FaceUp Technology s.r.o., company ID No.: 061 42 630, with its registered office at Udolni 567/33, 602 00 Brno, Czech Republic registered with the Commercial Register kept by the Regional Court in Brno, Section C, Insert 100325 (hereinafter referred to as "FaceUp" or "we"), in its capacity as a controller or processor of personal data in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data (hereinafter referred to as "GDPR"), informs all its clients and business partners, who are natural persons, or employees of its clients and business partners, or job applicants or visitors to the FaceUp website, as well as users of the FaceUp whistleblowing system (www.faceup.com) (hereinafter referred to as "Data Subjects" or "you"), about the processing of their personal data.
This privacy policy (hereinafter referred to as the "Policy") sets out the basis on which we will process any personal data that we obtain from you or that you provide to us if it meets the specific requirements set out below.
The data controller may be FaceUp, your organization (company, employer, etc.) or your school or other similar establishment from which you received the access code to submit the report or to which the report relates (hereinafter referred to as the "Controller"), as the case may be.
Where the data controller is your organization or your school or other similar establishment from which you have received the access code to submit the report or to which the report relates, FaceUp is the processor of your personal data.
Contact Details of FaceUp:
Please read the following carefully to understand our practices regarding your personal data and how we will handle it.
We take a clear approach to explaining our data protection practices as recommended by supervisory authorities. This means that we strive to provide you with only relevant information on privacy protection regarding your use of FaceUp's services and the www.faceup.com website, and we use this simple Policy to do so. If you have any feedback or questions, please do not hesitate to reach out to us.
Data Processed about You by Us
It is important to us that you know what personal data we process about you, how and for what purposes we use it, in order for us to operate more efficiently in providing you with professional information on data protection and to enable you to obtain essential information on data protection.
We may collect and process data about you when you are about to use or are already using our services, specifically when you enter into a contract with us or otherwise communicate with us or visit our website. However, when you submit a report via the FaceUp platform (www.report.faceup.com), we do not collect any personal data from you unless you voluntarily provide such data to us. However, provision of any personal data of yours is not a precondition for submitting a report. We do not collect personal data from you even in the course of your work at the user interface of administration (www.admin.faceup.com) unless you voluntarily provide such data to us.
We obtain your personal data from several sources. The primary source of your personal data is you personally or your company or the company you represent (e.g. when we enter into a contract with you and you personally or the company you represent provide us with your identification data or payment data for this purpose). In addition, we may also obtain your personal data for the above purposes from publicly available sources such as public lists, registers and indexes (e.g. commercial register or trade register) or it may be provided to us by third parties and/or through the report submitted by you if you voluntarily provide such data to us in accordance with this Policy and the document Information about Personal Data Processing in Connection with Report.
You may provide us with some of this information by communicating with us, e.g. by telephone, email or otherwise. We also collect some of these automatically, for example by using cookies when you visit our website.
Any information is provided on a voluntary basis except where otherwise stated (legal obligation to provide data).
These situations mainly include:
Data Subject | Categories of Personal Data | Role of FaceUp |
Whistleblower – an individual who submits a report concerning a registered organization or company | We do not collect any personal data unless the whistleblower voluntarily provides such data to us – typical examples are identifying information (e.g. name, surname and, if applicable, other identifying information), as well as personal data provided as part of the submitted report, as the case may be | Processor |
Whistleblower – an individual who submits a report in relation to attendance at an educational establishment registered with FaceUp | We do not collect any personal data unless the whistleblower voluntarily provides such data to us – typical examples are identifying information (e.g. name, surname and, if applicable, other identifying information), as well as personal data provided as part of the submitted report, as the case may be | Processor |
Whistleblower – an individual who submits a report in relation to attendance at an educational establishment not registered with FaceUp | We do not collect any personal data unless the whistleblower voluntarily provides such data to us – typical examples are identifying information (e.g. name, surname and, if applicable, other identifying information), as well as personal data provided as part of the submitted report, as the case may be | Controller |
Business partners – natural persons | Identifying information (e.g. name, surname, date of birth or personal identification number /if necessary/, permanent residence or residence or registered office, company ID No., VAT number); Contact details (e.g. mailing address, email address, telephone number); Billing and payment details (e.g. account number and bank details); Business details; Data obtained from mutual communication | Controller |
