Procedimiento interno ENG

SCOPE OF APPLICATION

a) This Policy applies to all members of the ENTITY who report, through the procedures provided therein, the following:

Actions or omissions that may constitute serious or very serious criminal or administrative offenses. In any case, it shall be understood to include all those serious or very serious criminal or administrative offenses that involve financial loss to the Public Treasury and Social Security. Conducts that may imply, by action or omission and on the part of a member of the ENTITY, acts that have a effective involvement in the professional relationship with the ENTITY of the person to whom the communication refers, related to the commission in a work or professional context of any act contrary to the rules of conduct of the ENTITY’s Code of Ethics or other provisions of the internal regulatory system. Any actions or omissions that may constitute infringements of European Union law.

Members of the ENTITY are considered to be those who are currently employed and collaborators of the entity.

b) This Policy also applies to informants who, not being members of the ENTITY, have obtained information about any of the actions or omissions referred to in the previous section in a work or professional context, including in any case:

Any person working for or under the supervision and direction of the ENTITY, its contractors, subcontractors, and suppliers. Persons who have been former members of the ENTITY, having already terminated their employment or statutory relationship with the entity. Volunteers and interns, regardless of whether they receive remuneration or not. Persons whose employment relationship has not yet begun, in cases where information about infringements has been obtained during the selection process or pre-contractual negotiation.

INTERNAL INFORMATION SYSTEM

The Internal Information System referred to in this Policy is the preferred channel for reporting actions or omissions provided for in Law 2/2023.

The Internal Information System mainly consists of the communication channel enabled for receiving the communications provided for in the scope of application of this Policy, the System Manager, and the management procedure that must be followed for the processing of said communications.

CREATION OF THE INTERNAL INFORMATION CHANNEL

The Internal Information System includes the Whistleblower Channel, which is the preferred channel for reporting the conduct provided for in section 3 of this Policy.

The aforementioned Internal Information Channel allows:

Making communications in writing or verbally, or both, under the conditions provided in Law 2/2023. When making the communication, the informant may indicate an address, email, or secure location for receiving notifications. The submission and subsequent processing of anonymous communications. Informing those who make the communication through it, in a clear and accessible manner, about the external channels of information before the competent authorities and institutions. The receipt of any other communications or information not included in the scope established in section 3 of this Policy, although such communications and their senders will be outside the scope of application and protection provided by it. Appropriate measures will be taken to ensure the confidentiality of communications that are sent through channels other than those established or to staff members not responsible for their processing (who must immediately forward it to the Internal Information System Manager).

THE RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM

The persons responsible for the system will be a collegiate body or person, internally or externally, with the characteristics provided for in Article 8 of Law 2/2023. The appointments of the members of the collegiate body Responsible for the System will be communicated to the Independent Authority for the Protection of Whistleblowers, in accordance with the provisions of Article 8.3 of Law 2/2023, within ten days from their appointment. Their dismissals, resignations, and the reasons justifying them will also be notified, eventually, within the same period. In the exercise of their functions, the persons responsible for the system will not receive instructions from any superior, will not be subject to hierarchy within the collegiate body, nor can they be removed from their positions for reasons related to their legitimate participation in the internal information system.

PROTECTION OF PERSONAL DATA

The processing of personal data resulting from the application of Law 2/2023 will be governed by the provisions of the GDPR, and in Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDPGDD), in compliance with what, for such purposes, is determined in Law 2/2023.

The Internal Information System must prevent unauthorized access, preserve the identity, and ensure the confidentiality of the data corresponding to the affected persons and any third party mentioned in the information provided, with special attention to the identity of the informant if identified.

The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor’s Office, or the competent administrative authority within the framework of a criminal, disciplinary, or sanctioning investigation, and these cases will be subject to the safeguards established in the applicable regulations.

If the received information contains special categories of personal data, subject to special protection, their immediate deletion will proceed, unless the processing is necessary for reasons of an essential public interest in accordance with Article 9(2)(g) of the GDPR, as provided for in Article 30(5) of Law 2/2023.

In any case, personal data whose relevance is not evident for processing specific information will not be collected, or if collected accidentally, they will be promptly deleted.

Communications that have not been processed will only be recorded in an anonymized form, without the obligation of blocking provided for in Article 32 of the LOPDPGDD being applicable.

