Data protection-Whistleblowing - Skupina ZSE

Internet Explorer is not supported

We recommend to use Firefox or Chrome browser to get the correct browsing experience.


This document contains information on the terms and conditions of processing personal data of whistleblowers and other affected persons in line with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) and the Act No. 18/2018 Z.z. on Personal Data Protection and on amendment of certain acts (“Act”) when verifying reports of misconduct harmful to the society and suspicions of violation of the ZSE Group's Code of Conduct.


Západoslovenská energetika, a. s., situation of the registered office at Čulenova 6, 816 47 Bratislava, CRN: 35 823 551, registered in the companies register of District Court Bratislava III, Section: Sa, File No.: 2852/B (“ZSE”, “Controller” or “we” in the applicable form),, processes personal data of whistleblowers and other persons in the scope and under conditions indicated in this document and as a controller, is responsible for their protection and processing. Unless otherwise stated in legal regulations, ZSE is also responsible for the processing of personal data by processors appointed by ZSE for this purpose.


We believe that more information leads to better understanding of the rules of processing personal data. In the following part, we therefore explain the most important terms used in relation to personal data protection.

Personal data – means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Report – is a statement of facts which the natural person learned about in relation to their job, work, position or function, or in relation to activity in public interest, which concern misconduct harmful to the society or a violation of the ZSE Group's The Code of Conduct.

Whistleblower – a natural person, including anonymous person, who makes a report.

Data subject – is identified or identifiable natural person who is the subject of personal data. A data subject is especially:

  • natural person making the report,
  • natural person identified in the report or natural person against whom the report is made (including employees of the ZSE Group companies or members of the statutory body of such company).

Controller – is the subject who determines the conditions of personal data processing and is responsible for personal data processing.

Processor – means the subject who processes personal data on behalf of the controller. The controller may authorise the processor to process personal data without the data subject's consent, however, the controller must verify that the processor provides sufficient guarantees to ensure compliance of personal data processing with the GDPR.

Processing - means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.



Depending on the specific purpose of processing and the legal basis, we process the following categories of personal data:

a) Identification data (name, surname, title, date of birth, Business ID, data on listing in a registry or other records);

b) Contact data (address of residence/place of business, mailing address, telephone number, email address);

c) Content of the report including the description of events and factual information which may include personal data;

d) Data concerning the manner of handling and notification;

e) Other data necessary to comply with legal requirements, and defend, exercise and prove legal claims.


We process personal data for purposes of verifying reports of misconduct harmful to the society in the scope and manner specified by legal regulations. We process personal data for purposes of verifying reports and suspicions of violation of the ZSE Group's The Code of Conduct in the scope and manner necessary for the protection of our legitimate interests.

If the data subject is concerned that personal processing based on the legitimate interest outweighs their basic rights and liberties, they may object to it.

Personal data are processed and disclosed to other subjects if there is a legal requirement stipulated by law or if it is necessary for the protection of our legitimate interests.

Acquired personal data can subsequently be processed for statistical purposes in a manner compatible with the original purpose, whereas ZSE shall ensure that personal data are only used to the necessary extent, or that only information which is not deemed personal data is processed.

3.2.1 Legal obligation

As part of compliance with the obligations stipulated by law, we process personal data (including their disclosure to other subjects) especially for the following purposes:

  • compliance with the obligation to verify reports under the Act No. 54/2019 Z. z. on Protection of Whistleblowers and on the Amendment of Certain Acts as amended;
  • resolving legal disputes (Act No. 160/2015 Z. z. Code of Civil Contentious Procedure, Act No. 162/2015 Z. z. Code of Administrative Court Proceedings and related laws);
  • disclosure of information for purposes of criminal proceedings (Act No. 301/2005 Z. z. Criminal Procedure Code, Act No. 171/1993 Zb. on Police Force and related laws);
  • disclosure of information required for the evaluation of the state of facts (Act No. 160/2015 Z.z. Code of Contentious Civil Procedure and related laws);
  • compliance with the obligations under GDPR and the Act, especially exercising rights of data subjects and possible investigation of personal data breach.
  • compliance with obligations under the Act No. 311/2001 Z. z. Labour Code as amended, Act No. 91/2016 Z. z. on Criminal Liability of Legal Persons as amended, and Act No. 195/2002 Z.z. on Archives and Registries and on Amendment of Certain Acts as amended.

Time of personal data processing is based on applicable laws. If, in the specific case, there is no justified need to retain the data over a longer period, they are retained for 3 years from the delivery of the report.

3.2.3 Legitimate interest

Legitimate interest is the basis for processing personal data if we follow certain interests crucial for us, whereas the personal data processing is required to protect and perform these interests. As prior consent is not required for using data, personal data processing has to be done in an adequate manner, which the data subjects can expect in connection with relations towards ZSE and in a manner that prevents excessive interference with interests and basic rights of data subjects.

