Internal Reporting Procedures – Optidata

INTERNAL REPORTING PROCEDURE IN FORCE AT OPTIDATA SP. Z O.O. WITH REGISTERED OFFICE IN KRAKÓW

Taking into account the obligations set out in Article 24(1) and other provisions of the Act of 14 June 2024 on the Protection of Whistleblowers (the “Act”), Optidata sp. z o.o., with its registered office in Kraków and entered into the Register of Entrepreneurs of the National Court Register under KRS number 0000141956 (hereinafter referred to as “Optidata” or the “Company”), introduces the Internal Reporting Procedure (hereinafter referred to as the “Procedure”).

‍

PART I: GENERAL INFORMATION

‍

PURPOSE AND SCOPE OF REGULATION

§1

Whistleblowers are legally protected against any retaliatory actions, meaning direct or indirect acts or omissions in a work-related context that result from a report or public disclosure and that violate or may violate the whistleblower’s rights, or cause or may cause unjustified harm to the whistleblower — including unfounded initiation of proceedings against the whistleblower. The reporting person is specifically protected against termination or dissolution of an employment or other contractual relationship, reduction of remuneration, denial of promotion or being passed over for promotion, and negative performance evaluations.

The protection described above applies to a whistleblower provided that they had reasonable grounds to believe that the information reported or publicly disclosed was true at the time of the report or disclosure and that it constituted information about a breach of law. Knowingly reporting false information is subject to liability under applicable legal provisions and may also result in termination of the employment or other contract, including without notice.

This Procedure sets out the internal process for reporting breaches of the law and for taking follow-up actions in force at Optidata.

The Procedure was established by the Company following consultations with representatives of individuals performing work for the Company.

‍

§2

The terms listed below have the following meanings within this Procedure:

• Information on a breach of law refers to information, including a reasonable suspicion, concerning an actual or potential breach of law that has occurred or is likely to occur in a legal entity where the whistleblower has participated in a recruitment process or other negotiations preceding the conclusion of a contract, is or was employed, or in another legal entity with which the whistleblower maintains or has maintained work-related contact. It also includes information regarding an attempt to conceal such a breach of law;

‍

• Internal report means the submission of information on a breach of law made through the internal procedures in force at Optidata, as described in Part II of the Procedure.

‍

‍

AREAS OF BREACHES SUBJECT TO REPORTING

§3

1. A breach of law subject to internal reporting is an act or omission that is unlawful or intended to circumvent the law, and that concerns the following areas:

• Corruption
• Public procurement
• Financial services, products, and markets
• Prevention of money laundering and terrorist financing
• Product safety and compliance
• Transport safety
• Environmental protection
• Radiological protection and nuclear safety
• Food and feed safety
• Animal health and welfare
• Public health
• Consumer protection
• Privacy and personal data protection
• Security of networks and information systems
• Financial interests of the State Treasury of the Republic of Poland, local government units, and the European Union
• The internal market of the European Union, including: public competition law, state aid, corporate taxation
• Constitutional freedoms and rights of individuals and citizens – in the context of interactions between individuals and public authorities, not related to the areas listed in points 1–16

‍

‍

PART II: INTERNAL REPORTING

PERSONS AUTHORIZED TO SUBMIT A REPORT AND THE REPORTING PROCEDURE

§4

1. The following individuals are authorized to submit internal reports:

• Prospective employees
• Employees
• Temporary employees
• Persons performing work on a basis other than an employment relationship, including under a civil law contract
• Entrepreneurs
• Proxies (registered representatives)
• Shareholders
• Members of the Company’s governing bodies
• Persons performing work under the supervision and direction of a contractor, subcontractor, or supplier
• Interns
• Volunteers

‍

‍

§5

The entity authorized by the Company to receive internal reports at Optidata is the REPORTING TEAM.

Members of the REPORTING TEAM are authorized to undertake follow-up actions, including verifying the internal report and maintaining further communication with the whistleblower, such as requesting additional information and providing feedback to the whistleblower. The Management Board of the Company hereby authorizes the REPORTING TEAM to carry out all follow-up actions, which should be undertaken by at least two members of the REPORTING TEAM. The Management Board guarantees their impartiality and commits to not influencing the decisions of the REPORTING TEAM in any way and to respecting all decisions made by the team regarding follow-up actions.

