INTERNAL REPORTING PROCEDURE
of SUMMA LINGUAE TECHNOLOGIES Spółka Akcyjna with its registered office in Krakow
§ 1 General provisions
1. The internal reporting procedure of SUMMA LINGUAE TECHNOLOGIES Spółka Akcyjna with its registered office in Krakow (hereinafter referred to as “Procedure”) lays down the rules for internal reporting of Infringements of Law, follow-up actions, as well as the measures to protect Reporting Persons against Retaliation taken in connection with the reporting.
2. The Company’s Management Board shall be responsible for:
a. implementing the Procedure in accordance with the law and providing the necessary resources for its implementation;
b. periodically reviewing the Procedure (at least once a year) to ensure that the Procedure is appropriate to the nature, scope and size of the Company’s activities;
c. supervising the implementation of the Procedure and ensuring the necessary measures for its implementation;
d. determining the principles of familiarising all persons employed in the Company, as well as persons applying for employment, with the content of the Procedure and conducting an information policy aimed at spreading knowledge of the principles and functioning of the Procedure, as well as the benefits for the Company of enabling reporting Infringements of Law.
3. The Procedure is part of the Company’s internal compliance system aimed, inter alia, at creating a friendly workplace.
4. Whenever the Procedure refers to:
a. Follow-up action – it shall be understood as any action taken by the Company to assess the accuracy of the information contained in the report and to prevent the Infringement of Law which is the subject of the report, in particular the initiation and conduct of an internal investigation, the preparation of conclusions or memoranda aimed at counteracting the effects of the infringement and the occurrence of the Infringement of Law in the future;
b. Retaliation – it shall be understood as a direct or indirect act or omission in a work-related context which is caused by a report or public disclosure and which violates or is likely to violate the rights of the Reporting Person or causes or is likely to cause unreasonable damage to the Reporting Person, including the wrongful initiation of proceedings against the Reporting Person;
c. Information about an Infringement of Law – it shall be understood as information or data, including reasonable suspicion of an existing or potential Infringement of Law, which occurred or is likely to occur in a Company in which the Reporting Person participated in the recruitment process or in other negotiations preceding the conclusion of the contract, works or worked, or in another legal entity with which the Reporting Person maintains or maintained contact in the context of the work, information or data concerning an attempt to conceal such an Infringement of Law;
d. Compliance Committee – it shall be understood as an impartial internal organisational unit separated within the organisational structure of the Company, whose members are authorised to take follow-up action, including the substantive verification of the report and the conduct of an investigation;
e. Work-related context – it shall be understood as past, present or future activities related to the performance of work on the basis of an employment relationship or other legal relationship constituting the basis for the provision of work or services or performing functions in or for the Company, where information about the Infringement of Law has been obtained and there is a possibility of Retaliation;
f. Infringement of Law – it shall be understood as an act or omission that is unlawful or aimed at circumventing the law, concerning:
i. corruption;
ii. public procurement;
iii. financial services, products and markets;
iv. counteracting money laundering and terrorist financing;
v. product safety and compliance;
vi. transport safety;
vii. environmental protection;
viii. radiological protection and nuclear safety;
ix. food and feed safety;
x. animal health and welfare;
xi. public health;
xii. consumer protection;
xiii. protection of privacy and personal data;
xiv. security of ICT networks and systems;
xv. financial interests of the State Treasury of the Republic of Poland, local government units and the European Union;
xvi. the internal market of the European Union, including public-law competition and State aid rules and corporate taxation;
g. Public authority – it shall be understood as the supreme and central government administration authority, local government authority, local government unit authority, other state authority and any other entity performing public administration tasks by operation of law, competent to take follow-up action in the areas referred to in item (d) above;
h. Reporting Person – it shall be understood as a natural person who reports or discloses to the public information about an Infringement of Law in a work-related context;
i. Person assisting in reporting – it shall be understood as a natural person who assists the Reporting Person in a report or public disclosure in a work-related context and whose assistance should not be disclosed;
j. Person related to the Reporting Person – it shall be understood as a natural person who may be retaliated against, including a collaborator or a person closest to the Reporting Person;
k. Compliance Officer – it shall be understood as a person or persons designated within the internal organisational structure of the Company, authorised to receive internal, formal and pre-verification reports and continue communication with the Reporting Person, including requesting additional information and providing feedback to the Reporting Person;
l. Register – it shall mean the register of offences kept by the Company;
m. Company – it shall be understood as SUMMA LINGUAE TECHNOLOGIES Spółka Akcyjna with its registered office in Kraków, ul. Opolska 110, 31-323 Kraków, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register under KRS No 0000400208, NIP 9452165721, REGON 12243510800000;
n. Public disclosure – it shall be understood as the public disclosure of information about the Infringement of Law;
o. Act – it shall be understood as the Act of 14 June 2024 on the protection of whistleblowers. (Journal of Laws of 2024, item 928, as amended).
