EthicsPortal YAROSLAV SHMAROV

Privacy notice — whistleblower reporting channel

Data protection information pursuant to GDPR Articles 13 and 14

Effective date: April 19, 2026

YAROSLAV SHMAROV

1. Data controller

The data controller for the processing of personal data through the whistleblower reporting channel is YAROSLAV SHMAROV, registration no. 5272755790, with registered address at OBRZEZNA 1A/232, 02-691 WARSZAWA.

Website: https://ethicsportal.eu

2. Purpose of processing

Personal data is processed through the reporting channel for the purpose of receiving, assessing, and investigating reports of breaches of law submitted in accordance with Ustawa z dnia 14 czerwca 2024 r. o ochronie sygnalistów. This includes acknowledging receipt of reports, communicating with the reporting person, conducting follow-up actions, and maintaining records as required by law. YAROSLAV SHMAROV does not use the data collected for any purpose other than handling the report.

3. Legal basis for processing

The processing of personal data through the reporting channel is based on the following legal grounds under Ustawa z dnia 14 czerwca 2024 r. o ochronie sygnalistów and the GDPR:

  • GDPR Article 6(1)(c) — processing is necessary for compliance with a legal obligation under Ustawa z dnia 14 czerwca 2024 r. o ochronie sygnalistów
  • GDPR Article 6(1)(f) — processing is necessary for the legitimate interests of the controller, namely investigating and preventing breaches of law
  • GDPR Article 9(2)(g) — where special categories of data are involved, processing is necessary for reasons of substantial public interest on the basis of Union or Member State law

4. Categories of personal data processed

The following categories of personal data may be processed through the reporting channel:

  • Reporter identity data (name, contact details) — only if voluntarily provided; anonymous reporting is fully supported
  • Reported person identity data (name, role, department)
  • Witness or third-party data, if mentioned in the report
  • Facts and circumstances described in the report
  • Supporting evidence and attachments submitted with the report
  • Communication records between reporter and case handler
  • Technical data: anonymized IP hash for rate-limiting only — no IP addresses are stored

5. Recipients of personal data

Access to personal data processed through the reporting channel is strictly limited. Within YAROSLAV SHMAROV, only the following persons may access report data:

  • The designated person(s) responsible for receiving and following up on reports
  • Assigned case handlers (access limited to reports assigned to them)
  • System administrators (for system management only, not report content)
  • External legal counsel, if involved in the investigation (subject to professional secrecy)
  • The competent national authority, if the report is forwarded or the authority exercises its legal powers

6. Data retention

Personal data processed through the reporting channel is retained for a maximum of 5 years (60 months) after the case is closed or dismissed, in accordance with the data retention policy of YAROSLAV SHMAROV and the requirements of Ustawa z dnia 14 czerwca 2024 r. o ochronie sygnalistów. After the retention period expires, all personal data is permanently and automatically deleted from the system. Reports that are not followed up are retained only for the period necessary to determine that no further action is warranted.

7. Data subject rights

Under the GDPR, data subjects have the following rights in relation to their personal data:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)

The exercise of these rights may be limited where it would compromise the confidentiality of the reporting person's identity, the integrity of the investigation, or the rights of other persons involved. In particular, the reported person's right of access may be restricted to protect the identity of the reporter and the integrity of the investigation, in accordance with applicable law.

8. Security measures

The reporting channel employs the following technical and organizational measures to protect personal data: application-level encryption of all sensitive report data (description, reporter identity, contact information); anonymization of reporter IP addresses (one-way hash used for rate-limiting only); role-based access control restricting report visibility to authorized personnel; a complete and append-only audit trail of all actions performed on each report; automatic stripping of metadata (EXIF, GPS, author data) from uploaded files; and TLS encryption for all data in transit.

9. International data transfers

All report data is stored and processed within the European Economic Area (EEA). No personal data is transferred to third countries outside the EEA. If this changes, appropriate safeguards under GDPR Chapter V will be implemented and this notice will be updated accordingly.

10. Right to lodge a complaint

If you believe that the processing of your personal data through the reporting channel infringes the GDPR or applicable national data protection law, you have the right to lodge a complaint with Urząd Ochrony Danych Osobowych (UODO).

11. Updates to this notice

This privacy notice is effective as of April 19, 2026. YAROSLAV SHMAROV may update this notice to reflect changes in the processing activities or applicable law. The current version is always available through the reporting channel at https://secure.ethicsportal.eu/p/BiPdmk.