Informant Channel

ELISA RIVERA, SLU

Access to the channel

Internal policy of the whistleblower channel

I. INTRODUCTION, PURPOSE AND APPLICATION

Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption (hereinafter, Law 2/2023) transposes into Spanish law Directive 2019/1937 of the European Parliament and of the Council, of October 23, 2019, on the protection of persons who report violations of Union law.

This policy applies to ELISA RIVERA, SLU with CIF B44845527 and registered office at AVENIDA DE MADRID, 13 LOCAL, 28750, SAN AGUSTIN DEL GUADALIX, Madrid; and aims to establish an internal channel for reporting possible regulatory violations, violations of internal and/or ethical policies and to establish a protection regime for whistleblowers, in compliance with Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption.

Law 2/2023 explains and clarifies in its preamble, Part III, that its purpose is to protect, against possible retaliation, people who, in a work or professional context, detect serious or very serious criminal or administrative violations and report them through the mechanisms regulated in this policy.

This Channel, therefore, is a mechanism that allows the company's employees and other interested parties to report any type of illegal conduct or conduct contrary to our values ​​and ethical principles, without fear of retaliation, strengthening the culture of information, the integrity infrastructures of organizations and the promotion of the culture of information or communication as a mechanism to prevent and detect threats to the public interest. In this way, we seek to promote a culture of transparency, integrity and responsibility in our organization, while protecting those employees who decide to make a report in good faith.

II. INFORMANT CHANNEL

The entity has created a whistleblower channel (hereinafter, the CII) as a preferred channel for receiving information on actions or omissions that may constitute a serious or very serious criminal or administrative offence, and other actions provided for in article 2 of Law 2/2023.

The channel is under the administration of the Internal System Manager of the Channel (hereinafter, the RSII). Access to this channel will be limited, within the scope of its powers and functions, to:

  1. The Person in Charge of the Internal System of the Channel.
  2. To the administrator(s) delegated by the system administrator.
  3. To the managers designated to process certain complaints according to the area to which they correspond.

The functions of these bodies, as appropriate, will be:

  • Reception, registration and management of complaints received through the whistleblower channel.
  • Designation of the person or team in charge of investigating the complaints received.
  • Ensuring the protection of whistleblowers and the confidentiality of complaints received.
  • Evaluation of the veracity and credibility of the complaints received.
  • Making decisions on appropriate measures based on the results of the investigation.
  • Periodic monitoring and review of the complaint management process and the company's internal policy.
  • Preparation of reports and recommendations for senior management on complaints received and measures taken.

The CII must technically guarantee the confidentiality or, eventually, the anonymity of the informant, to protect him against any leak and subsequent retaliation to which he may be subjected.

  • Link to the whistleblower's channel:

https://compliance.legalsending.com/canal/?C=48603319019030121

  • QR Code:

qr-channel-informant

  • Send an email to the following address:

info@eduardorivera.es

  • Postal mail addressed to AVENIDA DE MADRID, 13 LOCAL, 28750, SAN AGUSTIN DEL GUADALIX, Madrid, a/a RSII: Elisa Rivera Moinelo

III. SUBJECTIVE SCOPE - INFORMING SUBJECTS

Those persons who have an employment or professional relationship with the AEPD may use the internal information channel and benefit from the protection granted by Law 2/2023 as informants, in order to communicate information about the actions or omissions described in article 2 of Law 2/2023. This employment or professional relationship, which entails dependence on the AEPD, is what makes special protection against possible reprisals necessary and appropriate.

In any case, the following are considered informants for this AEPD, for the purposes of Law 2/2023:

  • People who have the status of employees or self-employed workers.
  • Self-employed collaborators (freelance).
  • Shareholders, participants and persons belonging to the administrative, management or supervisory body of the company, including non-executive members.
  • Any person who works for or under the supervision and direction of contractors, subcontractors and suppliers.
  • Informants who communicate or publicly reveal information about infringements obtained within the framework of an employment or statutory relationship that has already ended, volunteers, interns, workers in training periods regardless of whether they receive remuneration or not, as well as those whose employment relationship has not yet begun, in cases where the information about infringements has been obtained during the selection process or pre-contractual negotiation.

It is important to note that reports made through the whistleblower channel must be in good faith, that is, they must be supported by evidence and concrete facts.

IV. OBJECTIVE SCOPE - REPORTABLE FACTS

As regards the purpose of the information, it follows from Law 2/2023 that the internal information channel may be used to report serious misconduct or alleged corruption, which may constitute serious or very serious criminal or administrative offences related to the activities of the entity, which the informant has observed or about which he or she has received information in the course of his or her work or professional relationship.