p. Report – it shall be understood as the provision in good faith of information about the actual Infringement of Law or a substantiated suspicion of Infringement of Law, using one of the reporting channels indicated in the Reporting Procedure. Reports shall be divided into:
– internal (oral or written communication of the Infringement of Law to the Company) and
– external (oral or written communication to the Ombudsman or to a public authority of an Infringement of Law).
5. The Procedure shall apply to reports of Infringements of Law committed, in particular, by:
a. employees, temporary workers of the Company;
b. persons providing work to the Company on a basis other than the employment relationship, including on the basis of a civil law contract;
c. proxies, partners or members of the Company’s governing bodies;
d. trainees, apprentices or volunteers employed or working for the Company.
The Procedure shall also apply to persons who report or make public information about an Infringement of Law that occurred in a work-related context before, or after, the employment relationship or other legal relationship giving rise to the provision of work or services.
6. The Procedure shall not apply to:
a. matters relating to the private life of persons employed in the Company or their personal conflicts,
b. labour law matters, for which the provisions of labour law and labour courts remain applicable,
c. matters falling within the scope of other internal regulations applicable at the Company, in particular concerning: counteracting workplace bullying, discrimination and other Company codes of ethics.
7. The Reporting Person shall be protected from the time the filing or public disclosure is made, provided that they have reasonable grounds to believe that the information that is the subject of the filing or public disclosure is true at the time of filing or public disclosure and that it constitutes an Infringement of Law.
8. The Company shall provide information about the existence of the Procedure with information about the possibility to read it at the beginning of recruitment or negotiations preceding the conclusion of the contract.
§ 2 Purpose of the Procedure
1. The purpose of the Procedure is to create dedicated, internal and confidential means (reporting channels) to enable internal reporting of Infringements of Law in a work-related context and to provide Reporting Persons with adequate and effective protection against Retaliation undertaken in connection with the Report.
2. The aim of the Procedure is also to prevent Infringements of Law or mitigate the possible effects of Infringements of Law on the Company by early detecting them and taking appropriate follow-up measures, in particular to reduce Infringements of Law in the future.
§ 3 Reporting Methods
1. Reports of Infringements of Law shall be made in the form of:
a. internal reports, the rules of which are laid down in the Procedure,
b. external reports.
2. The Management Board of the Company guarantees:
a. that the Procedure and the processing of personal data related to the receipt of Reports prevent unauthorised persons from accessing the information covered by the Report and ensure that the identity of the Reporting Person, the person concerned by the Report and any third party identified in the Report is protected. The protection of confidentiality concerns information from which the identity of those persons can be directly or indirectly identified;
b. that no Retaliation, attempted or threatened action may be taken against the Reporting Person;
c. that it will endeavour to ensure that all Reports are handled impartially, objectively and with due care and diligence;
d. that follow-up actions will be taken by the Compliance Committee, with due dilligence;
therefore, it encourages that, where an Infringement of Law can be effectively remedied within the Company’s organisational structure and the Reporting Person considers that there is no risk of Retaliation, all persons who are aware of an actual or suspected Infringement of Law should submit internal reports in accordance with the rules set out in the Procedure.
In the opinion of the Company’s Management Board and Supervisory Board, internal reports ensure, on the one hand, greater efficiency and speed of follow-up and, on the other hand, allow the Company’s Management Board or Supervisory Board (if the Infringement of Law results from the action of a Member of the Company’s Management Board) to better prevent possible negative consequences of the Infringement of Law for the Company and the Reporting Persons and to take appropriate actions to prevent their occurrence in the future.
3. The Reporting Person may use the form of an external report without first making an internal report.
4. External reports shall be accepted by the Ombudsman or by a Public Authority, in accordance with the principles set out in detail in the Act.
