Special Reporting Privacy Statement

INFORMATION ON THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE OPERATION OF REPORTING CHANNELS

The Company is the controller of personal data (hereinafter Data) collected through existing reporting channels, based on applicable personal data legislation.

Company details:

  • iStorm Trade in Information Technology and Telecommunications Products and Services Societe Anonyme", d.o.b. "iStorm M.A.E.". The company's headquarters are located at 19-20 Filikis Etaireias Square, Kolonaki, 106 73, Attica. VAT No.: 095727131, TIN NO.: 002700001000, ATHENS TAX OFFICE.

The Company has implemented reporting channels in the context of preventing, detecting or investigating irregular, unethical, illegal or criminal behavior within the Company. Reports/complaints of irregularity, omission or criminal act concern -but are not limited to- the following:

  • Theft
  • Fraud
  • Corruption
  • Bribery (offer/acceptance)
  • Violation of human rights (diversity, discrimination based on gender, religion, nationality, etc.)
  • Misuse of assets
  • Acts that endanger the health and safety of workers
  • Acts harmful to the environment
  • Acts that may lead to a violation of competition law
  • Acts that conflict with the interests of the Company and/or the Group
  • Violation of the Policies and Procedures of the Company and Group companies with a risk of causing financial loss
  • Violation of the legislative framework governing the Company and its Group companies (including legislation governing the protection of persons reporting violations of EU law)
  • Other unethical/improper behavior (acts that violate the Group's rules of ethics and conduct).
  • Incidents of violence and harassment
  • Incidents of personal data breaches (data breaches)
  • Information security incidents

The above list is not exhaustive, but is intended to illustrate the type of issues.

If the above acts are subject to any legal procedure provided for by national legislation, the Management of the Company or the respective Group company will immediately send the complaint to the competent Service/Authority for further investigation.

The Company receives the Data submitted in the following ways:

  • By email to: milicemas@quest.gr In the case of an anonymous report/complaint: it is recommended to use a non-corporate email to submit the complaint (e.g. gmail)
  • Through the Company's website: www.istorm.gr
  • By email for cases of personal data breach at databreach@istorm.gr
  • By email for cases of information security breaches to the following address: Company Information Security Officer at: infosec@quest.gr
  • By mail to the address of the relevant Group company, attention of the Compliance Officer, marked "Confidential" or if it concerns a personal data breach, attention of the Data Protection Officer or if it concerns Information Security breach issues, attention of the Group Information Security Officer

It may also receive data through reports transmitted to it by the group's subsidiaries, to the extent that a report raises issues of public interest or directly/indirectly concerns the Company. In the context of investigating a report, the Company may collect further Data through interviews with those involved, as well as from other sources, in accordance with what is defined in its internal Policies and Procedures.

In order to verify or not the validity of a specific report/complaint and to further investigate the reported incident, the Company processes the Data voluntarily submitted by the complainants, i.e. indicatively and not restrictively:

(a) the events that gave rise to the suspicion/concern, with reference to names, dates, documents, locations and
(b) the reason that led to the submission of the report/complaint.

In no case is the report/complaint expected to prove the potential concerns/suspicions of the complainant, however it is encouraged to report all available information, in order to facilitate the investigation of the case.

It should be noted that the Company, through the reporting channels it has established, allows the complainants to submit their report either by name or anonymously. Reports must be made “in good faith”. The Company is committed to protecting the complainants, given that they submitted the report in good faith, from any discrimination or adverse treatment, any targeting or act aimed at punishing them and providing for adverse professional transfer/transfer or termination of employment. After the examination of the report, no sanctions or consequences are foreseen for those who are not proven to have committed or contributed to an illegal act.

Access to the Data included in the reports for the purposes of examining or managing the reports may only be granted to those involved in the management and investigation of the incident in question and to the extent required.

In particular, the Data included in the reports are communicated on a case-by-case basis and depending on the nature of the incident and always in accordance with the relevant Policies and Procedures: to the members of the Company's Report Evaluation Committee (if the incident concerns violence/harassment), to the Compliance Officer (responsible for receiving and monitoring reports), to the Head of Internal Audit (responsible for managing/examining reports), to the Data Protection Officer, to the Audit Committee, to the Board of Directors, to external consultants bound by confidentiality clauses, lawyers, as well as to judicial and/or administrative authorities.

Also, the Data included in reports/complaints is disclosed to the individuals included in the report/complaint, to witnesses and to anyone else with a legitimate interest. When access to the Data is granted to the individuals included in the report/complaint, the details of the complainant and witnesses are concealed, unless they have given explicit consent, as well as if it has been proven that the report/complaint was malicious.

The reporting parties and those involved in the investigation process of the report are informed of the content of the report and of their relevant rights and their exercise, in accordance with the applicable framework. However, the provision of information is considered on a case-by-case basis as cases may arise where the above information may, for example, a) hinder the investigation of the case and hinder the evaluation of the report as well as the collection of information and data required, or b) lead directly or indirectly to the identification of the reporting parties, or c) lead to the disclosure of confidential information which, due to its nature and in particular due to the Company's overriding legitimate interests, must remain confidential, or d) hinder the establishment, exercise or support of legal claims of the Company and/or any criminal proceedings. In the event that those included in the report/complaint are not immediately informed of its content, in order to prevent them from taking actions that obstruct the investigation, the reasons for the relevant delay should be recorded in writing and the document should be filed in the case file.

The Data and generally the information received by the complaint management team are not transmitted to other persons or groups of the Company or the Group company (regarding the incident), unless such transmission is considered absolutely necessary for the purposes of further investigating the complaint and exclusively to the required persons on a need-to-know basis.

The Company will retain the Data for a specific period of time from the completion of the investigation, which varies depending on the outcome of the investigation. Specifically:

  • In the event that the report is deemed unfounded or abusive or does not contain incidents that establish a violation or there are no serious indications of a violation, the Data will be deleted within six (6) months of its placement in the file.
  • In the event that the report/complaint follows the legal route, the Data is deleted upon the issuance of an irrevocable court decision thereon.
  • In the event that the report/complaint results in documented findings against an employee/executive of the Company or a Group company (regarding the incident), the Data is retained throughout the duration of his/her employment/relationship with the Company or the Group company and is deleted twenty (20) years after the termination/termination of the collaboration in any way.
  • In the event that the report/complaint results in documented findings against a third party, e.g. a customer, supplier, external partner of the Company or the Group company (regarding the incident), the Data is retained throughout the duration of the collaboration and is deleted five (5) years after the termination/termination of the collaboration in any way.

In all cases, the relevant Company Policies for the retention and deletion of personal data are adhered to.

The Company implements the necessary technical and organizational measures to ensure a certain level of security commensurate with the risks posed by the processing and in view of the nature of the Data being processed, in accordance with the Company's applicable policies and procedures in relation to the processing of Data and information security (such as access to information on a need to know basis, binding personnel with access to confidentiality obligations, control of access rights, use of encryption, supervision of IT equipment and services in full compliance with applicable legislation, etc.).

For more information on the processing of your Data and your rights, please refer to the Privacy Statement at the following link: https://www.istorm.gr/gdpr/privacy-notice, the Complaints Management Policy or contact the Data Protection Officer (DPO) at the email address dpo@istorm.gr.