Mailbox procedure
INTERNAL INFORMATION SYSTEM MANAGEMENT INTERNAL INFORMATION SYSTEM
INDEX
- OBJECTIVE
- REFERENCE LAWS AND REGULATIONS
- SCOPE OF APPLICATION
- DEFINITIONS
- RIGHTS AND GUARANTEES OF INFORMANTS
- OBLIGATIONS OF THE INFORMANTS
- THIRD PARTY RIGHTS
- RIGHTS OF AFFECTED PERSONS
- THE PERSON RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM
- ACCESS TO PERSONAL DATA IN THE INTERNAL INFORMATION SYSTEM
- PROCEDURAL DEADLINES
- PROTECTION OF PERSONAL DATA
- PROCEDURE
1. OBJECTIVE
The purpose of the management procedure of the Internal Information System is to regulate those acts and procedures carried out by TABLEROS HISPANOS S.L.U. hereinafter “THE COMPANY” as a result of the submission of information referred to in Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption (hereinafter Law 2/2023).
2. REGULATIONS AND LEGISLATION OF REFERENCE
- Law 2/2023 of February 20, regulating the protection of persons who report regulatory infringements and the fight against corruption, by transposition of Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation or GDPR).
- Organic Law 3/2018 of December 5, 2018, on the protection of personal data and guarantee of digital rights (LOPD GDD).
3. SCOPE OF APPLICATION
This regulation applies to the entire scope of action of THE COMPANY and its contents are derived from the more general guidelines defined in the entity’s Information Security Policy.
It shall be mandatory for all personnel who, on a permanent or temporary basis, provide their services to THE COMPANY, including the personnel of external suppliers when they are users of THE COMPANY’s Information Systems.
4. DEFINITIONS
For the purposes of this regulation, the following definitions shall apply:
1.- Informant: natural or legal person who has obtained information on infringements in an employment or professional context and who brings them to the attention of THE COMPANY, including in any case those provided for in Article 3, paragraphs 1 and 2 of Law 2/2023.
Person concerned: natural person to whom the informant attributes the commission of the infringements referred to in article 2 of Law 2/2023. Affected persons shall also be considered to be those who, without having been informed by the informant, have become aware of the alleged commission by them of the aforementioned infringements through the acts of investigation of the procedure.
3.- Third parties: natural persons who may have knowledge of aspects related to the reported infringement, either as direct or indirect witnesses and who may contribute information to the procedure.
4.- Internal Information System: is the information channel established in THE COMPANY to report on the actions or omissions provided for in Article 2 of Law 2/2023, with the functions and contents set forth in Article 5.2 of said law. It includes the Internal Information Channel and the Information Management System.
5.- Internal Information Channel: is the channel specifically enabled by THE COMPANY to receive information related to the object of this procedure, under the administration of the person responsible for the Internal Information System of THE COMPANY.
Information Management System: technological platform integrated in the Internal Information System, the purpose of which is to keep, record and conserve the actions that take place as a result of the presentation of information to which Law 2/2023 is applicable.
5. RIGHTS AND GUARANTEES OF INFORMANTS
Informants shall be guaranteed the effective exercise of the following rights, without prejudice to any other rights recognized by the Constitution and the law:
- To submit information anonymously and to remain anonymous during the procedure.
- To formulate the communication orally or in writing. In the case of a verbal communication, the reporting person shall be given the opportunity to verify, rectify and accept the transcription of the message by signing it.
- To indicate an address, e-mail or safe place to receive communications from the System Manager.
- To appear before the System Manager or the delegated manager on their own initiative.
- To waive the right to communicate with the person in charge of the system or the delegated manager in charge of the procedure and, if applicable, to revoke such waiver at any time.
- To the preservation of their identity. The identity of the informant may not be disclosed without his or her express consent to any person who is not competent to receive and handle complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by the authorities or in the course of judicial proceedings.
- To the protection of your personal data.
- To know the identity of the delegated manager who will be in charge of the procedure.
- Confidentiality of communications.
- To protection and support measures under the terms of Law 2/2023.
- To file a complaint with the Independent Whistleblower Protection Authority.
- Not to be subject to retaliation, even if the result of the investigations verifies that there has been no breach of the applicable regulations or the Code of Ethics of THE COMPANY, provided that he/she has not acted in bad faith.
6. OBLIGATIONS OF THE INFORMANTS
Reporting persons, with respect to the submission of their communications through the Internal Reporting Channel, shall be subject to the following obligations:
- Have reasonable or sufficient indications as to the accuracy of the information they are communicating, and may not make generic communications in bad faith or with abuse of rights, in which case they could incur in
civil, criminal or administrative liability
- Describe in as much detail as possible the facts or conduct reported, providing all available documentation on the situation described or objective evidence to obtain proof.
