PAIRIS SA hereinafter referred to as the “Company“, “We” and “Us“) takes the protection of personal data very seriously. This data privacy notice explains which personal data We collect when you use the “EQS Integrity Line” software from EQS Group (hereafter the whistleblower system – “WBS“) and how We process it. We ensure compliance with the applicable data protection regulations through appropriate technical and organizational measures.
Responsible entity and Data Protection Officer (DPO)
The entity responsible for the processing of your personal data is
PAIRIS SA
Thesi Goritsa Aspropirgos, 1930, 210-25515500, Info@pairis.gr
The Data Protection Officer of the Company can be contacted via the following email address:
dpo@pairis.gr
Categories of personal data and purpose of processing
The purpose of the WBS is to facilitate the receipt and processing of reports submitted securely and confidentially by our employees and external persons regarding employee conduct that is illegal or in contravention of the object or purpose of legislation.
In doing so, the following categories of your personal data may be collected and subsequently processed by Us through the WBS:
- Your first name and last name, job title, place of employment and professional contact details (if the report is not made anonymously) and/or the corresponding data of the employees concerned by your report,
- the fact that you have used our WBS for the purposes of submitting a report
- reported behavior of the employees concerned,
- other (possibly special) categories of personal data, provided that they are entered in the WBS in the context of the report or in the subsequent investigation procedure,
- Business documents such as performance records, travel expense reports, driver’s logs, invoices and similar documents that may also contain personal data, insofar as they are required for clarifying the facts reported,
- Information on behavior when using Company communication systems, such as metadata, log data or also the contents of Company emails, insofar as they are required for clarifying the reported circumstances.
We process the aforementioned personal data in particular for the following purposes:
- Checking whether the information provided to Us appears plausible and suggests a violation of laws or other legally binding requirements or breaches of duty under the employment contract,
- If necessary, further clarification of the reported facts with regard to any violations of laws or other legally binding requirements or breaches of duty under the employment contract,
- If necessary, further clarification for the purpose of exonerating employees who are wrongly suspected of wrongdoing,
- if necessary, to avert economic and other detriments and to assert or enforce the rights of our Company and
- if applicable, the fulfilment of any obligations to cooperate on the part of our Company within the scope of investigations by law enforcement or other authorities.
Legal basis of the processing
As a Company, We must ensure compliance with all laws and other legal requirements relevant to our business operations. These include in particular the provisions of commercial and tax law, criminal and administrative offences law, labor law and antitrust law as well as data protection law. In addition, there are comprehensive legal provisions of countries outside the EU in which our Company is active. If We do not sufficiently comply with these legal obligations, our Company is threatened with considerable detriments such as fines, claims for damages, the withdrawal of any necessary permits and, last but not least, damage to our reputation and the loss of business relations.
The legal basis for the processing of your personal data is Art. 6. para. 1. lit. c) GDPR in conjunction with Art. 17 Directive (EU) 2019/1937 (“EU Whistleblowing Directive”) and any national regulations implementing the EU Whistleblowing Directive. Under the Whistleblowing Directive and national regulations implementing it, we are legally obliged to provide a whistleblowing system.
Furthermore, the processing of your personal data in the WBS is carried out on the legal basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1. letter f) GDPR in conjunction with any applicable national regulations for the prevention and detection of criminal offences, breaches of duty and other violations as well as our legitimate interest in the associated prevention of damage and liability risks for our Company. We have a legitimate interest in the processing of personal data to prevent and detect infringements within the Company, to verify the legality of internal processes and to safeguard the integrity of the Company.
Insofar as special categories of personal data, such as information on racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership, health data or data on sex life or sexual orientation, are entered into the WBS in the course of the notifications or in the subsequent investigation procedure, We process these on the legal basis of Art. 9 para. 2. letter b) GDPR in conjunction with Art. 9 para. 2 letter f) GDPR and applicable national regulations.
Technical implementation and security of your data
The WBS contains an option for anonymous communication via an encrypted connection. When you use it, your IP address and your current location are not stored at any time. After submitting a report, you will receive login details to access the WBS inbox so that you can continue to communicate with Us in a protected manner.
The data you provide will be stored within a specially secured EQS Group database within the European Union. All data stored within the database is encrypted using state-of-the art methods. Access to the data is strictly limited to appointed case managers. No other entity, including EQS Group, possesses the key to decrypt this data and make it readable.
Passing on personal data
Personal data collected and processed through the WBS may be transferred to the following recipients:
- In the course of processing reports within the WBS, it may be necessary for the personal data processed to be transmitted to other group companies within the corporate group if they are also or solely affected by the reported facts. All persons authorised to inspect the data are expressly obliged to maintain confidentiality.