PROTECTION MEASURES FOR INFORMANTS

Individuals who report violations shall be entitled to the protection measures established in Law 2/2023, provided the following circumstances concur:

They have reasonable grounds to believe that the information disclosed is truthful at the time of communication or disclosure, even if conclusive evidence is not provided, and that said information falls within the scope of this policy. The communication or disclosure has been made in accordance with the requirements established in this policy and Law 2/2023. Those persons who report or disclose the following are expressly excluded from the protection provided for in Law 2/2023:

Information contained in communications that have been rejected by any internal information channel or for any of the following reasons:

• When the reported facts lack all credibility.
• When the reported facts do not constitute a violation of the legal framework included in the scope of this policy.
• When the communication is manifestly unfounded or there are rational indications that it has been obtained by committing a crime.
• When the communication does not contain new and significant information about violations compared to a previous communication for which the corresponding procedures have concluded, unless new factual or legal circumstances justify a different follow-up.
• When the communication does not contain new and significant information about violations compared to a previous communication for which the corresponding procedures have concluded, unless new factual or legal circumstances justify a different follow-up. Information that is already fully available to the public or that constitutes mere rumors.

Information relating to actions or omissions not covered by the scope of this policy.

PROTECTION MEASURES FOR AFFECTED PERSONS

During the processing of the case, persons affected by the communication shall have the right to the presumption of innocence, the right to defense, and the right to access the case file under the terms provided in Law 2/2023, as well as the same protection established for informants, preserving their identity and ensuring the confidentiality of the facts and data of the procedure.

APPROVAL, ENTRY INTO FORCE, AND DISSEMINATION

This Policy shall be effective from the moment of its approval by the Management of the ENTITY, proceeding to its publication on the entity’s corporate websites.

This Policy shall be reviewed and updated whenever it is necessary to make any modifications.

OBJECTIVE

The procedure for managing the Internal Information System aims to regulate those acts and procedures carried out by the ENTITY as a result of the presentation of information referred to in Law 2/2023, of February 20, regulating the protection of persons who report legal infringements and fight against corruption (hereinafter, Law 2/2023).

REGULATIONS AND REFERENCE LEGISLATION

Law 2/2023, of February 20, regulating the protection of persons who report legal infringements and fight against corruption, by transposing Directive 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons who report infringements of Union law. Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation or GDPR). Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights (LOPD GDD). SCOPE OF APPLICATION

This regulation applies to the entire scope of action of the ENTITY, and its contents derive from the general guidelines defined in the Information Security Policy of the entity.

It shall be mandatory for all personnel who, permanently or occasionally, provide their services to the ENTITY, including personnel from external providers when they are users of the ENTITY’s Information Systems.

DEFINITIONS

For the purposes of this regulation, the following terms shall have the following meanings:

Informant: a natural or legal person who has obtained information about infringements in a work or professional context and who reports them to the ENTITY, including in all cases those provided for in Article 3, paragraphs 1 and 2 of Law 2/2023. Affected person: a natural person to whom the informant attributes the commission of the infringements referred to in Article 2 of Law 2/2023. Persons affected shall also include those who, without having been the subject of information by the informant, through the acts of instruction of the procedure, have become aware of the alleged commission of such infringements. Third parties: natural persons who may have knowledge of aspects related to the reported infringement, whether as direct or indirect witnesses, and who may provide information to the procedure. Internal Information System: the information channel established in the ENTITY to report on actions or omissions provided for in Article 2 of Law 2/2023, with the functions and contents set forth in Article 5.2 of said regulation. It includes the Internal Information Channel and the Information Management System. Internal Information Channel: the channel specifically enabled by the ENTITY to receive information related to the subject matter of this procedure, under the administration of the person responsible for the ENTITY’s Internal Information System. Information Management System: a technological platform integrated into the Internal Information System, whose purpose is the management, registration, and conservation of actions that take place as a result of the presentation of information to which Law 2/2023 applies.

RIGHTS AND GUARANTEES OF INFORMANTS

Informants shall be guaranteed the effective exercise of the following rights, without prejudice to any others recognized to them by the Constitution and the laws:

• To submit information anonymously and to maintain anonymity during the procedure.
• To make the communication verbally or in writing. In the case of verbal communication, the informant shall be offered the opportunity to verify, rectify, and accept by signing the transcription of the message.
• To provide an address, email, or secure location to receive communications from the person responsible for the system.
• To appear before the person responsible for the system or the delegated manager on their own initiative.
• To waive communication with the person responsible for the system or the delegated manager conducting the procedure, and, if applicable, to revoke such waiver at any time.
• To preserve their identity. The identity of the informant shall not be disclosed without their express consent to any person who is not competent to receive and manage reports, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by authorities or in the course of judicial proceedings.
• To the protection of their personal data.
• To know the identity of the delegated manager conducting the procedure.
• To the confidentiality of communications.
• To protection and support measures as provided in Law 2/2023.
• To file a complaint with the Independent Authority for the Protection of Whistleblowers. Not to be subject to reprisals, even if the outcome of the investigations verifies that there has been no breach of applicable regulations or the ENTITY’s Code of Ethics, provided that they have not acted in bad faith.

