Whistleblowing Privacy Notice

This Privacy Notice (Privacy Notice) explains how personal data is collected, used, and handled in relation to our whistleblowing procedures and related investigations (the "Whistleblowing Process"). Its purpose is to support you in making informed choices when using the Whistleblowing Process and to clarify how your personal data may be processed. We encourage you to read this Privacy Notice carefully. If you choose to submit a report anonymously, we confirm that no personal data will be collected or processed.

We strive to apply this Privacy Notice consistently across our organization and in all jurisdictions where we operate.


1. Information about the Data Controller

Data Controller: Data Troops, UAB; Švitrigailos g. 34, LT-03230 Vilnius, Lithuania

Contact: [email protected]

2. What Personal Data Do We Process

Where permitted by applicable law, you may use the Whistleblowing Process without disclosing any personal data. However, you may choose to voluntarily provide certain personal information when submitting a report. At your own discretion, this may include: your name, surname, email address, the name of your company, details of the concern or infringement being reported, the content of your report, any attachments you choose to include, and any other information you decide to share with us. We will also record the date on which your report is submitted.

While the Whistleblowing Process does not routinely involve the collection of special categories of personal data (e.g., information relating to racial or ethnic origin, religious beliefs, or sexual orientation), such data may be processed if you choose to include it in your report. We kindly ask that you only provide this type of information when it is essential to the context of your report.

In some cases, your report may contain personal data relating to other individuals. Depending on the nature of the report, those individuals may be given the opportunity to respond. Your identity will not be disclosed unless it is necessary for the investigation, you have given your explicit consent, or disclosure is required under applicable law.

Additionally, we may use your personal data for internal reporting and statistical purposes, but only in an anonymized format.

3. Legal Basis for Processing

We process personal data for the purpose of investigating whistleblowing reports submitted through the Whistleblowing Process and to implement any actions or remedial measures deemed necessary or appropriate following the outcome of such investigations.

The legal bases on which we rely to process your personal data may include the following, depending on the specific circumstances:

  • Your consent: where you have voluntarily provided personal data and consented to its processing (GDPR Article 6(1)(a));
  • Compliance with a legal obligation: where we are required to process your information to meet legal or regulatory obligations (GDPR Article 6(1)(c));
  • Legitimate interests: where processing is necessary for our legitimate interests or those of a third party, particularly in the context of preventing or addressing misconduct, ensuring compliance, or safeguarding the integrity of our organization (GDPR Article 6(1)(f)).
  • If your report includes any special category (sensitive) personal data – such as information relating to racial or ethnic origin, religious beliefs, or health – our processing of such data will be based on your explicit consent, in accordance with GDPR Article 9(2)(a).

4. Data Sources

The personal data we process is provided directly by you when you submit a report through the Whistleblowing Process. However, in certain instances, we may obtain personal data from other sources. These may include public authorities and institutions such as labour, social security, tax or supervisory authorities, law enforcement agencies, prosecutors, courts, or other governmental bodies - particularly when data is shared to meet legal obligations or to safeguard our legal rights and interests.

5. Disclosure of Personal Data

Where necessary and appropriate to the specific circumstances of a whistleblowing investigation, your personal data may be disclosed to a limited group of individuals within our organization, who are authorized to assess and investigate the report, and to implement any resulting actions or remedial measures. Disclosure may also extend to other individuals involved in the investigation, and to other entities of our organization as needed.

Depending on the nature and complexity of the report, we may also share your data with selected third parties, including:

  • Other affiliated entities within our organization‘s group;
  • Our professional advisers, such as legal counsel and accountants;
  • Governmental or regulatory authorities;
  • In addition, certain service providers to whom we outsource specific operational functions may receive access to your data. These may include, without limitation, providers of document processing and translation services, IT systems and software support, and data storage solutions.

Transfers outside the European Economic Area (EEA)

If/When transferring personal data outside the EEA, we rely on adequacy decisions issued by the European Commission, which confirm that the destination country ensures an adequate level of data protection. In cases where no such adequacy decision exists, we implement appropriate safeguards in accordance with Chapter V of the GDPR. This includes, but is not limited to, the use of the European Commission’s Standard Contractual Clauses (SCCs) to ensure that your personal data receives an adequate level of protection consistent with GDPR requirements.

6. Data Retention

We will retain personal data for as long as necessary to carry out the investigation of a whistleblowing report and to take appropriate follow-up actions. In line with our legal and regulatory obligations, certain information related to the investigation may be retained for a minimum of five years after the case is closed. Any data that is no longer required will be securely deleted or anonymized.

7. Your Rights

Under applicable data protection legislation, you have the following rights concerning your personal data:

  • Right of access: you can request confirmation whether your personal data is being processed and obtain access to that data along with information about its processing.
  • Right to rectification: you have the right to request correction of any inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”): you may request deletion of your data when: it is no longer necessary for the purposes it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; there is a legal obligation to erase the data; the data was collected in relation to information society services offered directly to a child.
  • Right to restriction of processing: You can request that processing be limited where: you contest the accuracy of your data; the processing is unlawful but you oppose erasure and prefer restriction; we no longer need the data but you require it for legal claims; you have objected to processing pending verification of legitimate interests.
  • Right to data portability: you may receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller, provided processing is based on consent or contract and carried out by automated means.
  • Right to object: you can object to the processing of your data when it is based on a task in the public interest, official authority, or legitimate interests, including profiling, or for direct marketing purposes.
  • Right to withdraw consent: if processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: you have the right to file a complaint with supervisory authority if you believe your data protection rights have been violated.

If you wish to exercise any of these rights or require more information, please contact us using [email protected].

8. Automated decision-making, including profiling

We do not engage in decision-making based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.

9. Technical and Organisational Measures

We are committed to ensuring the security and confidentiality of your personal data. To this end, we have implemented appropriate technical and organisational measures designed to protect your data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures are regularly reviewed and updated to maintain an adequate level of protection in line with applicable data protection laws and industry best practices.

10. Updates

We may update this Privacy Notice from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We encourage you to review this Privacy Notice to stay informed about how we collect, use, and protect your personal data.

Last updated: July 23, 2025


© 2018-2025 decodo.com (formerly smartproxy.com). All Rights Reserved