1. Introduction
As demonstrated by existing experiences, the possibility of reporting is an essential tool in systems for preventing irregular or unlawful behavior. Having an established reporting channel serves to measure the effectiveness of such systems as it facilitates any individual to be co-responsible in preserving the current legality.
It is considered that a report made responsibly serves to ensure compliance with the law, its Code of Conduct, and its Manual for the Prevention of Criminal Offenses.
This Reporting Channel is part of the requirements demanded by the Spanish Penal Code for the prevention of criminal offenses within companies.
As established in the dissemination section, all individuals working in our company will be previously informed of the existence and purpose of the Reporting Channel, its operation, the guarantee of confidentiality of the reporting person's data, and the guarantee of information to the reported party about the existence of the report.
2. Scope of Application
This Procedure on the Reporting Channel is established for its application in our organization.
3. Definition and Scope
Any person working in the organization or having a relationship with it may submit to the Committee for the Prevention of Criminal Risks, through the defined Channel, doubts or suggestions regarding compliance with or interpretation of the Manual for the Prevention of Criminal Risks. They may also submit relevant reports regarding any behavior, act, event, or indication occurring or carried out within the scope of the company's activities, which may be susceptible to being considered illicit or criminal.
Irregular, unlawful, or criminal behavior is understood as any type of legal infringement or violation of the Code of Conduct or internal procedures aimed at preventing and detecting behaviors that harm the organization or the commission of criminal acts by the individuals working, volunteering, interning, or any other member belonging to the company in the exercise of their activity.
Our organization establishes this reporting procedure which allows employees and any other external person to the company to have a Channel to report any behavior, action or omission, or fact that may be susceptible to a crime or contrary to our internal rules, and that may cause, directly or indirectly, a criminal risk to the organization.
If any employee in the company or any other person associated with it has reasonable grounds to believe that a crime or misconduct is being committed in the organization or on its behalf, they must immediately inform the Compliance Officer through the established Reporting Channel.
All messages sent through this Reporting Channel are exclusively received by the Committee for the Prevention of Criminal Risks through the Compliance Officer.
Any consultation or report submitted will be recorded by the Compliance Officer in a specific register, which will be kept updated with the actions taken and the documentation generated in its processing and resolution.
4. Requirement of Good Faith
Any act of reporting must be carried out in good faith by the reporting party, as otherwise it has a detrimental effect on individuals and organizations. In the case of the Reporting Channel, this is fundamental and enforceable because we can endanger the dignity of individuals and the institution itself.
It is considered that the reporting party does not act in good faith when they are aware of the falsehood of the facts, or act with manifest disregard for the truth, or with the intention of revenge, or to harm the company in any way or to harass the reported individual, or to injure their honor, or to harm them professionally or personally.
The reporting party acts in good faith when:
They report in accordance with what is established in this procedure and the report is based on evidence or facts from which the commission of irregular, unlawful, or criminal behavior may reasonably be inferred. When the report is made without the intention of revenge, moral harassment, causing job or professional harm, or harming the honor of the reported person or a third party. Reporting through the Reporting Channel should always be the first step in preserving the organization's reputation and improving its systems for preventing criminal offenses and its Code of Conduct. This does not mean that it cannot subsequently be brought to the attention of the public or the media if the reporting party deems it appropriate.
In any case, the public reporting of internal company matters that lack public relevance or are manifestly unfounded constitutes a breach of the good faith that should govern relationships, mainly with employees, volunteers, and third parties related to the organization, and may lead to disciplinary sanctions and/or relevant legal actions, if applicable.
5. Protection of the Reporting party
Our organization guarantees the confidentiality of the reporting party's identity and compliance with the rules on the Protection of Personal Data.
If the reporting party acts in good faith, it is also guaranteed that there will be no reprisals for having reported irregularities related to aspects of the company's internal regulations or allegedly criminal acts, classified in the Penal Code, nor for participating, if applicable, in the investigation procedure.
In any case, our company reserves the right to disclose the reporting party's identity if they have acted in bad faith (objectively), as well as in case of a judicial requirement or if the recipient is the competent authority provided for in the Organic Law on Data Protection (LOPD).
6. Protection of the Reported Individual
Our organization guarantees that the reported individual will be informed within a maximum period of 30 days upon receipt of the report:
that their personal data is available through this channel, of the facts under investigation and the departments of the group or third parties collaborating in it, and how to exercise their rights of access and rectification, with the legal safeguard of the identity of the reporting party, unless they have acted in bad faith. In case the reporting party has participated in the commission of the reported incident, it is informed that there are mitigating circumstances by confession if it occurs before the discovery of the infringement, as well as, at any time, if an attempt is made to reduce its effects.
After the relevant investigation, if the report is determined to be false, the reporting party has the right to demand that this be recorded, with a record of the same in the corresponding Register.
7. Protection of personal data
Personal data provided on the occasion of a complaint or obtained as a result of the corresponding internal investigation (hereinafter "Personal Data") will be processed solely for the management and control of the Complaints Channel in case of detecting irregularities. The company is considered responsible for said processing, which will contain personal data related to the person or persons reported, as well as the complainant, and others linked to the complaint. All security measures considered appropriate for achieving the confidentiality, integrity, and availability of the information contained therein are applied to this treatment.
