Mailbox Policy
INTERNAL INFORMATION SYSTEM POLICY INFORMATION
INDEX
- INTRODUCTION
- GENERAL PRINCIPLES
- SCOPE OF APPLICATION
- INTERNAL INFORMATION SYSTEM
- CREATION OF THE INTERNAL INFORMATION CHANNEL
- THE PERSON RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM
- PROTECTION OF PERSONAL DATA
- WHISTLEBLOWER PROTECTION MEASURES
- PROTECTION MEASURES FOR AFFECTED PERSONS
- APPROVAL, ENTRY INTO FORCE AND DISSEMINATION
- VERSION HISTORY
1. INTRODUCTION
The approval of Law 2/2023, of February 20, 23, regulating the protection of persons who report regulatory violations and the fight against corruption, (hereinafter “Law 2/2023”), obliges both the public and private sectors to have internal reporting channels designed and implemented to protect persons who, in a work or professional context, detect potential violations. Specifically, as stated in art. 13 of Law 2/2023, all public sector entities shall be obliged to have an internal information system, including public sector foundations, as stated in paragraph 1 letter f) thereof.
TABLEROS HISPANOS S.L.U. hereinafter “THE COMPANY”, by means of this Policy, undertakes to adopt the necessary measures to prevent any type of retaliation, including threats of retaliation and attempted retaliation against persons who submit a communication, as a means to safeguard and protect persons who communicate in good faith information about acts or omissions that contravene the aforementioned law, the Code of Ethics and Conduct of THE COMPANY or the internal regulations and procedures of this institution.
2. GENERAL PRINCIPLES
The purpose of this Policy is to establish the Principles that govern the actions of THE COMPANY in the implementation of the Internal Information System and whistleblower protection, in accordance with the provisions of Law 2/2023.
- We guarantee accessibility to the Internal Reporting System and whistleblower protection: the Internal Reporting System must allow the communication, either in writing, verbally or in person, of information on regulatory and anti-corruption violations to all persons within its scope of application.
- We guarantee, through the independent action of the System Manager, the completeness, integrity and confidentiality of the information, the prohibition of unauthorized access, the durable storage of the information and the respect for good faith. The Internal Information System will be managed by the person in charge with total independence and autonomy with respect to the rest of the areas of THE COMPANY.
- We guarantee the confidentiality of the identity of the informant and of any person mentioned in the communication, as well as of the actions carried out in the management and processing of the same. The internal reporting channel will even allow the submission and subsequent processing of anonymous communications.
- We guarantee the protection of the personal data of the persons concerned, in compliance with current legislation in this area.
- We guarantee the secrecy of communications.
- We guarantee the safety and protection of informants and affected persons.
- We guarantee the presumption of innocence and respect for the honor of the affected persons.
3. SCOPE OF APPLICATION
- This Policy is applicable to all members of THE COMPANY who report, through the procedures provided herein, of:
- Actions or omissions that may constitute a serious or very serious criminal or administrative offense. In any case, all serious or very serious criminal or administrative infractions against or involving economic losses for the Public Treasury and Social Security shall be understood to be included.
- Conduct that may imply, by action or omission and on the part of a member of THE COMPANY, facts that have an effective implication in the professional relationship with THE COMPANY of the person to whom the communication refers, related to the commission in a work or professional context of any act contrary to the rules of conduct of the Code of Ethics of THE COMPANY or to the other provisions of the internal regulatory system.
- Any acts or omissions that may constitute breaches of European Union law.
Members of THE COMPANY are considered to be those who at any time are employees and collaborators of the entity.
- This Policy is also applicable to informants who, not being members of THE COMPANY, have obtained information about any of the actions or omissions referred to in the previous section in a work or professional context, including in any case:
- Any person working for or under the supervision and direction of THE COMPANY, its contractors, subcontractors and suppliers.
- Persons who have been members of THE ENTITY in the past, having terminated their employment or statutory relationship with the entity.
- Volunteers and interns, regardless of whether or not they receive remuneration.
- Persons whose employment relationship has not yet begun, in cases where information on violations has been obtained during the selection process or pre-contractual negotiation.
4. INTERNAL INFORMATION SYSTEM
The Internal Reporting System referred to in this Policy is the preferred channel for reporting actions or omissions under Law 2/2023.
The Internal Information System is composed, mainly, of the communication channel enabled for the reception of the communications foreseen in the scope of application of this Policy, the System Manager and the management procedure to be followed for the processing of the aforementioned communications.
