In the event that you have reported a violation to TIM S.A., TIM S.A., fulfilling the obligation under Article 13, sections 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation, GDPR), we hereby inform you that:
1. The Controller of the personal data is TIM S.A. with its registered office in Wrocław (53-612) at ul. Jaworska 13, 53-612 Wrocław, entered in the Register of Entrepreneurs by the District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register, under National Court Register (KRS) no. 0000022407, Tax ID Number (NIP) 897-000-96-78, share capital of PLN 23,000,000.00 fully paid up. Controller can be contacted by letter, e-mail at odo@tim.pl.
2. The Controller has appointed a Data Protection Officer – Roksana Lejpamer, who can be contacted via e-mail at: odo@tim.pl.
3. The Controller processes your personal data, in particular: name and surname, address of residence, e-mail address and other data indicated in the notification.
4. The data shall be processed for the purpose of fulfilling the Controller’s legal obligations related to receiving notifications of violations and undertaking follow-up activities, as well as verifying cases of notifications of violations of the law.
5. The legal basis for processing your personal data is:
a) Article 6(1)(a) of the GDPR – with regard to the disclosure of the whistleblower’s personal data, as with your consent, we may disclose your identity, but we emphasise that the aforementioned consent is entirely voluntary and may be withdrawn at any time;
b) Article 6(1)(c) of the GDPR in conjunction with Article 8, section 4 of the Whistleblower Protection Act of 14 June 2024 – to the extent necessary to accept the notification or take any follow-up activities;
c) Article 9(2)(g) of the GDPR in conjunction with Article 8(4) of the Whistleblower Protection Act of 14 June 2024 – to the extent necessary for the acceptance of notifications or possible follow-up activities;
d) Article 6(1)(f) of the GDPR – insofar as the personal data necessary to receive, verify and clarify notifications of violations of the law.
6. The Controller’s legitimate interest is to receive and verify notification and take follow-up activities.
7. The personal data shall be processed for a period of 3 years beyond the end of the calendar year in which the external notification has been submitted to the public authority competent for the follow-up activities or the follow-up activities have been completed or the proceedings initiated by these activities have been terminated.
8. The recipients of your personal data shall be the authorised bodies. Your personal data may also be processed by the supplier of the system that allows you to report violations (e.g. third-party provider of a system for receiving notifications, email provider). We assure you that these entities shall also protect your identity and shall not disclose it without your consent.
9. You have the right to:
a) access your data – the Controller shall then send you a copy of the data held;
b) complete or rectify your data;
c) request the restriction of data processing while your request is under consideration;
d) object to the processing of your data.
10. If you believe that we have violated the law by processing your personal data, you may lodge a complaint with the supervisory authority, namely: the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).
11. The provision of your personal data is voluntary. However, the provision of personal data of the person concerned by the notification is a condition for the consideration of the notification and the conduct of the investigation