Reportee – Privacy Notice

Reportee is an internal whistleblowing reporting system operated by Red Raccoon Digital Ltd. (hereinafter: Red Raccoon Digital, data controller, our company, or we) on behalf of its clients. It is important to note that Red Raccoon Digital does not qualify as a data controller in relation to the reports; our clients who are required by law to operate an internal whistleblowing reporting system are the data controllers for these reports. Therefore, regarding the submission of reports and the processing, storage, and transfer of personal data related to the reports, our clients' privacy notices, and not this privacy notice, shall apply. In relation to the reports, Red Raccoon Digital qualifies as a data controller. Our clients' privacy notices related to the reports can be found on the reporting interfaces and on the pages for making reports.

This privacy notice applies to data processing where our company acts as a data controller in the promotion of its services, the conclusion and performance of its contracts, and in its communication with its clients.

In our data processing practices, we comply with the provisions of the General Data Protection Regulation (GDPR) of the European Parliament and the Council (EU) 2016/679. We process personal data solely for the purposes specified in this notice and only to the extent and for the duration necessary to achieve those purposes. No decision-making or profiling based on automated data processing takes place during the data processing.

1. What types of data processing does Red Raccoon Digital carry out, and what are their purposes and legal bases?

Individual Data Processing Activities

When we provide services to our clients, we often process personal data in our capacity as a data controller. For example:

