Internal notification system of Dopravní podnik města Hradce Králové, a.s.


Dopravní podnik města Hradce Králové, a.s., with its registered office at Pouchovská 153/52, Věkoše, 500 03 Hradec Králové, IČO: 25267213, registered in the Commercial Register maintained by the Regional Court in  Hradec Králové, Section B, File 1625 (hereinafter referred to as the "Company"):

(a) in accordance with Directive (EU)   2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law ('EU Directive'); and

b) having regard to Regulation (EU)   2016/679 of the European Parliament and of the Council of 27.4.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR"), which lays down in particular rules relating to the protection of natural persons with regard to the processing of personal data,

introduced the Company's Internal Notification System.

The Company's internal notification system is used to implement the EU Directive in connection with the notification of breaches of European Union law.

The EU Directive is available e.g. here:

https://eur-lex.europa.eu/legal-content/CS/TXT/PDF/?uri=CELEX:32019L1937&from=CS

 

I.    NOTIFIER

1.    The EU Directive applies to reporting persons working in the private or public sector ("Whistleblower") who acquired information on breaches in a work-related context, to the extent of:

 

(a)   persons having the status of worker within the meaning of Article 45(4); 1 TFEU, including civil servants;

(b)   persons having the status of self-employed persons within the meaning of Article 49 TFEU;

(c)   shareholders and persons belonging to the administrative, management or supervisory body of an undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees;

(d)   any persons working under the supervision and direction of contractors, subcontractors and suppliers.

Whistleblowers include persons who report or disclose information about the Breach obtained in the course of an employment relationship that has since ended, and persons whose employment is yet to begin, if the information about the Breach was obtained during the recruitment procedure or other pre-contractual negotiations. 

 

II.  INTERNAL NOTIFICATION SYSTEM

1.   Person concerned and contact details (channels for receiving reports)

1.1 The relevant person is the person who receives and handles reports within the Company's internal notification system.

1.2 The Company has designated as the relevant person to perform the activities of the relevant person under the EU Directive: Josef Januš (hereinafter referred to as the "Relevant Person").

1.3 The Company determines the following contact details – channels for receiving Notifications under the EU Directive by the Person Concerned:

  • telephone number of the relevant person 495 089 270,
  • e-mail Relevant persons: oznameni@dpmhk.cz
  • via the contact form of the Person Concerned on the www.dpmhk.cz website
  • by post to the delivery address: Pouchovská 153/52, Věkoše, 500 03 Hradec Králové,
  • in person in the office Relevant persons: Pouchovská 153/52, Věkoše, 500 03 Hradec Králové, building, ground floor, room No. 19; office hours Relevant persons for personal meetings Mon – Fri, 8:30 am – 10:30 am, or by prior arrangement.

 

2.    Submission and receipt of notifications

2.1. The notifier shall be allowed to submit a notification through the internal notification system in writing and orally (including telephone notification) and, upon request, in person.

2.2 If requested by the Notifier, the Person concerned is obliged to accept the notification in person within a reasonable time, but no longer than 30 days.

2.3 The Relevant Person is obliged to notify the Notifier in writing of the receipt of the notification within 7 days from the date of its receipt, unless:

(a)   the notifier has expressly requested the Relevant Person not to notify him of the receipt of the Report, or

b)   it is clear that notification of receipt of the Notification would reveal the identity of the Notifier.

 

3.   Handling of information

3.1 Only the Relevant Person may become acquainted with the submitted reports. The person concerned shall not provide information that could defeat or jeopardise the purpose of the report.

3.2 Information about the identity of the Notifier and other persons under the EU Directive may only be provided with their written consent, unless the Relevant Person is obliged to provide such information to the competent public authorities under generally binding legal regulations; this also applies to information on the identity of the person mentioned in the notification.

3.3 If the Relevant Person provides information about the identity of the Whistleblower to a public authority pursuant to Article 3.2, he/she is obliged to notify the Notifier in advance, together with the reasons for which he/she is obliged to provide the identity information, and to allow the Notifier to comment on the provision of the information.

 

III. PROTECTION OF PERSONAL DATA

1.    General principles

1.1  Any processing of personal data is carried out in accordance with the GDPR.

1.2 Personal data that are manifestly irrelevant for the handling of the report shall not be collected and, if accidentally acquired, shall be deleted without undue delay.

1.    Processed personal data

      The Company, as a personal data controller, processes the following personal data:

a)   Name, or names, surname, date of birth, contact address, email and telephone number of the Notifier, if these data are communicated by the Notifier to the Company.