5. The Ombudsman and the Public Authority are separate controllers of the personal data provided in the external report, which has been accepted by those authorities.
6. The Ombudsman and the Public Authority shall establish their own separate Procedures for receiving and handling external declarations and shall apply and ensure the statutory measures provided for the protection of the confidentiality of the Reporting Person.
7. An external application addressed to the Ombudsman or to a Public Authority may be made orally or in writing. An external report in documentary form may be submitted: in paper form, to the correspondence address indicated by the Ombudsman or by the Public Authority receiving the report, or in electronic form, to the e-mail address or electronic mailbox, or to the e-mail correspondence address indicated by the Ombudsman or by the Public Authority receiving the Report, or via a dedicated internet form or application designated by the Public Authority for submitting electronic reports.
8. Details of the receipt of external reports by the Ombudsman and Public Authorities are available on the websites of the Public Information Bulletins.
9. A criminal offence must be reported to the competent law enforcement authorities (police or public prosecutor’s office), irrespective of the use of the reporting channels specified in the Procedure.
§ 4 Internal reporting channels
1. The Company shall ensure that internal reports are made in the form of messages sent via the platform used in the Company (Microsoft Forms – Sygnaliści | Whistleblower). The Company shall make available a link to a dedicated reporting form together with the content of the Procedure.
2. At the request of the Reporting Person, the Company shall make it possible to report orally at a meeting between the Reporting Person and the Compliance Officer, which shall take place within 14 days of the date of receipt of such a request. The Reporting Person may appoint a specific Compliance Officer to attend the meeting, if this is justified by the Reporting Person’s information about the Infringement of Law.
3. Where an oral application is made, in the manner provided for in the preceding item, with the consent of the person making the application, the application shall be documented in the form of:
a. recordings of the conversation, enabling the conversation to be searched, or
b. the minutes of the meeting, reproducing the exact course of the meeting. In such a case, the Reporting Person may check, correct and approve the minutes of the meeting by signing them.
4. Each of the above-mentioned channels is operated by the Compliance Officer.
5. The Company envisages handling information about Infringements of Law reported anonymously. A Reporting Person wishing to remain anonymous should not provide personally identifiable information in the Report (in particular name or other identifying information)
6. The Company reserves that in the case of information about Infringements of Law reported anonymously, protection against Retaliation may be hindered (due to the lack of information on the identity of the Reporting Person), and therefore encourages the provision of identification data when making Reports.
7. In order to ensure full impartial, objective and independent processing of Reports, the Company shall establish an alternative internal whistleblowing channel in case the report concerns the Compliance Officer. The report must then be submitted as follows:
a. at the request of the Reporting Person – orally at a meeting of the Reporting Person with the Compliance Officer indicated by the Reporting Person, organised within 14 days of the date of receipt of such a request,
b. in the form of a message sent via the platform used in the Company (Microsoft Forms, Skrzynka zaufania | Trust box). The Company shall provide a link to the dedicated reporting form concerning the Compliance Officer together with the content of the Procedure.
8. The Company shall provide appropriate technical means to ensure that alternative internal channels for reporting Infringements of Law referred to in the preceding item are operated by persons not concerned by the Infringement of Law.
9. Alternative internal whistleblowing channels are only used to handle reports concerning the Compliance Officer, where a report submitted via the above-mentioned alternative channels concerns other persons, the report shall be forwarded to the Compliance Officer.
10. It shall be up to the Reporting Person to choose the channel and the manner in which the Report concerning the Compliance Officer in accordance with item 7 is to be submitted.
§ 5 Report: Necessary Elements
In order to ensure efficiency and speed of follow-up, verification of the report, further communication with the Reporting Person, provision of feedback, the report should contain the fullest possible description of the information about the Infringement of Law, i.e.:
a. an indication of the specific person or organisational unit of the Company concerned by the application, together with a description of the Infringement of Law (what it refers to, when and where it took place or could have taken place);
b. indication of persons having knowledge of the Infringement of Law or other persons having or likely to have material information about the Infringement of Law;
c. an indication or transmission of any such document or other information or data which could constitute evidence in the case;
d. any relevant additional information substantiating an actual or suspected Infringement of Law or likely to facilitate clarification of the Report;
e. whether the case has already been signalled in the past and, if so, in what way;
f. contact details of the Reporting Person (correspondence address, e-mail address or contact phone number) for further correspondence.