OBLIGATIONS OF INFORMANTS

Individuals providing information through the Internal Information Channel shall be subject to the following obligations:

To have reasonable or sufficient indications regarding the accuracy of the information they provide, and not to make generic, bad-faith, or abusive communications, as doing so may incur civil, criminal, or administrative liability. To describe the facts or behaviors they report in as much detail as possible, providing all available documentation on the described situation or objective evidence to obtain proof. To refrain from making communications for a purpose other than that intended by the Channel or that violate the fundamental rights to honor, image, and personal and family privacy of third parties, or that are contrary to human dignity.

RIGHTS OF THIRD PARTIES

Persons considered as third parties in the procedure shall be entitled to the following rights, without prejudice to the possibility of extending to them, as far as possible, the support and protection measures for informants provided for in Law 2/2023.

To provide an address, email, or secure location to receive communications from the person responsible for the System. To appear before the person responsible for the System or the delegated manager on their own initiative. To preserve their identity. The identity of the third party shall not be disclosed without their express consent to any person who is not competent to receive and manage reports, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by authorities or in the course of judicial proceedings. To the protection of their personal data. To the confidentiality of communications. To not be subject to reprisals.

RIGHTS OF AFFECTED PERSONS

Affected persons shall have the rights recognized by the Constitution and the laws, for which compliance the person responsible for the System shall be responsible. In particular, they shall have the following rights:

• To be informed, as soon as possible, of the information affecting them.
• To honor and privacy.
• To the presumption of innocence and to use all valid means in law for their defense.
• To be assisted by a lawyer.
• To access the proceedings against them, without prejudice to the temporary limitations that may be adopted to ensure the outcome of the proceedings.
• To know the identity of the delegated manager conducting the procedure.
• To preserve their identity, against anyone outside the person responsible for the System.
• To the protection of their personal data.
• To the confidentiality of communications.
•  

THE RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM

The Responsible for the System is the person or collegiate body referred to in Article 8 of Law 2/2023, who shall be appointed by the Management. The Responsible for the System, in the exercise of their competences, cannot receive instructions from any other area of the ENTITY, nor can they be removed from their positions for reasons related to their participation in the Internal Information System. Likewise, they are independent in the exercise of their functions and are not subject to hierarchy within said collegiate body.

ACCESS TO PERSONAL DATA IN THE INTERNAL INFORMATION SYSTEM

Access to personal data in the Internal Information System by ENTITY personnel shall be limited, within the scope of their competences and functions, and regardless of the professional responsibilities of the individuals who ultimately form part of the collegiate body Responsible for the System, to:

• The Responsible for the System or their delegate. The personnel management officer, when disciplinary measures may be taken against an ENTITY worker. The legal department head, if legal measures are to be taken in relation to the facts reported in the communication. The data processors that may be designated. The Data Protection Officer of the ENTITY.
• The processing of data by other individuals, or even their communication to third parties, shall be lawful when necessary for the adoption of corrective measures in the ENTITY or the processing of sanctioning or criminal procedures, if applicable.

PROCEDURE DEADLINES

• The deadline for resolving the investigative actions resulting from the information management procedure cannot exceed 3 months, except in cases of special complexity, in which case the Responsible for the System may, for reasons given, extend the deadline for an additional three months. 
• The calculation of the deadline referred to in the preceding paragraph starts from the receipt of the communication by the Responsible for the System or, if no acknowledgment of receipt is sent to the informant, from the expiration of the seven-day period after the communication is received. 
• The deadlines expressed in months shall be computed from date to date. The deadlines in days referred to in this regulation shall be considered business days, unless expressly stated otherwise. Saturdays, Sundays, and declared holidays shall be excluded from the calculation of business days.

PERSONAL DATA PROTECTION

• The processing of personal data arising from the processing of this information management procedure shall be carried out in accordance with the provisions of Title VI of Law 2/2023.
•  
• The internal information system must prevent unauthorized access and preserve the identity and ensure the confidentiality of the data concerning the affected persons and any third party mentioned in the provided information, especially the identity of the informant in case it has been identified.
• The identity of informants may only be disclosed to the judicial authority, the Public Prosecutor’s Office, or the competent administrative authority within the framework of a criminal, disciplinary, or sanctioning investigation, and these cases shall be subject to the safeguards established in the applicable regulations.
• If the received information contains special categories of data, their immediate deletion shall be carried out, unless the processing is necessary for reasons of essential public interest as provided for in Article 9(2)(g) of the General Data Protection Regulation, as stated in Article 30(5) of Law 2/2023.
• Personal data that is not relevant for processing specific information shall not be collected, or if collected accidentally, it shall be promptly deleted.
• In any case, if 3 months have elapsed since the receipt of the communication without any investigative actions being initiated, its deletion shall be carried out, unless the purpose of retention is to provide evidence of the system’s operation.
• Communications that have not been processed shall only be anonymized, and the obligation to block provided for in Article 32 of Organic Law 3/2018, of December 5, on Data Protection and Digital Rights Guarantee, shall not apply.
•  

PROCEDURE Phase of receiving information

Information regarding the commission of offenses referred to in Article 2.1 of Law 2/2023, as well as any other derived from the processing of this procedure, shall be communicated in writing or verbally through the electronic means established for this purpose in the internal information channel enabled on the website of THE ENTITY.