‍

‍

§6

Internal reports may be submitted in the following ways:

• Using the dedicated online irregularities reporting system available on the TomHRM portal at: https://tomhrm.app/public/whistleblower/pl/ma2Rkg/home (hereinafter referred to as the TomHRM System), provided by ENNOVA Spółka Jawna, ul. Sadowa 7/13, 82-300 Elbląg; or
• In writing — placed in an envelope marked "internal report of legal violations," which should then be placed in another envelope and mailed to the Company’s correspondence address; or
• During a direct conversation with the REPORTING TEAM at a meeting or video conference organized at the whistleblower’s request within 14 (fourteen) days from the REPORTING TEAM receiving such a request. A protocol of the conversation will be drawn up, reflecting its exact course. The whistleblower may review, correct, and approve the meeting protocol by signing it.

Company correspondence address:
Optidata sp. z o. o., ul. Wadowicka 8A, 30-415 Kraków.

Internal reports submitted via the channels indicated in points 2) and 3) of paragraph 1 will be promptly entered into the TomHRM System by the REPORTING TEAM.

‍

§7

1. The Company will not accept anonymous reports.
2. Reports may be submitted by the whistleblower along with their correspondence address or email address.
3. The whistleblower will receive a confirmation of receipt of the internal report within 7 (seven) days of submission, either via the TomHRM System (for reports submitted using this system) or from the REPORTING TEAM (in the case of telephone or direct reports), unless the reporter has not provided a contact address that would allow for such confirmation.

‍

SUBSEQUENT ACTIONS

^‍

§8

1. The authorized person is obliged to undertake follow-up actions with due diligence. Follow-up actions taken to verify information about breaches of the law include, in particular:

• An explanatory procedure, including requesting additional information from the whistleblower regarding the reported breach of law if the information provided in the report is insufficient, including details about the time, manner, and place of the breach, as well as information about witnesses who may have knowledge of the case and the source of the whistleblower’s knowledge about the breach;
• An internal investigation aimed at determining whether a breach of law occurred, including:
• Conducting explanatory interviews with witnesses indicated by the reporter and other persons who may have knowledge of the reported breach;
•  Obtaining written explanations from the persons referred to in point a);
• Collecting documents related to the reported breach from employees and persons cooperating with the Company, as well as requesting such documents from the Company’s business partners;
• Consultations with relevant departments of the Company and external advisors, including lawyers;
• Initiation of an audit or administrative proceedings;
• Filing of charges;
• Actions taken to recover financial resources;
• Actions undertaken to close the procedure carried out within the internal procedure for reporting breaches of law and taking follow-up actions.

‍

2. Follow-up actions are undertaken by the Authorized Person.

‍

§9

1. In the event of a confirmed breach of law, Optidata may apply the following measures against the person who committed the breach, in particular:

• Imposition of a disciplinary penalty;
• Termination of the employment relationship, including without notice;
• Termination of the contract binding the violator with Optidata;
• Filing a report of suspected criminal activity with the appropriate authorities.

‍

2. Additionally, upon confirming a breach of law, Optidata may take internal organizational actions aimed at preventing similar breaches in the future, including introducing additional internal control procedures.‍

§10

The whistleblower will receive feedback, which will include, in particular, information regarding planned or undertaken follow-up actions and the reasons for such actions. The feedback will be provided to the reporter within no more than 3 months from the date of confirmation of receipt of the internal report or — if no confirmation of receipt is provided — within 3 months from the expiry of 7 days after the internal report was submitted, unless the whistleblower has not provided a contact address to which the feedback should be sent.

DATA CONFIDENTIALITY

‍

§11

1. The Company guarantees that the internal reporting procedure and the related processing of personal data during the receipt of reports prevent unauthorized persons from accessing the information contained in the report and ensure the confidentiality of the identity of the whistleblower, the person to whom the report pertains, and any third party mentioned in the report. The confidentiality protection applies to information that can directly or indirectly identify the identity of such persons.
2. Only persons holding a written authorization from the Company (a template of the authorization is attached as Annex No. 2) may be admitted to receive and verify internal reports, undertake follow-up actions, and process the personal data of the persons referred to in paragraph 1. Authorized persons are obliged to maintain confidentiality regarding the information and personal data obtained during the receipt and verification of internal reports and follow-up actions, also after the termination of their employment or other legal relationship under which they performed such work (a template of the confidentiality statement is attached as Annex No. 3).
3. Information regarding the processing of the whistleblower’s personal data is included in Annex No. 1 to the Procedure.

‍

‍

SECTION III: FINAL PROVISIONS

§12

Information about a breach of law may, in any case, also be reported directly to the Commissioner for Human Rights or a public authority, bypassing the internal reporting procedure. An external report to the Commissioner for Human Rights should be made in the manner described on the Commissioner’s website at: https://bip.brpo.gov.pl/pl/content/zlozenie-wniosku-do-rzecznika-praw-obywatelskich. External reports to other public authorities and — where applicable — to institutions, bodies, or organizational units of the European Union should be made according to the procedures introduced by these institutions, bodies, or organizational units.

