REPORTING ABUSE AND HANDLING COMPLAINTS POLICY

– abuse reporting and whistleblower protection rules –

§ 1. General provisions

1. This Policy regulates the abuse reporting in connection with Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on the single market for digital services and amending Directive 2000/31/EC (“Digital Services Act“), as well as internal reporting understood as the provision of the information about breaches within a private entity as per Article 5(4) of the Directive of the European Parliament and of the Council (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law ( “Whistleblowing Directive”) and by the September 25th 2024 – Polish Act of Law – Whistleblower Protection Act.

2. The Company provides intermediary services, including hosting services consisting in storing information provided by the Customers and at their request, on the terms set out in the relevant terms of service.

3. Terms used herein shall have the following meanings:

  • Account – the Customer’s account created on the GetResponse platform in accordance with the provisions of the relevant terms of service;
  • Breach – an action or omission that is non-compliant with the law or intended to circumvent the law;
  • Company or Employer – GetResponse S.A. with the registered office in Gdańsk (80-309), Grunwaldzka 413, Poland, entered to the register of entrepreneurs maintained by the District Court Gdańsk – Północ in Gdańsk, 7th Economic Department of the National Court Register under the number KRS: 0000942075, TAX ID number: 9581468984, shared capital of 5,559,840.00 PLN fully paid;
  • Customer – an entity running a business with which the Company has concluded an agreement for the provision of the GetResponse service via the GetResponse platform, a potential client with whom the Company is conducting negotiations regarding the GetResponse platform, or with whom the Company has concluded a confidentiality agreement or any other agreement regarding GetResponse services, as well as a partner with whom the Company has concluded a partnership cooperation agreement that uses GetResponse platform;
  • Employee – a person employed by the Company,
  • Follow-up  actions taken by the Company to assess the truthfulness of allegations contained in the Report and, where applicable, to address the reported breach, e.g. in the form of an internal inquiry, preliminary investigation, removal of Illegal content, blocking the Customer Account on the GetResponse platform, termination of the contract with the Customer who committed the Breach, notifying competent agencies, actions taken to recover funds or procedure closure;
  • GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Illegal content – any information that, in itself or in relation to an activity, including the sale of products or the provision of services, is not in compliance with Union law or the law of any Member State which is in compliance with Union law, irrespective of the precise subject matter or nature of that law;
  • Internal Compliance Team – a team established pursuant to a resolution adopted by the Management Board of the Company, authorized to receive Reports and to follow them up;
  • Policy – this Reporting abuse and handling complaints Policy;
  • Report – information about Breaches submitted via designated communication channels;
  • Retaliation – direct or indirect actions or omissions in a work-related context, caused by the Report and causing or potentially causing unjustified harm to the Whistleblower;
  • Whistleblower – an individual, listed in sec.5 below, reporting a Breach in the context relating to the work (with the meaning attributed in §3 sec. 2 of the Policy).

4. Breach Report may be submitted by any person who has become aware of the Breach or Illegal content as part of the services provided by the Company.

5. Rules set out in the Policy apply also to all Employees irrespectively of the occupied position, type of work performed and type of employment contract as well as:

  • Individuals who report or disclose the information about the breach of the law acquired in a work-related context,
  • Employees – also if no longer employed by the Employer,
  • Individuals applying for employment who have acquired the information about the breach of the law during the recruitment process or during negotiations preceding the execution of a civil law contract,
  • Individuals performing work on the basis of contracts other than the employment contract including a civil-law contract,
  • Entrepreneurs, including individuals rendering services for the Company under cooperation contracts (B2B),
  • Shareholders or partners,
  • Legal person body members,
  • Commercial Proxies,
  • Individuals performing work under the supervision and direction of a contractor, subcontractor or supplier, including work done on the basis of a civil-law contract,
  • Trainees,
  • Volunteers,
  • Interns.

§ 2. Reporting Illegal content

1. The Company establishes the following Report receipt channels:

  • dedicated email: abuse[@]getresponse.com;
  • online form available here.