Employees, board members, or other users of the FaceUp app, or associated persons with whom FaceUp has an agreement | Identifying information (e.g. name, surname, date of birth, permanent residence or residence or registered office); Contact details (e.g. mailing address, email address, login to the FaceUp platform, telephone number); Information about the employer or relationship with a client or business partner; Data obtained from mutual communication | Processor and controller |
Users of FaceUp administration (relevant persons and their representatives or account administrators within FaceUp administration) | Identifying information (e.g. name, surname, date of birth, permanent residence or residence or registered office); Contact details (e.g. mailing address, email address, login to the FaceUp platform, telephone number); Information about the employer or relationship with a client or business partner; Data obtained from mutual communication | Processor |
Website visitors | We collect personal data during a visit to the website only in the course of common website browsing for marketing purposes, not in connection with the use of our services at the web interface www.report.faceup.com and/or www.admin.faceup.com - typical examples are data on: Cookies (see more in the Cookie Policy); IP address; Browser, information system and resolution data. These data are not collected in the course of use of our services. | Controller |
Website visitors using the chat | Email address; Name and surname (if provided or if it appears in the e-mail address); Data obtained from mutual communication | Controller |
Subscribers to the newsletter, e-book, etc. | Email address; Name and surname (if provided or if it appears in the e-mail address); Phone number; Identification of your organization; Data obtained from mutual communication | Controller |
This is especially the case when:
i. it is necessary for the performance of a contract (e.g. provision of whistleblowing system services, employment contract, cooperation agreement or other contract) to which you or a company or other legal entity to which you have a relationship are a party or for the performance of a pre-contractual measure (e.g. a selection procedure with job applicants or negotiations with potential clients and partners) (Section 6(1)(b) of the GDPR), or
ii. we are required to do so by applicable law (e.g. labor legislation, tax legislation) (Section 6(1)(c) of the GDPR), or
iii. you have given us your consent (e.g. email address for sending marketing communications), where you can withdraw your consent at any time (Section 6(1)(a) of the GDPR or Section 9(2)(a) of the GDPR), or
If you have given us your consent to the processing of your personal data, you have the right to withdraw this consent at any time, by post to our registered office or by email to info@faceup.com.
iv. the processing is necessary for the protection of the vital interests of the Data Subject or of another individual (Section 6(1)(d) of the GDPR) or the processing is necessary for the protection of the vital interests of the Data Subject or of another individual where the Data Subject lacks the physical or legal capacity to give consent (Section 9(2)(c) of the GDPR), or
v. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (e.g. in the case of the obligation to inform legal representatives of a child in the event of suspected bullying at school) (Section 6(1)(e) of the GDPR) or the processing is necessary for reasons of substantial public interest based on Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides suitable and specific safeguards for the protection of the fundamental rights and interests of the Data Subject (Section 9(2)(g) of the GDPR), or
vi. it is our legitimate interest to do so in the interest of improving the quality of our services provided to you, in connection with the follow-up information on news regarding FaceUp to our clients or, for example, to protect the network against harmful practices (Section 6(1)(f) of the GDPR).
We respect the principle of data minimization by storing only personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Use of Information
In particular, we use the information we collect about you to provide you with our services, to fulfil our contractual obligations to you or our business or other partners, to comply with our legal obligations, to notify you of changes to our services and/or to improve our services.
We use your personal data for the purposes for which we collected it.
We also use your selected data (email address) for direct marketing purposes. These activities include, in particular, the use of your email addresses for the purpose of sending you our newsletters if you have consented to such newsletters. You can quickly and easily stop receiving these marketing communications at any time by using the unsubscribe link included in each newsletter. You can also inform us at the email address below.
The processing of your personal data does not involve any decision-making based solely on automated processing, including profiling, which would have legal effects on you or would significantly affect you in a similar way.
Disclosing Your Information
We will not disclose your personal data to anyone except as described in this Policy.
Where FaceUp is the processor of personal data, it discloses personal data of Data Subjects, or provides access to personal data of Data Subjects, to organizations with which the whistleblower has a relationship, as well as to school establishments of which the whistleblower concerned is a student. FaceUp may also disclose your personal data in its promotional materials if agreed in advance with the Data Subject.