You have the right to object to the processing of data for purposes of justified interests. In that case we may still process your personal data only if we prove necessary justified reasons for processing which prevail over your interests, rights and liberties.

ZSE processes personal data for purposes of legitimate interests, which are:

  • compliance with the ZSE Group's The Code of Conduct;
  • protection of property and property rights;
  • proving the compliance with legal and contractual obligations;
  • statistical purposes


ZSE obtains personal data mainly directly from whistleblowers, from other persons during the investigation of the report, from own records gained for other purposes (e.g. accounting, surveillance camera records, etc.), from persons for are members of the ZSE Group and from publicly available sources. 


When processing personal data for purposes of verifying reports of misconduct harmful to the society and reports and suspicions of violations of the ZSE Group Code of Conduct, ZSE does not carry out automated individual decision-making including profiling without human intervention, which could have legal or similarly significant effect on the data subjects.


Transfer of personal data to third countries (outside EU/EEA) will only take place if according to the decision of the Commission (EU) the third country provides adequate protection or the controller and/or processor who imported the data offered adequate guarantees of personal data protection (e.g. through standard clauses on data protection).


Personal data are provided primarily to processors who were authorised by us to process them on our behalf. These are particularly consulting companies, law firms, IT service providers and other persons whose services we use during the provision of our services. We carefully choose our processors to be able to ensure that the legal requirements for data protection are met.

Personal data may be disclosed to public authorities and other authorised entities under applicable laws. These are particularly Whistleblower Protection Office, courts of law, lawyers, distrainors, notaries, trustees in bankruptcy, law enforcement authorities, tax administrator, district authorities, Office for Personal Data Protection of the Slovak Republic, Ministry of Interior of the Slovak Republic, Labour Inspectorate, and in specific cases, ZSE Group and E.ON Group companies.


5.1 Data subject's rights

The data subject is entitled to:

  • obtain from ZSE a confirmation whether personal data relating to him or her are processed and if so, he or she is entitled to access to such personal data, information on personal data processing and a copy of data (ZSE shall be entitled to charge an adequate fee for administrative costs related to issuing additional copies);
  • for ZSE to rectify incorrect personal data relating to the data subject without undue delay,
  • right to erasure, i.e. right to make ZSE without undue delay erase personal data relating to him or her, and the controller is obliged to erase personal data without undue delay, provided that conditions indicated in Article 17 of GDPR are met;
  • right to restriction of personal data processing in cases specified in Article 18 of GDPR;
  • right to withdraw consent (this right does not apply if data are processed on a legal basis other than data subject’s consent);
  • right for transferability of data, meaning the right to get personal data related to him/her, which he/she provided to ZSE, in a structured, generally used format that can be displayed on computers, and the right to transfer this data to another controller, if conditions under Article 20 of GDPR are met;
  • to object against the processing of personal data related to him/her any time due to reasons related to his/her specific situation, if such processing is being conducted based on a legitimate interest, including objecting against profiling;
  • right not to be subject to decisions based exclusively on automated processing, including profiling, which has the legal effects applying to him/her, relates to him/her or significantly impacts him/her;
  • seek protection of his/her rights at the relevant court under Article 78 of GDPR;
  • file a complaint with the supervisory authority, especially in the member state of his or her habitual residence, place of work or place of the alleged infringement if the data subject assumes that the processing of personal data relating to him or her infringes GDPR. For the Slovak Republic, the supervisory authority is the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, phone: +421 2 3231 3214, email:

5.2 How to exercise your rights

In order to protect the rights of data subjects and prevent potential misuse or leak of personal data, data subjects' rights can be exercised exclusively in the following manner:

  • By means of a letter sent or delivered to the registered office / mailing office of ZSE;
  • Via email at:

For the request to exercise the rights to be accepted it is necessary to sufficiently identify the applicant and to clearly specify the subject of the request. Otherwise the request will be rejected. In order to make access to their rights easier for data subjects, we prepared request templates available at, section “Personal data protection”.

With regard to the right to access to data, the right for transferability of data and right to erasure of data whose misuse could seriously affect the data subject's rights and liberties, we require for the applicant's signature on the request sent by post or delivered to the post room to be officially certified; if the request is sent via email, it must be signed using the applicant's qualified electronic signature.

If the data subject's right is exercised by another person based on the power of attorney, we require the original of the power of attorney with officially certified authorizer's signature; the power of attorney may not be older than 6 months.


Should you have any questions or comments related to personal data protection, please contact our data protection officer via email at: or by means of letter to Západoslovenská energetika, a.s. – Data protection officer, Čulenova 6, 816 47 Bratislava.


This document comes into effect on 1 July 2023.

Version: July 2023