ACCESA Whistleblowing Privacy POLICY
Effective Date: 24.10.2025
Welcome to the Accesa Whistleblowing Privacy Policy. At Accesa ("we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal data. As part of our dedication to transparency and accountability, we want to clearly explain how we collect, use, share, and protect your information in line with the European General Data Protection Regulation (GDPR) and other EU and local data protection regulations.
We value the trust you place in us, and this notice outlines our approach to managing personal data responsibly.
It covers all aspects of data processing, ensuring we handle your information with care and respect.
Who we are | Contact Us |
We are Accesa IT Systems (“Accesa”), an ICT service provider operating within Romania, acting as controller. Our mission is to create an environment where our employees and partners thrive and positively impact the community. | Visiting Address: Constanta 12, Platinia Office, Cluj-Napoca, Romania; Email: hello@accesa.eu; Website: https://www.accesa.eu |
If you have any questions or concerns about this Privacy Policy or how we handle your personal data, please don't hesitate to reach out to us: | Data Protection Officer (DPO) Contact: dpo@accesa.eu |
Who This Privacy Policy Covers
This privacy notice applies to all individuals whose personal data may be processed in connection with the use of Accesa’s Whistleblowing Channel (Vispato), and specifically includes:
Whistleblowers: employees, former employees, contractors, suppliers, clients, or any other external party submitting a report, either identified or anonymous;
Individuals mentioned in a report: persons alleged to have committed or been involved in a breach, as well as persons associated with them;
Witnesses and third parties: individuals whose data is provided in the report or during the investigation;
Investigating parties: members of the Whistleblowing Committee (Risk & Compliance Lead, Internal Auditor, Head of Legal) and any other internal or external investigators formally designated to handle reports.
Accesa processes personal data strictly for the purpose of receiving, assessing, and investigating whistleblowing reports, and for ensuring compliance with Law no. 361/2022 on the protection of whistleblowers in the public interest and the General Data Protection Regulation (GDPR).
By submitting a report through the whistleblowing channel, whether in writing or by voice, you confirm that you have read and understood this privacy notice.
If you have any questions or wish to exercise your rights under data protection laws, you may contact us using the details provided in this privacy notice.
What Personal Data Do We Collect?
How We Collect Your Data
We collect personal data solely in connection with whistleblowing reports submitted through Accesa’s Whistleblowing Channel (Vispato). Collection occurs both directly and indirectly, as follows:
Direct Collection
Data provided by you (the whistleblower)
When submitting a report in writing or by voice, you may provide information such as your name, contact details, professional details, and any other information you decide to disclose. Reports may also be submitted anonymously, in which case no identifying data is collected.
Voice reporting
If you choose to submit a report by phone or voice message, the conversation may be recorded or transcribed, subject to your consent as required.
Indirect Collection
Data provided about others
Reports may include information about other persons (e.g. individuals alleged to have committed a breach, witnesses, or colleagues).
Supporting documents or evidence
Reports may contain attachments, documents, or other materials that include personal data.
Information collected during the investigation
The Whistleblowing Committee or designated investigators may collect additional data from internal systems, interviews, or third-party sources strictly necessary to assess and resolve the report.
If you submit information about third parties, you are responsible for ensuring that such information is provided truthfully and in good faith, in accordance with Law no. 361/2022.
