1. Introduction
The sole director of Avature Spain, S.L.U. (hereinafter, “Avature” or the “Company“), in furtherance of its commitment to the current legislation and the highest ethical and professional standards, has prepared and approved this Policy of the Internal Information System of the Company (hereinafter, the “Policy“).
Through this Policy, the Company complies with the requirements derived from Law 2/2023, of February 20, regulating the protection of persons who report regulatory infringements and the fight against corruption (hereinafter, the “Law 2/2023“), approved as a result of the transposition of Directive (EU) 2019/1937 of the European Parliament and of the Council, of October 23, 2019, on the protection of persons who report infringements of Union law.
2. Object
This Policy is a core element of Avature’s Internal Information System (hereinafter, the “IIS“) and seeks to provide Avature with the resources and principles of action required to promote the use of Avature’s Internal Whistleblowing Channel (hereinafter, the “Channel“) and to ensure the rights of all parties involved, particularly the guarantee of confidentiality, the prohibition of retaliation, and the right to defense and the right to honor and presumption of innocence of those affected by the communications.
Avature’s IIS is mainly formed by the following:
- This Policy.
- The Communications’ Management Procedure (the “Procedure”), which develops this Policy and establishes the guidelines to follow when submitting a communication about ethic concerns regarding potential irregularities or non-compliances, as well as the procedure to be followed by Avature when receiving and managing the communications submitted through the Channel.
- The IIS Manager is in charge of the IIS management and the handling of the investigation files.
3. Subjective scope of application
This Policy applies and extends Avature’s IIS protection to:
a) Members of the management body of Avature, including non-executive members, where applicable.
b) Any employee of the Company, including trainees, apprentices, trainees, as well as those whose employment relationship has not yet commenced where the information about violations they intend to report was obtained during the recruitment process or pre-contractual negotiation.
c) Anyone working for or under the supervision and direction of Avature contractors, subcontractors and suppliers.
d) The legal representatives of the employees in the exercise of their duties to advise and support the reporting person.
e) Natural persons who, within the framework of the organization in which the reporting person provides services, assist the reporting person in the process.
f) Natural persons who are related to the reporting person and who may suffer reprisals, such as co-workers or relatives of the reporting person.
g) Legal persons for whom the reporting person works or with whom he/she maintains any other type of relationship in a work context or in which he/she holds a significant shareholding – significant being understood as that which allows the person to have the capacity to influence the legal person.
4. Material scope of application
This Policy protects against any kind of retaliation that could be directed against a natural or legal person who uses Avature’s Channel in order to report any actions or omissions that could constitute:
(i) European Union’s Law infractions related to, among others, the following areas: public procurement, financial sector, prevention of money laundering or terrorist financing, product safety and compliance, transport safety, environmental protection, radiation protection and nuclear safety, food and feed safety, animal health and animal welfare, public health, consumer protection, protection of privacy and personal data, and security of networks and information systems, Union financial interests and internal market.
(ii) Criminal offenses or serious or very serious administrative infractions, including those involving financial loss to the Treasury and Social Security.
(iii) Occupational health and safety offenses under labor law.
(iv) Violations of Avature’s Code of Conduct and any other policies or procedures implemented.
Avature Channel is not enabled for filing grievances or raising human resources concerns, such as performance review, compensation, career development and other human resources-related issues. Local grievance communication channels should be used for these matters.
The protection afforded by this Policy and the rest of the IIS elements shall not exclude the application of the rules relating to criminal proceedings and is without prejudice to the protection provided by the labor law on occupational health and safety for those persons who report violations in this area.
5. Principles statement
The IIS will be the preferred channel for reporting any non-compliance within its scope of application and will be governed by the following operating and management principles:
1. Effectiveness and accessibility: the IIS must guarantee ease in the formulation of the communications, as well as their effective management, favoring that the entity itself is the first to know about any possible irregularity.
2. Independence: all those involved in the management of the IIS must offer a guarantee of independence, particularly the IIS Manager, in such a way that any possible conflicts of interest or personal or professional ties that could affect the good judgment or credibility of those involved in the communications management process are beyond suspicion.
3. Confidentiality: the IIS shall be designed and managed in such a way as to guarantee the confidentiality of the identity of the reporting person, of the persons affected and of any third party mentioned in the communications, as well as of the actions carried out in the management and processing thereof. The register of communications supervised by the IIS Manager shall be regulated in such a way as to guarantee not only the protection of personal data, but also the due restriction of access to unauthorized personnel.
4. Presumption of innocence and right to honor: the affected persons shall have the right to the presumption of innocence and the right to defense in such a way that under no circumstances may a presumption contrary to the affected person be assumed when investigating or resolving a communication submitted.
For these purposes, and with the aim of making these rights real, the affected persons shall have the right to access the file under the terms set forth in Law 2/2023, to receive the same protection as the reporting person and to be heard and to be able to present allegations in the internal investigation procedure whenever they deem it appropriate.
5. Prohibition of retaliation: retaliation against those who report or collaborate in a communication or information process included in the scope of protection of this Policy is expressly prohibited.
