PRIVACY POLICY - INFORMATION FOR WHISTLEBLOWERS

Dear Madam or Sir,

we are aware that protecting your personal data provided in connection with your report of possible unlawful conduct is very important to you. In this Policy, we therefore describe in detail how we process your personal data within the internal whistleblowing system we have implemented in accordance with Act No. 171/2023 Coll., on the protection of whistleblowers, as amended (hereinafter the “Act”).

Basic information on how you, our employees, interns, trainees, co-operating self-employed persons, members of our company’s bodies, employees of our company’s business partners and other persons defined in Section 2(3) of the Act, may submit a report, what reports are protected by law, or how a report is handled, can be found in the Information for whistleblowers available at /en_GB/whistleblowing/information-for-whistleblowers and on the Company’s intranet. Further information for employees is also contained in the relevant internal regulation.

Personal data mean any information relating to a specific natural person, who can be identified based on such information or its combination with other information.

TABLE OF CONTENTS

- Who is the controller of your personal data?

- Which of your personal data do we process and for what purpose?

- From what sources do we obtain your personal data?

- Recipients of personal data

- Do we transfer the personal data to countries outside the EEA?

- How are your personal data secured?

- For how long will we retain your personal data?

- What are your rights relating to the personal data processing?

- Enquiries and contact details

- Amendments to this Policy

Who is the controller of your personal data?

The data controller is the company 2N TELEKOMUNIKACE a.s., Id. No: 26183960, with its registered office in Prague 4, Modřanská 621/72, Postal Code 14301, File No. B 6613, kept by the Municipal Court in Prague (hereinafter the“Company”).

The Company determines the ways and purposes of the processing of your personal data.

The Company has appointed a competent person to receive and assess the validity of the report. Contact details of the competent person can be found in chapter “Enquiries and contact details” below.

Which of your personal data do we process and for what purpose? 

The personal data that we collect in connection with reports that you submit through the internal whistleblowing system and the legal basis and purpose of their processing are described in detail below.

Personal information Purpose of processing Legal basis for processing

Basic identification and contact details of the whistleblower:
• name and surname; 
• date of birth;
• contact details;
• other data from which the identity of the whistleblower can be inferred.

Report data:
• details of the receipt, assessment and resolution of the report;
• a summary of the contents of the report; 
• personal data of other persons specified in the report.

• Receipt and assessment of the report in accordance with the law; 
• prevention of unlawful conduct;
• enforcing compliance with legal regulations and the internal regulations of the Company.

• Performance of the Company’s legal obligations;
• the Company’s legitimate interest in compliance with legal regulations by its employees and prevention of unlawful conduct.
Audio recording of an oral report • Consent of the data subject.

From what sources do we obtain your personal data? 

We obtain personal data primarily from the whistleblower and other persons involved in processing reports or from systems or records kept by the Company. We may also obtain such data from publicly accessible sources, from other persons or public authorities. 

Recipients of personal data

The recipient of personal data of the whistleblower and other persons identified in the report/investigation of reports of identified persons is the competent person who receives, records, assesses and investigates individual reports. 

Personal data may also be disclosed to prosecuting bodies or other public authorities under the conditions specified by the law. 

Information on the identity of the whistleblower and other protected persons may be provided only with their written consent unless the competent person is obliged to provide such information to the relevant public authorities pursuant to other legal regulations. If the competent person provides information on the identity of the whistleblower to a public authority, he/she is obliged to notify the whistleblower in advance, together with the reasons for which he/she is obliged to provide the information, and allow the whistleblower to comment on the provision of the information. 

Do we transfer the personal data to countries outside the EEA?

The Company does not transfer your personal data outside the European Economic Area (EEA). 

How are your personal data secured?

In order to ensure confidentiality, integrity and availability of your personal data, the Company uses modern security systems. Specifically, we adopted suitable security, technical and organisational measures against illegal or unauthorised personal data processing and against accidental loss and destruction of personal data. The specific technical and organisational measures are specified in Annex 1 hereto. 

Access to your personal data is granted only to the competent person who receives, records, assesses and investigates individual reports. 

For how long will we retain your personal data?

We will retain your personal data only for the period necessary to fulfil the respective collection purpose (see above), to protect our legitimate interests (e.g. in a lawsuit and/or for inspection purposes) and to comply with our statutory archiving duties, as the case may be.

The competent person is obliged to keep the reports submitted through the internal whistleblowing system and the related documents for a period of 5 years from the date of receipt of the report.  

What are your rights relating to the personal data processing?

Under the set conditions, you may exercise any and all rights stated below granted to you by the legal regulations on personal data protection, in particular the General Data Protection Regulation (GDPR)

  • the right to clear, transparent and comprehensible information on how your personal data is used and what your rights are;
  • right of access to the personal data and right to receive further information on the processing of your personal data;
  • right to rectification of incorrect and incomplete personal data;
  • right to acquire your personal data and transfer them to another controller;
  • right to object to the processing of your personal data;
  • right to restriction of personal data processing;
  • right to erasure of personal data;
  • right to withdraw your consent to the processing;  
  • right to lodge a complaint with a supervisory authority (the Office for Personal Data Protection, www.uoou.cz). 

Should you have any enquiries or requests related to your rights, contact us using the contact details specified in chapter “Enquiries and contact details” below.

Enquiries and contact details 

If you wish to exercise any of your rights in relation to the processing of your personal data or if you have any other query or complaint regarding their processing, please contact us in person, by post, by telephone or by e-mail using the contact details below. If you use the option to contact us by post, use a sealed envelope marked “DO NOT OPEN – WHISTLEBLOWER”.

Competent person: Jana Krajcarová, Chief HR Officer (CHRO)

E-mail: whistleblower@2n.com

tel.: +420 225 271 987

Address: Modřanská 621/72, 143 01 Prague 4, Czech Republic

Amendments to this Policy 

The Company may decide to amend or update this Policy. The up-to-date version will always be available on the Company’s website /en_GB/whistleblowing/privacy-policy-information-for-whistleblowers and on the Company’s intranet. Employees can also find the up-to-date version of this Policy in the Company’s internal documentation. 

Annex 1: Technical and Organisational Measures

Only the competent person who meets the statutory conditions for the performance of this function and who has been duly informed of his/her rights and obligations under the Whistleblower Protection Act and the relevant internal guidelines of the Company will have access to personal data obtained through the internal whistleblowing system. Only this person has access to the means through which reports can be made (telephone, e-mail) and other tools used to process the reports submitted.

The competent person accepts telephone reports on a designated telephone line (mobile phone) protected by standard security tools (user login with a unique account and access code, or other alternatives for unlocking the phone). 

Calls are recorded (with the consent of the whistleblower) using a suitable mobile application. The call recording is stored on the phone under the competent person’s own account, who can subsequently transfer (copy) the recording to his/her personal computer.

Only the competent person has access to the e-mail for receiving and handling reports; the access is protected by a username (login) and a password. 

Records of the submitted reports and other related documents in printed form are kept by the competent person in a locked designated folder; only the competent person has access to these documents.

The competent person is obliged to comply with other internal regulations of the Company issued to ensure information security (ISO 27001).