- Refrain from making communications with a purpose other than that envisaged by the Channel or that violate the fundamental rights to honor, image and personal and family privacy of third parties or that are contrary to the dignity of the person.
7. RIGHTS OF THIRD PARTIES
The following rights shall be recognized to the persons considered as third parties in the procedure, without prejudice to the possibility of extending to them, as far as possible, the measures of support and protection of the informant provided for in Law 2/2023.
- To indicate an address, e-mail or safe place to receive the communications made to the person in charge of the System.
- To appear before the System Manager or the delegated manager on their own initiative.
- To the preservation of their identity. The identity of the third party may not be disclosed without its express consent to any person who is not competent to receive and handle the complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by the authorities or in the course of judicial proceedings.
- To the protection of your personal data.
- Confidentiality of communications.
- To be free from retaliation.
8. RIGHTS OF AFFECTED PERSONS
The affected persons shall have the rights recognized by the Constitution and the laws, and the person in charge of the System shall have the obligation to ensure compliance with such rights. In particular, they shall have the following rights:
- To be informed, as soon as possible, of the information that affects them.
- To honor and privacy
- To the presumption of innocence and to use all legally valid means of defense.
- To be assisted by a lawyer.
- Access to the proceedings against them, without prejudice to any time limitations that may be adopted to ensure the outcome of the proceedings.
- To know the identity of the delegated manager who will be in charge of the procedure.
- To the preservation of their identity, against any person outside the person in charge of the System.
- To the protection of your personal data
- Confidentiality of communications
9. THE PERSON RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM
- The System Manager is the person or collegiate body referred to in Article 8 of Law 2/2023, who shall be appointed by the Management.
- The System Manager, in the exercise of his/her competencies, cannot receive instructions from any other area of THE COMPANY, nor can he/she be removed from his/her position for issues related to his/her participation in the Internal Information System. Likewise, they are independent in the exercise of their functions and are not subject to hierarchy within said collegiate body.
10. ACCESS TO PERSONAL DATA IN THE INTERNAL INFORMATION SYSTEM
Access to personal data in the Internal Information System by the personnel of THE COMPANY shall be limited, within the scope of their competencies and functions and regardless of the professional responsibilities of the persons who finally form part of the collegiate body responsible for the System, to:
- The System Manager or the person delegated by him/her.
- The person in charge of People Management, when disciplinary measures may be taken against an employee of THE COMPANY.
- The person in charge of the Legal Office, should legal action be taken in relation to the facts described in the communication.
- The persons in charge of the treatment that eventually may be designated.
- The Data Protection Officer of THE ENTITY
The processing of data by other persons, or even their communication to third parties, will be lawful when necessary for the adoption of corrective measures in the entity or the processing of sanctioning or criminal proceedings that, where appropriate, may be applicable.
11. DEADLINES OF THE PROCEDURE
- The time limit for resolving the investigative actions to which the information management procedure gives rise cannot be longer than 3 monthsexcept in cases of special complexity, in which case the System Manager may agree to extend this period by the System Manager up to a maximum of three additional months.
- The computation of the period referred to in the preceding paragraph starts from the receipt of the communication by the System Manager or, if no acknowledgement of receipt is sent to the informant, from the expiration of the seven-day period after receipt of the communication.
Time periods expressed in months shall be computed from date to date.
- The time periods in days referred to in this rule shall be considered working days, unless expressly indicated as calendar days.
Saturdays, Sundays and public holidays are excluded from the calculation of the period in working days.
12. PROTECTION OF PERSONAL DATA
- The processing of personal data arising from the processing of this information management procedure will be carried out in accordance with the provisions of Title VI of Law 2/2023.
- The internal information system must prevent unauthorized access and preserve the identity and guarantee the confidentiality of the data corresponding to the persons concerned and to any third party mentioned in the information provided, especially the identity of the informant in case he/she has been identified.
The identity of informants may only be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation, and these cases shall be subject to the safeguards established in the applicable regulations.
- If the information received contains special categories of data, it will be deleted immediately, unless the processing is necessary for reasons of essential public interest as provided for in Article 9.2.g) of the General Data Protection Regulation, as provided for in Article 30.5 of Law 2/2023.
- Personal data will not be collected if it is manifestly not relevant to the processing of specific information or, if collected by accident, will be deleted without undue delay.
- In any case, once 3 months have elapsed since the receipt of the communication without any investigation actions having been initiated, it must be deleted, unless the purpose of the conservation is to leave evidence of the operation of the system.
Communications that have not been acted upon may only be recorded in anonymized form, without the blocking obligation provided for in Article 32 of Organic Law 3/2018, of December 5, 2018, on Personal Data Protection and guarantee of digital rights being applicable.
