General Policy on the Internal Information System
1 INTRODUCTION
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 has been transposed into Spanish law with Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption. This law implies the incorporation of specific instruments so that those who are aware of illegal or irregular actions can provide useful data and information, ensuring full effective protection of such informants.
In this sense, the aforementioned regulations regulate the minimum aspects that the different internal and external information channels must satisfy, together with the special protection regime for informants who act in good faith and with an honest conscience, in a disinterested manner.
In accordance with the foregoing, the Entity has implemented an Internal Information System (SIIF), which is configured as a fundamental axis for supervision, control and prevention in the area of regulatory compliance. Such system constitutes a preferential channel and a mandatory tool to diligently channel information in order to strengthen the information culture within the organization itself.
The SIIF has been designed as a control and prevention tool, which contemplates information channels managed both internally and by a specialized external company. These channels enjoy the highest levels of professionalism, experience, independence, confidentiality, compliance with data protection regulations and other applicable regulatory frameworks. Likewise, the SIIF guarantees the basic principles of anonymity, proper recording, preservation and non-alteration, prevention of conflicts of interest, protection of the informant and prohibition of retaliation.
In accordance with the aforementioned Law, it is an indispensable requirement that the SIIF has a Policy that sets forth the general principles of the system and the defense of the informant, duly publicized within the Entity. Therefore, together with the Procedure for the management of information received, this Policy is an essential element of the configuration and operation of the SIIF.
2 PRINCIPLES OF ACTION AND ESSENTIAL GUARANTEES
The Internal Information System (SIIF) is one of the main axes of the regulatory compliance and criminal prevention systems. In accordance with the highest standards of diligence in this area, the Entity has provided the SIIF with a series of guarantees to ensure its effectiveness, with the collaboration and support of the external expert BONET consulting. Specifically, the basic principles and fundamental guarantees that govern the process and the Entity's actions in relation to the SIIF are as follows:
- Independence, autonomy, impartiality and absence of conflicts of interest: In the reception and processing of information on violations, reaction mechanisms have been defined to manage and control possible conflicts of interest and/or lack of independence, when those responsible for management, control and/or supervision present a series of characteristics that compromise and condition the performance of their duties. Likewise, all communications received are subject to analysis with the necessary requirements of independence, which guarantee fairness and justice in their treatment.
- Professionalism and experience: Professionals with expertise in regulatory compliance, criminal prevention and good governance are in charge of the processing and proper management of communications, preserving the rights of whistleblowers and defendants.
- Completeness, integrity and confidentiality of information: The participants in the different phases of investigation have the duty of confidentiality with respect to any information to which they may have access or knowledge by reason of the exercise of their functions. In addition, access to it by unauthorized personnel is prevented and a durable and secure storage of the same is allowed, through the generation of backup copies of the information and independent files.
- Data protection and secrecy of communications: The processing of data is adjusted and complies with the highest measures and policies for the protection of personal data, according to the applicable regulations on the Protection of Personal Data. Likewise, there is a duty of secrecy regarding any aspect related to the information communicated.
- Anonymity and Anonymization: The possibility of submission and subsequent processing of anonymous communications is provided for, as well as the general duty to preserve the identity of the informant who has identified himself/herself when formulating the communication, keeping him/her anonymous and not disclosing his/her identity to third parties.
- Affordable use, simplicity and free of charge: Simplicity in making the communication is guaranteed, allowing universal access to the system without any associated cost, and the effective application of the legality and ethical principles governing the Entity's activity.
- Adequate and independent registry: A private book-record of the information received and the internal investigations to which they have given rise is drawn up, as a guarantee of their treatment, management and non-alteration, independently and without conflicts of interest, for a period of time necessary and proportionate in accordance with the legislation in force. In no case will the data be kept for a period of more than ten years.
- Good monitoring and research practices: In order to verify the veracity of communications, the correct collection of evidence and to guarantee the rights of those affected, the communication life cycle will be regulated in an effective and transparent internal procedure. These practices will be documented in the procedure for the management of information received.
- Protection of the informant and the persons concerned: Persons who report or disclose wrongdoing are entitled to protective measures and shall not be subject to any retaliation or adverse consequence for their cooperation, including threats of retaliation and attempted retaliation. Likewise, the persons affected by the communication shall be entitled to the same protection established for whistleblowers, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.