Types of Personal Data We Process
Depending on your role in the whistleblowing process (whistleblower, person mentioned in a report, witness, or investigator), we may process the following categories of data:
Category | Data Collected from Whistleblowers | Data Collected about Other Persons (Subjects of Concern / Witnesses) | Data Collected during Investigation |
Identification Information | Name, surname (if disclosed), unique report ID, password for accessing the case | Name, surname, position, employer | Identity details as found in evidence or internal records |
Contact Details | Phone number, email address, or postal address (if provided by the whistleblower) | Contact details mentioned in the report (if any) | Contact information obtained through investigation, only if necessary |
Voice / Audio Data | Voice recordings or transcripts of oral reports (with consent) | N/A | Audio notes or transcriptions created during interviews |
Professional Details | Employer, role, contractual relationship, unit/department (if relevant to the report) | Employer, position, professional role | HR records, organizational charts, or contractual data needed for investigation |
Alleged Misconduct Information | Narrative description of the facts, context, supporting documents, evidence | Information concerning alleged breaches, involvement, or actions | Notes and reports from fact-finding activities, plausibility and investigation reports |
Sensitive Data | Only if included voluntarily and strictly relevant (e.g., health data, trade union membership) | Sensitive data may appear in connection with allegations (e.g., discrimination, harassment) | Processed only where legally required and proportionate to the investigation |
Communication Data | Messages exchanged via the whistleblowing platform with the Committee | Mentions in communications or evidence | Internal correspondence between investigators, responses to whistleblower |
Investigation Records | Report ID, timestamps of submission and follow-up | Notes of hearings or interviews, evidence logs | Final investigation report, Committee decisions, follow-up actions |
IT Security and Metadata | Log data: access date/time, IP address, device/browser metadata (collected by the platform for security purposes) | N/A | Technical security logs, if relevant for misuse prevention or fraud detection |
Other Relevant Data | Any other information voluntarily included by the whistleblower in the report | Any other information provided about persons involved in the case | Data collected from external advisors or authorities, where applicable |
Why We Need Your Data
We process personal data strictly to comply with our legal obligations under Law no. 361/2022 on the protection of whistleblowers in the public interest and to ensure that whistleblowing reports are properly assessed, investigated, and followed up.
The purposes include:
Purpose | Details on the Purpose | Legal Basis |
Receiving and registering reports | Collecting and documenting whistleblowing reports, whether submitted in writing, by voice, or anonymously. | Legal obligation (Art. 6(1)(c) GDPR; Law no. 361/2022, Art. 5–7) |
Assessing plausibility of reports | Reviewing whether the report meets legal requirements and contains sufficient information to proceed. | Legal obligation (Art. 6(1)(c) GDPR; Law no. 361/2022) |
Investigating reports and taking follow-up actions | Conducting investigations, gathering evidence, interviewing parties involved, and issuing decisions. | Legal obligation (Art. 6(1)(c) GDPR; Law no. 361/2022, Art. 10–14) |
Protecting whistleblowers | Ensuring anonymity, confidentiality, and protection against retaliation as required by law. | Legal obligation (Art. 6(1)(c) GDPR; Law no. 361/2022, Art. 8, 20–22) |
Communication with whistleblowers | Providing confirmation of receipt, updates on case progress, and outcome notifications via the platform. | Legal obligation (Art. 6(1)(c) GDPR; Law no. 361/2022, Art. 10(1)(b), (e)) |
Retention of reports | Maintaining records of reports for the statutory retention period (5 years), or longer if litigation is ongoing. | Legal obligation (Art. 6(1)(c) GDPR; Law no. 361/2022, Art. 7(2)) |
Voice recording of reports | Recording or transcribing voice reports, only where the whistleblower consents. | Consent (Art. 6(1)(a) GDPR; Law no. 361/2022, Art. 7(3)(a)) |
Consequences of not providing data:
For whistleblowers:
You may submit a report anonymously, in which case no identification data is collected. However, not providing certain information (e.g. factual details, evidence, or context) may prevent us from assessing the report or conducting a meaningful investigation.
For persons mentioned in reports:
Failure to cooperate during investigations (e.g. by refusing to provide relevant information) may affect the ability to clarify the facts and could have legal or disciplinary consequences.
We value the accuracy and reliability of the data provided. Reports must be made in good faith and contain sufficient details to allow proper investigation.
Using Third-Party Services and Tools
To effectively manage the whistleblowing process, we rely on specialized third-party services and tools. These services ensure that reports are collected, stored, and processed securely, in line with GDPR and Law no. 361/2022.
Type of Service | Purpose |
Whistleblowing Platform Provider | Vispato GmbH provides the technical platform for the secure submission, storage, and management of reports. Vispato acts as a data processor under a Data Processing Agreement, ensuring confidentiality and compliance with GDPR. |
Cloud Hosting and Ancillary Services | Reports and related data are hosted on secure servers located in Germany (ISO 27001 certified), with encryption applied both in transit and at rest. In addition, Vispato may rely on carefully selected sub-processors for ancillary services such as secure communication, case/contact management, and system resilience. All sub-processors are contractually bound to GDPR-compliant data protection standards. No transfers of whistleblowing data outside the EEA are foreseen. |
Productivity and Collaboration Tools | Limited internal use of company-provided email, document storage, and project management tools may occur for follow-up and investigation purposes, strictly on a need-to-know basis. |
External Advisors or Authorities | In specific cases, reports or parts of investigations may be shared with external legal advisors or competent authorities (e.g. National Integrity Agency, judicial authorities) where required by law. |
Why We Use These Tools
We use third-party services and tools exclusively to support a secure, transparent, and efficient whistleblowing process. Their use is necessary to:
Ensure secure and confidential reporting
Providing whistleblowers with encrypted communication channels and guaranteeing anonymity where chosen.