(a)   Identification of the person against whom the notification is directed.

      The notification may also be made anonymously, if in such a case the processing of the Notifier's personal data does not take place.

2. Information according to Art.    13 GDPR

In accordance with Article 13 of the GDPR, the Company hereby provides all personal data subjects with the following information:

a)   Identity and contact details of the personal data controller

The administrator of personal data is the Company.

b)   Data Protection Officer

The company has appointed a data protection officer, namely GDPR Hradec s.r.o., with its registered office: Fráni Šrámka 1139, 500 02 Hradec Králové, IČ: 06708218, contact person: Mgr. Martin Jeřábek, e-mail: info@gdprhradec.cz, tel.: +420 495 510 765.

c)   Purposes of processing

Processing and handling of notifications.

d)   Legal basis of processing

The legal basis for the processing of personal data is the legal title referred to in Art. 6 para. 1 point. c) GDPR, when the processing of personal data is necessary for compliance with a legal obligation to which the Company as a controller is subject, and the title referred to in Article 6 para. 1 point. a) GDPR, i.e. the consent of the Notifier (data subject) for the purpose of providing information on the identity of the Notifier and for the purpose of making an audio recording or transcription of the oral Notification.

e)   Categories of data subjects concerned

Whistleblowers, other persons under the EU Directive, and persons affected by the report.

f)    Potential recipients of personal data

Law enforcement authorities, if the legal conditions for the transfer of processed personal data to this authority are met.

g)   Duration of personal data processing

For the time necessary to prepare the notification and the facts stated therein , and for the period of fulfilling the obligations stipulated by generally binding legal regulations.

h)   Source of personal data

Notifications and personal data provided by the Notifier.

i)    Rights of data subjects:

1)   Right of access to personal data

The data subject has the right of access to all processed personal data. At his/her request, the Company shall provide a copy of the processed personal data in a machine-readable format.

2)   Right to rectification of personal data

The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by providing a supplementary statement.

3)   Right to erasure of personal data

The data subject has the right to erasure of personal data that the Company would process unlawfully.

4)   Right to restriction of personal data processing

The data subject has the right to block his or her personal data under the conditions set out in Article 18 of the GDPR (in particular, if an objection is raised, there is a dispute about the legitimacy of data processing).

5)   Right to data portability

The data subject has the right to obtain from the Company automatically processed personal data in a structured, commonly used and machine-readable format, or to have the Company transmit these data to another administrator, if technically feasible.

6)   The right not to be subject to automated decision-making

The data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which would produce legal effects concerning him or her or significantly affect him/her. The Company does not carry out any such automated decision-making or profiling.

7)   Right to object

The data subject has the right to object to the processing of personal data on the grounds of legitimate interest.

8)    Request for the processing of personal data

If personal data is provided by the Notifier, they will be processed in accordance with the GDPR. The processing of the Notifier's personal data is carried out on the basis of the EU Directive and Article 6 para. 1 point. c) GDPR, is not a contractual requirement, and the Notifier is not obliged to provide personal data.

The provision or non-provision of personal data has no consequence for the Notifier, except that if personal data is not provided, the Company will not be able to identify the Notifier.

 

9)   Right to lodge a complaint

The data subject has the right to address his complaint to the Company at any time, or to file a complaint with the Office for Personal Data Protection, address: registered office at Pplk. Sochora 27, 170 00 Prague 7 or to request judicial protection.

 

3.    How to exercise data protection rights

3.1 To exercise your rights in connection with the Notice, please contact the Company: The relevant person.

3.2 On the http://www.dpmhk.cz/ website there are model forms for exercising the rights of data subjects .

3.3 The Company is obliged to inform the Applicant free of charge of the measures taken without undue delay and in any case within one month of receipt of the request. That period may be extended by a further two months, if necessary, taking into account the complexity and number of requests. Should the Company not comply with the request, the applicant will be informed immediately (at the latest within one month) of the reasons for the non-compliance. 

In some cases defined by legislation, the Company is not obliged to comply with the request in whole or in part. This will be the case, in particular, where the request is manifestly unfounded or excessive, in particular because it is repeated. In such cases, the Company may:

  • impose a reasonable fee taking into account the administrative costs; or
  • refuse to comply with the request.

If the Company receives a request but has reasonable doubts as to the identity of the sender of the request, it may request the provision of additional information necessary to confirm the identity of the applicant.