5. CREATION OF THE INTERNAL INFORMATION CHANNEL
The Internal Information System is integrated by the Whistleblower Channel, which is the preferred channel for the communication of the conducts set forth in section 3 of this Policy.
The aforementioned Internal Information Channel allows:
- To make communications in writing or verbally, or both, under the conditions provided for in Law 2/2023.
- When making the communication, the informant may indicate an address, e-mail or safe place to receive notifications.
- The submission and subsequent processing of anonymous communications.
- Inform those who communicate through it, in a clear and accessible manner, about the external information channels with the competent authorities and institutions.
- The receipt of any other communications or information not included in the scope established in section 3 of this Policy, although such communications and their senders shall be outside the scope of application and protection provided by this Policy.
- Appropriate measures shall be taken to ensure the confidentiality of communications sent through channels other than those established or to personnel not responsible for their processing (who shall immediately forward them to the IIS Manager).
6. THE PERSON RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM
- The Persons Responsible for the System shall be a collegiate body or person, internally or externally, with the characteristics provided for in Article 8 of Law 2/2023.
- The Independent Authority for the Protection of the Informant shall be notified, in accordance with the provisions of article 8.3 of Law 2/2023, of the appointments of the members of the collegiate body Responsible for the System, within ten days of their appointment. They shall also be notified, within the same period, of their dismissals, resignations and the reasons justifying them.
- In the exercise of their functions, the persons in charge of the System shall not receive instructions from any superior, shall not be subject to hierarchy within the collegiate body, nor may they be removed from their posts for issues related to their legitimate participation in the internal information system.
- The management of TABLEROS HISPANOS S.L.U. has appointed an external third party to manage the Whistleblower Channel, thus guaranteeing its independence. We appointed Legalforma Servicios de Consultoría.
7. PROTECTION OF PERSONAL DATA
The processing of personal data arising from the application of Law 2/2023 shall be governed by the provisions of the RGPD, and the Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and guarantee of digital rights (LOPDPGDD), in compliance with what, for such purposes, is determined in Law 2/2023.
The internal information system must prevent unauthorized access, preserve the identity and guarantee the confidentiality of the data corresponding to the persons concerned and to any third party mentioned in the information provided, with special attention to the identity of the informant in case he/she has been identified.
The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation, and these cases shall be subject to the safeguards established in the applicable regulations.
If the information received contains special categories of personal data, subject to special protection, it will be immediately deleted, unless the processing is necessary for reasons of essential public interest as provided for in Article 9.2.g) of the GDPR, as provided for in Article 30.5 of Law 2/2023.
In any case, personal data will not be collected if it is not manifestly relevant to the processing of specific information or, if collected by accident, will be deleted without undue delay.
Communications that have not been followed up may only be recorded in anonymized form, without the blocking obligation provided for in article 32 of the LOPDPGDD being applicable.
8. WHISTLEBLOWER PROTECTION MEASURES
Persons who report violations shall be entitled to the protection measures set forth in Law 2/2023, provided that the following circumstances are met:
- Have reasonable grounds to believe that the information is true at the time of communication or disclosure, even if they do not provide conclusive evidence, and that the information is within the scope of this policy.
- The communication or disclosure has been made in accordance with the requirements set forth in this policy and in Law 2/2023.
Those persons who communicate or disclose the information are expressly excluded from the protection provided for in Law 2/2023:
- Information contained in communications that have been rejected by any internal information channel or for any of the following reasons:
- When the facts reported lack any verisimilitude.
- When the facts reported do not constitute an infringement of the legal system included in the scope of application of this policy.
- When the communication is manifestly unfounded or there are reasonable grounds to believe that it was obtained through the commission of a crime.
- When the communication does not contain significant new information on infringements in comparison with a previous communication in respect of which the corresponding procedures have been concluded, unless there are new factual or legal circumstances that justify a different follow-up.
- Information related to complaints about interpersonal conflicts or that affect only the informant and the persons to whom the communication or disclosure refers.
- Information that is already fully available to the public or that constitutes mere hearsay.
- Information concerning actions or omissions outside the scope of this policy.
9. PROTECTION MEASURES FOR AFFECTED PERSONS
During the processing of the file, the persons affected by the communication shall have the right to the presumption of innocence, the right of defense and the right of access to the file under the terms set forth in Law 2/2023, as well as the same protection established for informants, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.
10. APPROVAL, ENTRY INTO FORCE AND DISSEMINATION
This Policy shall be effective from the moment of its approval by the Management of THE COMPANY, proceeding to its publication on the corporate web pages of the entity.
This Policy will be reviewed and updated whenever it becomes necessary to make any changes.