§ 6 Receipt and Preliminary Verification of Reports
1. The Compliance Officer shall notify the Reporting Person of the acceptance or refusal of the report within 7 days of the date of its receipt, unless the Reporting Person has not provided the contact details to which the confirmation should be transmitted.
2. The acknowledgment or refusal of the Report shall be communicated in the manner and using the contact details indicated in the Report or in the manner in which the Report was filed.
3. Immediately after receipt of the Report:
a. it shall be subject to a preliminary formal assessment as to whether it contains elements allowing the further activities provided for in the Procedure to be carried out;
b. it is subject to a preliminary assessment as to whether the alleged infringement can be regarded as an Infringement of Law within the meaning of the Procedure;
c. it is subject to a preliminary assessment as to whether the reported infringement is manifestly unfounded.
4. If:
a. the alleged infringement cannot be regarded as an Infringement of Law within the meaning of the Procedure;
b. the reported infringement is manifestly unfounded; or
c. the content of the Report contains deficiencies that prevent follow-up;
No later than within the time limit referred to in item 1 of this paragraph, the Reporting Person shall be provided with feedback on the refusal to accept the Report, stating the reason therefor. When such feedback is provided, the Reportis considered closed. The date of feedback on refusal shall be the date of completion of the case, which shall be recorded in the Register.
5. In any other case, i.e. in particular when:
a. the alleged infringement may be regarded as an Infringement of Law within the meaning of the Procedure;
b. the notified infringement is manifestly not unreasonably initiated; or
c. the content of the Report allows the follow-up to be continued;
The Compliance Officer is required to forward the report to the Compliance Committee for the follow-up.
6. In case of doubts about the Report, the Compliance Officer may forward the report to the Compliance Committee before acknowledging the receipt of the Report.
§ 7 Follow-up and investigation
1. As part of the follow-up of the investigation, the members of the Compliance Committee shall be authorised to take action to examine the Report thoroughly and to confirm an Infringement of Law, in particular by:
a. interviews with the following persons:
i. The Reporting Person;
ii. A Person assisting in reporting (if their personal data have been disclosed);
iii. A Person related to the Reporting Person (if their personal data have been disclosed);
iv. any other person or persons employed by the Company (if the circumstances of the case so require); or
v. the person or persons indicated in the report (if such person’s personal data have been disclosed);
b. asking the Reporting Person for additional, relevant information or explanations regarding the matter, unless the Reporting Person has not provided contact details;
c. contacting other persons employed by the Company or persons indicated in the request for additional, relevant information on the case or explanations, subject to the confidentiality requirements set out in the Procedure;
d. the determination and hearing of witnesses of the Infringement of Law;
e. gathering or verifying the documentation gathered on the Report.
2. In assessing what follow-up actions will be appropriate to the case and what follow-up actions will be taken, account shall be taken, in particular, of the actions taken to verify the information about the Infringement of Law, the correctness of the assessment of the information about the Infringement of Law and the adequacy of the measures taken to eliminate the Infringement of Law or its effects, taking into account the significance of the case and the Report.
3. The Compliance Officer or a member of the Compliance Committee concerned by the Report or whose participation may give rise to justifiable doubts as to their impartiality or cause a conflict of interest shall be excluded from participation in the case.
4. If the follow-up action or documentation gathered in the case does not confirm an Infringement of Law in the opinion of the members of the Compliance Committee, the Compliance Officer shall provide the Reporting Person with feedback on the conclusion of the investigation without finding an Infringement of Law with a statement of reasons. Once the above-mentioned feedback has been provided, the Report is considered closed. The date of the feedback on the conclusion of the investigation shall be the date of the conclusion of the case, which shall be recorded in the Register.
5. If the follow-up activities in the opinion of the members of the Compliance Committee confirm an Infringement of Law, the Compliance Officer shall provide the Reporting Person with feedback on the completion of the investigation, providing the information referred to in item 9 of this paragraph.
6. The maximum time limit for providing feedback to the Reporting Person, understood as information on planned or undertaken follow-up actions and the reasons for such actions, shall not exceed:
a. 3 months from the date of acknowledgement of receipt of the Report, or
b. if the confirmation referred to in paragraph 1 of this Article is not provided – 3 months after the expiry of the 7-day period from the date of the Report, unless the Reporting Person failed to provide contact details to which the feedback should be provided.