- EQS Group is our technical service provider and acts as a processor on the basis of a processing order pursuant to Art. 28 para. 3 GDPR. It may have access to your encrypted data (not in readable form) in the course of maintenance work.
- If the processing of the report leads to the conclusion that a violation has occurred, personal data of the accused or, in the case of non-anonymous reports, also of the whistleblower may be transmitted to law enforcement agencies or courts as well as lawyers or consultants commissioned by Us.
- Insofar as it is necessary for the assertion and enforcement of claims by our Company and there are no interests of data subjects that are worthy of protection, personal data may also be transferred to opposing parties or insurers.
Our group companies to which your personal data from the WBS may be transferred in accordance with the principles described above are located in Germany and in some cases in other European and non-European countries. In the non-European countries, the level of data protection may not be equivalent to the level of data protection of the GDPR that also applies to you in the European Union. In this case, We ensure the protection of personal data in the recipient country by means of suitable guarantees, e.g. by means of so-called standard contractual clauses of the European Union pursuant to Art. 46 para. 2 letter c) GDPR.
Insofar as a transfer of your personal data to a court or an authority in a non-European state without an adequate level of data protection is necessary and legally permissible for the assertion, exercise or defense of legal claims of our Company, this may be carried out on the basis of Art. 49 para. 1 sentence 1 letter e) GDPR, without additional measures being necessary to ensure an adequate level of data protection.
In certain cases, We are obliged under data protection law to inform the person(s) named in your report of the allegations made against them. This is required by law, for example, if it is objectively determined that providing information to this person(s) can no longer affect the clarification of the reported facts. If you have not submitted your report anonymously, We will not disclose your identity as a whistleblower – insofar as this is legally permissible – and We will also ensure that no other conclusions can be drawn about your identity. Please note that if you knowingly make a false report with the intention of discrediting another person, We may be obliged to disclose your identity to that person.
For further information on the recipients of your personal data and any guarantees, please contact Us at the e-mail address above. Your personal data will only be transferred to the above-mentioned recipients if this is necessary and legally permissible.
Otherwise, your personal data will only be passed on to third parties (outside of our Company) in cases where this is necessary for the performance of the activity, e.g. to external auditing companies for the performance of an audit. In this case as well, data is always passed on and processed for a specific purpose on the basis of a legal foundation. We may pass on your personal data to external service providers (IT service providers for remote maintenance and support, etc.) as part of com-missioned processing in accordance with instructions.
Storage period
Personal data stored within the WBS are usually deleted within two months of the conclusion of the respective investigation, unless they need to be further processed for other purposes, e.g. to fulfil retention obligations or to exercise, assert or defend legal claims.
Your rights
With regard to the processing of your personal data by Us, you can contact Us in writing at the above address or via email at the email address above to exercise your following rights:
- You have the right, in accordance with the relevant legal provisions, to request information about the processing of those personal data which concern you. In this context, you also have the right to obtain a copy of the personal data which are the subject of the processing (Art. 15 GDPR).
- You have the right to request, without undue delay, the rectification of inaccurate or the completion of incomplete personal data relating to you, in accordance with the relevant legal provisions (Art. 16 GDPR).
- You also have the right to request the immediate deletion of personal data relating to you, provided that this data is no longer required to fulfil the purpose for which it was collected or there is another reason for deletion and the deletion is not prevented by any obstacles to deletion, such as statutory retention periods (Art. 17 GDPR).
- You have the right to request the restriction of the processing of your personal data in accordance with the respective legal provisions (Art. 18 GDPR).
- We are obliged to inform all recipients to whom your data has been disclosed about a correction or deletion of your data or a restriction of processing. This only does not apply if this proves impossible or involves a disproportionate effort. You have the right to be informed by Us about these recipients (Art. 19 GDPR).
- Insofar as your personal data is processed on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 letter f) GDPR, you have the right to object to this processing of your personal data at any time on grounds arising from your particular situation (Art. 21 para. 1 GDPR). The objection can be made without any formalities.
- If you object, We will no longer process personal data relating to you unless We can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
- Finally, you have the right to complain to any supervisory authority of your choice, in particular in the EU Member State of your residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you by Us is in breach of the law. This is without prejudice to any other administrative or judicial remedies you may have (Art. 77 GPDR).
Company Employees
Company employees can find further information regarding the processing of their personal data in our data protection policy for employees.
How to reach us
E.PAIRIS SA Group of Companies
Contact Person: Doris Pairi
Address: Gorytsa – Aspropyrgos, 19300, Athens
Email: doris.pairi@pairis.gr | dpo@pairis.gr
Phone: 210 515555
Fax: 210 5576192
Web: www.pairis.gr