Privacy Notice for Whistleblowing

In HeaDS (hereinafter referred to as the “Company” or “we”) we consider Data Protection an integral part of our operational business principles and are committed in respecting your privacy and complying with all applicable laws on data protection, including the General Data Protection Regulation (GDPR).  

Lawfulness and purpose of data processing  

We process your personal data, based on one or more of the following lawful bases: 

  1. Compliance with legislation on the protection of persons who report breaches of EU law: Personal data are processed by HeaDS, to the extent permitted or required by applicable law, for the purpose of receiving and evaluating reports on breaches of EU law. The legal basis for such processing is HeaDS’ compliance with national legislation transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (the “Law”). 


What personal data do we process?  

The Company, under the capacity of controller, processes any information included in the report or otherwise brought to its attention in the context of the receipt and handling of a report. Depending on the case and the nature and content of each report, the Company may collect and process the following data: 

  1. The act or omission reported 
  1. Identifying information and contact details (e.g., name, surname, age, date of birth, signature, photograph, address, telephone number, email address, family members, marital status) 
  1. Business details (e.g., employment company, job title, department, position level, employment contract and similar data.) 


What are the recipients of your personal data?  

In the context of a report, the Company may share personal data and the information received with public, judicial, prosecutorial, investigative, supervisory, independent authorities and/or to any authority required to evaluate the report, as well as with external advisors (e.g., lawyers, auditors). HeaDS may also share personal data with third party service providers (processors), specifically with the externally appointed Whistleblowing Officer, also with the email service provider and the hosting service provider.

For the needs of receiving services by the aforementioned processors, any transfer of your personal data outside the EU/European Economic Area due to sharing of personal data with the said processors, will be based on an adequacy decision issued by the European Commission or subject to suitable and appropriate safeguards and conditions to ensure an adequate level of data protection, e.g., data transfer agreements based on standard contractual clauses approved by the European Commission.  

For further information on how HeaDS protects personal data when transferred outside the EU/European Economic Area or in order to obtain a copy of the safeguards we implement to protect personal data when transferred outside the EU/European Economic Area, please contact our Data Protection Officer at 


How long do we process your personal data for? 

Personal data are processed for the purposes mentioned above and will be retained for as long as this is necessary for the management and following up on the report. In case of subsequent litigation or disciplinary proceedings or other proceedings before a court or independent authority, personal data will be retained until the conclusion of the said proceedings. In principle, HeaDS will retain your personal data for as long as required or permitted by applicable law, including for as long as the data may be required to pursue or defend any claims that have not been time-barred. 

Personal data which are manifestly not related for the handling of a specific report are not collected or, if accidentally collected, are deleted without undue delay. 


Your rights 

The Law provides for certain limitations to the General Data Protection Regulation (“GDPR”) rights of the persons concerned or third parties whose data were included in the report or have been obtained through monitoring measures. In particular, HeaDS may refuse to satisfy the right to be informed, the rights of access, rectification, erasure, restriction, etc. of the persons concerned and third parties, for as long as necessary, in order to ensure that the process described in the Policy is carried out in accordance with the Law. 

Subject to the above conditions and the conditions set out in the GDPR, you have the following rights regarding the protection of your personal data: 


Right of Access 

You can contact HeaDS so that we can inform you and explain whether and what data we retain about you and how we process them. You may also request a copy of your personal data that the Company retains. 

Right to Rectification 

If you believe your data are inaccurate or need to be updated, you have the right to request the rectification of inaccurate personal data and the supplementation of incomplete data. 

Right to be Forgotten / Right to Erasure 

Under certain conditions, e.g., when the data are no longer needed or you have withdrawn your consent or the data have been unlawfully processed, you have the right to request from HeaDS the erasure of your personal data. 

Right to Restriction 

If you consider that your data are inaccurate or that their processing is unlawful, or you consider that the data are no longer needed HeaDS, or you object to automated processing, you have the right to request that the processing be restricted. 

Right to Object 

You may object to the processing of your personal data by HeaDS on grounds that concern you and relate to your particular situation, unless, inter alia, there are compelling legitimate grounds for the processing which override your interests, rights and freedoms. You also have the right to object when a decision concerning you is based solely on automated processing, including profiling, and this decision produces legal effects concerning you or significantly affects you (exceptions provided by law). 

Right to Portability 

You may request to receive your data in a structured, commonly used and machine-readable format, and have your data transmitted to another organization (controller), which you will indicate to HeaDS 


How can you exercise your rights? 

For further and more detailed information about your rights, we encourage you to visit the corresponding Data Protection Authority website, as indicated below.  

If you have any queries or concerns, or you wish to exercise your rights (of access, objection, etc.) please contact us as indicated below. 

If you have any question or concern regarding this Privacy Notice and your personal data processing by the Company, you may contact the Data Protection Officer at 

You have the right to lodge a complaint with the corresponding Data Protection Authority with regard to matters that concern the processing of your personal data by the Company. More information on the competence of the Data Protection Authority and how to lodge a complaint, you can find on the respective website.  

 A list of contact details for the Data Protection Authorities in the EEA can be found here. For the Swiss authority here, for the UK authority here. 


Last updated: 22-Mar-2024 

Get in touch with us or find an office closest to you.