PPC, acting as Data Controller in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and the relevant provisions of Greek legislation on the protection of personal data, as applicable, hereby provides information on the categories of personal data it collects, the data subjects, the purpose of their collection and processing, any recipients, the retention period, any transfer to third countries (outside the EEA), as well as their rights regarding their data and how they can exercise them, subject to the specific provisions of Law 4990/2022 on the protection of persons reporting breaches of Union law and special regulations concerning the processing of personal data by competent authorities.
In the context of submitting and investigating reports through internal channels, PPC acts as the Data Controller for the personal data collected in relation to reports concerning the Company.
Categories of Personal Data collected
The data processed includes reports, as well as data processed during the submission, monitoring, management, and archiving of reports.
Indicatively, we process data such as surname and first name, contact details (e.g., email address, telephone number), job position, information regarding any complaints you have submitted or that concern you, as well as information about current or previous investigations in which you may have been involved.
The data must be strictly adequate, relevant, and limited to what is required for achieving the purposes of Law 4990/2022. Personal data that are clearly unrelated to the report should not be submitted; otherwise, they will not be subject to further processing and will be deleted without undue delay.
Categories of Data Subjects
During the operation of the reporting channels, PPC may process the data of the following categories of data subjects, as defined in Law 4990/2022: (a) reporting parties/complainants, (b) persons reported, (c) facilitators, and (d) third parties who may be named in reports or whose data may be included in recorded follow-up actions.
Purposes of processing personal data
The purposes of processing are:
(a) compliance with the obligation to establish and operate internal reporting channels,
(b) the submission, monitoring, management, and archiving of reports,
(c) protection of reporting parties/complainants, particularly against retaliation,
(d) the taking of disciplinary measures or the initiation of legal proceedings against persons reported for violations,
(e) providing information on potential criminal offenses to the competent prosecuting and judicial authorities,
(f) ensuring the security and confidentiality of the report monitoring process and the data processed in relation to it,
(g) establishing, exercising, or defending legal claims of the Company or third parties, and
(h) improving the Company’s organization and administration.
Legal Basis for the Processing of Personal Data
The legal basis for processing is PPC’s compliance with its legal obligations arising from Law 4990/2022 [Article 6 §1(c) GDPR], which requires the establishment and operation of an internal reporting channel, as well as the implementation of measures for the review and investigation of reports.
The processing of special categories of data that may be submitted with the report or arise during its investigation and/or monitoring is based on the exceptions provided in Article 9 §2(g) GDPR (substantial public interest) and Article 9 §2(f) GDPR (establishment, exercise, or defense of legal claims), in conjunction with Articles 11 and 12 of Law 4990/2022. The processing of data relating to criminal convictions and offenses is carried out in accordance with Article 10 GDPR and Articles 11 and 12 of Law 4990/2022.
Recipients of Personal Data
Access to the personal data contained in the reports is granted to the designated Officer for each company within the Group, who is responsible for receiving, monitoring, and managing the reports, as well as other authorized Group personnel or specifically appointed individuals from subsidiaries to the extent necessary for fulfilling the purposes.
In particular, the Officer ensures the confidentiality and protection of the reporting party’s/complainant’s personal data, unless the reporting party/complainant has explicitly consented to the disclosure of their identity.
Personal data may also be accessed by the following categories of processors acting on behalf of the Data Controller:
(a) providers of professional advisory services supporting report monitoring activities, and
(b) auditors conducting checks to fulfill the Company’s legal obligations.
The Company may transmit personal data to lawyers and law firms for the provision of legal services aimed at establishing, exercising, or defending the Company’s legal claims.
Finally, relevant information may be transferred to competent supervisory, law enforcement, and judicial authorities in the context of fulfilling the Company’s legal obligations or exercising or defending its legal claims.
All individuals authorized to access the data are expressly required to maintain its confidentiality.
Duration of Personal Data Retention
The Company stores and retains report records for a period of five (5) years from the completion of monitoring of the respective report or from the implementation of measures to protect reporting parties/complainants, or the imposition of disciplinary measures and/or the initiation of legal proceedings against reported persons or third parties.
The Company may retain personal data beyond the aforementioned period in the following exhaustively listed cases: (a) where it is necessary, and for as long as required, for the fulfilment of the purposes of processing; or (b) where we are subject to a legal obligation under an applicable statutory provision; or (c) for the safeguarding of our rights and legitimate interests before any competent court and any other public authority, within the applicable statutory limitation period(s).
Rights of data subjects regarding their personal data
Right to Access: Individuals have the right to obtain confirmation as to whether personal data concerning them is being processed and, where that is the case, to access the personal data and receive a copy thereof.
Right to Rectification: Individuals have the right to obtain the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.
Right to Erasure: Individuals have the right to request the erasure of their personal data, in particular where such data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or where they withdraw consent on which the processing is based (where applicable).
Right to Restriction of Processing: Individuals have the right to request the restriction of processing in the cases provided for by applicable law.
Right to Data Portability: Individuals have the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used, and machine-readable format.
Right to Object: Individuals have the right to object, on grounds relating to their particular situation, to the processing of their personal data where such processing is based on legitimate interests (and/or where applicable, the performance of a task carried out in the public interest), including profiling to the extent that it is related to such processing.
Please note that under Law 4990/2022, certain GDPR rights (such as the right to be informed, the right of access, the right to object, or the right to erasure) may be temporarily restricted for individuals named in a report or whose data arises in the course of the investigation. Such restriction is provided for in Article 15 of Law 4990/2022, in conjunction with Article 23 GDPR, and applies only to the extent necessary to protect the report, ensure the proper conduct of the investigation, and prevent retaliation.
Specifically, PPC, as Data Controller, by way of derogation from the relevant GDPR provisions:
In such cases of restricting data subject rights, PPC, as Data Controller, takes all necessary technical and organizational measures to safeguard the rights and freedoms of individuals.
Contact details for exercising your rights and for the Data Protection Officer (DPO)
Exercise of Rights: whistleandspeakup@dei.gr or via the contact form.
Contact the Data Protection Officer: dpo.office@dei.gr
Alternatively, if reporting parties/complainants believe that their requests have not been adequately satisfied and that the protection of their personal data is compromised in any way, they may file a complaint with the Hellenic Data Protection Authority (1–3 Kifisias Ave., 115 23 Athens, Tel.: +30 210 6475600, https://www.dpa.gr/el/syndesi/prosvasi). Detailed instructions for submitting a complaint are provided on the Authority’s website.