Facilitate efficient case management
Enabling the Whistleblowing Committee to receive, organize, and follow up on reports in a structured and timely manner.
Protect data integrity and security
Hosting and processing reports in certified, GDPR-compliant environments, ensuring confidentiality and access controls.
Support communication with whistleblowers
Allowing secure two-way communication, updates on case status, and clarifications during investigations.
In some cases, these tools may require limited categories of personal data (such as name, contact details, professional role, or case metadata) to operate securely.
Automated Decision and Profiling
We do not use automated decision-making or profiling in the processing of whistleblowing reports. All assessments and decisions are made by authorized members of the Whistleblowing Committee or designated investigators, ensuring that every case is subject to human review.
Who Do We Share Your Data With?
To handle whistleblowing reports in compliance with legal requirements, we may need to share personal data with a limited number of recipients. Data is shared only when strictly necessary, under confidentiality obligations, and in accordance with GDPR and Law no. 361/2022.
Category of Recipients | Purpose of Data Sharing |
Whistleblowing Committee (Risk & Compliance Lead, Internal Auditor, Head of Legal) | Reviewing, investigating, and deciding on whistleblowing cases. |
Designated Investigators (internal or external experts appointed by the Committee) | Conducting fact-finding and investigations, on a strict need-to-know basis. |
Vispato GmbH (platform provider) and its subprocessors | Providing the secure technical infrastructure for submitting and managing reports, under a Data Processing Agreement. |
External Professional Advisors (e.g. lawyers, auditors, consultants) | Assisting with investigations, litigation defense, or ensuring legal compliance. |
Competent Public Authorities (e.g. National Integrity Agency, law enforcement, courts) | Where disclosure is legally required in the context of investigations or legal proceedings. |
Other Authorized Recipients | Data sharing based on explicit legal requirements, ensuring confidentiality and proportionality. |
International Data Transfers (outside EEA)
At present, we do not transfer personal data outside the European Economic Area (EEA) in connection with the operation of the Whistleblowing Channel (Vispato).
All personal data is hosted and processed within the European Union, primarily in Germany, by Vispato’s sub-processors.
As a result, no international transfers outside the EEA are foreseen. Should this change in the future, we will ensure that any transfer is carried out in compliance with GDPR requirements and will update this Privacy Notice accordingly.
How Long Do We Keep Your Data?
We retain personal data only for as long as necessary to manage whistleblowing reports, comply with legal obligations, and protect the rights of whistleblowers and other parties involved. Retention periods are determined by applicable legal requirements.
Situation | Data Subjects Covered | Data Retention Period | Purpose of Retention |
Whistleblowing reports and related documentation | Whistleblowers (identified or anonymous), persons mentioned in reports, witnesses | 5 years from registration | Compliance with Art. 7(2) of Law no. 361/2022; enabling internal and external audits; ensuring follow-up actions |
Voice recordings or transcripts of reports | Whistleblowers, persons mentioned during oral reporting | 5 years from registration | Maintaining a complete and accurate record of the report, in line with legal requirements |
Investigation records (e.g. plausibility reports, investigation reports, Committee decisions) | Subjects of concerns, whistleblowers, witnesses, investigators | 5 years from registration | Documentation for compliance, accountability, and protection against retaliation claims |
Data involved in legal disputes or litigation | All categories of data subjects | Until final resolution of the dispute + up to 3 years thereafter | Defending or establishing Accesa’s legal rights |
Exercise of GDPR rights | Whistleblowers, subjects of concerns, witnesses | 3 years from registration | Demonstrating compliance with GDPR obligations |
Restricted data (at the request of the data subject) | All categories | For the duration of the restriction | Ensuring compliance with the right to restrict processing |
What Happens When the Retention Period Ends?
When the retention period ends, we securely delete or anonymize personal data in compliance with GDPR and national law, ensuring that it is no longer accessible or processed in a manner that affects the rights of data subjects.