Law 2/2023 itself and Directive (EU) 2019/1937 list as such, the information that refers to:

  1. 1. Infringements falling within the scope of the acts of the European Union listed in the Annex to the aforementioned Directive relating to the following areas:
    1. public procurement,
    2. financial services, products and markets, and prevention of money laundering and terrorist financing,
    3. product safety and compliance,
    4. transport safety,
    5. environmental protection,
    6. radiation protection and nuclear safety,
    7. food and feed safety, animal health and animal welfare,
    8. public health,
    9. consumer protection,
    10. protection of privacy and personal data, and security of networks and information systems
  2. That affect the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU).
  3. That have an impact on the internal market, as referred to in Article 26, paragraph 2 of the TFEU, including infringements of European Union competition rules and aid granted by States, as well as infringements relating to the internal market in relation to acts that infringe corporate tax rules or practices whose purpose is to obtain a tax advantage that distorts the object or purpose of the legislation applicable to corporate tax.
  4. Actions or omissions that may constitute a serious or very serious criminal or administrative offence. In any case, all serious or very serious criminal or administrative offences that imply financial losses for the Treasury and for Social Security will be understood to be included.
  5. Breaches of labour law in matters of health and safety at work reported by workers, without prejudice to the provisions of their specific regulations.

The reporting person must provide, at a minimum, a reference to the subjective scope of the infringement (subject matter or regulation infringed: European Union law; criminal infringement; or administrative infringement); and a description of the facts to be reported (relevant information on what happened), as detailed as possible, attaching any documentation available, if applicable.

You may also provide your first and last name and a contact telephone number if you do not choose to make this communication anonymously.

If you know the identity of the person responsible for the reported irregularity, or have brought these facts to the attention of another body or entity through an external channel, you may also provide this information.

V. COMPLAINT PROCEDURE

The information may be communicated to the entity anonymously. Otherwise, the identity of the informant will be kept confidential and will be limited to the knowledge of the RSII, managing directors or appointed managers. These members will carry out their functions independently and autonomously with respect to the rest of the bodies of the entity or organization and may not receive instructions of any kind in their exercise, having all the personal and material means necessary to carry them out.

The Company undertakes to investigate all reports of potential violations or non-compliance received through the reporting channel. All reports will be investigated impartially and confidentially and appropriate action will be taken based on the results of the investigation aimed at the protection of the whistleblower.

The information or complaint will be communicated through the internal information channel using the specific electronic application for this purpose, identified and accessible from the website: _____________________________

At the request of the informant, the complaint may also be submitted through a face-to-face meeting that will take place within a maximum period of seven days. Where appropriate, the informant will be warned that the communication will be recorded and will be informed of the processing of his/her data in accordance with the provisions of the RGPD and the LOPDPGDD. When submitting the information, the informant must indicate an address, email address, or safe place for the purposes of receiving notifications, unless he/she expressly waives the receipt of any communication of actions carried out by the RSII as a result of the information.

Once the information has been submitted, it will be registered in the information management system by assigning an identification code, which will be contained in a secure database with restricted access exclusively to RSII personnel, duly authorized, in which all communications received will be recorded with the following data:

  1. Date of receipt.
  2. Identification code.
  3. Actions carried out.
  4. Measures taken.
  5. Closing date.

Once the information has been received, within a period of no more than 7 calendar days from said receipt, the informant will be acknowledged, unless he or she has expressly renounced receiving communications related to the investigation. These complaints will be handled within a maximum period of 3 months, except in cases of special complexity that require an extension of the period, in which case, this may be extended up to a maximum of another 3 additional months.

Once the information has been recorded, the RSII and its team will proceed to analyze the admissibility in accordance with the material and personal scope provided for in articles 2 and 3 of Law 2/2023.

The company undertakes to inform the whistleblower of the status of the investigation and the measures taken, whenever possible and without compromising the confidentiality and protection of the whistleblower, and may request additional information on the facts reported through the channel.

Furthermore, the company undertakes to monitor all complaints received and the measures taken to ensure the effectiveness of this policy and to continuously improve the process.

Any information that could indicate a criminal offence shall be forwarded to the Public Prosecutor's Office immediately. If the facts affect the financial interests of the European Union, it shall be forwarded to the European Public Prosecutor's Office.

VI. PROTECTION OF INFORMANTS

The company is committed to protecting people who report violations or non-compliance, in accordance with Law 2/2023.

A. Acts constituting retaliation.

Acts of reprisal, including threats of reprisal or attempts at reprisal, against persons who submit a communication pursuant to the law are expressly prohibited.

Reprisal is understood to be any act or omission that is prohibited by law, or that, directly or indirectly, involves unfavorable treatment that places the person who suffers it at a particular disadvantage compared to another in the work or professional context, solely because of their status as informants, or for having made a public revelation.