• When we want to promote Reportee, expand our client base, and therefore initiate contact with potential or former Reportee clients via email, phone, or social media platforms (such as LinkedIn, Facebook, Instagram, etc.). In such cases, we may send information related to Reportee or notify potential clients about various events (e.g., webinars on Reportee and whistleblowing systems). The purpose of data processing in these cases is to send direct marketing communications to the target audience of the business, provided the data subject does not object to the data processing. When we process personal data for such purposes, we rely on our legitimate interest (Article 6(1)(f) of the GDPR). Our legitimate interest lies in expanding our client base (see Recital 47 of the GDPR). For these purposes, we may also use publicly available data (e.g., email addresses found in company registry data or business-related databases) where it can be presumed that such data contains the business contact information of the data subject, who could reasonably expect similar inquiries at these contact points. Furthermore, we may contact our former clients or clients who have used our services on a trial basis at their business contact details available to us. Of course, we provide the option to object, so if the data subject informs us that they do not wish to receive direct marketing communications from us, we will delete their data and will no longer use it for this purpose.
• When clients, potential clients, or whistleblowers contact us through the website www.reportee.com or via various social media channels for any purpose, such as inquiring about Reportee. In such cases, the purpose of data processing is to provide an appropriate response to the specific inquiry or to provide assistance related to our services. Depending on the circumstances, the legal basis for data processing may be the data subject's consent (Article 6(1)(a) of the GDPR), "taking steps at the request of the data subject prior to entering into a contract" (Article 6(1)(b) of the GDPR), or our legitimate interest (Article 6(1)(f) of the GDPR), for example, if the potential client is not a natural person, or in case of claims or complaints. Our legitimate interest in this case lies in being able to enter into contracts with as many clients as possible regarding the use of Reportee, and, depending on the nature of the inquiry, in being able to handle the inquiry, provide assistance, and properly manage complaints.
• When we send newsletters or direct marketing communications to interested parties and clients who have given their consent. The purpose of data processing is to promote Reportee, provide information, and maintain contact with interested parties and potential clients. The legal basis for data processing is the consent of the data subject (Article 6(1)(a) of the GDPR).
• When potential clients request quotes from us for the use of Reportee or when we discuss the details of the contract or its performance before entering into a contract. The purpose of data processing is to provide offers that encourage contract formation to potential clients and to facilitate the conclusion of contracts. If the potential client is a natural person or a sole trader, the legal basis for data processing is "taking steps at the request of the data subject prior to entering into a contract" (Article 6(1)(b) of the GDPR). If the potential client is not a natural person, the legal basis for data processing is our legitimate interest (Article 6(1)(f) of the GDPR). Our legitimate interest lies in being able to enter into contracts for the use of Reportee with as many clients as possible and, to this end, to discuss the necessary details with potential clients through communication with the natural person acting on their behalf.
• When we enter into, amend, extend, or terminate contracts with our clients and keep contracts (modifications, termination documents) in our internal records. Contracts may contain personal data, such as the names, positions, email addresses, and phone numbers of contact persons, as well as the names, positions, and signatures of representatives. In connection with the contracts, we may also receive and store signature specimens or authorization documents that typically contain additional personal data used to identify the signing individuals. The purpose of data processing is to conclude, amend, or terminate our contracts, to administer and retain them for future verification and control purposes, and to verify the entitlement to conclude contracts when making legal declarations. For natural person clients, the legal basis for data processing is the conclusion and performance of the contract (Article 6(1)(b) of the GDPR). If the client is not a natural person, the legal basis for data processing is our legitimate interest (Article 6(1)(f) of the GDPR). Our legitimate interest lies in entering into written or legally equivalent contracts with our clients as required by applicable laws and storing these contracts to have the necessary documentation available to substantiate the use of our services and to invoice our clients for our services.
• When we perform services and communicate with our clients or their contact persons regarding the terms of performance, specific requests, developments, services, invoicing, etc. The purpose of data processing is to ensure smooth and efficient communication between contractual contact persons during contractual relationships. To achieve this, we need to know and store the contact details (name, email address, and phone number) of contact persons in our systems (both in paper and electronic formats). The legal basis for data processing for natural person clients and sole trader clients is the performance of the contract (Article 6(1)(b) of the GDPR). If the client is not a natural person, the legal basis for data processing related to the handling of contact persons' data is our legitimate interest (Article 6(1)(f) of the GDPR). Our legitimate interest lies in being able to discuss specific issues related to the service, invoice our service fees, and address administrative matters through communication between contact persons as necessary for the performance of the contract.
• When we send information to our clients about our services (e.g., features, updates) or request feedback regarding our services. The legal basis for data processing for natural person clients and sole trader clients is the performance of the contract (Article 6(1)(b) of the GDPR). If our client is not a natural person, the legal basis for data processing related to handling the contact persons' data is our legitimate interest (Article 6(1)(f) of the GDPR). Our legitimate interest lies in communicating the necessary information about the services used for our clients and requesting feedback about our services to improve them.
• When we invoice our service fees. For invoicing, in the case of natural person clients and sole trader clients, we need to know and handle the natural person's name, address, tax identification number, and tax number. In the case of clients who are not natural persons, invoices do not contain personal data; however, the personal data we handle in connection with invoicing are limited to the contact details used to send the invoice and communicate about the invoice (contact person's name, email address, phone number). The purpose of data processing is to enforce the service fees according to the contracts and to send the invoice to the client, and if necessary, to arrange any invoicing-related matters. The legal basis for data processing, in the case of natural person clients, is the performance of the contract (Article 6(1)(b) of the GDPR). If our client is not a natural person, the legal basis for data processing related to the handling of contact persons' data is our legitimate interest (Article 6(1)(f) of the GDPR). Our legitimate interest lies in invoicing the fees according to the contract, sending the invoices to our clients, and communicating about invoicing through the clients' contact persons.
• When we fulfil our legal obligations to retain accounting documents. We are required to keep accounting documents for 8 years following their issuance, according to Sections 168-169 of Act C of 2000 on Accounting. This includes, for example, invoices issued by our company and contracts concluded. The purpose of data processing is the lawful storage of accounting documents and the performance of accounting tasks. The legal basis for data processing is the fulfilment of legal obligations imposed on our company (Article 6(1)(c) of the GDPR).
• When we enforce our claims, assert legal claims, or defend against such claims. During this process, we handle the names and contact details of our clients and their contact persons, as well as the data of individuals authorized to represent our clients. For natural person clients or sole traders, we handle the natural person's name, address, tax identification number, and tax number. The purpose of our data processing is to enforce our claims (e.g., sending payment reminders, warning letters via electronic and postal channels, initiating payment order procedures or other legal proceedings, starting lawsuits, defending ourselves in such proceedings initiated against our company, and forwarding the necessary data for legal representation and advice purposes, e.g., to lawyers, notaries, or courts). The legal basis for our data processing is our legitimate interest (Article 6(1)(f) of the GDPR). Our legitimate interest lies in enforcing our claims under the contract and defending against claims made against us.
• When selecting prospective employees. During the recruitment and selection process, we handle various personal data of job applicants (e.g., CV, name, address, place and date of birth, contact details, information on previous work experience, information on qualifications and education, salary expectations, photo — if included in the CV, and contact details such as email address and phone number). The purpose of data processing is to select the most suitable candidate for the position, conduct online or in-person interviews, and maintain contact with the applicant. We may also check publicly available, relevant data of the applicant (e.g., relevant public information from LinkedIn, Facebook accounts). The legal basis for our data processing is processing necessary for preparing the conclusion of a contract (Article 6(1)(b) of the GDPR).
• When visitors use our website (cookie management). The www.reportee.com website — depending on the visitor's consent — places cookies (small text data files) on the visitor's computer or mobile device. With the help of cookies, our website will remember the user’s device when our web server and the internet browser interact. The main purpose of cookies is to offer a user-specific website to the visitor and provide a more personalized experience tailored to the visitor's needs when they visit and use the website. Cookies also help our website remember settings, such as the visitor's acceptance of cookies. Some cookies are essential for the functioning of the website and are installed without the visitor’s consent. All other cookies used by our website require the user’s consent.