How Do We Keep Your Data Safe?
We apply strict technical and organizational measures to safeguard personal data processed through the Whistleblowing Channel (Vispato).
Safeguard | Description |
Organizational Safeguards | Internal policies and procedures govern the handling of whistleblowing cases; confidentiality obligations for the Whistleblowing Committee and investigators; role-based access management ensures only designated persons access reports. |
Data Encryption | End-to-end encryption secures whistleblower submissions and communications; data is encrypted both in transit and at rest, making it unreadable to unauthorized parties. |
Access Controls | Multi-factor authentication (MFA) is used; strict access rights are assigned and reviewed periodically; access attempts are logged and monitored. |
Data Minimization | Only information strictly necessary for case handling is collected; irrelevant or excessive personal data is deleted without delay, in line with Art. 31(2) of Law no. 361/2022. |
Privacy by Design & Default | Platform configuration ensures anonymity and confidentiality by default; case segregation restricts access to those directly involved in the investigation. |
Employee Training | Members of the Whistleblowing Committee and investigators receive regular training on confidentiality, GDPR, and non-retaliation obligations. |
Incident Response | Procedures are in place to promptly detect, investigate, and mitigate potential data breaches; notifications to ANSPDCP and affected individuals are made in line with GDPR. |
Regular Assessments | Periodic audits, penetration tests, and reviews of sub-processors ensure resilience and compliance with data protection standards. |
Continuous Improvement | Security controls are continuously updated to reflect evolving threats and best practices, ensuring confidentiality, integrity, and availability of whistleblowing data. |
If you have any concerns regarding the security of your personal data or suspect unauthorized access or disclosure, please contact us using the details provided in the “Contact Us” section of this Privacy Notice.
Your Privacy Rights
We are committed to transparency in handling your personal data and ensuring that you can exercise your rights under the GDPR. Please note that, in certain cases, the exercise of these rights may be limited or deferred if their immediate application would compromise the confidentiality of investigations or the protection of whistleblowers.
Right | Description |
Right to Be Informed | You have the right to know how your personal data is collected and processed, the purposes for processing, who has access to it, and how long it will be kept. |
Right to Access Your Data | You may request confirmation whether we process your personal data and obtain a copy. Access may be restricted if disclosure would reveal the identity of a whistleblower or compromise the investigation. |
Right to Rectify Your Data | You may request correction of inaccurate or incomplete data. |
Right to Erasure (Right to Be Forgotten) | You may request deletion of your personal data when it is no longer necessary for the purposes collected, unless retention is required by Law no. 361/2022 (5-year period) or for ongoing legal proceedings. |
Right to Restrict Processing | You may request restriction of processing in certain circumstances (e.g. while accuracy is contested). During restriction, data will only be stored and used to defend legal rights. |
Right to Object | If data is processed on grounds other than legal obligation (e.g. with your consent for voice recording), you may object at any time. |
Right to Withdraw Consent | If processing is based on your consent (e.g. recording of a voice report), you may withdraw consent at any time, until the recording is started and submitted for reporting. |
Right to Data Portability | Not generally applicable to whistleblowing. However, if consent-based processing applies, you may request transfer of your data in a structured, machine-readable format. |
Right Not to Be Subject to Automated Decision-Making | No decisions regarding whistleblowing cases are made solely by automated means. All decisions are reviewed and taken by human investigators. |
Right to Lodge a Complaint | You may lodge a complaint with the Romanian Supervisory Authority (ANSPDCP) via https://www.dataprotection.ro/ or directly with the competent courts. |
To exercise any of your rights, please contact our Data Protection Officer (DPO) at [insert email] or by mail to our head office. We will respond to your request as soon as possible and no later than three months from receipt, in line with GDPR and Law no. 361/2022.
Limitations or Exceptions to Your Rights
While we respect your rights under GDPR, there are situations where certain requests cannot be fulfilled immediately or in full. These limitations are necessary to comply with Law no. 361/2022 and to protect the integrity of investigations and the confidentiality of whistleblowers.
