Internal information procedure

INTERNAL INFORMATION SYSTEM POLICY AND PROCEDURE

The approval of Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption, (hereinafter "Law 2/2023"), obliges both the public sector and the private sector to have internal information channels designed and implemented to protect people who detect potential infractions in a work or professional context. Specifically, as expressed in art. 13 of Law 2/2023, all entities that make up the public sector will be required to have an internal information system, including among them public sector foundations, as expressed in section 1 letter f).

THE ENTITY, through this Policy, undertakes to adopt the necessary measures to prevent any type of retaliation, including threats of retaliation and attempted retaliation against people who submit a communication, as a means to safeguard and protect people. who communicate in good faith information about acts or omissions that contravene the aforementioned law, the Code of Ethics and Conduct of THE ENTITY or the internal regulations and procedures of this institution.

GENERAL PRINCIPLES

The objective of this Policy is to establish the Principles that govern the actions of THE ENTITY in the implementation of the Internal Information System and protection of the informant, in accordance with the provisions of Law 2/2023.

  1. We guarantee accessibility to the Internal Information System and protection of the informant: the Internal Information System must allow the communication, whether in writing, verbally or in person, of information on regulatory infractions and the fight against corruption to all people included in its scope. of application.
  2. We guarantee, through the independent action of the System Controller, the completeness, integrity and confidentiality of the information, the prohibition of unauthorized access, the lasting storage of information and respect for good faith. The Internal Information System will be managed by the person responsible with total independence and autonomy with respect to the rest of the areas of THE ENTITY.
  3. We guarantee the confidentiality of the identity of the reporting person and of any person mentioned in the communication, as well as the actions carried out in the management and processing of the same. The internal information channel will even allow the presentation and subsequent processing of anonymous communications.
  4. We guarantee the protection of the personal data of the affected persons, in compliance with current legislation on this matter.
  5. We guarantee the secrecy of communications.
  6. We guarantee the safety and protection of reporting and affected people.
  7. We guarantee the presumption of innocence and respect for the honor of the affected people.

AREA OF APPLICATION

a) This Policy applies to all members of THE ENTITY who report, through the procedures provided therein, of:

  • Actions or omissions that may constitute a serious or very serious criminal or administrative offense. In any case, all serious or very serious criminal or administrative infractions against or that imply economic loss for the Public Treasury and Social Security will be understood to be included.
  • Conduct that may imply, by action or omission and on the part of a member of THE ENTITY, facts that have an effective implication in the professional relationship with THE ENTITY of the person to whom the communication refers, related to the commission in a context labor or professional of any act contrary to the standards of action of the Code of Ethics of THE ENTITY or the other provisions of the internal regulatory system.
  • Any actions or omissions that may constitute infringements of European Union Law
Those who are employees and collaborators of the entity at any given time are considered members of THE ENTITY.

b)This Policy is also applicable to informants who, not being members of THE ENTITY, have obtained information about any of the actions or omissions referred to in the previous section in a work or professional context, including in any case:

  • Any person who works for or under the supervision and direction of THE ENTITY, its contractors, subcontractors and suppliers.
  • People who have been members of THE ENTITY in the past, having already ended their employment or statutory relationship with the entity.
  • Volunteers and interns, regardless of whether they receive remuneration or not.
  • People whose employment relationship has not yet begun, in cases where information about infractions has been obtained during the selection or pre-contractual negotiation process.

INTERNAL INFORMATION SYSTEM

The Internal Information System referred to in this Policy is the preferred channel for reporting on the actions or omissions provided for in Law 2/2023.

The Internal Information System is composed, mainly, of the communication channel enabled for the reception of the communications provided for in the scope of application of this Policy, of the person responsible for the System and of the management procedure that must be followed for the processing of the aforementioned communications. .

CREATION OF THE INTERNAL INFORMATION CHANNEL

The Internal Information System is made up of the Complaint Channel, which is the preferred channel for communicating the conduct provided for in section 3 of this Policy.

