Specific Incident Reporting Privacy Policy
as Part of Reporting Channels Operation
Who is responsible for processing personal data?
The Company (Intelli Solutions S.A., having its registered seat at 46, Eleftheriou Venizelou, Kallithea, 17676, Athens, Greece) is the controller of personal data (hereinafter referred to as Data) collected through existing reporting channels, based on the applicable legislation on personal data.
For what purpose does the Company collect and process your Data?
The Company has implemented reporting channels in the context of prevention, detection or investigation of irregular, unethical, illegal or criminal conduct within the Company. Reports/complaints of irregularity, omission or criminal offence concern, but are not limited to, the following:
- Theft
- Fraud
- Corruption
- Bribery (offer/acceptance)
- Violation of human rights (diversity, discrimination based on gender, religion, nationality, etc.)
- Misuse of assets
- Operations endangering workers’ health and safety
- Acts harmful to the environment
- Acts which may lead to an infringement of the legislation on free competition
- Acts that conflict with the interests of the Company and/or the Group
- Violation of the Policies and Procedures of the Company and the Group companies with the risk of financial loss
- Violation of the legal framework governing the Company and its Group companies (including the legislation governing the protection of persons reporting violations of Union law)
- Other unethical/inappropriate behavior (actions that violate the Group’s rules of ethics)
- Incidents of violence and harassment
- Data breaches
- Security incidents
The above list is not exhaustive, but is intended to illustrate the nature of the issues.
If the above acts are subject to any legal procedure provided for by national law, the Company’s Management or the respective Group company will promptly send the complaint to the competent Service/Authority for further investigation.
From which sources does the Company receive your Data?
The Company receives the submitted Data in the following ways:
- By email at: milisemas@unisystems.gr. In the case of an anonymous report/complaint, it is recommended to use a non-corporate email account (e.g. Gmail) to submit the complaint
- Through the Company’s site: www.intelli-corp.com
- In the event of a data breach, by email at: databreach@intelli-corp.com
- In the event of a security breach, by email at: infosec@intelli-corp.com
- By post to the address of Uni Systems, to the attention of the Compliance Officer, marked “Confidential” (in the case of a report/complaint); or, if it concerns a personal data breach, to the address of Intelli, to the attention of the Data Protection Officer; or, if it concerns an Information Security breach, to the address of Intelli, to the attention of the Information Security Officer.
Intelli may also receive data through reports forwarded by its subsidiaries, to the extent that a report raises issues of public interest or directly/indirectly relates to the Company. In the context of investigating a report, the Company may collect further Data by conducting interviews with the involved parties, as well as from other sources, as defined by its internal Policies and Procedures.
What Data does the Company process?
In order to verify whether a specific report/complaint is valid and to further investigate the reported incident, the Company processes the Data that the reporting parties voluntarily submit, i.e., indicatively and not restrictively:
(a) the events that gave rise to the suspicion/concern, with reference to names, dates, documents, locations and
(b) the reason that led to the submission of the report/complaint.
Under no circumstances is the report/complaint expected to prove the potential concerns/suspicions of the reporting party; however, it is encouraged that all available information is provided to facilitate the investigation of the incident.
It should be noted that the Company offers the reporting parties the opportunity to submit their report either officially or anonymously through its established reporting channels. Reports must be made “in good faith”. The Company is committed to protecting the reporting parties, provided that they have submitted the report in good faith, from any discrimination or less favourable treatment, any targeting or action aimed at punishing them and providing for an unfavourable job transfer/demotion or termination of employment. Once the report has been investigated, no sanctions or consequences are foreseen for the parties who have not been proven to have committed or contributed to the unlawful interference.
Who has access to the Data?
Access to the Data included in the reports for the purposes of examining or managing reports may only be granted to those involved in the management and investigation of the incident and to the extent required.
In particular, the Data included in the reports are communicated, on a case-by-case basis, depending on the nature of the incident and always in accordance with the relevant Policies and Procedures, to: the members of the Company’s Reports Evaluation Committee (if the incident involves violence/harassment), the Compliance Officer (responsible for receiving and monitoring reports), the Head of Internal Audit (responsible for managing/reviewing reports), the Data Protection Officer, the Audit Committee, the Board of Directors, external consultants bound by confidentiality clauses, lawyers, as well as judicial and/or administrative authorities.
Moreover, the Data included in the reports/complaints are shared with the persons included in the report/complaint, witnesses and anyone else having a legitimate interest. When access to the Data is allowed to the persons included in the report/complaint, the data of the complainant and the witnesses are withheld, unless they have given their explicit consent or it has been proved that the report/complaint was malicious.
The reporting parties and those involved in the process of investigating the report shall be informed of the content of the report and of their relevant rights and the exercise of those rights, in accordance with the applicable framework. However, the provision of information is considered on a case-by-case basis as there may be cases where the aforementioned information may, indicatively, a) impede the investigation of the case and hinder the evaluation of the report and the collection of the information and data required, or b) directly or indirectly lead to the identification of the reporting parties, or c) lead to the disclosure of confidential information which, due to their nature and in particular due to the Company’s overriding legal interests, must remain confidential, or d) impede the establishment, exercise or support of the Company’s legal claims and/or any criminal proceedings. In the event that those involved in the report/complaint are not immediately informed of its contents, in order to avoid obstructing the investigation, the reasons for the delay must be recorded in writing and the document must be entered in the case file.
Is the data received by the complaint management team transmitted to third parties?
The Data and, in general, the information received by the complaint management team are not transmitted to other persons or groups of the Company or the Group company (related to the incident), unless such transmission is considered absolutely necessary for the purposes of further investigating the complaint, and then exclusively to the required persons on a need-to-know basis.
How long are the Data contained in a report/complaint kept?
The Company will retain the Data for a certain period of time after the completion of the investigation, which varies depending on the outcome of the investigation. In particular:
- In the event that the report is deemed unfounded or abusive or does not contain facts constituting a breach or there are no serious indications of a breach, the Data shall be deleted within six (6) months following its closure.
- In the event that legal action is taken based on the report/complaint, the Data shall be deleted upon the issuance of an irrevocable court decision.
- In the event that the report/complaint reveals substantiated findings against an employee/executive of the Company or a Group company (related to the incident), the Data shall be retained throughout his/her employment/relationship with the Company or the Group company and shall be deleted twenty (20) years after the partnership is terminated/resolved in any way.
- In the event that the report/complaint results in substantiated findings against a third party, e.g. a customer, supplier, external partner of the Company or the Group company (concerning the incident), the Data is retained throughout the duration of the cooperation and is deleted five (5) years after the termination/resolution of the cooperation in any way.
In all cases, the Company’s relevant Policies on the retention and deletion of personal data are respected.
What technical and organizational measures does the Company apply for the protection of Data?
The Company shall implement the necessary technical and organisational measures to ensure a certain level of security commensurate with the risks posed by the processing and in view of the nature of the Data processed, in accordance with the Company’s applicable policies and procedures in relation to the processing of Data and the security of information (such as access to information on a need-to-know basis, binding the personnel that can access the Data under a confidentiality obligation, control of access rights, use of encryption, overseeing IT equipment and services in full compliance with current legislation, etc.).
Who can I contact for more information?
For more information on the processing of your Data and your rights, please refer to the Privacy Policy or the Complaint-Handling Policy, or contact the Data Protection Officer (DPO) at dpo@intelli-corp.com.