GREEK WHISTLEBLOWING SYSTEM
Last update: December 2023
The purpose of this information notice concerning the processing activity carried out in the context of the Greek Whistleblowing System, is to provide you with all the information required by the applicable regulations on the protection of personal data and in particular by the General Data Protection Regulation (GDPR), the Greek Data Protection Law 4626/2019, as in force and Greek Whistleblowing Law 4990/2022, as in force, including other relevant rules and secondary legislation (Greek WB Law).
- Identity and contact details of the data controller
Saint-Gobain Sekurit Service Hellas S.A. for the Trade of Glazing Products
- Contact information of the Data Protection Officer (DPO)
To exercise your rights or if you have any question related to the processing of your data within this plan, use the following address: PrivacyContact.CSG.FR@saint-gobain.com
- Processing purpose
The processing of personal data carried out in the context of the Greek Whistleblowing System is conducted in order to allow data controller’s employees, as well as stakeholders, as defined in the GR Whistleblowing Policy of Saint Gobain to report the breaches under Greek WB Law, and to take the appropriate measures for the monitoring of the reports. In particular, the reports shall concern:
- breaches falling within the scope of the European Union acts that concern the following areas:
- public procurement
- financial services, products and markets, and prevention of money laundering and terrorist financing;
- product safety and compliance;
- transport safety;
- protection of the environment;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection;
- protection of privacy and personal data, and security of network and information systems;
- breaches affecting the financial interests of the European Union as referred in Article 325 TFEU
- breaches relating to the internal market, as referred to in Article 26(2) TFEU, including breaches of Union competition and State aid rules, breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.
- Legal basis of the processing operation:
Legal obligation: the processing is necessary to comply with a legal obligation requiring the implementation of a whistleblowing system, and in particular to establish reporting channels and to take the appropriate measures to monitor the submitted reports in the context of the whistleblowing system, as provided for in the Greek WB Law.
- Data and retention periods
- Reports, minutes and minutes of oral reports are stored for a reasonable and necessary period of time in order to be retrievable and to comply with the requirements under the Greek WB Law, Union or national law and in any case until the conclusion of any investigation or judicial proceedings initiated as a consequence of the report.
- Recipient(s)
The data collected are intended to be used by the appointed person acting as “Responsible for Receiving and Monitoring Reports” (“RRMR Officer”) and made accessible to the competent bodies within the company or outside the company, as provided for under the Greek WB Law, including any necessary third parties (lawyers, experts, auditors) for purposes strictly related to further investigation of the report.
- Data transfer outside the European Union
The data collected may be made accessible outside the European Union, when it is necessary for the processing of the alerts received, in particular in the context of an investigation to establish the materiality of the breaches. The data controller ensures prior to any transfer of personal data, in particular through the European Commission's Standard Contractual Clauses, that the persons having access to it guarantee an adequate level of protection.
- Rights of individuals
The regulations may allow you to exercise the following rights over your personal data:
- Right of access; You have the right to request a copy of the information about you. If you would like a copy of some or all of your personal information, please contact us using the contact details stated above. We will respond to your request within one month of receiving it or as otherwise provided in the applicable legislation.
- Right of rectification; The data controller wants to make sure that your personal information is accurate and up to date. You may ask the data controller to correct or remove information you think is inaccurate. The data controller may ask you to provide reasonable proof to verify your request.
- Right to erasure; You may ask the data controller to delete the information it holds on you where it is no longer necessary for the purpose for which it was collected, where you object to the processing, or where our processing is unlawful. Please note, however, that we are also subject to certain legal obligations that prevent us from immediately deleting all of your information. However, any data we are prohibited from deleting will be blocked and, when we are no longer obliged to keep it, it will be erased.
- Right to limitation of processing; If you believe the personal information the data controller holds is inaccurate, unlawful, or that the data controller does not have a legitimate interest to process it, you can request that the data controller restricts any processing until this is rectified.
- Right of opposition for legitimate reasons; Where your particular situation merits that the data controller no longer processes your information for the performance of a task carried out in the public interest or based on our legitimate interest, you have the right to object to the processing
- Right to lodge a complaint: If, after contacting the data controller, you consider that your rights are not respected or that this data processing does not comply with data protection rules you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA): www.dpa.gr.
However, the data controller has the discretion not to provide a notice regarding the processing of personal data to the reporting persons, including any third person mentioned in the report, or of personal data which have resulted from monitoring measures under the Greek WB Law and, in particular, regarding the source of personal data, for as long as necessary for the purpose of preventing and countering attempts to obstruct the reporting, frustrate or delay the monitoring measures, especially with regard to investigations, or attempts to identify the reporting persons, and to protect them against retaliation.
In addition, the data controller has the discretion not to fulfil the above data subjects’ rights, when these are exercised by the reported persons or any third person mentioned in the report or have resulted from monitoring measures.
In case of restriction of data subjects’ rights, the data controller shall take all necessary technical and organizational measures to protect their rights and freedoms. Where the data controller refuses to satisfy the rights without informing the data subject of the reason for the restriction, the data subject shall have the right to lodge a complaint with the HDPA, which may investigate the existence of the conditions for the restriction of rights and inform the data subject accordingly, provided that such information is not prejudicial to the fulfilment of those purposes.
- Additional information
The elements of this detailed information notice may change according to the requirements of applicable local law.
To retrieve at any time the information relating to the data processing implemented, go to the home page of the site allowing you to use the whistleblowing system.
You can also consult the Saint-Gobain Group's Privacy Policy on our corporate website: www.saint-gobain.com.