The aforementioned Internal Information Channel allows:

  1. Make communications in writing or verbally, or in both ways, under the conditions provided for in Law 2/2023.
  2. When making the communication, the informant may indicate an address, email or safe place for the purpose of receiving notifications.
  3. The presentation and subsequent processing of anonymous communications.
  4. Inform those who communicate through it, in a clear and accessible manner, about the external information channels before the competent authorities and institutions.
  5. to receive any other communications or information not included in the scope established in section 3 of this Policy, although said communications and their senders will be outside the scope of application and protection provided by it.
  6. Appropriate measures will be adopted to guarantee the confidentiality of communications that are sent through channels that are not established or to members of staff not responsible for their treatment (who must immediately forward it to the Head of the SII).

THE RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM

  1. The persons responsible for the System will be a collegiate body or person, internally or externally, with the characteristics provided for in article 8 of Law 2/2023.
  2. The Independent Authority for the Protection of Informants will be notified, in accordance with the provisions of article 8.3 of Law 2/2023, of the appointments of the members of the collegiate body Responsible for the System, within a period of ten days from their appointment. Their terminations, resignations and the reasons justifying them will also be notified eventually, within the same period.
  3. In the exercise of their functions, the persons responsible for the System will not receive instructions from any superior, they will not be subject to hierarchy within the collegiate body, nor can they be removed from their positions for issues related to their legitimate participation in the internal information system.

PERSONAL DATA PROTECTION

The processing of personal data resulting from the application of Law 2/2023 will be governed by the provisions of the RGPD, and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights. (LOPDPGDD), in compliance with what, for such purposes, is determined in Law 2/2023.

The internal Information System must prevent unauthorized access, preserve the identity and guarantee the confidentiality of the data corresponding to the affected persons and any third party mentioned in the information provided, with special attention to the identity of the informant in the event that would have been identified.

The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation, and these cases will be subject to the safeguards established in the applicable regulations.

If the information received contains special categories of personal data, subject to special protection, it will be immediately deleted, unless the processing is necessary for reasons of essential public interest in accordance with the provisions of article 9.2.g) of the RGPD. as provided in article 30.5 of Law 2/2023.

In any case, personal data whose relevance is not evident to process specific information will not be collected or, if collected by accident, will be deleted without undue delay.

Communications that have not been processed may only be recorded in anonymized form, without the blocking obligation provided for in article 32 of the LOPDPGDD being applicable.

INFORMANT PROTECTION MEASURES

People who report violations will have the right to the protection measures established in Law 2/2023, provided that the following circumstances apply:

  1. They have reasonable grounds to believe that the information referred to is true at the time of communication or disclosure, even if they do not provide conclusive evidence, and that the aforementioned information falls within the scope of application of this policy.
  2. The communication or disclosure has been made in accordance with the requirements provided for in this policy and in Law 2/2023.

Those persons who communicate or reveal are expressly excluded from the protection provided for in Law 2/2023:

Information contained in communications that have been inadmissible through any internal information channel or for any of the following reasons:

  • When the facts reported lack all plausibility.
  • When the events reported do not constitute a violation of the legal system included in the scope of application of this policy.
  • When the communication is manifestly unfounded or there are rational indications that it was obtained through the commission of a crime.
  • When the communication does not contain new and significant information about infringements compared to a previous communication in respect of which the corresponding procedures have been concluded, unless new factual or legal circumstances arise that justify a different follow-up.
  • When the communication does not contain new and significant information about infringements compared to a previous communication in respect of which the corresponding procedures have been concluded, unless new factual or legal circumstances arise that justify a different follow-up.

Information that is already completely available to the public or that constitutes mere rumors.

Information that refers to actions or omissions not included in the scope of this policy.

PROTECTION MEASURES FOR AFFECTED PEOPLE

During the processing of the file, the people affected by the communication will have the right to the presumption of innocence, the right of defense and the right of access to the file in the terms provided in Law 2/2023, as well as the same protection established for informants, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

APPROVAL, ENTRY INTO FORCE AND DISSEMINATION

This Policy will be effective from the moment of its approval by the Management of THE ENTITY, proceeding to its publication on the entity's corporate websites.

This Policy will be reviewed and updated whenever it is necessary to make any modifications.

AIM

The purpose of the management procedure of the Internal Information System is to regulate those acts and procedures carried out by THE ENTITY as a consequence of the presentation of information referred to in Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption (hereinafter, Law 2/2023).

REGULATIONS AND REFERENCE LEGISLATION

  • Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption, by transposition of Directive 2019/1937 of the European Parliament and of the Council, of October 23, 2019 , relating to the protection of persons who report infringements of Union law.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation or GDPR).
  • Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights (LOPD GDD).

