Notice on the Operation of the Internal Reporting Channels, the Reporting Process and the related Processing of Personal Data.
The Company with the name ‘’COSMOTE Payments - ELECTRONIC MONEY SERVICES SINGLE MEMBER S.A.’’, based in 99, Kifissias Αve., Maroussi Attica, 15124, (henceforth referred to as "Company"), as a controller, has established and operates the abovementioned internal reporting channels in the context of Law 4990/2022 ‘Protection of persons who report breaches of Union law’ (Government Gazette 210/A/11-11-2022).
By this form, the Company provides the following information: (a) in the capacity of the Company as person liable according to L. 4990/2022, informs the persons entitled to submit reports through the channels, for the operation of the channels, the processes for monitoring reports and their rights, and (b) in the capacity of the Company as controller, informs data subjects of the processing of their personal data during channels operation and case management.
Α. Operation of Internal Reporting Channels and Reporting Process pursuant to L. 4990/2022
Reporting persons may submit reports eponymously or anonymously, using the abovementioned reporting channels and are informed on the receipt of their report within seven (7) working days from the date of receipt. The Company takes the appropriate technical and organizational measures when monitoring the report, such as pseudonymization techniques of the personal data being processed in case of eponymous reports.
In case of an oral report submitted by phone, during the phone call, the reporting persons are informed of how they can monitor the progress of their report. During the monitoring of the report, the Reports Receiving and Monitoring Officer (‘RRMO’) of the Company may request from the reporting person to clarify the reported information, or to provide additional information on the subject of the report. Upon completion of the follow-up actions, the RRMO informs the reporting person on the outcome of the investigation as well as on the actions undertaken for the management of the report, within a reasonable timeframe, which does not exceed three (3) months from the acknowledgment of receipt of the report.
Personal data and any kind of information that leads, directly or indirectly, to the identification of the reporting person are confidential and not disclosed to anyone beyond the R.R.M.O. of the Company and the authorized members of OTE Group personnel who are responsible to receive or follow up on the reports, without the explicit consent of the reporting person.
Notwithstanding the above, the identity of the reporting person and any other information related to the report may be disclosed, only where there is an obligation imposed by law, in the context of investigations by competent authorities or in the context of judicial proceedings and provided that this disclosure is necessary to serve the purpose of L. 4990/2022 and safeguard the defense rights of the reported person. The disclosure takes place after the reporting person has been informed in writing and has given the right to submit in writing their objections to the Company.
The operation of the channels as well as the receipt, monitoring, management and archiving of reports are further specified in detail by the specific conditions of the "OTE Group Whistleblowing & Non Retaliation Policy", as in force.
Without prejudice to law, reporting persons shall not incur, inter alia, liability in relation to (a) the acquisition of information or access to information reported, provided that such acquisition or access does not constitute a self-standing criminal offense, and (b) the reports themselves, if they have reasonable grounds to believe that the report was necessary to reveal a breach.
Any form of retaliation against reporting persons, their colleagues or relatives, against facilitators and companies owned by the reporting persons or for which the reporting persons work, is prohibited, including threats of retaliation and attempts of retaliation. In case of retaliation, the persons against whom retaliation was undertaken, are entitled to full compensation for the damage suffered and may request the things to be restored to the state they were before the retaliation, if this is objectively possible and not disproportionately onerous for the Company. The termination of an employment contract that takes the form of retaliation, is in any case void.
The reporting person has the right to submit an external report to the National Transparency Authority (‘EAD’) in the following ways: (a) electronically by sending an e-mail to
kataggelies@aead.gr or by completing a digital form on the
website (b) by post, sending a written letter to the following address: National Transparency Authority, 195 Lenorman Ave. and Amfiaraou, 10442, Athens, as well as (c) in person at EAD headquarters mentioned above.
Following their request, the RRMO provides, in absolute confidentiality, to reporting beneficiaries and reporting persons appropriate information regarding the possibility to submit a report as well as information on the procedures according to which an external report can be submitted to EAD and, where applicable, to public authorities or institutions and other bodies or organizations of the European Union.
For any issue regarding the process of submitting, receiving, monitoring, managing and completing/archiving reports, the protection of the reporting and reported persons and, in general, the operation of the channels as well as the submission of external reports to EAD, you can contact the RRMO of the Company, by sending a relevant request to the following email accounts:
tellme@cosmotepayments.gr and
tellme@ote.gr.
