Data management information related to the internal whistleblowing system

DATA PROCESSING NOTICE

CONCERNING DATA PROCESSING ASSOCIATED WITH THE OPERATION OF GB SOLUTIONS ZRT.'S INTERNAL WHISTLEBLOWING SYSTEM

Effective Date: December 17, 2023

I. IDENTIFICATION OF THE DATA CONTROLLER

Data Controller: GB SOLUTIONS Information Technology and Consulting Service Private Company Limited by Shares (hereinafter referred to as: GBS)

Registered Office: 1092 Budapest, Köztelek utca 6.

Company Registration Number: 01-10-140044 (Registry Court: Company Registry Court of Budapest-Capital Regional Court)

Tax Number: 26568320-2-42

Email: visszaelesbejelentes@intuitech.studio

Information related to data processing associated with the operation of GBS's internal whistleblowing system is continuously available at https://gbsolutions.io/visszaelesbejelentés.

II. REGULATIONS SERVING AS THE BASIS FOR DATA PROCESSING

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR);
Act CXII of 2011 on the Right of Informational Self-Determination and on the Freedom of Information (hereinafter: Info Act);
Act XXV of 2023 on complaints, public interest disclosures, and related rules on whistleblowing (hereinafter: Complaint Act);
Act V of 2013 on the Civil Code.

III. SCOPE OF PROCESSED DATA, PURPOSE, LEGAL BASIS, AND DURATION OF DATA PROCESSING

1. FILING AND INVESTIGATION OF WHISTLEBLOWING REPORTS

Personal Data and Objective of Processing

a) Name (surname and given name): Identification of the whistleblower.

b) Contact details (telephone number, email address, postal address): Communication.

c) Data recorded in the report (names of involved and contested individuals and organizations, description of the incident, other related information): Investigation of the report.

d) Employment-related data (position, information related to contractual relationships, voluntary work, etc.): Verification of reporting eligibility as defined by the Complaints Act.

Reports can be made within the internal whistleblowing system by:

Employees of GBS;
Former employees of GBS;
Applicants for, or candidates at GBS;
Individuals undertaking or having completed internships or voluntary work at GBS;
Persons with ownership interest in GBS, as well as members of GBS's executive, managing, or supervisory bodies, including non-executive members;
Sole proprietors or individual companies contracted with GBS;
Contractors, subcontractors, suppliers in contractual relations with GBS or under GBS's supervision.

Legal Basis for Data Processing:

GBS processes the aforementioned data pursuant to Sections 18-29 and 41-49 of the Complaints Act, and to fulfill legal obligations as per Article 6(1)(c) of the GDPR.
Should the data subject voluntarily provide personal data, GBS processes such data based on Article 6(1)(a) of the GDPR.

The data contained in the report can be processed exclusively by:

the internal complaint handler of GBS;
the person involved for the purpose of conducting the investigation, ensuring the principle of proportionality in data processing.

Data Retention Period:

Personal data that are not necessary for the purpose of the report are deleted immediately.
If the investigation determines that the report is unfounded or further action is unnecessary, personal data relating to the report are deleted within 60 days following the conclusion of the investigation.
If action is taken based on the report, including legal action against the whistleblower, data related to the report are retained until the final closure of procedures initiated based on the report.

IV. ACCESS TO PERSONAL DATA AND DISCLOSURE TO THIRD PARTIES

The internal whistleblowing system is designed to ensure that personal data of identified whistleblowers and individuals involved in the report are only accessible to authorized persons. The investigators of the report may share information pertaining to the report or involved individuals with other organizational units or employees to the extent necessary for conducting the investigation.

If a whistleblower protection attorney or an external organization is engaged in the investigation, personal data may also be disclosed to them.

Personal data of the whistleblower cannot be disclosed without their consent. If the report pertains to a natural person, during the exercise of their right to information and access concerning their personal data, the whistleblower's personal data cannot be disclosed to the requesting party.