The Procedure enters into force 7 (seven) days after being communicated to the persons performing work at the Company by sending it to the employee’s email address.

Changes to the Procedure will be made after consultation with employee representatives and will come into force 7 (seven) days after being communicated to the persons performing work in the same manner as described in §12, point 2.

The Procedure includes the following Annexes:

• Annex No. 1 – Information on the processing of whistleblowers’ personal data.
• Annex No. 2 – Template of AUTHORIZATION.
• Annex No. 3 – Template of CONFIDENTIALITY STATEMENT.

‍

Information regarding the processing of the WHISTLEBLOWER’S personal data

required under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

‍

1. Data Controller

• The controller of your personal data is Optidata Sp. z o.o., headquartered in Kraków at ul. Wielicka 50/5, 30–552 Kraków, registered in the National Court Register under number 00000141956 (hereinafter also referred to as the “Company”). You can contact us in the following ways:

• by mail at: Optidata Sp. z o.o., ul. Wielicka 50/5, 30–552 Kraków;
• by email: optidata@optidata.pl;
• by phone: +48 12 299 60 00;

2. Data Protection Officer:

• We have appointed a Data Protection Officer (DPO). This is the person you can contact regarding all matters related to the processing of personal data and exercising your rights related to data processing. You can contact the DPO in the following ways:

• by mail at: Optidata Sp. z o.o., ul. Wielicka 50/5, 30–552 Kraków;
• by email: abi@optidata.pl;
• by phone: +48 12 299 60 00;

3. Purpose and Legal Basis of Processing

We process your personal data for the purpose of:

Fulfilling the legal obligation incumbent on the Data Controller regarding the receipt and verification of reports of legal violations, including establishing the facts, obtaining additional information, and undertaking any necessary follow-up actions, in accordance with the internal Procedure for Reporting Legal Violations and Taking Follow-Up Actions at OPTIDATA.

‍

4. Legal basis:

The legal basis for processing is Article 6(1)(c) of the GDPR in connection with the provisions of the Act on the Protection of Whistleblowers of June 14, 2024 (Journal of Laws 2024, item 928).

5. Period of personal data retention:

We will retain your personal data for the period necessary to achieve the purposes of processing, but not longer than 3 years after the end of the calendar year in which the external report was forwarded to the competent public authority responsible for taking follow-up actions, or the follow-up actions have been completed, or after the completion of proceedings initiated by these actions. After this period, the Company deletes personal data and destroys documentation related to the internal report, unless the documentation related to the internal report is part of preparatory proceedings or a court case.

Personal data irrelevant to the consideration of the report are not collected, and if accidentally collected, are promptly deleted. Such deletion occurs within 14 days from the moment it is determined that the data is irrelevant to the case.

‍

6. Data recipients

We will disclose your personal data to:

– our employees authorized to access your data, due to the nature of their assigned duties or roles related to the Administrator’s obligations in receiving, verifying information, conducting any follow-up actions, and archiving reports of legal violations in accordance with the internal Procedure for Reporting Violations of Law and Taking Follow-up Actions at OPTIDATA.

– entities to which the Company is obligated or authorized to disclose your data under legal provisions. Such entities may include law enforcement authorities and courts.

‍

7. Transfer of data to third countries or international organizations

We do not transfer your data outside of Poland / the EU / the European Economic Area.

8. Rights related to the processing of personal data and automated decision-making

You have the following rights related to the processing of your personal data:

• the right to access your personal data;
• the right to request rectification and completion of your personal data;
• the right to request deletion of your personal data in cases specified in Article 17 of the GDPR;
• the right to request restriction of the processing of your personal data in cases specified in Article 18 of the GDPR;
• the right to lodge a complaint with the supervisory authority responsible for data protection, i.e., the President of the Personal Data Protection Office;
• the right to withdraw consent to the processing of personal data that we process based on your consent. Withdrawal of consent will not affect the lawfulness of the processing carried out based on your consent before its withdrawal.

To exercise your rights, please contact the REPORTING TEAM to whom the violation was reported.

Voluntariness of providing personal data

Providing your personal data is voluntary to the extent that we process it based on your consent, but it is necessary for purposes related to establishing contact or providing information about the ongoing activities and final conclusions of such proceedings.

EFFECTIVE FROM: November 2024

‍