At the request of the informant, it may also be presented through a face-to-face meeting within a maximum period of seven days.

Verbal communications, including those made through face-to-face meetings, telephone calls, or voice messaging systems, must be documented in one of the following ways, with the prior consent of the informant:

• Through a recording of the conversation in a secure, durable, and accessible format, or
• Through a complete and accurate transcription of the conversation conducted by the personnel responsible for handling it.

Without prejudice to the rights conferred by data protection regulations, the informant shall be offered the opportunity to verify, rectify, and accept the transcription of the conversation by signing it.

In any case, the communication must contain at least the following information:

• Identification of the informant, unless the informant chooses to provide the information anonymously.
• Description of the facts and, if applicable, determination of the affected rule.
• Identification of the affected person or persons.
• Identification, if applicable, of third parties who may provide relevant information.
• If the right to refuse to communicate with the Responsible Party is exercised, the informant may indicate a domicile, email address, or secure location for receiving communications.

Upon receipt of the communication, within seven natural days following its receipt, an acknowledgment of receipt shall be sent, and justification shall be communicated to the informant, unless no contact information has been provided or the right to refuse to communicate with the Responsible Party or the delegated manager instructing the procedure has been exercised.

Admission Phase

Once the communication has been registered, the Responsible Party shall verify whether it exposes facts or behaviors that fall within the subjective scope of application provided for in Article 3 of Law 2/2023, and within ten business days from the date of entry of the information in the registry, it may:

• Reject the communication in any of the following cases:

  • When the reported facts lack all credibility.
  • When the reported facts do not constitute an infringement of the legal system within the scope of application of Law 2/2023.
  • When the communication lacks foundation or there are reasonable indications that it has been obtained through the commission of a crime. In the latter case, in addition to rejection, a detailed report of the facts deemed to constitute a crime shall be sent to the Public Prosecutor’s Office.
  • When the communication does not contain new and significant information about infringements compared to a previous communication for which the corresponding procedures have concluded, unless new circumstances justify a different follow-up.

  Rejection shall be communicated to the informant within the following five business days, unless the communication was anonymous or the informant has renounced receiving communications.

• Admit the communication for processing. Admission for processing shall be communicated to the informant within the following five business days, unless the communication was anonymous or the informant has renounced receiving communications.

• Immediately forward the information to the Public Prosecutor’s Office when the facts may be indicatively constitutive of a crime or to the European Public Prosecutor’s Office in the event that the facts affect the financial interests of the European Union.

• Forward the communication to the authority, entity, or organization deemed competent for processing.

• 
  

Instruction Phase

The instruction shall include all actions aimed at verifying the credibility of the reported facts.

The delegated manager appointed by the Responsible Party shall be considered the instructor of the procedure.

Within a maximum period of 15 days from the admission decision, the affected person shall be informed of the existence of the actions and the reported facts succinctly, unless such communication may facilitate the concealment, destruction, and alteration of evidence, in which case, the delegated manager, for justified reasons, may modify said period until such circumstances disappear.

In no case shall the identities of the informants be communicated to the affected parties or shall access to the communication be granted.

To ensure the defense rights of the affected person, the affected person shall have access to the file without revealing information that could identify the informant, may be heard at any time, and shall be informed of the possibility of appearing assisted by a lawyer.

The affected person has the obligation to maintain the confidentiality of the information to which they have access as a result of accessing the file, and any action aimed at identifying the informant or third parties is prohibited, without prejudice to the obligations arising from compliance with data protection regulations.

Closing Phase

Once the actions have been completed, the Responsible Party shall issue a report to be transferred to the Managing Director of THE ENTITY, which shall include at least:

• An exposition of the reported facts together with the file number, the date of registration, and the admission agreement date.
• The actions taken to verify the credibility of the reported facts, which shall include, at least and succinctly, the allegations made by the affected person, including the interview if applicable, the documentation provided by the affected person or obtained by the Responsible Party through third parties, and any other information on which the adopted decision is based.
• The conclusions reached in the instruction and the assessment of the measures and evidence supporting them.
• The decisions made.

Likewise, the report shall be notified to the informant, to the extent that they are identified and have not exercised the right to refuse to communicate with the Responsible Party, and to the affected person.

The deadline for completing the actions and responding to the informant, if applicable, shall not exceed three months from the registration in the information management system, without prejudice to the extension of the deadline provided for in Article 9 of Law 2/2023.