2. Reporting Illegal content should include: a sufficient explanation of the reasons why the person or entity concerned alleges that the relevant information constitutes Illegal content; a clear indication of the precise electronic location of the information, such as the precise URL(s) and, where applicable, additional information enabling the identification of the Illegal content, as applicable to the type of content and the specific type of GetResponse service, name and email address of the person or entity submitting the Report, a statement confirming the good faith belief of the person or entity submitting the Report that the information and allegations contained therein are correct and complete.

3. The Company does not provide the possibility to submit Reports anonymously, except for cases of reporting crimes specified in Art. 3-7 of Directive 2011/93/EU (sexual activities involving children). 

4. Without undue delay, but no later than within 7 days from the date of receipt of the Report, the applicant receives confirmation of acceptance of the Report, unless the applicant has not provided contact details to which the confirmation should be sent.

5. The Company shall also notify the applicant without undue delay of its decision regarding the information covered by the Report, providing information on the possibility of appealing against the decision. The maximum deadline for providing feedback to the applicant is 3 months from the confirmation of acceptance of the Report.

6. The reporter may submit the Report immediately to designated state authorities, without the need to submit a prior notification to the Company under this Policy.

§ 3. Reports submitted by Whistleblowers

1. The Breach of the law that can be reported by the Whistleblower consists of the action or omission in violation of the law or striving to circumvent the law and relating to, in particular:

  • Corruption,
  • Public procurement,
  • Financial services, products and markets,
  • Prevention of money laundering and funding of terrorism,
  • Safety of products and their compliance with requirements,
  • Safety of transport,
  • Environmental protection,
  • Radiation protection and nuclear safety,
  • Food and feed safety,
  • Animal health and welfare,
  • Public health,
  • Consumer protection,
  • Protection of privacy and personal data,
  • Safety of the network and IT systems,
  • Financial interests of the European Union,
  • EU internal market, including rules of competition and state aid and corporate taxation.

2. The Report has to be made in the work-related context understood as the entirety of circumstances related to the employment or another legal relationship constituting the basis for work performance within which the information about the Breach was obtained.

3. The Whistleblower can submit a Report in the form of:

  • email sent to whistleblowing[@]getresponse.com;
  • the online form available HERE;
  • in writing by sending a letter via traditional post to the address of the Company disclosed in the current register of entrepreneurs of the National Court Register. The Report mentioned in the preceding sentence has to include the Whistleblower’s correspondence address. Within 7 days of the receipt of the Report, the Company shall send the Report receipt confirmation via traditional post. If the Report mentioned in clause 1 does not contain the address data of the Whistleblower, but includes other data enabling direct contact with the Whistleblower, then the confirmation of receipt of the Report is sent through these channels;
  • verbally to Ms. Aleksandra Bugajska during direct meeting or via MS Teams platform or different electronic communication measures chosen by the Company. The verbal Report may be made by the Whistleblower after prior appointment via the channels specified in sec. a-c) above. The meeting shall be arranged within a reasonable time after the related need has been reported, i.e. not later than within one month.

4. To make it possible for the Company to investigate the matter reliably, the Report shall contain the following information: a brief description of the case (facts), indication of violated regulations, as possible, the indication of a person, unit or organisational entity the Breach refers to and the source of the Whistleblower’s knowledge of the Breach. If the information available to the Whistleblower is incomplete the Report shall include the available information.

5. The deadline for feedback submission is 3 months as of the receipt confirmation or, if no confirmation has been sent to the reporting person, the 3-month period starting 7 days after the Report submission.

6. Within 7 days from the date of receipt of the Report, the Whistleblower receives confirmation of acceptance of the Report, unless he or she has not indicated the contact details to which the confirmation should be sent or this is not apparent from the functionality of the channel through which the Report was submitted.

7. The person submitting the Report can submit an external report for specified state agencies without the prior internal report. External Report may be submitted directly to the Commissioner for Civil Rights Protection or other public administration authorities. An external channel can be used after the prior internal Report or directly via the external channel.