- Diligent action, responsibility and good faith of the informant: The use of the system is based on the principles of responsibility, diligence and good faith, so that every informant must have reasonable grounds to believe that the information is truthful at the time of its communication. The communication of unfounded, false or misrepresented facts, as well as the remission of information obtained in an unlawful manner, with a malicious and morally dishonest attitude, is a breach of the principle of good faith and may result in the application of disciplinary measures.
PERSON IN CHARGE OF THE INTERNAL INFORMATION SYSTEM
For the effectiveness of the Internal Information System (SIIF) it is essential to designate a person responsible for its correct operation, organization and diligent processing of information. Likewise, he/she shall be responsible for ensuring the proper communication and dissemination of the SIIF, as well as for carrying out and updating the relevant training plan.
The administrative or governing body of the Entity is the competent body for the appointment and communication to the competent authority of the individual or collegiate body responsible for the management of said system and for its dismissal or removal (hereinafter, the "System Manager").
The System Manager performs his or her functions in an independent and autonomous manner with respect to the rest of the Entity's organizational bodies, avoiding possible situations of conflict of interest with the ordinary performance of his/her duties. However, the System Manager may resort to other third parties for specialized support and/or to comply with the independence requirements, to ensure the proper performance of his/her functions.
In particular, for the exercise of his functions, the System Manager shall coordinate with the following subjects:
- The Head of Human Resources, when disciplinary measures could be taken against the persons involved and/or coordinate the implementation of protective measures.
- Those responsible for regulatory compliance and/or the Entity's legal services, should it be necessary to adopt measures of a legal or regulatory compliance nature that must be taken into consideration by them in relation to the communications received in the SIIF.
- The persons in charge of the processing that may eventually be appointed.
- The Delegate / Data Protection Officer.
- Other persons and/or entities involved in the management of the SIIF.
INDEPENDENT AUTHORITY FOR THE PROTECTION OF THE INFORMANT
The Entity's Internal Information System (SIIF) is the priority and mandatory means of communication of any unlawful conduct or violations of which the Entity is aware, as it ensures that protection measures are duly adopted and promotes a culture of information within the organization.
However, other "external" information channels have been determined, in order to offer citizens an alternative where to submit a report and/or complaint, in the event that the internal channels do not comply with the guarantees required by the applicable regulations, the pertinent protection measures are not applied or people are exposed to reprisals due to their status as whistleblowers.
Therefore, any natural person may report directly to the Independent Authority for Whistleblower Protection, I.A.P.A., the commission of any actions or omissions constituting an infringement of the legal system, through the external information channel of this specialized public authority. Access to this external information channel and the Authority's contact details are published on its website.
CONFIDENTIALITY AND PROTECTION OF PERSONAL DATA
The processing of personal data deriving from the Internal Information System (SIIF) is governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Organic Law 3/2018 of 5 December and Organic Law 7/2021 of 26 May. Therefore, at the time of collection, data subjects are informed of the processing of their data and of their rights, in accordance with the regulations in force.
In compliance with the principle of data minimization, the personal data collected are those necessary and relevant for the processing of the communication. In the event that data are collected by accident, which are not necessary for the knowledge and investigation of the actions or omissions, they will be deleted without undue delay. Likewise, the data will be kept for the time necessary to decide whether it is appropriate to initiate an investigation.
On the other hand, the design of the SIIF guarantees the confidentiality of the identity of the informant and of any third party mentioned in the communication, as well as of the actions carried out in the management and processing of the same. In this sense, access to personal data and other information contained in the system is limited to those responsible for management, within the scope of their powers and functions. Therefore, appropriate technical and organizational measures are in place to preserve the identity of those affected and prevent access by unauthorized persons.
In the event of any doubts or queries regarding the processing of personal data carried out within the Entity in relation to the SIIF, any interested party may contact the Delegate / Data Protection Officer designated, through the contact details that have been previously communicated to him/her and which are at his/her disposal.
PROTECTION MEASURES
Persons communicating or disclosing breaches by using the Internal Information System (SIIF) of the Entity are entitled to protection under the same conditions as those who report through external channels, provided that they have reasonable grounds to believe that the information referred to is true at the time of communication or disclosure, even if they do not provide conclusive evidence.
In this sense, retaliation, including threats and attempts, against persons submitting a communication is expressly prohibited. Retaliation is understood to mean:
- Acts or omissions prohibited by law.
- Acts or omissions that directly or indirectly result in unfavorable treatment, placing the individual at a disadvantage compared to another.