B. Processing of Personal Data during the Operation of Internal Reporting Channels
During the operation of the channels, the Company as controller may process the data of the following categories of data subjects, as defined in L. 4990/2022: (a) reporting persons, (b) reported persons, (c) facilitators, and (d) third parties referred to in the reports or whose data may be included in documented monitoring actions.
The data, which are processed, are data included in reports as well as data that are processed during the submission, monitoring, management and archiving of reports, the protection actions of the reporting persons and, in general, the operation of the channels and the application of the ‘OTE Group Whistleblowing & Non Retaliation Policy’ and which concern or are related, inter alia, to legal rules breaches that fall within the scope of L. 4990/2022. Data sources are the reporting persons, the reported persons, the facilitators as well as third parties from whom data is collected when performing monitoring actions.
The purposes of the processing are the following: (a) the fulfillment of the obligation to establish and operate the channels, (b) the submission, monitoring, management and archiving of reports, (c) the execution of monitoring actions and, in general, the adoption of the necessary measures for the follow-up of submitted reports, (d) the protection of reporting persons, in particular against retaliation, (e) the adoption of disciplinary measures or even legal actions against reported persons who commit violations, (f) the provision of information on criminal offenses to the competent investigative and judicial authorities, (g) the safety and confidentiality of the process regarding the monitoring of reports and the processed data related to it, (h) the establishment, exercise or defense of legal claims of the Company or third parties, and (i) the improvement of Company’s organization and management.
The legal basis of the processing is, on the one hand, the compliance with the legal obligations of the Company, as defined in L. 4990/2022, as well as the pursuance of OTE Group legitimate interests for the proper operation of its companies and the prevention, suppression, criminal prosecution and compensation for violations within those companies (Article 6 § 1 (c) and (f) GDPR) and, on the other hand, the processing for the establishment, exercise or defense of legal claims of the Company or third parties as well as for reasons of substantial public interest based on L. 4990/2022 [article 9 § 2 (f) and (g) GDPR].
Our Company will keep your personal data for a period of five (5) years from the completion of the follow up of the report or from the adoption of measures to protect the reporting persons or the adoption of disciplinary measures or/and legal actions against the reported persons or third parties. Our Company may retain your personal data after the abovementioned period in the following limited cases: (a) if this is necessary and for as long as it is required in the context of pursuance of the processing purposes, or (b) if there is a legal obligation from a relevant law provision, or (c) for defending our rights and legitimate interests before any competent Court and any other public authority within the provided limitation period.
The following categories of data processors on behalf of the joint data controllers have access to the personal data: (a) IT service providers in the context of supporting and hosting Company's IT systems, (b) professional advice providers in the context of supporting the monitoring of reports and (c) auditors in the context of conducting audits for the fulfillment of Company's legal obligations. The Company may transfer personal data to lawyers and law firms for the provision of legal services for the purpose of establishing, exercising, or defending Company's legal claims. Finally, transfers of relevant information to the competent supervisory, investigative, and judicial authorities may take place in the context of the execution of the Company's legal obligations or the exercise or defense of its legal claims.
Your personal data is exclusively stored at Company's premises, where it is protected by appropriate security measures. We will not transfer your data to third countries outside the European Economic Area (EEA).
Without prejudice to law, employees or third parties who report incidents of misconduct as well as employees or third parties who may be included in the above reports may exercise, as applicable, the rights provided for in articles 15-22 of the GDPR regarding access, rectification, erasure, restriction of processing, data portability or objection to the processing of their personal data or objection to automated decision-making, including profiling, by sending a relevant request to the email account:
privacy@ote.gr.
The Company may reject the relevant requests of the involved parties for the period of time that will be deemed as critical in order to avoid obstructing investigations or to implement the actions towards the conclusion of the case or the protection of the reporting persons.
Alternatively, in case you consider that we have not adequately satisfied your request and the protection of your personal data is adversely affected in any way, you can file a complaint to the Hellenic Data Protection Authority (Kifisias Ave. 1-3, P.C. 115 23, Athens, phone: 210 6475600). Detailed instructions for submitting a complaint are provided on the Authority's website:
Complaint to the Hellenic DPA | Hellenic Data Protection Authority..