Right | Possible Limitation | Reason |
Right to Access | Access may be delayed or restricted. | To avoid disclosing the identity of a whistleblower or witnesses, or to prevent compromising the investigation. |
Right to Erasure | Erasure may not be possible within the statutory retention period (5 years). | Legal obligation to retain whistleblowing records (Law no. 361/2022, Art. 7). |
Right to Rectification | Rectification may be limited for investigation records. | To preserve the integrity of evidence and official records. |
Right to Restrict Processing | Restriction may not apply to core investigation data. | Processing may still be required to comply with legal obligations or defend legal rights. |
Right to Data Portability | Not applicable in most cases. | Whistleblowing data is not processed based on contract or standard consent and cannot be transferred between controllers. |
If we cannot comply with your request, we will provide a clear explanation of the reasons and inform you of your right to lodge a complaint with the supervisory authority (ANSPDCP) or seek judicial remedy.
Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in legal requirements, regulatory guidance, or the way we operate the Whistleblowing Channel (Vispato).
The latest version will always be made available directly within the whistleblowing platform, so that reporters and other affected individuals can review it before submitting or accessing a report.
Explanation of the Technical Terms Used in this Privacy Notice
To help you better understand the terms we use in this Privacy Notice, here are some definitions of key legal and technical terms. If you have any questions or need further clarification, please feel free to contact us. Your understanding of your rights and our practices is important to us.
Personal Data | Any information about you, such as your name, email, or any other information that can be used to directly or indirectly identify you as an individual. |
Data Subject | An individual whose personal data is being processed. |
Data Subject Rights | Your rights under data protection laws, such as your right to access, correct, delete, or restrict the use of your data. |
Data Controller | This is our Company, and we are responsible for determining how and why data is processed and we ensure compliance with data protection laws. |
Data Processor | This is an external entity that helps us manage your personal data based on our instructions. They do not decide how or why your data is processed but follow our guidelines to ensure it is handled securely and properly. |
Data Processing | Any action we take with your personal data, including collecting, storing, organizing, using, sharing, or deleting it. |
Data Processed | The specific personal data that we collect, use, or otherwise handle as described in this Privacy Policy. |
Purposes | The specific reasons we process your personal data, which are explained in this Privacy Policy or provided to you when obtaining your consent. |
Legal Basis | The lawful justification (permission) we have for processing your personal data, ensuring that our actions comply with data protection laws. |
Consent | Your voluntary and informed acceptance for us to process your data for specific purposes. You give this voluntarily and may withdraw it at any time. |
Legitimate Interest | One of the legal bases (permissions) for processing your data that is based on our need to operate effectively and efficiently without infringing on your rights or interests. |
Legal Obligation | A legal requirement that enables us to process your personal data to comply with applicable laws, regulations, or legal mandates. |
Data Minimisation | The practice of collecting only the data that is strictly necessary for the specified purposes, minimising the amount of personal data collected and used. |
Privacy by Design and Default | An approach that ensures the protection of your personal data is integrated into the design and operation of our recruitment processes and systems from the outset and throughout their entire lifecycle. |
Profiling | Automated processing of your data to analyse or predict aspects of your behaviour, preferences, or interests. It helps us personalise your experience, assess risks, or conduct analytics. |
Automated Decision-Making | Decisions made solely by machines or automated systems, without human involvement, which may impact your rights and freedoms. |
International Data Transfers | Moving or sharing your personal data to various third parties in countries outside the European Economic Area (EEA), which may have different data protection rules. We use safeguards to ensure your data remains protected. |
Adequacy Decisions | Official decisions by the European Commission indicating that certain countries outside the EEA provide an adequate level of data protection, allowing for data transfers without additional safeguards. |
Standard Contractual Clauses | Legally binding agreements established to ensure data protection when personal data is transferred outside the EEA to entities that may not have equivalent data protection laws. |
Cookies | Small files stored on your device that help us improve your web experience, track preferences, and analyse user behaviour. |
Retention of Your Data | The period during which we use or keep your personal data, based on legal requirements and business needs. |
Data Protection Officer (DPO) | The internally appointed person responsible for overseeing data protection compliance within our organisation and acting as a single point of contact for data-related inquiries from the Supervisory Authority and data subjects. |
Security Measures | Proactive actions and safeguards that we take to protect your data from unauthorised access, disclosure, changes, loss, or destruction. |
Access Controls | Mechanisms and policies put in place that limit who can access your personal data, ensuring that only authorised individuals have access. |
Data Encryption | A method of converting your data into a coded format to protect it from unauthorised access during transmission and storage. |