For the purposes of the provisions of Law 2/2023, and by way of example, reprisals are considered to be those taken in the form of:

  1. Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including non-renewal or early termination of a temporary employment contract after the trial period has passed, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotions and any other substantial modification of working conditions and non-conversion of a temporary employment contract into an open-ended one, if the employee had legitimate expectations that he or she would be offered an open-ended job; unless these measures were carried out within the regular exercise of management power under the relevant labour legislation or legislation regulating the public employee statute, due to proven circumstances, facts or infringements, and unrelated to the submission of the communication.
  2. Damage, including reputational damage or financial loss, coercion, intimidation, harassment or ostracism.
  3. Negative evaluation or references regarding work or professional performance.
  4. Inclusion on blacklists or dissemination of information in a particular sector, which hinders or prevents access to employment or the contracting of works or services.
  5. Denial or cancellation of a license or permit.
  6. Denial of training.
  7. Discrimination, or unfavorable or unfair treatment.

Any person whose rights have been violated as a result of the communication or disclosure of the data after the two-year period has elapsed may request protection from the competent authority, which may, exceptionally and in a justified manner, extend the period of protection, after hearing the persons or bodies that may be affected. Any refusal to extend the period of protection must be reasoned.

Administrative acts that aim to prevent or hinder the submission of communications and disclosures, as well as those that constitute retaliation or cause discrimination after the submission of those communications and disclosures under this law, shall be null and void and shall give rise, where appropriate, to disciplinary or liability corrective measures, which may include the corresponding compensation for damages to the injured party.

B. Measures to protect whistleblowers from retaliation

Persons who communicate information about the actions or omissions set out in Section FOUR, or who make a public disclosure in accordance with Law 2/2023, shall not be deemed to have infringed any restriction on disclosure of information and shall not incur any liability of any kind in relation to such communication or public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure of such information was necessary to reveal an action or omission under said law, all without prejudice to the provisions of the specific protection rules applicable in the workplace. This measure shall not affect criminal liabilities.

The provisions of the preceding paragraph extend to the communication of information made by workers' representatives, even if they are subject to legal obligations of confidentiality or of not revealing confidential information. All of this without prejudice, equally, to the specific protection rules applicable in the workplace.

The whistleblower protection measures shall also apply, where appropriate, to:

  1. natural persons who assist the informant in the process;
  2. natural persons who are related to the informant and who may suffer retaliation, such as co-workers or family members of the informant;
  3. legal entities, for which you work or with which you maintain any other type of relationship in a work context or in which you hold a significant stake.

For these purposes, participation in the capital or in the voting rights corresponding to shares or interests is understood to be significant when, due to its proportion, it allows the person who owns it to have the capacity to influence the legal entity in which it is held.

Informants shall not incur liability for the acquisition of or access to information that is communicated or disclosed publicly, provided that such acquisition or access does not constitute a crime.

Any other potential liability of whistleblowers arising from acts or omissions that are not related to communication or public disclosure, or that are not necessary to disclose an infringement under Law 2/2023, will be enforceable in accordance with applicable regulations.

In proceedings before a court or other authority concerning harm suffered by whistleblowers, once the whistleblower has reasonably demonstrated that he or she has communicated or made a public disclosure in accordance with Law 2/2023 and that he or she has suffered harm, it shall be presumed that the harm occurred in retaliation for reporting or making a public disclosure. In such cases, it shall be for the person who took the harmful measure to prove that that measure was based on duly justified reasons unrelated to the communication or public disclosure.

In legal proceedings, including those relating to defamation, infringement of copyright, breach of confidentiality, infringement of data protection rules, disclosure of trade secrets, or claims for compensation based on labour or statutory law, informants shall not incur any liability of any kind as a result of communications or public disclosures protected by Law 2/2023. Such persons shall have the right to claim in their defence and within the framework of the aforementioned legal proceedings, that they have communicated or made a public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure was necessary to reveal an infringement under Law 2/2023.

Those persons who communicate or reveal the following are expressly excluded from the protection provided for by law:

  1. Information contained in communications that has been rejected by any internal information channel or for any of the reasons provided for by law.
  2. Information related to claims regarding interpersonal conflicts or that affects only the informant and the persons to whom the communication or disclosure refers.
  3. Information that is already fully available to the public or that constitutes mere rumors.
  4. Information relating to actions or omissions not covered by the law.
C. Measures for the protection of affected persons

During the processing of the file, the persons affected by the communication will have the right to the presumption of innocence, the right of defense and the right of access to the file under the terms provided for in Law 2/2023, as well as the same protection established for informants, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

The Independent Authority for the Protection of Informants, AAI, may, within the framework of the sanctioning procedures it conducts, adopt provisional measures in accordance with the terms established in article 56 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.