Session cookies are deleted after the browser is closed. In contrast, persistent cookies are those saved on the user's computer that are not automatically deleted when the user's browser is closed. The website uses persistent cookies to recognize the user on their next visit.

The user can enable or disable the use of cookies by changing the settings in their internet browser. Do Not Track options are available in most browsers, such as:

• Firefox 
• Chrome 
• Safari 
• Opera

Please note that if you completely disable the use of cookies, some functions of our website may be limited or may not work at all.

You can read about the names, providers, purposes, and expiration dates of individual cookies in the detailed list displayed in the cookie banner. You can also give your consent or set your preferences for cookie management there.

Application of Legitimate Interest as a Legal Basis

When the data controller intends to rely on legitimate interests in the course of data processing, the GDPR requires the data controller to identify both its own and the data subjects' interests and fundamental rights. The controller must also thoroughly assess the necessity and proportionality of the data processing. The outcome of this balancing test should determine whether the controller's interests override the rights and freedoms of the data subjects. In accordance with this, we have considered the interests identified above on the Red Raccoon Digital website and identified the data subjects' fundamental rights for the protection of their personal data, particularly their right to the confidential handling of personal data such as their name and contact information during the data processing activities described above. We evaluated the necessity and proportionality of the data processing and assessed whether we have access to less restrictive means to achieve the objectives of the data processing. We took into account that the contact persons of our non-natural person clients, who contract with us, always provide workplace, business-related contact information for the purpose of fulfilling the contract. Therefore, the impact of data processing (e.g., business communication) on their privacy is insignificant. We also considered that the data processing activities described above do not come as a surprise to the data subjects. Moreover, we use only existing, business-relevant contact information for marketing purposes or obtain data from public sources that are business-related. Therefore, the data subjects can reasonably expect to receive communications of a similar nature from our company. There are no alternative solutions for communication in the context of contract fulfilment, nor are there any alternative solutions for marketing communications that would allow our company to achieve its goals. Our assessment concluded that the data processing activities are necessary, proportionate, and suitable for achieving the specified purposes; therefore, the data processing is permissible.

2. Who is affected by data processing?

Individuals affected by our company’s data processing include natural persons with whom we have contracts, contact persons of non-natural persons (such as employees or workers of our clients), representatives and executives of our clients, individuals interested in Reportee, individuals subscribed to our newsletters, potential clients and their contact persons, individuals applying for open positions at our company, and visitors to our company’s website.

3. What are the categories of personal data processed by Red Raccoon Digital as a data controller?

In our data processing activities, we typically handle the name and contact information (such as email and phone number) of our clients’ or potential clients’ contact persons. These are usually "business" contact details provided by the organization employing the individual.

We also process the personal data of our clients' executives, which are included in the contracts we enter into, as well as in company extracts or other official records, such as authorizations, signature specimens, and signature samples.

In the case of individual or sole proprietor clients, we process the client's name, address, tax identification number/tax number, and their contact details (email and phone number).

During recruitment and selection, we handle the personal data of applicants as listed above.

4. How long do we store the data?

In accordance with the principle of limited data retention, we process personal data only for as long as necessary to achieve the specified data processing purposes.

Documentation related to the preparation and conclusion of our contracts (including offers sent to potential clients) and any relevant communication regarding the provision of services, as well as documentation related to complaint management, is retained for 5 years after the termination of the contract, in line with the civil law statute of limitations.

In cases of debt recovery, claim enforcement, or legal disputes, personal data necessary to support our claims or protect our rights will be retained for 5 years following full settlement of the claim or the final resolution of the legal dispute.

Accounting documents (such as invoices and contracts) are kept for 8 years, as required by accounting regulations.

For data processing related to direct marketing (e.g., communications, notifications), personal data will be retained as long as the specific data remains relevant or until the data subject objects, whichever occurs earlier.

When personal data is processed based on the data subject’s consent, it is retained until the purpose of the data processing is achieved or until  consent is withdrawn, whichever comes first.

Data related to recruitment and selection is processed until the position is filled (up to 3 months following the decision on the position). Applicants may give consent for their data to be retained beyond the closing of the position to be informed of future job opportunities. In such cases, the data is retained and used for recruitment purposes for up to one year after the position is filled, based on the applicant’s consent.

