GDPR Policy for Whistleblowers

Personal Data Processing Policy of OSTROJ a.s. for Whistleblowers

At OSTROJ a.s., we consider the protection of personal data a priority and treat it with due care. When processing personal data, we act in compliance with applicable legislation, in particular the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Act No. 110/2019 Coll., on the processing of personal data, and other relevant Czech laws. 

This document provides information on how personal data is processed and on the rights related to such processing, in the context of our Internal Whistleblowing System as per Act No. 131/2023 Coll., on the Protection of Whistleblowers (hereinafter referred to as "the Act"). The policy applies primarily to the following categories of data subjects:

  • Whistleblowers reporting unlawful conduct – including employees, agency workers, individuals working under agreements outside of employment (e.g., agreements to perform work or agreements on work activity), volunteers, interns, and job applicants – regardless of whether or not they ultimately carried out the work or were hired;
  • Individuals mentioned in whistleblower reports – such as the persons alleged to have committed the misconduct and named witnesses;
  • Other individuals affected by the whistleblower report – including employees whose data is processed during the investigation, and protected persons under Section 4(2) of the Act (e.g., a person assisting the whistleblower, a relative, or a co-worker of the whistleblower).

Controller and Contact Information

We are the controller of your personal data. Our contact details are:

OSTROJ a.s., Company ID No 451 93 681, with its registered office at Těšínská 1586/66, Předměstí, 746 01 Opava

Registered in the Commercial Register maintained by the Regional Court in Ostrava, Section B, Insert 349

e-mail: gdpr@ostroj.cz, tel.: +420 553 872 111, www.ostroj.cz

Legal Basis and Purpose of Processing

We process your personal data:

  • to fulfil our legal obligations under the Act, in particular for receiving, investigating, recording, and archiving whistleblower reports through our Internal Whistleblowing System;
  • based on our legitimate interests, for the purpose of exercising or defending legal claims related to whistleblower reports, alleged misconduct, or claims concerning retaliatory measures.

No consent is required for this processing.

Categories of Personal Data Processed

We only process data necessary for the given purpose, including:

  1. Identification data: e.g., name, surname, date of birth, personal ID number, or other identifiers;
  2. Contact details: e.g., postal address, e-mail, phone number;
  3. Additional data relevant to the reported misconduct and its investigation, such as job title or date of the report.

Any clearly irrelevant personal data will not be collected and will be deleted without undue delay if obtained inadvertently.

Data Security

We handle personal data with appropriate technical and organizational safeguards and in accordance with GDPR and the Act. Only a designated Competent Person, appointed by the company’s Board of Directors, will have access to personal data. Their contact details are published on our website www.ostroj.cz.

This individual is properly trained, bound by confidentiality, and provided with the necessary tools and conditions to ensure effective protection of personal data.

Your Rights

You have the right to:

  1. access your personal data and understand how we process it;
  2. rectify inaccurate or incomplete data;
  3. request deletion or restriction of processing (if legally applicable);
  4. object to processing based on our legitimate interest;
  5. data portability (where applicable);
  6. withdraw your consent (if processing is based on consent), without affecting the lawfulness of prior processing.

Please note: Exercising your rights must not compromise the confidentiality of the whistleblower’s identity or the content of the report. In such cases, we may be unable to comply.

Disclosure of Personal Data to Third Parties

Only the Competent Person has access to personal data. It will not be disclosed to third parties without your written consent, unless required by law (e.g., disclosure to public authorities). If disclosure of the whistleblower’s or protected persons’ identity is required by law, you will be informed in advance, along with the reasons, and will have the opportunity to comment.

We do not intend to transfer your personal data outside the EU or to international organizations.

Automated Decision-Making

Your personal data will not be subject to automated decision-making or profiling. 

Retention Period

Personal data will be stored only as long as necessary to fulfil the purpose of processing – typically for 5 years from the date the report is received. A longer retention period may apply if necessary to follow up on substantiated reports or to defend legal claims. 

Internal Regulations

Further information is available in our internal regulations:

Z 004 – Work Rules

V 114 – Personal Data Protection

V 125 – Internal Whistleblowing System and Whistleblower Protection

How to Contact Us

For general questions regarding data protection, contact us via e-mail at gdpr@ostroj.cz or via other contact details provided above.

If your request might affect the confidentiality of the whistleblower or report content, please contact the Competent Person directly via the contact details published on www.ostroj.cz or use our Internal Whistleblowing System.

Your request will be addressed promptly. In certain cases, we may request additional information. A fee may be charged if the request is manifestly unfounded or excessive (e.g., repetitive requests).

Right to File a Complaint

You have the right to lodge a complaint with the supervisory authority:
The Office for Personal Data Protection

Pplk. Sochora 27
170 00 Prague 7
www.uoou.cz