AREA OF APPLICATION

This regulation applies to the entire scope of action of THE ENTITY and its contents derive from the more general guidelines defined in the entity's Information Security Policy.

It will be mandatory for all personnel who, permanently or occasionally, provide their services to THE ENTITY, including the personnel of external suppliers when they are users of THE ENTITY's Information Systems.

DEFINITIONS

For the purposes of this regulation it will be understood as:

  1. Informant: natural or legal person who has obtained information about violations in a work or professional context and who brings them to the attention of THE ENTITY, including in all cases those provided for in Article 3 sections 1 and 2 of Law 2/2023.
  2. Affected person: natural person to whom the informant attributes the commission of the infractions referred to in article 2 of Law 2/2023. Affected persons will also be considered those who, without having been the subject of information by the informant, through the acts of investigation of the procedure, have become aware of the alleged commission by them of the aforementioned infractions.
  3. Third parties: natural persons who may have knowledge of aspects related to the reported infringement, either as direct or indirect witnesses and who can provide information to the procedure.
  4. Internal Information System: is the information channel established in THE ENTITY to report on the actions or omissions provided for in article 2 of Law 2/2023, with the functions and contents included in article 5.2 of said regulation. It includes the internal information channel and the information management system.
  5. Internal Information Channel: is the channel specifically enabled by THE ENTITY to receive information related to the purpose of this procedure, under the administration of the person responsible for the Internal Information System of THE ENTITY.
  6. Information Management System: technological platform integrated into the Internal Information System, whose purpose is the maintenance, registration and conservation of the actions that take place as a result of the presentation of information to which Law 2/2023 is applicable.

RIGHTS AND GUARANTEES OF INFORMANTS

Informant persons will be guaranteed the effective exercise of the following rights, without prejudice to any others recognized by the Constitution and the laws:

  1. To present information anonymously and to maintain anonymity during the procedure.
  2. To formulate the communication verbally or in writing. In the case of presentation of the communication verbally, the reporting person will be offered the opportunity to verify, rectify and accept the transcription of the message by signing.
  3. To indicate an address, email or safe place to receive communications made by the System Manager.
  4. To appear before the System Manager or the delegated manager on his own initiative.
  5. To the waiver of communicating with the System Manager or the delegated manager who instructs the procedure and, where appropriate, to the revocation of said waiver at any time.
  6. To preserve your identity. The identity of the informant may not be revealed without their express consent to any person who is not competent to receive and manage complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by the authorities or in the course of judicial processes.
  7. To protect your personal data.
  8. To know the identity of the delegated manager who instructs the procedure.
  9. To the confidentiality of communications.
  10. To protection and support measures in the terms provided in Law 2/2023.
  11. To file a claim with the Independent Whistleblower Protection Authority.
  12. Not to be subject to retaliation, even when the result of the investigations will verify that there has been no breach of the applicable regulations or the Ethical Code of THE ENTITY, provided that it has not acted in bad faith.

OBLIGATIONS OF INFORMANTS

The reporting persons, with regard to the presentation of their communications through the Internal Information Channel, will be subject to the following obligations:

  1. Have reasonable or sufficient indications about the certainty of the information they communicate, and generic communications cannot be made, in bad faith or with abuse of rights, in which case they could incur civil, criminal or administrative liability.
  2. Describe in the most detailed way possible the facts or behaviors they communicate, providing all available documentation on the situation described or objective evidence to obtain evidence.
  3. Refrain from formulating communications with a purpose different from that intended by the Channel or that violate the fundamental rights to honor, image and personal and family privacy of third parties or that are contrary to the dignity of the person.

RIGHTS OF THIRD PARTIES

The following rights will be recognized for persons considered as third parties in the procedure, without prejudice to the possibility of extending to them, to the extent possible, the measures of support and protection of the informant provided for in Law 2/2023.

  1. To indicate an address, email or safe place to receive communications made to the person responsible for the System.
  2. To appear before the System Manager or the delegated manager on his own initiative.
  3. To preserve your identity. The identity of the third party may not be revealed without their express consent to any person who is not competent to receive and manage the complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by the authorities or in the course of judicial processes.
  4. To protect your personal data.
  5. To the confidentiality of communications.
  6. Not to be subject to retaliation.