7. Feedback shall be provided in a manner and using the contact details indicated in the report, in a manner that has led to the Report or otherwise agreed with the Reporting Person.
8. The content of the feedback provided to the Reporting Person shall be prepared by the members of the Compliance Committee and provided by the Compliance Officer.
9. The content of the feedback provided to the Reporting Person shall indicate at least the following information:
a. whether the infringement was found or not;
b. the follow-up actions and measures planned or taken and the reasons for such actions or measures taken to respond to the Infringement of Law found.
10. When preparing the feedback, the principles of data protection and confidentiality set out in § 8 of the Procedure and the obligation to keep the Company’s business secret shall be taken into account, in particular when feedback is provided in response to an anonymous report. The content of the feedback may include an instruction for the Reporting Person to maintain confidentiality of the feedback provided.
11. Where the follow-up action or documentation gathered in a case confirms that an Infringement of Law has been committed and this is justified by its nature, scale or consequences, the Compliance Committee may draw up a recovery plan containing a proposal for corrective action and forward it for implementation to the relevant person(s) or organisational unit of the Company (in particular the Management Board or the Supervisory Board). Remedial actions shall include in particular: any actions aimed at eliminating the infringement and remedying its effects, which includes minimising legal, financial or image risks for the Company.
12. Where the follow-up or the documentation collected confirms that an Infringement of Law has been committed, the members of the Commission shall draw up a Memorandum in which they indicate: identification of the Report, persons involved in the examination of the Report, description of the actions taken, outcome of the investigation, description of the facts, proposed follow-up measures to be taken by the Company’s Management Board or Supervisory Board, where the Infringement of Law results from the action of a Member of the Company’s Management Board.
13. The Memorandum referred to in the preceding item shall be submitted to the Company’s Management Board or the Company’s Supervisory Board, where the Infringement of Law results from the action of a Member of the Company’s Management Board.
14. Follow-up action may include in particular:
a. the initiation of disciplinary or other appropriate proceedings against the person who committed the Infringement of Law;
b. modification of the Company’s procedures or operating diagrams in order to prevent the occurrence of a Infringement of Law in the future;
c. carrying out additional educational or training activities;
d. conducting an audit or increasing the frequency of audits in the Company’s area of activity;
e. structural changes or transfers of competences;
f. appropriate legal (including procedural) measures.
15. The date of submission of the Memorandum shall be the date of completion of the case, which shall be recorded in the Register.
§ 8 Data protection and Confidentiality
1. The Reporting Person’s personal data, allowing identification of the Reporting Person, shall not be disclosed to unauthorised persons, unless with the express consent of the Reporting Person.
2. The provisions of the preceding item shall not apply where disclosure is a necessary and proportionate obligation under the law in connection with investigations by Public Authorities or investigations or court proceedings, including in order to safeguard the rights of defence of the person concerned by the Report.
3. Upon receipt of the Report, the Company shall process personal data to the extent necessary to receive the Report or to take any possible follow-up actions. Personal data not relevant to the processing of the Report are not collected and, in the event of accidental collection, are deleted without undue delay. The deletion of these personal data shall take place within 14 days of determining their irrelevance.
4. Only persons holding a written authorisation of the Company’s Management Board may be authorised to receive and verify internal Reports, take follow-up actions and process personal data in connection with the Report. Authorised persons shall be obliged to maintain confidentiality with respect to information and personal data obtained in the course of receiving and verifying internal Reports, and to take follow-up action, also after termination of the employment relationship or other legal relationship under which they performed such work.
5. Persons authorised to receive internal Reports and follow-up, including verification of the Report and further communication with the Reporting Person, which includes requesting additional information and providing feedback to the Reporting Person, may use the services of external entities, in particular external law firms, legal advisers, solicitors or other professional advisers, if this is necessary for the proper explanation, processing or handling of the Report. The obligation of absolute confidentiality shall then extend to such persons. The Company is obliged to conclude a separate confidentiality agreement with such entities within the scope resulting from the Procedure, unless third parties are obliged to maintain confidentiality, inter alia, within the scope resulting from the Procedure under generally applicable laws, including professional secrecy.
6. A breach of the confidentiality obligation may give rise to legal liability (including liability for damages) or disciplinary liability on the part of the person who committed the infringement.