§ 4.Consequences of publishing Illegal content

1. The Company reserves the right to moderate the content of GetResponse Customers if they violate the provisions of applicable law, the provisions of the relevant regulations applicable to the service or good practices.

2. Restrictions on information provided by Customers and measures for content moderation are included in the regulations and policies available on GetResponse websites, including in particular:

  • GetResponse MAX Terms of Service,
  • GetResponse Terms of Service,
  • Anti-Spam Policy,
  • GetResponse Affiliate Program Terms and Conditions,
  • Agency Partner Program Terms of Service.

3. The Company is entitled to:

  • introduce restrictions on the visibility of specific information, including removing content, preventing access to content,
  • suspend, terminate or otherwise limit payments to partners,
  • suspend or terminate the provision of the service in whole or in part,
  • suspend or close Customer Account.

4. Content moderation may be automated or manual.

5. The Company may, after prior warning, suspend for a specified period (for a reasonable period):

  • providing the service to its recipient, who often transmits obviously Illegal content in accordance with the applicable regulations,
  • consideration of reports or complaints by persons or entities who often make obviously unfounded reports or complaints,

6. When making decisions under section 5 above, the Company takes into account the following criteria:

  • the absolute numbers of items of manifestly Illegal content or manifestly unfounded Reports or complaints, submitted within a given time frame;
  • the relative proportion thereof in relation to the total number of items of information provided or notices submitted within a given time frame;
  • the gravity of the misuses, including the nature of Illegal content, and of its consequences;
  • where it is possible, the intention of the Customer, person, entity or complainant, if it can be determined.

§ 5. Internal complaint handling system

1. You can file a complaint against the following decisions of the Company:

  • issued as a result of the Report received by the Company;
  • regarding removal of information or prevention to access it or limit the visibility of information;
  • regarding suspension or termination of the GetResponse service in part or in whole;
  • regarding suspension or closure of the Customer’s Account in the GetResponse service,
  • regarding suspension, termination or otherwise limiting the possibility of monetization of information provided by the Customer.

2. A complaint can be submitted within 6 months of receiving information about the Company’s decision by sending an e-mail to the following address: abuse [@]getresponse.com

3. The complaint should include: identification of the Company’s decision that is the subject of the complaint (date of issue, what the decision concerned), as well as a description and justification of the complaint, name and surname of the complainant, contact e-mail address, as well as information on the status of the trusted flagger designated by the Digital Services Coordinator (if applicable).

4. The person to whom a decision issued by the Company as a result of a complaint is addressed has the right to choose any certified body for out-of-court settlement of disputes regarding decisions made by the Company. Certification of the above-mentioned the body is made by the digital services coordinator of the EU Member State where the extrajudicial dispute resolution body is located.

5. The exercise of the above rights is without prejudice to the right to initiate court proceedings.

§ 6. Personal data processing

1.  In the event of processing personal data of the reporting person, including Whistleblower or other persons in connection with the Report, the provisions of generally applicable law on the protection of personal data shall apply. The scope of processed data may include: name, surname, e-mail address, correspondence address as well as other data included in the Report. 

2. The Company, as the data controller, may process personal data of those reporting Illegal content pursuant to Art. 6 section 1 letter c) GDPR, i.e. fulfillment of the legal obligation arising from the provisions of the Digital Services Act, in turn of the Whistleblower and persons affected by the Report, as well as witnesses of events, in connection with the Report, in order to verify it, including taking Follow-up actions, pursuant to the provision art. 6 section 1 letter f) GDPR, i.e. the legitimate interest of the Company, which is the implementation of the standards of the whistleblower protection directive, and from September 25, 2024, Art. 6 section 1 letter c) GDPR, i.e. fulfilling the legal obligation arising from the provisions of the Act of June 14, 2024 on the protection of whistleblowers. Additionally, the Company may process the data of reporting persons in order to possibly establish or pursue claims or defend against them pursuant to Art. 6 section 1 letter f) GDPR, i.e. the legitimate interest of the Company consisting in the protection of its rights.