If a potential claim or legal dispute arises regarding the applicant's job application (e.g., regarding equal treatment), the personal data will be retained within the statute of limitations or claim enforcement period (e.g., one year for initiating proceedings related to equal treatment violations by applicants). In this case, the legal basis for data processing will be our company’s legitimate interest. The data processing will be restricted, meaning the personal data cannot be used for recruitment or selection purposes, and access to the data will be limited.

5. What are the sources of personal data, and what are the consequences of not providing them?

In most cases, personal data is provided directly by the data subjects to our company. However, we may also obtain data from our clients or the employees of prospective clients. As previously mentioned, we may acquire the contact details of potential clients from public sources, and we may also obtain data on the executive officers of our prospective or current clients from public sources, such as company registries.

Providing data is a requirement for contract conclusion only in the following cases: for individual clients or sole proprietors, personal data necessary for contract conclusion, as well as the personal data of our clients’ executives and representatives that must be included in the contract.

Other personal data is not a prerequisite for contract conclusion, but failure to provide contact details could hinder the performance of the contract and, in some cases, may even lead to termination of the contract.

In other data processing activities, the absence of personal data may have specific consequences depending on the processing. For example, the individual may not receive newsletters, offers, notifications, or other information from our company, and we may be unable to assess their professional suitability during a job application process.

6. To whom do we transfer personal data?

We handle personal data securely, ensuring that only our authorized employees, who are fulfilling their duties, and subcontractors (data processors) bound by confidentiality obligations have access to the data.

To ensure our technical operations, we employ data processors, such as those providing hosting services. These processors cannot make any substantive decisions regarding data processing, may only process personal data according to our instructions, and cannot process data for their own purposes. They are required to store and retain personal data according to our guidelines. We have entered into data processing agreements with our data processors in accordance with Article 28 of the GDPR.

We may transfer personal data to our contractual partners, but only for the purpose of fulfilling a contract with the data subject or their employer (in the latter case, based on our legitimate interest). Additionally, if necessary, for example, in the context of a legal dispute or for financial and accounting assessments related to a business transaction, we may transfer personal data to service providers such as lawyers, auditors, or financial advisors. These service providers are subject to professional or contractual confidentiality obligations.

If our clients are interested in legal advice, whistleblowing legal services, or other related services, we may transfer the personal data (name and contact details) of clients or contact persons to a relevant service provider who has been pre-agreed with the client.

Personal data may also be transferred to third parties in the event that our company intends to sell shares or assets. If a third party seeks to acquire our company or its assets in total, the personal data we store regarding the data subjects may be transferred as part of the transaction, based on our legitimate interest. In such cases, we conduct a legitimate interest assessment prior to the transfer.

Our company does not transfer personal data to third countries (non-EEA countries).

7. How can you contact us?

Name: Red Raccoon Digital Kft. (Data Controller)

Address: 1027 Budapest, Bem József utca 6. ground floor

Email: hello@reportee.com

8. What rights do data subjects have under the GDPR?

The data subject may request the following from Red Raccoon Digital:

• Access to personal data (Article 15 GDPR): The data subject has the right to be informed if their personal data is being processed, to access the processed personal data, and to receive a copy. They are also entitled to receive information on matters relevant to data protection (e.g., categories of recipients, storage duration, guarantees of transfer to third countries, etc.).
• Rectification of personal data (Article 16 GDPR): The data subject may request correction of incorrect data or completion of incomplete data.
• Erasure of personal data (Article 17 GDPR): The data subject may request the deletion of their personal data under certain conditions.
• Restriction of processing (Article 18 GDPR): The data subject may request that their data processing be limited in specific cases.
• Withdrawal of consent: In cases where data processing is based on consent, the data subject may withdraw their consent at any time. However, this does not affect the lawfulness of processing carried out before the withdrawal.
• Objection to data processing (Article 21 GDPR): The data subject may object to the processing of their personal data based on legitimate interest or for direct marketing purposes, at any time, based on their personal situation.
• Submission of requests: To exercise these rights, the data subject can contact us via the contact details provided in this notice (hello@reportee.com). We will respond to the request as soon as possible, but no later than 30 days, informing them of the actions taken or the reasons for any refusal.
• Right to lodge a complaint: The data subject has the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) (Address: 1055 Budapest, Falk Miksa utca 9-11.; Website: www.naih.hu; Email: ugyfelszolgalat@naih.hu; Phone: +36-1-391-1400). Before submitting a complaint to the authority, we recommend that you first contact us at hello@reportee.com to give us the opportunity to address and resolve the issue.
• Right to judicial remedy: If the data subject believes their rights have been violated, they may take the matter to court. The competent court is the district court. The data subject may choose to bring the case before the court with jurisdiction over their place of residence.

‍