In the establishment of the Complaints channel, all the provisions of Article 24 of the Law ·/2018 on the protection of personal data and guarantee of digital rights have been adopted. Access has been limited to those whose function is internal control tasks, adopting measures to preserve the identity and guarantee the confidentiality of the data corresponding to the affected individuals.
The owners of the Personal Data may exercise their rights of access, rectification, erasure, portability, and restriction of processing when applicable, in accordance with the provisions of personal data protection regulations, by sending a written request with a copy of their ID to the attention of the Data Protection Officer of the company. They may also, if their rights are not properly addressed, file a complaint with the Spanish Data Protection Agency.
However, the exercise of such rights shall not proceed in the following cases:
When the reported person exercises their right of access, the identifying data of the complainant will not be communicated to them. When the exercise of these rights is carried out regarding a complaint related to the prevention of money laundering and terrorist financing, in which case the provisions of Article 32 of Law 10/2010 of April 28, on the prevention of money laundering and terrorist financing will apply. Personal Data obtained on the occasion of the complaint will be deleted three months after the end of the internal investigation initiated as a result thereof, except in the case of complaints archived as unfounded, which will be deleted immediately. Cancellation involves blocking Personal Data so that it can only be kept in separate custody, for the prescription period of the responsibilities related to the complaint, for their availability to the authorities.
LOPD Clause:
In compliance with the legal provisions established in Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as in Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights or any future legislation that may be enacted on this matter, we inform you that the personal data that may be included in your complaint will be processed in files for which our company is responsible, with its registered office at Bº Sierrapando, 508 (39300 Torrelavega) and CIF G-39041710, which complies with the security measures legally required and guarantees the confidential treatment of the data collected for the development of the actions.
8. Access to the Complaints Channel
Access to the Complaints Channel is done through the company's website.
Once access is gained to this space, you can choose between making a complaint or an inquiry. In the case of clicking to enter these sections, a document will be opened explaining how the Complaints channel works. The complainant must give their consent to this document before making the corresponding complaint.
The complaint can be made:
Anonymously While it is completely lawful to make the complaint in this way, it must be clarified that if the complainant does not provide their data or is not properly identified, it would hinder the processing and study of the complaint and make it more difficult to protect their rights. This may lead to the complaint not being analyzed.
Identified complainant The complainant provides the requested data in the form displayed on the screen.
Complainant identified with name and surname and ID number or equivalent. As exhaustive an exposition as possible of the facts or arguments supporting the communication/complaint. Individual or group against whom the complaint is directed. Estimated dates of the event. Any annexed document considered relevant regarding the reported event may be included.
Complaints received through other channels will not be accepted, as they involve more external factors and elements to the entity that do not allow the proper maintenance of the confidentiality of all the information received. Therefore, it is recommended that communication be made directly through the Complaints Channel proposed for this purpose.
9. Complaints Channel Operations
Upon receipt of a complaint, acknowledgment will be sent to the complainant through the same channel.
The Compliance Officer, as the recipient of the complaints, knows, processes, and resolves the complaints received, giving them the treatment deemed most appropriate.
Once the complaint is received, the Compliance Officer will open an appropriately coded file for control and monitoring.
The Compliance Officer will proceed with its classification, being able to: Archive the matter for considering that there are no rational indications of non-compliance or criminality, or transfer complaints referring to other issues outside the scope of this to the responsible parties for further action. instruct an investigation file. In this case, part of the investigation of the reported facts or actions may be entrusted to other areas/third parties when deemed appropriate, with full confidentiality safeguarded regarding the complainant. The reasons for the decision on its classification will be substantiated in the file itself.
If necessary, the Risk Prevention Committee will take the necessary measures to prevent the possible harm derived from the reported event from being maintained or increased. The Risk Prevention Committee will ensure that the rights of the complainant, the reported person, and those individuals or entities involved in the complaint are respected. The Risk Prevention Committee will inform the complainant about the measures taken.
10. Investigation of complaints filed
The actions aimed at verifying the reported facts will be carried out by the Risk Prevention Committee, conducting thorough analyses to verify the truthfulness of possible non-compliance.
With the aim of clarifying the facts subject to complaint, only those employees who are strictly necessary will be involved.
If any of the individuals affected by the complaint are members of the Risk Prevention Committee, they must be replaced by another in the investigation tasks directly related to the complaint in question.
Once the investigation file has been instructed, the Risk Prevention Committee will issue a report of conclusions that includes a clear account of the facts, decisions, and recommendations.
If the complaint turns out to be well-founded, the Risk Prevention Committee will define an intervention and action plan, and our organization must adopt the appropriate disciplinary measures and any others deemed necessary for the proper continuity of its activity.
The processing period for a complaint file and the decision to be taken in this regard shall not exceed 60 calendar days from the date of its opening.
In the event of the appreciation of a crime, the company reserves the right to inform the Public Prosecutor's Office and/or the corresponding authorities.
The Risk Prevention Committee will periodically inform the company's Executive Committee about the complaints received and the result of the activities and actions carried out.
11. Evaluation and monitoring of the Complaints Channel
The Risk Prevention Committee will annually assess the operation of the Channel for possible adaptation or improvement.
A set of indicators will be prepared for monitoring the complaints or inquiries submitted, which will be included in the corresponding report of the Risk Prevention Committee. At least the following information will be included:
- Number of complaints received Origin of the complaints
- Type of complaint (according to the offense)
- Number of complaints being investigated, archived, transferred, and instructed.
- Corrective measures adopted.