Recipients or categories of recipient of Personal Data
The recipients of your personal data may include:
We ensure the highest possible standard of security of your personal data. However, if it is necessary for the performance of the contractual relationship or for the normal operation of FaceUp, we may, in exceptional cases, share your personal data to the necessary extent with FaceUp's contractual partners (e.g. IT services, attorneys etc.). As a prerequisite for such sharing of your personal data, you must always enter into a data processing agreement with each such FaceUp contractual partner that guarantees the highest standard of protection for your personal data.
If required by law or our legitimate interests, we may, in very exceptional cases, transfer your personal data to state authorities (in particular law enforcement authorities, courts and tax authorities) to the necessary extent, but always in accordance with the law and only if the law imposes such an obligation on us or if it is necessary to protect our legitimate interests.
Personal Data of Third Parties
Personal data of third parties, which means personal data of employees and partners or associates of clients or business partners of FaceUp and other individuals involved in cooperation with FaceUp, or other data that FaceUp receives from a client or business partner in connection with the conclusion or performance of a contract, will be processed in accordance with applicable data protection legislation.
FaceUp uses personal data for the purpose of performance of contracts with clients or suppliers. FaceUp will process the personal data of third parties for the duration of the contractual relationship and for the period provided for by special legislation, if any. They will be stored for a longer period if there is a justified need to store the data in relation to a specific case.
Data Protection
We ensure adequate procedures are in place to prevent unauthorized access to and misuse of personal data.
We use necessary and appropriate systems and procedures to protect and secure the personal information you provide to us. We also employ security procedures and technical and physical restrictions on access to and use of personal information on our servers. Only authorized personnel who work with the data have access to personal data.
The security of your data is our top priority and we use the following technical measures:
Period for Which Personal Data Are Stored
When handling your personal data for specific purposes, we respect the principle of storage limitation, whereby we keep your personal data only for the necessary period of time, usually five (5) years from the date of the submission of the report.
FaceUp processes the personal data of third parties for the duration of the legal basis for processing and for the period provided for by special legislation, if any. They will be stored for a longer period if there is a justified need to store the data in relation to a specific case.
We store your personal data for the duration of our contractual relationship for the purpose of exercising the rights and obligations arising from it, and after its termination for other necessary purposes, such as compliance with our legal obligations, contractual obligations, dispute resolution and legal enforcement of legitimate claims or for the purposes of possible administrative proceedings. These needs vary depending on the specific reason for storage, and therefore the period of storage for different types of your personal data varies significantly in specific cases and can be up to 5 years from the end of the contractual relationship, except in cases of longer storage required by law (e.g. payroll records).
In exceptional cases, for example in the course of litigation, certain documents containing your personal data may be stored for a longer period of time in order to protect our legitimate interests. This is particularly the case when we would have to submit these documents as evidence in litigation, in administrative proceedings or for the enforcement of a decision.
Your Rights
As a data subject, you have rights under the law in relation to the processing of your personal data, which you can exercise at any time. These are the right (i) of access to personal data, (ii) to rectification and completion of inaccurate and incomplete personal data, (iii) to erasure of personal data (the so-called "right to be forgotten"), (iv) to restriction of processing of personal data, (v) to data portability and (vi) to object.
Please also note that if you have given us your consent to the processing of your personal data, you have the right to withdraw this consent at any time, by post to our registered office or by email to info@faceup.com.
We would also like to draw your attention to the possibility of lodging a complaint with the relevant supervisory authority for personal data protection, which is in the Czech Republic the Office for Personal Data Protection, based at: Pplk. Sochora 727/27, 170 00 Prague 7 – Holešovice, email: posta@uoou.cz, if you believe that the processing of your personal data violates a legal regulation or your rights.
If you wish to exercise any of your rights, please contact us by email: info@faceup.com or by post at our registered office.
Please note that due to the specific nature of activities of FaceUp (in particular, the provision of services under the Whistleblowing Act), the exercise of certain rights of Data Subjects may be significantly restricted.
Obligations of FaceUp as a Personal Data Processor
As a processor, we undertake to comply with applicable and effective legal regulations on the protection of personal data and privacy, mainly but not exclusively the GDPR and Act No. 110/2019 Coll., on the Processing of Personal Data, as amended, in relation to processing personal data.