§ 9 Prohibition of Retaliation
1. No Retaliation or attempted or threatened action shall be taken against the Reporting Person.
2. The Reporting Person employed on the basis of an employment relationship may not be retaliated against, in particular by:
a. refusal to establish an employment relationship;
b. termination or dissolution without notice;
c. failure to conclude a fixed-term employment agreement or an employment agreement of indefinite duration after the termination of the employment contract for a probation period, failure to conclude another fixed-term employment agreement or failure to conclude an employment agreement of indefinite duration after the termination of the employment agreement for a fixed term – where the Reporting Person had a reasonable expectation that such an agreement would be concluded with them;
d. reduction of remuneration for work;
e. the suspension of promotion or omission at promotion;
f. moving to a lower job position;
g. disadvantageous change of the place of work or working time schedule;
h. negative assessment of the results of work or a negative opinion on work;
i. imposition or application of a disciplinary measure, including a financial penalty, or a similar measure;
j. coercion, intimidation or exclusion;
k. mobbing;
l. discrimination;
m. disadvantageous or unfair treatment;
n. suspension of participation in or omission from vocational training courses when selecting to participate;
o. causing other non-material damage, including the violation of personal interests, in particular the reputation of the Reporting Person.
3. Where work or services have been, are or are to be provided under a legal relationship other than the employment relationship which is the basis for the provision of work or services or the performance of a function, the provisions of the preceding item shall apply mutatis mutandis, provided that the nature of the work or services does not preclude the application of such action to the Reporting Person.
4. The prohibition of Retaliation covers both the protection of the Reporting Person and the Person assisting in the reporting and the legal person or other organisational unit assisting the Reporting Person or a Related Person, in particular owned or employed by that person.
5. Retaliation due to a Report or Public Disclosure shall also be deemed an attempt or threat of Retaliation referred to in item 2 above.
6. The filing of a Report or Public Disclosure may not give rise to liability, including disciplinary liability or liability for damage arising from infringement of the rights of other persons or obligations laid down in the law, in particular as regards defamation, infringement of personal interests, copyrights, protection of personal data and the obligation to maintain secrecy, including business secrets, provided that the Reporting Person had reasonable grounds to believe that the filing or Public Disclosure is necessary to disclose the Infringement of Law in accordance with the law.
7. The Reporting Person shall not be subject to the protection provided for in the Procedure where the reporting is made:
a. where no Infringement of Law has occurred;
b. in bad faith, in particular for the purpose of causing harm to or violating the personal rights of another person or solely for the purpose of slandering another person.
8. A person who has suffered damage as a result of a deliberate reporting or Public Disclosure of false information by the Reporting Person shall be entitled to compensation or reparation for the infringement of personal rights from the Reporting Person who made the Report or Public Disclosure.
9. A person who submits a Report in bad faith, i.e. knowing that there has been no Infringement of Law, shall be subject to criminal liability.
§ 10 Register
1. The Company keeps a Register of Infringements of Law.
2. All Reports, regardless of the reporting channel, shall be recorded in the Register.
3. The Register shall be kept in electronic form and may be kept by automated means using a dedicated IT system to which the Company has access.
4. The data contained in the Register are protected against unauthorised access.
5. Individual Compliance Officers and members of the Compliance Committee (with the exception of the persons concerned by the Reports) have access to the Register.
6. At least the following data shall be included in the Register:
a. Report number:
b. subject matter of the Infringement of Law;
c. personal data of the Reporting Person and the person concerned, necessary to identify them;
d. contact address of the Reporting Person;
e. date of filing;
f. information on the follow-up actions taken;
g. date of conclusion of the case.
7. Personal data and other information contained in the Register shall be kept for a period of 3 years after the end of the calendar year in which the follow-up action was completed or after the completion of the proceedings initiated by those actions.
§ 11 The Reporting Persons’ Personal Data
1. The Reporting Persons’ personal data is controlled by the Company.
2. For matters relating to the processing of personal data, please contact: ul. Opolska 110, 31-323 Kraków, e-mail: iod@summalinguae.com.
3. The Reporting Person’s personal data shall be processed by the Company to the extent necessary for the acceptance of the Report, determining whether the reported infringement constitutes a real or potential infringement, detecting infringements in the Company, investigating internal Reports, conducting investigations, informing the Reporting Persons about the acceptance and processing of the Report in the manner described in the Procedure, as well as for undertaking follow-up actions aimed at counteracting the reported infringements and for fulfilling the Company’s obligations under the applicable laws.