If it becomes clear that the whistleblower acted in bad faith by providing false data or information, and:

a. there is a circumstance that suggests the commission of a crime or infraction, their personal data must be forwarded to the competent authority or individual entitled to conduct the procedure,

b. it is probable that they caused unlawful damage or legal harm to others, their personal data must be provided upon request to the authority or person entitled to initiate or conduct proceedings.

Data processed within the internal whistleblowing system may only be transferred to a third country or international organization if the recipient legally commits to observe the rules pertaining to the report as stipulated in the Complaint Act and ensures data protection measures.

V. THE RIGHTS OF THE DATA SUBJECT IN RELATION TO DATA PROCESSING

Right to Access (Right to Request Information): Data subjects may request information at any time regarding whether their personal data is processed by contacting us through the specified contact details. They can also request detailed information about the purposes of the processing, legal basis, categories of personal data processed, recipients or categories of recipients with whom data has been or will be shared, including those in third countries, and the data retention period. Additionally, they can inquire about their rights to request rectification, erasure, or restriction of processing, object to processing, lodge a complaint with the NAIH, and inquire about the data source and any data breach incidents.
A copy of the processed personal data is provided to the data subject free of charge with the information. A reasonable fee based on administrative costs may be charged for additional copies. This amount will be communicated to the data subject in advance.
Right to Rectification and Supplementation: If the data subject notices that some personal data are recorded inaccurately or incompletely, they should promptly provide the accurate or supplementary data to GBS to ensure rectification and supplementation.
Right to Erasure (“Right to be Forgotten”): Data subjects are entitled to request the deletion of their personal data. If data processing has no other legal basis, withdrawing consent to data processing will also lead to data deletion. We inform you that data deletion may be refused, especially if needed for legal compliance or the enforcement of legal claims.
Right to Restriction of Processing: During the data processing, the data subject may request restriction of data processing if (i) they contest the accuracy of the personal data, in which case processing is restricted for a period enabling verification of data accuracy; (ii) the processing is unlawful and instead of erasure, they oppose data deletion and request restriction of its use; (iii) GBS no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims; (iv) the data subject has objected to processing, pending verification of whether the legitimate grounds of the data controller override those of the data subject.

In case of restriction, the data will only be stored, and further processing will only occur if the data subject consents or it is necessary for the protection of the rights of others, public interest, or the establishment, exercise, or defense of legal claims. The data subject will be informed in advance about the lifting of the restriction on processing.

VI. LEGAL REMEDIES RELATING TO DATA PROCESSING

We kindly ask that you submit your requests in writing using any of our specified contact details when asserting your rights. In your letter, please provide your identity information and correspondence address required for identification. If we have doubts about your identity or the data provided is insufficient for identification, we may request additional identification data.

We will fulfill your request within one month. If necessary, we may extend this deadline by two additional months, and we will inform you accordingly with reasons.

Valid requests will be fulfilled free of charge. However, if a request is manifestly unfounded or excessive, especially due to its repetitive nature, we may charge a reasonable fee or refuse to act on the request.

We will notify anyone with whom we have shared the data regarding data correction, deletion, or restriction, except when this proves impossible or involves disproportionate effort. Upon request, we will inform you about these recipients.

VII. OPTIONS FOR FILING COMPLAINTS CONCERNING THE PROCESSING OF PERSONAL DATA

If you believe GBS is not processing your personal data lawfully, we kindly ask you to first communicate your observations and claims with GBS, as the data controller, through the provided contact channels, so we can handle and process your feedback as quickly and effectively as possible.

In case of unlawful data processing, you may contact the National Authority for Data Protection and Freedom of Information (NAIH) and initiate its proceedings.

NAIH Contact Details:

Website: https://www.naih.hu/

Address: 1055 Budapest, Falk Miksa Street 9-11

Mailing Address: 1363 Budapest, P.O. Box 9

Email: ugyfelszolgalat@naih.hu

You are also entitled to pursue your claim in court. They have competence over such proceedings, and you may file a lawsuit at the competent court at the location of the GBS registered office or, at your discretion, at the applicable court based on your residence or habitual residence. You can find the contact details of the courts on the https://birosag.hu/ugyfeleknek/birosagok/torvenyszekek page.