Whistleblower Protection Policy
Borgstena has the purpose of compliance with the legal regime for the protection of whistleblowers, the processing of the personal data of whistleblowers and, in general, of all persons who use the Whistleblowing Channels or who, in any way, is involved in the whistleblower protection system, in accordance with the applicable standards in the field of data protection or information security, namely, the General Data Protection Regulation and the Enforcement Act of the General Data Protection Regulation, being the data processing carried out in the following parameters:
1.Person responsible for processing: Dual Borgstena Textile Portugal Unipessoal, Lda., hereinafter Borgstena, with Tax ID Number PT 502 355 409, with headquarters in Portugal, at EN 234 – km 87,7 (Chão do Pisco) Apartado 35, 3521 – 909 Nelas, Portugal.
Telephone: (+351) 232427660;
E-mail: info@borgstena.com;
Website: www.borgstena.com.
2. Contacts for the Data Protection Officer: The responsible entity has specific email addresses for the purposes of personal data protection and whistleblowing handling, with the Data Protection Officer available at rgpd@borgstena.com and the Whistleblower team available at compliance@borgstena.com .
3. Categories of data subjects: whistleblowers and, in general, any and all persons who use the Whistleblowing Channels or are otherwise involved in the whistleblower protection system, also including the persons targeted.
4. Personal data to be processed: where the individual chooses to identify him or herself, the personal data processed are general whistleblower identification data (name) and contact data (residence, telephone and email), and other data may be processed depending on the specific procedures for following up complaints, such as voice in the case of recording messages or telephone communications, where such processing is deemed necessary, proportionate and appropriate for such follow-up.
5. Background and purpose of the processing: the personal data of the data subjects will be processed solely for the purpose of receiving and following up the complaints lodged, and of carrying out any technical or organisational measures necessary to protect the whistleblower or persons concerned.
6. Legal basis: depending on the specific situation, data processing is based on the data subject’s express consent, on compliance with legal obligations or on the pursuit of legitimate interests, the basis being specified in each of the activities carried out.
7. Consequences of not providing the data: in addition to the possibility of submitting anonymous complaints, where the basis of the legitimacy of data processing is consent, the data subject is not obliged to allow the processing of personal data, whereby, by not consenting, or subsequently withdrawing the consent previously given, the same shall not be processed, and, in the latter case, after the request, the personal data in question shall be deleted, or the use thereof shall be cancelled for ancillary purposes, depending on the express will of the data subject, without affecting, however, the legality of the operations carried out in the meantime up to the date of the withdrawal of consent.
8. Recipients: the controller performs the processing itself (through professionals subject to the obligation of professional secrecy) or on its behalf, through subcontractors accredited for the provision of services selected by it and bound by strict technical and organizational measures adjusted to the protection of personal data.
9. Security Measures: technical and organizational security measures are in place that are deemed appropriate to ensure a level of data processing security appropriate to the risk.
10. Data collection location: data is collected by technicians designated by the controller, using paper or digital forms, whereby the privacy or confidentiality of data collection, data integrity, quality and accuracy are guaranteed.
11. Storage period: without prejudice to exceptional situations of extension of the storage period provided by law or considered necessary for the defense of rights or legitimate interests, as well as situations of withdrawal of consent, deletion, opposition or limitation of processing, which produce immediate effects without affecting, however, the legality of the operations carried out in the meantime, the personal data processed are stored by default for a period of five years, after which they will be deleted, and may be deleted before this storage period if they are not considered necessary for the follow-up of the whistleblowing report.
12. Data communication and confidentiality: with the exception of situations where data communication is legally required, there are no data communication operations. Personal data is not communicated to third parties and the identity of the whistleblower, as well as information that directly or indirectly allows the identity of the whistleblower to be deduced, are qualified as confidential and access is restricted to the persons responsible for receiving or following up on whistleblowing reports.
13. Interconnection of data and automated decisions: no interconnection of personal data is performed.
14. International transfers of personal data: No transfers of personal data of whistleblowers to a third country or international organization outside the European Union are carried out.
15. Processing and media: personal data is collected by a technician of the controller, being subject to multiple non-automated and automated processing and being incorporated into various types of analog or digital media that are deemed necessary to achieve the purposes of the activities, and are always treated confidentially.
16. Rights of the data subject: in addition to the possibility of anonymous reporting or withdrawal of consent, the data subject has the right to request the controller to access, rectify or delete their personal data, as well as to limit or oppose processing and data portability, under the conditions provided by law.
17. Right to complain to the supervisory authority: the data subject may always exercise, if he or she deems it necessary, the right to complain to the Portuguese Data Protection Commission (www.cnpd.pt).
18. Address for exercising rights: in order to request any information, present complaints or request the exercise of rights, please contact rgpd@borgstena.com .
19. Data Protection Policy: personal data processing operations are carried out in accordance with the General Data Protection Policy which is available at www.borgstena.com .
20. Data Collection Forms and Special Information Leaflets: the Forms for submission of complaints and the special Information Leaflets that may exist on the activities to be performed by BORGSTENA under the whistleblower protection system are available for consultation on the Whistleblowing Channels Platform accessible through the link https://borgstena.protecaodedenunciantes.com or by contacting the Whistleblowing team, by email compliance@borgstena.com .