By way of example and not limitation, retaliation is considered:
- Suspension of the employment contract, dismissal or termination of the relationship, early termination, cancellation of the employment and/or commercial contract, disciplinary measures, reprimand or other sanction, demotion or denial of promotion, substantial modification of conditions and failure to convert the temporary contract into an indefinite contract or equivalent measures.
- Damages (including reputational), economic losses, coercion, intimidation, harassment or ostracism.
- Negative evaluation or references about work or professional performance.
- Blacklisting or dissemination of information that hinders or prevents access to employment / contracts for works or services.
- Denial or cancellation of license or permit.
- Denial of training.
- Discrimination, unfavorable or unfair treatment.
- Denial of incentives, benefits, bonuses, commissions and any other type of compensation.
- Early termination, suspension, alteration or cancellation of contracts for goods or services.
These acts shall be null and void and shall give rise, as the case may be, to disciplinary or liability corrective measures, which may include the corresponding compensation for damages to the injured party.
In order to guarantee the informant's right to protection and that of the persons affected by the communication, the Entity has established the following technical and organizational measures, which are applied from the initial moment in which the communication is received:
- Configuration of the SIIF: The SIIF has been designed with the appropriate technical and organizational measures to ensure the protection of the identity of the informant, as well as of the data and information derived from the communications submitted. In this sense, the Entity has enabled a series of internal information channels, which allow submitting communications anonymously. These channels are:
▪ On-line / digital channel: Digital platform for the submission of written communications.
▪ Face-to-face channel: System for receiving communications by face-to-face meeting or videoconference.
Regardless of the channel used, the SIIF ensures the effective application of the basic principles and guarantees specified in this Policy, in order to comply with the requirements of the regulatory framework and protect the rights of informants and affected persons.
- Responsible for SIIF: In order to ensure the proper application of the SIIF, the Entity has designated a person in charge whose role is to supervise, monitor and control its operation. In this regard, the person in charge, together with the external expert, shall adopt the necessary protection measures and shall ensure their proper monitoring and application. The participation of the external expert provides the duties of the person in charge with the elements of autonomy and independence required by the regulations in force. Likewise, the Controller will be in charge of carrying out a preliminary analysis of the communications received for the purpose of determining the suitability of adopting specific protection measures with respect to the informant and/or third parties affected. In addition, depending on the nature and scope of the information, the Controller shall have the support and advice of the heads of the different operational areas of the Entity, for the successful completion of the investigation. He/she may also resort to other specialized third parties in those matters that require an expert opinion.
- Custody, management and security of the SIIF information: The Entity has a document management system configured with the appropriate security and control measures, in order to evidence the effectiveness of the SIIF. It should be noted that such system includes anonymization processes, so as not to allow the identification of informants. Additionally, the Entity has adopted reasonable technical measures for the safe preservation, recovery and disposal of information, as well as the implementation of access controls to prevent unauthorized use.
However, information submitted that is false, misrepresented, manifestly lacks all credibility and foundation or there are reasonable indications that it was obtained through the commission of a crime is excluded from the aforementioned protection. This is due to the fact that all communications must be made under the principle of good faith and, therefore, the informant must have reasonable grounds to believe that the information is truthful at the time of communication. In short, the principle of good faith requires that in no case may it be inferred that there is falsehood, untruthfulness, intent of revenge or intent to harm a third party.
It is important to remember that the protection measures are not only directed in favor of the informants. Those persons to whom the facts related in the communication refer (affected persons) also have a unique protection against the risk that the information, even with apparent signs of truthfulness, has been manipulated, is false or responds to other motivations. During the processing of the file, these persons have the right to the presumption of innocence, to judicial protection and defense, to access to the file, as well as to the confidentiality of the facts and data of the procedure and to the confidentiality of their identity. In conclusion, they have the same protection and rights as the informant.
DISCIPLINARY REGIME
Failure to comply with the applicable regulations and conduct contrary to the instructions, policies, codes, procedures and protocols of the Entity is grounds for application of the disciplinary regime at the labor and commercial level, in coordination with the provisions of the applicable Collective Bargaining Agreement, the Workers' Statute and other applicable regulations.
The Entity shall notify and sanction the actions or omissions contrary to this Policy incurred by employees, collaborators or any member related to the Entity and, in particular:
- Failure to report any suspicion or knowledge of breaches and non-compliance with the regulatory framework and the Entity's internal protocols and rules through the SIIF.