13. PROCEDURE Information reception phase
The information on the commission of infringements referred to in Article 2.1 of Law 2/2023, as well as any other information derived from the processing of this procedure shall be communicated in writing or verbally through the electronic means established for this purpose in the internal information channel enabled on the website of THE COMPANY.
At the informant’s request, it may also be submitted by means of a face-to-face meeting within a maximum period of seven days.
Verbal communications, including those made through a face-to-face meeting, by telephone or voice messaging system, should be documented in one of the following ways, subject to the informant’s consent:
- by a recording of the conversation in a secure, durable and accessible format; or
- through a complete and accurate transcription of the conversation made by the staff responsible for handling it.
Without prejudice to his or her rights in accordance with the regulations on personal data protection, the informant will be given the opportunity to verify, rectify and accept the transcription of the conversation by signing it.
In any case, the communication shall contain at least the following information:
- Identification of the reporting person, unless the reporting person chooses to report anonymously.
- Description of the facts and, if applicable, determination of the affected standard.
- Identification of the affected person or persons.
- Identification, if applicable, of third parties that may provide relevant information.
- If the right to waive communication with the System Administrator is exercised
The reporting person may indicate an address, e-mail, or safe place to receive communications.
Once the communication has been received, within seven calendar days following its receipt, receipt shall be acknowledged and the justification shall be communicated to the informant, unless no means of contact has been provided or the right to waive the right to communicate with the System Manager or the delegated manager in charge of the procedure is exercised.
Admission phase
Once the communication has been registered, the person in charge of the System shall verify whether it sets forth facts or conduct that fall within the subjective scope of application provided for in article 3 of Law 2/2023 and, within a period of ten working days from the date of entry of the information in the registry will be able to:
- Inadmit the communication, in any of the following cases:
- When the facts reported lack all plausibility
- When the facts reported do not constitute an infringement of the legal system within the scope of application of Law 2/2023.
- When the communication is unfounded or there are reasonable grounds to believe that it was obtained through the commission of a crime. In the latter case, in addition to the inadmissibility, a detailed account of the facts deemed to constitute a crime shall be sent to the Public Prosecutor’s Office.
- When the communication does not contain significant new information on infringements in comparison with a previous communication in respect of which the corresponding procedures had been concluded, unless there are new circumstances that justify a different follow-up.
- The informant will be notified of the inadmissibility within five working days, unless the communication was anonymous or the informant has waived the right to receive communications.
- Admit the communication for processing. The informant will be notified of the admission for processing within the following five working days, unless the communication is anonymous or the informant has waived the right to receive communications.
- Immediately forward the information to the Public Prosecutor’s Office when the facts may be indicative of a crime or to the European Public Prosecutor’s Office in the event that the facts affect the financial interests of the European Union.
- Forward the communication to the authority, entity or organism considered competent for its processing.
Preliminary phase
The investigation will include all those actions aimed at verifying the verisimilitude of the facts reported.
The delegated manager appointed by the System Manager shall be considered as the instructor of the procedure.
Within a maximum period of 15 days from the admission decisionThe affected person shall be informed of the existence of the proceedings and of the facts reported in a succinct manner, unless such communication may facilitate the concealment, destruction or alteration of evidence, in which case, the delegated manager may modify such term, giving reasons, until such circumstances disappear.
In no case will the identity of the informant be communicated to the subjects concerned, nor will access to the communication be given.
In order to guarantee the right of defense of the person concerned, he/she shall have access to the file without disclosing information that could identify the informant, and may be heard at any time, and shall be advised of the possibility of appearing with the assistance of a lawyer.
The affected person has the duty to maintain the confidentiality of the information to which he/she has knowledge as a result of access to the file, being prohibited any action aimed at identifying the informant or third parties, without prejudice to the obligations arising from compliance with the regulations on protection of personal data.
Completion phase
Once the actions have been concluded, the System Manager will issue a report that will be sent to the Managing Director of THE ENTITY and that will contain at least:
- A statement of the facts related together with the file number, the date of registration and the date of the admission agreement.
- The actions carried out in order to verify the verisimilitude of the facts that will include, at least and succinctly, the allegations made by the affected person, including the interview, if applicable, the documentation provided by the affected person or obtained by the System Manager through third parties and any other information on which the resolution adopted is based.
- The conclusions reached in the investigation and the assessment of the proceedings and the evidence supporting them.
- Decisions adopted.
Likewise, the report will be notified to the informant, to the extent that he/she is identified and has not made use of the right to waive the right to communicate with the person responsible for the system, and to the person concerned.
The term to complete the proceedings and provide a response to the informant, as the case may be, may not exceed three months from the entry into the register of the information management system, without prejudice to the extension of the term provided for in Article 9 of Law 2/2023.