Information clause for the person reporting a legal violation

In accordance with Article 13(1) and (2) of the European Parliament and Council Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation, GDPR), we inform you that:

1. The administrator of personal data is ATS Display Sp. z o. o., ul. Boryszewska 22C, 05-462 Wiązowna (hereinafter “Administrator”).

2. For all matters concerning the processing of personal data and the exercise of rights related to such processing, you may contact the Administrator in writing at the registered office of ATS Display Sp. z o. o. or via e-mail at: iod@atsdisplay.com

3. The Administrator will process personal data in connection with the handling of reports of legal violations for the following purposes:

a. To fulfill a legal obligation related to accepting internal reports concerning legal violations under the Act on the Protection of Persons Reporting Legal Violations (in accordance with Article 6(1)(c) of the GDPR). Personal data will be processed for 3 years after the end of the calendar year in which the proceedings initiated by subsequent actions were concluded.

b. To take follow-up actions based on legal obligations under the same Act (Article 6(1)(c) of the GDPR). Data will be processed for 3 years after the end of the calendar year in which the follow-up actions were completed or the related proceedings concluded.

c. To maintain documentation, including a Register of Reports of Violations, as required by law (Article 6(1)(c) of the GDPR). Data will be processed for 3 years after the end of the calendar year in which the follow-up actions were completed or the proceedings concluded.

d. To pursue claims or defend against claims arising from reports of legal violations (Article 6(1)(f) of the GDPR, legitimate interest of the Administrator). Data will be processed for 3 years after the end of the calendar year in which proceedings were concluded.

e. If proceedings are positively resolved, the retention period for personal data may be extended until the final conclusion of the related proceedings.

4. Recipients of personal data may include public authorities or entities authorized by law to request access to or receive personal data.

5. Personal data will not be subject to automated processing (including profiling).

6. The person reporting legal violations has the right to request access to their personal data, as well as to rectify (correct) it. They also have the right to object to processing unless further processing is required by law.

7. If the Administrator’s processing of personal data violates GDPR provisions, the reporting person has the right to file a complaint with the supervisory authority (the President of the Personal Data Protection Office).

8. Providing personal data is voluntary but may be necessary for investigating the report. If required, it may also be essential for contacting the person reporting the violation.