3. Personal data of the reporting person, the Whistleblower and other persons related to the Report will be available only to a limited group of people in the Company authorized to receive Reports and take follow-up actions in connection with them, including explanatory actions.

4. Personal data of the reporting party, including the Whistleblower, may be made available to external entities only in the context of explanatory or judicial proceedings conducted by competent national or EU authorities, on the basis of applicable legal provisions authorizing such an authority, as well as to entities providing courier, postal services or IT tool suppliers in connection with sending the Report and responding to it. .

5. The Company has appointed a Data Protection Officer, who can be contacted here.

6. In particular, the Company as the data controller shall guarantee the implementation of the rights of persons whose data is processed in connection with the Report, including:

  • The right to be informed about personal data processing rules within the limits set out, respectively, in Article 13, 14 and 15 GDPR. The information communicated pursuant to Article 14 and 15 with regard to the source of personal data cannot disclose the Whistleblower’s identity.
  • The right to access the data subject to the terms set out in Article 15 GDPR,
  • The right to correct or supplement personal data subject to the terms set out in Article 16 and 19 GDPR,
  • The right to delete personal data subject to the terms set out in Article 17 and 19 GDPR,
  • The right to limit the processing of personal data subject to the terms set out in Article 18 GDPR,
  • The right to object to the processing of personal data subject to the terms set out in Article 21 GDPR.

7. Personal data are acquired adequately to the purpose of their processing. Personal data obviously not relevant to the examination of a specific Report are not collected and, if collected accidentally, they are deleted with no undue delay, in particular, from the documentation relating to the Report.

8. The Company establishes and maintains technical, technological and organisational measures to protect personal data from their illegal deletion, unauthorised access, disclosure or modification including, in particular:

  • Individuals able to access the personal data have been informed about their processing rules and are aware of the consequences of their illegal processing,
  • The Company has appropriate internal regulations describing data processing rules, including rules regulating the access to such data and the management of personal data protection breaches,
  • The documentation relating to Reports is stored and made available in a manner guaranteeing access control limited to authorized persons mentioned in clause 3;

9. All individuals authorized to receive the Report or to follow up the received Report containing the information enabling the identification of the Whistleblower or the person accused of a Breach are strictly obliged to maintain the confidentiality of this information.

10. Personal data of Whistleblower processed in connection with a Report are deleted from the documentation of the Report after 3 years of the Report receipt date. Personal data of other reporters are processed no longer than the limitation period for claims.

11. Providing data is necessary to submit a Report, except for cases where an anonymous Report is allowed, and to respond to it to the reporting person.

12. . Personal data may be transferred to third countries, i.e. outside the European European Area, in connection with the Company’s use of information society tools and services. Data may only be transferred to third countries or entities for which an adequate level of data protection has been determined by the European Commission. In the absence of a decision by the European Commission, personal data may be transferred to a third country on the basis of appropriate safeguards, including: standard data protection clauses adopted by the European Commission. In connection with the transfer of data outside the EEA, you may request information about the safeguards used in this respect, obtain a copy of these safeguards or information about the place where they are made available by contacting the Data Protection Officer.

§ 7. Rules for archiving Reports

1. The Company keeps record of all the Reports received (“the Report record”) as per the provisions of this Policy. Reports are retained for the period set out in § 6 clause 10 of the Policy.

2. Reports submitted via the form, or by email, or in writing are recorded on carriers assigned to these channels.

3. Verbal Reports are not recorded, which is why they are documented in the form of a report from the conversation compiled by the person receiving the Report. The Company makes it possible for the Whistleblower to check, correct and approve the report from the conversation mentioned in the preceding sentence by signing it.

4. The Report made during direct meeting is documented in the form of a report reflecting the meeting and the contents of the Report compiled by the receiving person. The Company makes it possible for the Whistleblower to check, correct and approve the report from the conversation mentioned in the preceding sentence by signing it.

5. The person receiving the Report can ask the reporter, including Whistleblower to provide further information and provide feedback to the Report. 

