and your rights in this regard. You may write to him by contacting the relevant Personal Data Inspector:
Why and on what basis do we process your personal data?
The System is used to report, receive and handle internal breaches at KRUK S.A. and Raven P. Krupa Law Firm sp. komandytowa. The purpose of the System is to ensure compliance of the business conducted by KRUK S.A. and Raven P. Krupa Law Firm Spółka komandytowa with the applicable laws, internal regulations, market and ethical standards. The System allows you to communicate potential compliance breaches that may have serious consequences for the organization. This includes consequences related to criminal liability.
Your personal data is processed on the basis of the legal obligation incumbent on the Controller, which is to receive, verify and clarify reports of breaches of law in accordance with Article 6(1)(c) in conjunction with Article 8(4) of the Whistleblower Protection Act of 14 June 2024, in conjunction with Article 97d of the Act on Public Offering, Conditions Governing the Introduction of Financial Instruments to Organised Trading, and Public Companies, Article 53 of the Act on Counteracting Money Laundering and Terrorist Financing and in connection with the provisions of EU Directive 2019/1937.
Who can we receive your data from and what data are we talking about?
The use of the System to report violations is voluntary, thus the data provided to us by the System comes directly from the reporting party, i.e. from you. The information provided to us determines what data we will process. We process the following data on a regular basis:
Do you have to provide us with your personal data?
Providing data is voluntary.
How long do we keep your personal data?
The data shall be stored for a period of 3 years after the end of the calendar year in which the follow-up actions were completed, after the end of the proceedings initiated by these actions or after the report was forwarded to the public authority competent to take follow-up actions, if that was the case.
Personal data that are not relevant to the investigation are not collected, and in the event of accidental collection, they are deleted within 14 days of determining that they are not relevant to the case.
Who can we share your personal data with?
Your data may be shared with entities that support our activities, such as entities that provide legal services, entities that support our IT infrastructure, our advisors or auditors and law enforcement authorities, as well as other authorities and entities where the obligation to provide data arises from legal provisions. The data provided is processed by employees of the Compliance Department of KRUK S.A. authorised to handle this channel, and, where required (including conducting an investigation), by persons authorised to provide services in the Departments connected with the report. As a matter of principle, we do not transfer data to third parties. However, it may happen that we transfer the provided data to other departments of the controller or to KRUK Group companies in accordance with Article 28 of the GDPR if it is necessary to clarify the matter. As a general rule, we are required by law to inform the accused persons or witnesses named in the report that we have received a notification about them, as long as such information does not impede further investigation of the report. The identity of the notifier will not be disclosed to the extent permitted by law.
Profiling and automated decision-making
Your personal data will not be subject to automated decision-making, including profiling.
Transfer of your personal data outside the European Economic Area (EEA)
We use suppliers and partners outside the EEA, and it is therefore possible that personal data will be transferred to countries outside the EEA. Such a transfer of personal data may take place on the basis of a decision stating the appropriate level of protection or subject to appropriate safeguards (Art. 45 and 46 GDPR).
What rights do you have in relation to your data and how can you exercise them?
Pursuant to the GDPR, you have the right to:
If you wish to exercise the above rights, you may submit your request to us by:
for KRUK S.A.:
for RAVEN P. Krupa Law Firm, sp. komandytowa: