This policy applies to whistleblowers. Whistleblowers are reporting persons who acquired information on breaches in a work-related context.
This includes, but is not limited to, our current and previous employees, self-employed persons, shareholders and persons belonging to the management or supervisory body of our company, including their non-executive members, as well as volunteers, paid or unpaid trainees, clients, customers and any persons working under the supervision and direction of our joint venture partners, contractors, subcontractors and suppliers.
This policy shall also apply to whistleblowers whose work-based relationship is yet to begin in cases where information on breaches has been acquired during the recruitment process or other pre-contractual negotiations.
Protection under this policy shall also be provided to persons assisting whistleblowers in the reporting process (facilitators), third persons who are connected with the whistleblower (colleagues or relatives) and who could suffer retaliation in a work-related context, and legal entities that the whistleblower owns, works for or is otherwise connected with in a work-related context.
The internal reporting channel is intended for reports, where a whistleblower has at least reasonable suspicion about actual or potential breaches, which occurred, are currently ongoing, or are very likely to occur, and about attempts to conceal such breaches.
A breach is any act or omission that is unlawful and relates to our company, or defeats the object or the purpose of legislation, our policies and/or internal regulations. A breach can include, but is not limited to, the following:
The authorised staff (see below) is available to provide support or advice on the company’s whistleblowing process.
REPORTING CHANNELS
Reports can be submitted by using the company’s web-based reporting channel “Trusty.”
Additionally, reports can be submitted via other channels, either listed on the “Trusty” platform or in a separate document. When submitting reports through such channels, whistleblowers are encouraged to provide contact details at which they wish to receive report receipt acknowledgments and feedback on their reports from the company.
You can always request an in-person meeting with the authorised staff and submit your report to them directly.
Whistleblowers are free to report externally, as well. Such reports need to be addressed to competent authorities as listed in a separate document.
CONTENT AND WHISTLEBLOWER’S IDENTITY
A report should include as much detail as possible on who, what, where, when, how and why in relation to the reported breach, as well as any evidence in support thereof. Any other information as to how the company might best go about processing the reported breach is also welcome.
Whistleblowers may submit reports anonymously or may choose to disclose their identity.
The “Trusty” platform allows for a two-way anonymous communication even if a whistleblower chooses to report a breach without disclosing his or her identity. Whistleblowers are encouraged to identify themselves. This allows for a more productive and efficient processing of their reports and their protection against retaliation.
The whistleblowers’ identities, as well as any other information from which their identities may be directly or indirectly deduced, shall not be disclosed to anyone beyond the authorised staff members competent to receive and follow up on reports, without the whistleblowers’ explicit consent. Notwithstanding the preceding provision, the company shall disclose a whistleblower’s identity when required to do so by law, whereby it shall inform the whistleblower thereof before such disclosure, unless such information would jeopardise the related investigations or judicial proceedings.
Any unauthorised attempts to identify a whistleblower or a concerned person are not allowed and shall be disciplinarily sanctioned.
AUTHORISED STAFF
The company’s internal reporting channel is operated by authorised staff nominated in a separate document. The authorised staff are mandated to receive and follow up on reports.
The authorised staff has direct, unrestricted and confidential access to the company’s governing body and top management to which it directly reports on the performance of the whistleblowing management system. The authorised staff has direct, unrestricted access to adequate resources as necessary to ensure the impartiality, integrity and transparency of the whistleblowing management system and its processes.
PROCESSING OF THE REPORTS
Processing of a report is conducted in the following steps, depending on the content of the report and its nature:
received – the report has been received by the company;
initial triage – the content of the report is being assessed for the purposes of categorization, taking preliminary measures, prioritization and assignment for further handling;
processed – the report is being handled, accuracy of the allegation is being assessed, internal enquiry or action for recovery of funds is being conducted;
in investigation – the allegation is being investigated;
closed – the processing of the report has been completed; either no action is considered necessary in response to a report, fact-finding determines no further investigation is warranted, the report is referred to another process to be dealt with, or the investigation has been completed (whether or not a breach is confirmed).
The company aims to process the reports in a timely manner. Circumstances such as the complexity of the reported breach, competing priorities and other compelling reasons may require an extended period for the completion of the processing of the report.
