This document contains information on the terms and conditions of processing personal data of whistleblowers and other affected persons in line with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) and the Act No. 18/2018 Z.z. on Personal Data Protection and on amendment of certain acts (“Act”) when verifying reports of misconduct harmful to the society and suspicions of violation of the ZSE Group's Code of Conduct.
Západoslovenská energetika, a. s., situation of the registered office at Čulenova 6, 816 47 Bratislava, CRN: 35 823 551, registered in the companies register of District Court Bratislava III, Section: Sa, File No.: 2852/B (“ZSE”, “Controller” or “we” in the applicable form), www.skupinazse.sk, processes personal data of whistleblowers and other persons in the scope and under conditions indicated in this document and as a controller, is responsible for their protection and processing. Unless otherwise stated in legal regulations, ZSE is also responsible for the processing of personal data by processors appointed by ZSE for this purpose.
We believe that more information leads to better understanding of the rules of processing personal data. In the following part, we therefore explain the most important terms used in relation to personal data protection.
Personal data – means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Report – is a statement of facts which the natural person learned about in relation to their job, work, position or function, or in relation to activity in public interest, which concern misconduct harmful to the society or a violation of the ZSE Group's The Code of Conduct.
Whistleblower – a natural person, including anonymous person, who makes a report.
Data subject – is identified or identifiable natural person who is the subject of personal data. A data subject is especially:
Controller – is the subject who determines the conditions of personal data processing and is responsible for personal data processing.
Processor – means the subject who processes personal data on behalf of the controller. The controller may authorise the processor to process personal data without the data subject's consent, however, the controller must verify that the processor provides sufficient guarantees to ensure compliance of personal data processing with the GDPR.
Processing - means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Depending on the specific purpose of processing and the legal basis, we process the following categories of personal data:
a) Identification data (name, surname, title, date of birth, Business ID, data on listing in a registry or other records);
b) Contact data (address of residence/place of business, mailing address, telephone number, email address);
c) Content of the report including the description of events and factual information which may include personal data;
d) Data concerning the manner of handling and notification;
e) Other data necessary to comply with legal requirements, and defend, exercise and prove legal claims.
We process personal data for purposes of verifying reports of misconduct harmful to the society in the scope and manner specified by legal regulations. We process personal data for purposes of verifying reports and suspicions of violation of the ZSE Group's The Code of Conduct in the scope and manner necessary for the protection of our legitimate interests.
If the data subject is concerned that personal processing based on the legitimate interest outweighs their basic rights and liberties, they may object to it.
Personal data are processed and disclosed to other subjects if there is a legal requirement stipulated by law or if it is necessary for the protection of our legitimate interests.
Acquired personal data can subsequently be processed for statistical purposes in a manner compatible with the original purpose, whereas ZSE shall ensure that personal data are only used to the necessary extent, or that only information which is not deemed personal data is processed.
As part of compliance with the obligations stipulated by law, we process personal data (including their disclosure to other subjects) especially for the following purposes:
Time of personal data processing is based on applicable laws. If, in the specific case, there is no justified need to retain the data over a longer period, they are retained for 3 years from the delivery of the report.
Legitimate interest is the basis for processing personal data if we follow certain interests crucial for us, whereas the personal data processing is required to protect and perform these interests. As prior consent is not required for using data, personal data processing has to be done in an adequate manner, which the data subjects can expect in connection with relations towards ZSE and in a manner that prevents excessive interference with interests and basic rights of data subjects.
You have the right to object to the processing of data for purposes of justified interests. In that case we may still process your personal data only if we prove necessary justified reasons for processing which prevail over your interests, rights and liberties.
ZSE processes personal data for purposes of legitimate interests, which are:
ZSE obtains personal data mainly directly from whistleblowers, from other persons during the investigation of the report, from own records gained for other purposes (e.g. accounting, surveillance camera records, etc.), from persons for are members of the ZSE Group and from publicly available sources.
When processing personal data for purposes of verifying reports of misconduct harmful to the society and reports and suspicions of violations of the ZSE Group Code of Conduct, ZSE does not carry out automated individual decision-making including profiling without human intervention, which could have legal or similarly significant effect on the data subjects.
Transfer of personal data to third countries (outside EU/EEA) will only take place if according to the decision of the Commission (EU) the third country provides adequate protection or the controller and/or processor who imported the data offered adequate guarantees of personal data protection (e.g. through standard clauses on data protection).
Personal data are provided primarily to processors who were authorised by us to process them on our behalf. These are particularly consulting companies, law firms, IT service providers and other persons whose services we use during the provision of our services. We carefully choose our processors to be able to ensure that the legal requirements for data protection are met.
Personal data may be disclosed to public authorities and other authorised entities under applicable laws. These are particularly Whistleblower Protection Office, courts of law, lawyers, distrainors, notaries, trustees in bankruptcy, law enforcement authorities, tax administrator, district authorities, Office for Personal Data Protection of the Slovak Republic, Ministry of Interior of the Slovak Republic, Labour Inspectorate, and in specific cases, ZSE Group and E.ON Group companies.
The data subject is entitled to:
In order to protect the rights of data subjects and prevent potential misuse or leak of personal data, data subjects' rights can be exercised exclusively in the following manner:
For the request to exercise the rights to be accepted it is necessary to sufficiently identify the applicant and to clearly specify the subject of the request. Otherwise the request will be rejected. In order to make access to their rights easier for data subjects, we prepared request templates available at www.skupinazse.sk, section “Personal data protection”.
With regard to the right to access to data, the right for transferability of data and right to erasure of data whose misuse could seriously affect the data subject's rights and liberties, we require for the applicant's signature on the request sent by post or delivered to the post room to be officially certified; if the request is sent via email, it must be signed using the applicant's qualified electronic signature.
If the data subject's right is exercised by another person based on the power of attorney, we require the original of the power of attorney with officially certified authorizer's signature; the power of attorney may not be older than 6 months.
Should you have any questions or comments related to personal data protection, please contact our data protection officer via email at: firstname.lastname@example.org or by means of letter to Západoslovenská energetika, a.s. – Data protection officer, Čulenova 6, 816 47 Bratislava.
This document comes into effect on 1 July 2023.
Version: July 2023