Furthermore, we undertake to process personal data only on the basis of documented instructions from the Controller, including issues of transfer of personal data to a third country or an international organization, unless such processing is already required by European Union or Member State law to which we are subject.
We will maintain the confidentiality of all personal data provided or disclosed to us by the Controller, or which we will collect in connection with the provision of services to the Controller, except for the transfer of such data to sub-processors and our service providers.
We will ensure that all of our employees, members of our bodies and our business partners with authorized access to (or authority to process) the personal data processed undertake to observe appropriate confidentiality conditions or are duly informed of their legal obligation of confidentiality, if applicable, before fulfilling the first task in connection with the provision of services.
We undertake to apply at all times technical and organizational measures to protect personal data processed against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, which must be proportionate to the risks of varying likelihood and severity to the rights and freedoms of the individuals whose data are processed, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of the processing, including, where appropriate, measures for pseudonymization and encryption of the personal data processed, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services, the ability to restore the availability of and access to the personal data processed in a timely manner in the event of physical or technical incidents, and the process of regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures in place to ensure the security of the processing.
We will provide the Controller with such assistance and information as the Controller reasonably requests and as we are reasonably able to provide to enable the Controller to comply with its obligations under applicable and effective data protection and privacy laws and to cooperate with the competent authorities in relation to the personal data processed, including, where appropriate, providing support to the Controller where relevant to the nature of the processing.
We undertake not to involve any other processor in the processing without the prior specific or general written permission of the Controller. In the case of a general written permission, we undertake to inform the Controller of any intended changes concerning the admission of additional processors or their replacement, thus giving the Controller the opportunity to object to these changes. The following entities are expressly permitted processors and sub-processors in terms of the provision of services:
The following entities are expressly permitted processors and sub-processors in terms of common website browsing:
We will only entrust the processing of processed personal data to other processors or sub-processors who provide a sufficient level of security of personal data at least to the extent required by applicable and effective data protection and privacy laws.
We will promptly notify the Controller in writing and in reasonable detail as soon as we become aware or reasonably suspect that there has been a personal data breach or other serious incident that compromises or exposes a material weakness in the security of personal data while in our possession or control (hereinafter referred to as the "Personal Data Security Incident").
In the event of a Personal Data Security Incident, we undertake to:
We will disclose to the Controller any information it may reasonably request.
We will promptly notify the Controller in writing if we believe that compliance with the Controller's instruction may violate applicable and effective data protection and privacy laws.
Audits and Inspections at the Processor
The Controller (or its authorized auditors) shall be entitled to carry out reasonable audits and/or inspections necessary to verify our compliance with this Policy upon prior written request, which must be delivered to us as a processor at least one month in advance. We undertake to allow reasonable audits and inspections to take place and to provide all necessary assistance to the Controller in carrying them out.
The Controller shall, for so long as its employees or its authorized auditors are on our premises during any such audit or inspection, prevent (or if this is not possible, at least minimize) any damage, personal injury or disruption to the premises, equipment, employees and our business.
We are entitled to claim reimbursement from the Controller for the necessary costs associated with the audits and inspections carried out, as well as reimbursement for our lost time and that of our staff involved in the audit or inspection, or for any downtime in our work caused by the audit or inspection.
We are not obliged to allow access to our premises for the purposes of such an audit or inspection:
Changes to Our Privacy Policy
Any changes we may make to this Policy in the future will be posted on this page and, if appropriate, we will notify you by email. So please check this page for any updates and changes to our Privacy Policy.
Contact Us
You can contact us at any time regarding the processing of your personal data by sending an email to info@faceup.com or by post to the address of our registered office.
We provide all communications and statements regarding the rights you have exercised free of charge. However, if the request is manifestly unfounded or unreasonable, in particular because it is repetitive, we are entitled to charge a reasonable fee taking into account the administrative costs involved in providing the information requested. In the event of repeated requests for copies of the personal data processed, we reserve the right to charge a reasonable fee for administrative costs for this reason.
We will provide you with a statement and, where appropriate, information on the measures taken as soon as possible, but no later than one (1) month after receipt of the complete communication. We are entitled to extend the deadline by two (2) months if necessary and in view of the complexity and number of requests. We will inform you about the extension, including the reasons.
This Policy is effective as of 1 April 2022.