The company processes the reports confidentially, impartially, and without bias or prejudice against the whistleblower or any other person involved in, or any witness to, the reported breach.
The persons concerned, i.e. the persons referred to in the reports, shall enjoy the presumption of innocence. They may be notified of the respective reports at an appropriate time. Any investigation shall be conducted in a manner that preserves confidentiality to the extent possible and appropriate to ensure that the persons concerned are not exposed to reputational harm (information is shared on a strictly need-to-know basis).
COMMUNICATION WITH WHISTLEBLOWERS
After submitting a report the whistleblower shall receive a receipt acknowledgment forthwith and no later than within seven days of that receipt.
The receipt acknowledgment is sent to the email address which is provided by the whistleblower during the on-line report submission process on the whistleblowing platform “Trusty”. The confirmation of the receipt of the report is also provided in the whistleblower’s inbox which is accessible on the “Trusty” platform using the log-in credentials which are provided to the whistleblower upon the completion of the report submission process. The latter are provided also to anonymous whistleblowers.
If the report is submitted through other available internal reporting channels, the receipt acknowledgment is sent to the contact details provided by the whistleblower.
The authorised staff maintains communication with the whistleblower and, where necessary, asks for further information or evidence from, and provides feedback to, the whistleblower. The said communication is conducted through the whistleblower’s inbox on the “Trusty” platform, or through other communication channels agreed with the whistleblower.
The feedback to the whistleblower is provided no later than 3 months from submitting the report. The feedback includes information on the action envisaged or taken as follow-up and on the grounds for such follow-up. The feedback can be limited to avoid compromising any investigation or other legal proceedings, as well as due to legal restrictions on what can be communicated about the follow-up and findings. In such a case and where possible, the whistleblower shall be notified of the reasons for the limited feedback communication.
The company may decide to acknowledge and give recognition to the whistleblower for reporting a breach, with prior consent of the whistleblower (including, but not limited to, expressing gratitude and public commendation by the top management).
PROHIBITION OF RETALIATION
Retaliation means any threatened, proposed or actual, direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the whistleblower.
Retaliation may include, but is not limited to, the following:
The company has a zero-tolerance policy for retaliation. Any form of retaliation, including threats of retaliation and attempts at retaliation, is prohibited and must be reported immediately. Such reports may be submitted using the company’s internal reporting channel.
Anyone engaged in retaliation may face serious internal – and potentially external – consequences under applicable legislation or regulations. If the company identifies anyone involved in retaliation, these individuals will be subject to disciplinary action, which may include dismissal.
Action to deal with a whistleblower’s own breach, wrongdoing, performance or management, unrelated to their role in whistleblowing, is not considered retaliation.
PROTECTION AGAINST RETALIATION
The company shall take all reasonable steps to protect whistleblowers from retaliation.
If it is established that retaliation is occurring or has occurred, the company shall take reasonable steps to stop and address such conduct and support the whistleblower. If remediation is required, the company shall, to the greatest extent possible, restore the whistleblower to a situation that would have been theirs had they not suffered retaliation. For example:
After a report is made the authorised staff shall make an assessment of the risk of retaliation against the whistleblower. Depending on the likely sources of harm identified through the risk assessment the authorised staff shall identify and implement strategies and actions to prevent such retaliation or contain identified retaliatory conduct to prevent further harm, for example:
The authorised staff shall monitor and review risks at various points in the process, such as when a decision is made to investigate, during the investigation into the report and once the outcome of an investigation is known, as well as, where appropriate, after the case has been closed.
The protections under this policy apply to the whistleblower even if the reported breach is not substantiated, if the whistleblower had reasonable grounds to believe that the information on the breach reported was true at the time of reporting. Also, whistleblowers who reported or publicly disclosed information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall qualify for the protection under this policy.
Any person who knowingly makes false reports shall be subject to disciplinary and/or other legal actions, which may include dismissal.
If a reported breach is not substantiated by the authorised staff and the respective data are not required by the company for any further proceedings, the report and all the gathered information related to the report and its processing shall be permanently deleted after closing the case and after the retention period defined in a separate document has lapsed.
If a reported breach is substantiated, the report and all the gathered information related to the report and its processing shall be stored for as long as necessary for the assertion and exercise of, or defence against respective legal claims.