D. Assumptions of exemption and mitigation of the sanction

When a person who participated in the commission of the administrative infringement that is the subject of the information is the one who reports its existence by submitting the information and provided that it was submitted before the initiation of the investigation or sanctioning procedure was notified, the body competent to resolve the procedure, by means of a reasoned resolution, may exempt him from compliance with the administrative sanction that corresponds to him provided that the following aspects are proven in the file:

  1. Having ceased to commit the infringement at the time of submission of the communication or disclosure and having identified, where applicable, the rest of the persons who participated in or favoured it.
  2. Having cooperated fully, continuously and diligently throughout the entire investigation process.
  3. Having provided truthful and relevant information, evidence or significant data for the accreditation of the facts investigated, without having proceeded to destroy them or conceal them, nor having revealed their content to third parties, directly or indirectly.
  4. Having proceeded to repair any damage caused that is attributable to him/her.

Where these requirements are not fully met, including partial reparation of the damage, it will be up to the competent authority, after assessing the degree of contribution to the resolution of the case, to mitigate the sanction that would have corresponded to the infringement committed, provided that the informant or author of the disclosure has not been previously sanctioned for acts of the same nature that gave rise to the initiation of the procedure.

The mitigation of the sanction may be extended to the rest of the participants in the commission of the infringement, depending on the degree of active collaboration in the clarification of the facts, identification of other participants and repair or reduction of the damage caused, as assessed by the body in charge of the resolution.

Law 2/2023 excludes from the provisions of this section the infringements established in Law 15/2007, of July 3, on Defense of Competition.

VII. CONFIDENTIALITY AND DATA PROTECTION

The processing of personal data will be carried out in compliance with Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption, Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights and Organic Law 7/2021, of May 26, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal penalties.

The personal data being processed, the documents provided and any other information provided in the complaint containing personal information will be treated confidentially by those responsible for the channel, as well as by the administrators and possible managers, in order to comply with the obligation to investigate and manage the complaint filed as well as to comply with the legal obligations established in Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption.

The internal information system must prevent unauthorized access and preserve the identity and guarantee the confidentiality of the data corresponding to the affected persons and any third party mentioned in the information provided, especially the identity of the informant if he or she has been identified. The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation, and these cases will be subject to safeguards established in the applicable regulations.

If the information received contains special categories of personal data, subject to special protection, it will be immediately deleted, unless the processing is necessary for reasons of essential public interest as provided for in article 9.2.g) of the GDPR, as provided for in article 30.5 of Law 2/2023.

In any case, personal data whose relevance is not manifestly clear for the processing of specific information will not be collected or, if collected by accident, will be deleted without undue delay.

Communications that have not been processed may only be recorded in an anonymous form, without the blocking obligation provided for in article 32 of the LOPDPGDD being applicable.

Access to personal data contained in the internal information system will be limited to:

  1. The Person in Charge of the Internal System of the Channel.
  2. To the administrator(s) delegated by the system administrator.
  3. To the managers designated to process certain complaints according to the area to which they correspond.
  4. The data may be disclosed to the Legal Department, Lawyers, Judicial Bodies and State Security Forces and Corps in the event that any of the information received could be considered a crime or legal infringement of any kind.

Legal basis for processing: The processing of personal data, in cases of internal communication, shall be deemed lawful pursuant to the provisions of Articles 6.1.c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, 8 of Organic Law 3/2018 of 5 December, and 11 of Organic Law 7/2021 of 26 May, when, in accordance with the provisions of Articles 10 and 13 of the Law, it is mandatory to have an internal information system. If it is not mandatory, the processing shall be presumed to be covered by Article 6.1.e) of the aforementioned regulation. The processing of personal data in the case of external communication channels shall be deemed lawful pursuant to the provisions of Articles 6.1.c) of Regulation (EU) 2016/679, 8 of Organic Law 3/2018, of December 5, and 11 of Organic Law 7/2021, of May 26.

Rights of the interested party: access, rectification, deletion, limitation, portability and opposition, free of charge by email to: marketing@eduardorivera.es in the legally provided cases.

Conservation: The data will be kept for the legal period established for the processing of the file and for the time necessary for the exercise of legal actions or if it is necessary to leave evidence of the management of the channel. The interested party also has the right to file a claim with the AEPD at www.aepd.es to request the protection of their rights.

VIII. COMMUNICATION AND REVIEW OF POLICIES AND PROCEDURES

The company will conduct regular training and awareness-raising campaigns to foster a culture of integrity and transparency, and to inform employees and other stakeholders about the whistleblowing channel. It will also provide information on the rights and protections offered to whistleblowers under Law 2/2023.

The company undertakes to disseminate this policy to all employees and interested parties, and will update, at least every three years, and, where appropriate, modify this internal channel policy, taking into account the experience acquired and the recommendations of the Competent Authority.

In SAN AGUSTIN DEL GUADALIX on February 1, 2024