Retaliation shall be understood as any act or omission prohibited by law or that, directly or indirectly, involves unfavorable treatment that places the person who suffers it at a particular disadvantage in the work or professional context solely because of his or her status as a reporter or because of his or her collaboration in the management of information.
By way of example, the following may be considered retaliation:
a) Suspension of the employment contract, dismissal or termination of employment or non-renewal – unless done within the regular exercise of managerial power under labor law.
b) Damages, including reputational damage, economic loss, coercion, intimidation, harassment or ostracism.
c) Negative references regarding professional work.
d) Inclusion in black lists or dissemination of information in a sector that hinders access or promotion at work.
e) Denial or cancellation of leave or training.
6. Principle of good faith: Just as the imposition of retaliation is prohibited, Avature will not permit the use of the IIS for illegitimate, personal or unlawful purposes or contrary to good faith.
In the event of misuse of the IIS by any reporting person or third party involved, such action may result in the imposition by the Company of the corresponding disciplinary sanction, if applicable, or the exercise of civil or criminal actions that may be appropriate.
6. IIS Manager
In compliance with its obligations related to the supervision and promotion of the IIS, the sole director of Avature has proceeded to the appointment of the IIS Manager, who will hold this position indefinitely.
The Independent Authority for the Protection of the Informant shall be notified within ten (10) working days of the appointment or removal of the individually designated natural person, specifying, in the case of removal, the reasons for such removal.
The IIS Manager will perform his/her duties independently and autonomously from the rest of the Company’s bodies and in accordance with the Communications’ Management Procedure. The IIS Manager’s functions include:
- To continuously promote and supervise the implementation and effectiveness of this Policy.
- Ensuring access to this Policy to all Avature members and interested third parties.
- Implementing procedures to manage communications received through the Channel.
- Knowing, instructing and issuing the reports corresponding to the investigations arising from the communications received through the Channel.
- To inform the Avature’s sole director of the most relevant results of the activity of the Channel within the framework of its reporting tasks in order for the first to make the final decisions in this regard.
7. Publicity of the Channel
In accordance with the provisions of Law 2/2023, Avature has published on its website, in a separate and easily accessible section, access to the Channel and to this Policy.
The Company undertakes to give this Policy and the existence of the Channel the due dissemination, providing all members of the entity and third parties linked to its professional activity the information and, where appropriate, necessary training on the subject to ensure free access to them and all the tools of the IIS by which to assert their legitimate rights.
Likewise, the persons to whom the Policy is applicable, may report to the Independent Authority for the Protection of the Informant or to the competent regional authorities or bodies and, where appropriate, to the institutions, bodies and agencies of the European Union, the commission of any actions or omissions that may involve a breach or irregularity included in the scope of this Procedure, either directly or after communication through Avature’s Channel.
8. Data protection
From the point of view of personal data protection, the main aspects that are applicable within the framework of the IIS are provided for in Title VI of Law 2/2023 and are detailed below:
- The processing of personal data deriving from the application of Law 2/2023 shall be governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), in the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (PPGDR), in the Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal penalties, and in Title VI of Law 2/2023.
- Personal data shall not be collected if it is manifestly not relevant to the processing of specific information or, if collected by accident, shall be deleted without undue delay.
- Processing of personal data necessary for the implementation of Law 2/2023 shall be considered lawful.
- As the Company is an entity obliged to have an IIS, the processing of personal data, in cases of internal communication, shall be considered lawful under the provisions of Articles 6.1.c) of the RGPD – the processing is necessary for compliance with a legal obligation applicable to the controller – and 11 of the Organic Law 7/2021, of May 26.
- In the case in which the processing of special categories of personal data is carried out for reasons of essential public interest, it may be carried out in accordance with the provisions of Article 9.2.g) of the GDPR.
- When their personal data is obtained directly from data subjects, they will be provided with the information referred to in Articles 13 of the RGPD and 11 of the PPGDR as set forth in the privacy policy governing the IIS and the Channel.
- Reporting persons and those who carry out a public disclosure will be furthermore expressly informed that their identity will, in any case, be reserved and that it will not be communicated to the persons to whom the facts reported refer or to third parties.
- The person to whom the reported facts refer shall in no case be informed of the identity of the reporting person or of the person who has made the public disclosure.
- Data subjects may exercise the rights referred to in Articles 15 to 22 of the GDPR.
- In the event that the person to whom the facts related in the communication or to whom the public disclosure refers exercises the right to object, it will be presumed that, unless proven otherwise, there are compelling legitimate grounds that legitimize the processing of his or her personal data.
- The IIS will not obtain data allowing the identification of the reporting person and has adequate technical and organizational measures to preserve the identity and ensure the confidentiality of the data corresponding to the persons concerned and to any third party mentioned in the information provided, especially the identity of the reporting person in case he/she has identified himself/herself.
- The identity of the reporting person may only be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation.
- The processing of the data by other persons, or even their communication to third parties, shall be lawful when it is necessary for the adoption of corrective measures in the Company or the processing of the procedures that, if applicable, may be required.
- Access to the personal data contained in the IIS shall be limited to the Controller and, if applicable, to the person authorized by the Controller for such purpose.
- The Data Protection Officer may be contacted through privacyofficer@avature.net.