4. Personal data which are not relevant to the processing of the Report are not collected and, in the event of accidental collection, are deleted without undue delay. The deletion of these personal data shall take place within 14 days of determining their irrelevance.
5. Legal basis for the processing of personal data of the Reporting Persons:
a. to the extent that the processing is necessary for the fulfilment of a legal obligation to which the Company is subject in connection with the examination of a Report and the conduct of an investigation in connection with an Infringement of Law, as well as the keeping of records of internal Reports, personal data will be processed by the Company pursuant to Article 6(1)(c) of the General Data Protection Regulation of 27 April 2016 (hereinafter referred to as “GDPR”);
b. to the extent that the Reporting Person consents to the disclosure of their identity, the basis for the processing of their personal data will be their consent (Article 6(1)(a) of GDPR);
c. to the extent that the processing is necessary for the performance of a task carried out in the public interest, where the conduct of an internal investigation will be the performance of a public task related to the protection of the public interest, the fight against and the detection of violations of the law – personal data will be processed by the Company pursuant to Article 6(1)(e) of GDPR,
d. for the processing of specific categories of personal data (including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation), to the extent that such processing is necessary for reasons of substantial public interest, on the basis of European Union or Member State law which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the individual data subject – personal data will be processed by the Company pursuant to Article 9(1)(g) of GDPR, which should be read in conjunction with Article 6(1)(e) of GDPR.
6. Personal data processed in connection with receiving a Report or taking follow-up action, as well as documents related to that Report, shall be kept by the Company for a period of 3 years after the end of the calendar year in which the follow-up action was completed, or after the completion of the proceedings initiated by these actions.
7. Personal data and other information in the register of internal reports shall be stored for a period of 3 years after the end of the calendar year in which the follow-up action was completed or after the completion of the proceedings initiated by these actions.
8. The Company shall ensure the confidentiality of Reporting Persons’ data in connection with the received Report, and if the Reporting Person wishes to remain anonymous, it shall also ensure full anonymity. Therefore, the data may only be made available to entities authorised to do so under the law and, where appropriate, to entities entrusted by the Company with the processing of the data, i.e. providers of the e-mail system used to handle reports in accordance with this Procedure, to hosting providers.
9. In connection with the processing of personal data, the Reporting Persons shall have, within the limits laid down by law and, where applicable, the following rights:
a. right to request access to and rectification (correction) of their personal data;
b. right to request erasure or restriction of processing, as well as to object to processing, but only if further processing is not necessary for the Company to comply with a legal obligation and there are no other overriding legal grounds for processing;
c. where the legal basis for the processing of the Reporting Person’s personal data is consent, to the extent that the Reporting Person consents to their identity being disclosed, the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
d. right to lodge a complaint with a supervisory authority (Head of the Personal Data Protection Office – www.uodo.gov.pl).
10. The provision of personal data is voluntary but necessary to provide the report in accordance with this Procedure.
11. The Reporting Person’s personal data may be transferred outside the European Economic Area due to the use of Microsoft Corporation services (Microsoft Forms contact form for receiving reports). By decision of 10 July 2023 The European Commission has ensured an adequate level of protection of personal data on the basis of the EU-US Data Privacy Framework. The transfer of personal data from the EEA to organisations that have acceded to the EU-US Data Protection Framework Programme and are on the list published by the US Department of Commerce is possible without any additional authorisation required, whether the use of legal instruments such as standard contractual clauses or binding corporate rules. Microsoft Corporation has joined the EU-US Data Protection Framework and is included in the list (https://www.dataprivacyframework.gov/list).
12. Based on the personal data collected, the Company will not make any automated decisions, including decisions resulting from profiling.
§ 12 Final Provisions
1. The Procedure was established after consultation with representatives of the Company’s employees.
2. The Procedure shall enter into force 7 days after the date of its announcement by the Company’s Management Board to the employees.
3. The current version of the Procedure shall be available at any time in electronic form via the platforms used in the Company.
4. Information about the validity of the Procedure together with its content or the manner in which it can be accessed should be provided or made available in the first correspondence exchanged in connection with the initiated recruitment procedure or negotiations preceding the conclusion of an agreement.
5. The Company verifies the employment status as of 1 January or 1 July of each year.