- Any attempt or effective action to hinder the submission of communications or to prevent, frustrate or slow down their follow-up.
- The use of the SIIF in bad faith, for example, with the provision of information or documentation knowing it to be false.
- The adoption of any retaliation arising from the communication against the informants or other persons concerned.
- Violation of the guarantees of confidentiality and anonymity, revealing the identity of the persons concerned and breaching the duty of secrecy of the information.
- Failure to comply with the obligation to collaborate with the investigation of information.
COMMUNICATION, REVISION AND UPDATING
The present Policy, as well as all the necessary information on the use of the Internal Information System (SIIF) implemented, is available in a separate and quickly identifiable section, so that all interested parties have it at their fingertips in a clear and easily accessible manner. However, any person may request additional information from the Entity through the contact details of the person in charge.
The System Manager shall periodically review and, where appropriate, propose to the management body or governing body of the Entity the updating of this Policy, in order to adapt it to all those circumstances and changes that may arise, as well as to the regulations or jurisprudence that may be issued. All this, with the aim of adapting the SIIF to the maximum requirements of regulatory compliance for its proper functioning and effectiveness.
Likewise, the Entity is open to any suggestions and/or proposals that may improve its ethical performance and promote a culture of compliance, stressing the need for all employees and members related to the Entity or third parties to collaborate in order to comply with its values and principles.
INTERNAL INFORMATION CHANNELS
In order to comply with the provisions of Law 2/2023, the Entity has implemented a system configured with the technical and procedural requirements required by said Law for the proper handling of communications. The purpose of all this is to offer informants a secure, confidential or even anonymous communication environment with the Entity, and to process information in an efficient, professional and independent manner.
To this end, the Entity has provided itself with material, technical and human resources to enable different internal channels that allow the submission of communications in written or verbal format. These channels are configured, designed and supported by an external expert in order to provide the highest levels of professionalism, experience, independence, confidentiality, data and informant protection, and other applicable areas for this type of channels.
It should be noted that the information provided through any of the internal channels will be treated confidentially, and only authorized personnel will have access to it for its proper management and processing.
Below are the channels available to any employee or third party linked to the Entity for the submission of communications:
On-line/Digital Channel
The Entity has a digital tool that allows submitting written communications by means of a form, which allows attaching files. Once the form has been filled in, the tool automatically generates a code that allows due follow-up and management by the person responsible for the processing. Likewise, a confirmation is sent to the informant regarding the entry and registration of the communication in the system, which contains a summary of the information provided, as well as the code so that the informant can also carry out the follow-up.
This tool has security measures that guarantee the protection of the information, the identity of the informant and the identity of those affected by it, as well as the confidentiality and reserve of the entire process of management and processing of the communication. In this sense, the Entity guarantees a secure and diligent communication environment for the reception of communications.
The tool also allows the submission of communications anonymously. Thanks to its communication and follow-up system, the informant and the System Manager can communicate through the tool, regardless of whether the communication has been submitted anonymously.
The link to access this tool and its scope of use is available on the Entity's website.
Face to face channel
Another of the channels that the Entity makes available to its employees and those third parties that relate to it is the face-to-face / "face to face" channel, the purpose of which is to allow the presentation of verbal communications through a face-to-face meeting or by videoconference. In this case, and taking into account the complexity involved for the Entity in guaranteeing the anonymity of the informant in those cases where this is requested, the Entity has entrusted this function to the external expert BONET consulting, which is responsible for receiving and managing communications with these characteristics, as well as those others in which the informants are identified and face-to-face management is required. In this sense, the external expert guarantees the protection of the informant's identity both in the process of requesting an appointment, in the presentation of a communication in face-to-face format, as well as in the place where the communication is made.
In order to ensure security and preserve the integrity of the information provided by the informant, the meeting will be recorded in accordance with the provisions of the Law and with the prior consent of the informant. This meeting will be documented in a secure format, with the security and anonymization measures required by the regulatory framework. In this line, BONET consulting has and will enable the necessary technological mechanisms for sending additional documentation to the information provided at the meeting.
In order to make use of this channel, the Entity has enabled a contact telephone and e-mail to request the submission of communications in this format, whose attention and coordination of the meeting will be carried out exclusively by BONET consulting. The contact details to make this request are duly published on the Entity's website.
COPYRIGHT
The content of this general policy on the internal information system is subject to copyright. Consequently, in order to proceed with its distribution or communication to other entities, the express consent of the copyright holder is required.