§ 8. Protection of Whistleblowers

1. The Company guarantees and takes necessary measures set out in clause 2 below to eliminate all forms of retaliation possible against Whistleblowers, referred to in Art. 12 of the Whistleblower Protection Act, including threats of retaliation and attempts to take retaliatory actions, in particular in the form of: suspension, enforced unpaid leave, dismissal or equivalent measures; degradation or suspension of promotion, transfer of duties, change of workplace, salary reduction, change of working hours, suspension of training, negative evaluation of work results or a negative opinion about work done, imposing or applying any disciplinary measure, reprimand or other penalty (including financial penalty); coercion, intimidation, mobbing or exclusion; discrimination; unfavourable or unfair treatment, the failure to transform the fixed-term contract into a contract for an indefinite period if the employee could rationally expect to be offered permanent employment; the failure to renew or an early termination of the fixed-term contract; a loss including damage to the person’s reputation, especially on social media or financial losses, including economic losses and loss of income; blacklisting on the basis of an informal or formal sectoral or industry agreement that can potentially make it impossible for the person to find employment in a sector or industry; early termination or notice of termination with regard to a contract relating to goods or a service contract; withdrawal of a license or permit, referral to psychiatric or medical examination.

2. Measures aimed at the elimination of the risk of all forms of retaliation:

  • appointing an impartial person to follow up on Reports, to receive Reports, communicate with the Whistleblower and request further information from that person, as well as provide feedback.
  • ensuring the conduct of explanatory proceedings guaranteeing all the rights of the Whistleblower, witnesses and persons concerned by the Report (including the right to testify, the right not to incriminate themselves, presumption of innocence).

3. The Whistleblower’s protection does not cover the Whistleblower who is also the perpetrator, co-perpetrator or accessory to the irregularity covered in the Report. While deciding to potentially terminate the employment or civil-law contract with the Whistleblower who is at the same time the perpetrator, co-perpetrator or accessory to the irregularity disclosed in the Report, the Team shall always consider the fact that the Whistleblower has disclosed all the material circumstances of the irregularities disclosed in the Report.

4. The Whistleblower shall be protected provided that he/she has had reasonable grounds to believe that the information on the breach of law that was the subject of the report or public disclosure is true at the time of reporting or public disclosure and that such information constitutes information about the breach of law. Irregularities can only be reported in good faith. The conscious submission of false Reports does not make the Whistleblower eligible for the protection set out in this Policy.

5. If the Company determines that a Report containing untruth or concealing the truth was knowingly submitted by the Employee, then such person may be subject to disciplinary liability defined in the provisions of the Labour Code. Such behaviour can also be classified as a serious breach of basic employee duties and, as such, shall result in the termination of the employment contract without notice.

6. For Whistleblowers providing services or delivering goods for the Company pursuant to a civil-law contract, a false Report may result in the termination of the related contract for reasons not attributable to the Company.

7. Irrespectively of the consequences specified in clauses 4 and 5 above, the person falsely reporting irregularities can be held liable for damages in the event of a loss incurred by the Company in connection with the false Report.

§ 9. Point of contact and legal representative under Digital Services Act

1. The Company designates a single point of contact enabling direct electronic communication with recipients of the Company’s services at abuse@getresponse.com or via the form available here. 

2. The Company designates a single poinf of contact enabling direct electronic communication with the authorities of the Member States, the Commission and the Digital Services Council – abuse@getresponse.com To communicate with the contact point, use Polish or English language. 

3. The Company has been elected as the legal representative to be addressed by the competent authorities of the Member States, the Commission and the European Board for Digital Services in relation to all matters necessary to receive, comply with and enforce decisions issued in connection with the Digital Services Act. The company is the legal representative of GetResponse Inc.

§ 10. Final provisions

1. This Policy is implemented for an indefinite period.

2. This Policy comes into force on its publication date.

3. The Policy may be amended or supplemented in a manner appropriate for its adoption or in another manner determined by the Company.

4. The Policy is made available to the Employees in a manner customary for the Company.

Last updated: 25 September 2024