RIGHTS OF AFFECTED PEOPLE

The affected people will have the rights recognized by the Constitution and the laws, for whose compliance the Person Responsible for the System will have the obligation to ensure. In particular, they will have the following rights:

  1. To be informed, as soon as possible, of the information that affects them.
  2. To honor and privacy
  3. To the presumption of innocence and to use all legally valid means for his defense.
  4. To be assisted by a lawyer.
  5. To access the actions taken against them, without prejudice to the time limitations that may be adopted to guarantee the result of the actions.
  6. To know the identity of the delegated manager who instructs the procedure.
  7. To preserve your identity, against any person other than the System Controller.
  8. To protect your personal data
  9. To the confidentiality of communications

THE RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM

  1. The System Manager is the person or collegiate body referred to in article 8 of Law 2/2023, who will be designated by the Management.
  2. The System Manager, in the exercise of their powers, cannot receive instructions from any other area of ​​THE ENTITY, nor can they be removed from their positions for issues related to their participation in the Internal Information System. Likewise, they are independent in the exercise of their functions and are not subject to hierarchy within said collegiate body.

ACCESS TO PERSONAL DATA IN THE INTERNAL INFORMATION SYSTEM

Access to personal data in the Internal Information System by THE ENTITY's staff will be limited, within the scope of their powers and functions and regardless of the professional responsibilities of the people who ultimately form part of the collegiate body Responsible for the System. to:

  1. The person responsible for the system or whoever he delegates.
  2. The person responsible for People Management, when disciplinary measures could be adopted against an employee of THE ENTITY.
  3. The person in charge of the Legal Office, if the adoption of legal measures is appropriate in relation to the facts reported in the communication.
  4. Those in charge of the treatment that are eventually designated.
  5. The Data Protection Officer of THE ENTITY
The processing of data by other people, or even its communication to third parties, will be lawful when it is necessary for the adoption of corrective measures in the entity or the processing of sanctioning or criminal procedures that, where appropriate, may apply.

PROCEDURE DEADLINES

  1. The period for resolving the investigative actions to which the information management procedure gives rise cannot be longer than 3 months, except in cases of special complexity in which case the extension of said period may be agreed upon, with reasons, by the Person Responsible for the System. up to a maximum of another three additional months.
  2. The calculation of the period referred to in the previous section begins from the receipt of the communication by the System Manager or, if an acknowledgment of receipt is not sent to the informant, from the expiration of the period of seven days after receipt. the communication.
  3. Terms expressed in months will be computed from date to date.
  4. The deadlines in days referred to in this rule will be considered business days, unless it is expressly indicated that they are calendar days.
  5. Saturdays, Sundays and declared holidays are excluded from the calculation of the period in business days.

PERSONAL DATA PROTECTION

  1. The processing of personal data arising from the processing of this information management procedure will be carried out in accordance with the provisions of Title VI of Law 2/2023.
  2. The internal information system must prevent unauthorized access and preserve the identity and guarantee the confidentiality of the data corresponding to the affected persons and any third party mentioned in the information provided, especially the identity of the reporting person in the event that it is would have identified.
  3. The identity of the informants may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation, and these cases will be subject to the safeguards established in the applicable regulations.
  4. If the information received contains special categories of data, it will be immediately deleted, unless the processing is necessary for reasons of essential public interest in accordance with the provisions of article 9.2.g) of the General Data Protection Regulation, according to Article 30.5 of Law 2/2023 provides.
  5. Personal data that is not clearly relevant to processing specific information will not be collected or, if collected by accident, will be deleted without undue delay.
  6. In any case, after 3 months have elapsed since receipt of the communication without investigation actions having been initiated, it must be deleted, unless the purpose of conservation is to leave evidence of the operation of the system.
  7. Communications that have not been processed may only be recorded in anonymized form, without the blocking obligation provided for in article 32 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.

PROCEDURE Phase of receiving information

The information on the commission of infractions referred to in article 2.1 of Law 2/2023, as well as any other derived from the processing of this procedure, will be communicated in writing or verbally through the electronic means established for this purpose in the channel. internal information enabled on the ENTITY's website.

At the request of the informant, it may also be presented through a face-to-face meeting within a maximum period of seven days.

Verbal communications, including those made through a face-to-face meeting, telephone or voice messaging system, must be documented in one of the following ways, with the prior consent of the informant:

  1. by recording the conversation in a secure, durable and accessible format, or
  2. through a complete and accurate transcription of the conversation carried out by the personnel responsible for processing it.

Without prejudice to the rights that correspond to them, in accordance with the regulations on the protection of personal data, the informant will be offered the opportunity to verify, rectify and accept the transcription of the conversation by signing.

In any case, the communication must contain at least the following information:

  • Identification of the reporting person, unless he or she chooses to present the information anonymously.
  • Description of the facts and, where applicable, determination of the affected standard.
  • Identification of the affected person or persons.
  • Identification, if applicable, of third parties who can provide relevant information.
  • If the right to waive is exercised to communicate with the System Manager

The reporting person may indicate an address, email, or safe place for the purpose of receiving communications.

Once the communication is received, within a period of seven calendar days following its receipt, receipt will be acknowledged and the justification communicated to the informant, unless no means of contact has been provided or the right to waive communication with the Person Responsible for the System or the delegated manager who instructs the procedure.

Admission phase

Once the communication is registered, the System Manager must check whether it exposes facts or conduct that are within the subjective scope of application provided for in article 3 of Law 2/2023 and, within a period of ten business days from the date By entering the information in the registry you will be able to:

Disallow communication, in any of the following cases:

  • When the facts reported lack all plausibility
  • When the events reported do not constitute a violation of the legal system within the scope of application of Law 2/2023.
  • When the communication lacks foundation or there are rational indications that it was obtained through the commission of a crime. In the latter case, in addition to the inadmissibility, a detailed list of the facts that are considered to constitute a crime will be sent to the Public Prosecutor's Office.
  • When the communication does not contain new and significant information about infringements compared to a previous communication in respect of which the corresponding procedures have been concluded, unless new circumstances arise that justify a different follow-up.
  • The inadmissibility will be communicated to the informant within the following five business days, unless the communication was anonymous or the informant had renounced receiving communications.

Admit the communication to processing. Admission for processing will be communicated to the informant within the following five business days, unless the communication was anonymous or the informant had waived receiving communications.

Immediately send the information to the Public Prosecutor's Office when the facts could indirectly constitute a crime or to the European Public Prosecutor's Office in the event that the facts affect the financial interests of the European Union.

Send the communication to the authority, entity or body that is considered competent for its processing.

Instruction phase

The instruction will include all those actions aimed at verifying the verisimilitude of the events reported.

The delegated manager designated by the System Manager will be considered an instructor of the procedure.

Within a maximum period of 15 days from the admission decision, the affected person will be informed of the existence of the actions and the facts briefly reported, unless said communication may facilitate the concealment, destruction and alteration of evidence. in which case, the delegated manager, with reasons, may modify said period until said circumstances disappear.

In no case will the identity of the reporting person be communicated to the affected subjects nor will access to the communication be given.

In order to guarantee the right of defense of the affected person, they will have access to the file without revealing information that could identify the reporting person, and may be heard at any time, and they will be warned of the possibility of appearing assisted by a lawyer.

The affected person has the duty to maintain the confidentiality of the information to which they become aware as a result of access to the file, and any action aimed at identifying the informant or third parties is prohibited, without prejudice to the obligations that arise from compliance with the regulations. on protection of personal data.

Completion phase

Once the actions are completed, the System Manager will issue a report that will be sent to the Managing Director of THE ENTITY and will contain at least:

  1. A statement of the facts reported along with the file number, the date of registration and the date of the admission agreement.
  2. The actions carried out in order to verify the verisimilitude of the facts that will include, at least and succinctly, the allegations made by the affected person, including the interview where appropriate, the documentation provided by the latter or collected by the person responsible for the System. through third parties and any other information on which the resolution adopted is based.
  3. The conclusions reached in the investigation and the assessment of the proceedings and the evidence that supports them.
  4. The decisions taken.

Likewise, the report will be notified to the informant, to the extent that he/she is identified and has not made use of the right of waiver to communicate with the System Controller and the affected person.

The period to complete the actions and respond to the informant, if applicable, may not exceed three months from the entry into the registry of the information management system, without prejudice to the extension of the period provided for in article 9 of the Law 2/2023.