Whistleblowing Channel Policy

WHISTLEBLOWING CHANNEL POLICY

This policy applies at TPF Factory, S.L.U. as of 20/06/2024.

1. INTRODUCTION

The approval of Law 2/2023, of 20 February, regulating the protection of persons who report regulatory breaches and fight against corruption (hereinafter, “Law 2/2023”), requires both the public and private sectors to have internal reporting channels designed and implemented to protect individuals who, in a work or professional context, detect potential infringements.

TPF Factory, S.L.U., hereinafter THE ENTITY, through this Policy, undertakes to adopt the necessary measures to prevent any type of retaliation, including threats of retaliation and attempts of retaliation against persons who submit a report, as a means of safeguarding and protecting individuals who, in good faith, report information about acts or omissions that contravene the aforementioned law, THE ENTITY’s Code of Ethics and Conduct, or its internal regulations and procedures.

2. GENERAL PRINCIPLES

The purpose of this Policy is to establish the principles governing THE ENTITY’s implementation of the Internal Information System and protection of whistleblowers, in accordance with Law 2/2023.

We guarantee accessibility to the Internal Information System and protection of whistleblowers: the Internal Information System must allow reporting, whether in writing, verbally or in person, of information on regulatory breaches and anti-corruption matters to all persons within its scope of application.
We guarantee, through the independent operation of the System Manager, the completeness, integrity and confidentiality of the information, the prohibition of unauthorised access, the long-term storage of information and respect for good faith. The Internal Information System shall be managed by the responsible person with full independence and autonomy from the rest of THE ENTITY’s areas.
We guarantee the confidentiality of the identity of the reporting person and any person mentioned in the communication, as well as the actions carried out in its management and processing. The internal reporting channel shall allow the submission and subsequent processing of anonymous reports.
We guarantee the protection of the personal data of the affected persons, in compliance with applicable legislation.
We guarantee the secrecy of communications.
We guarantee the safety and protection of reporting and affected persons.
We guarantee the presumption of innocence and respect for the honour of affected persons.

3. SCOPE OF APPLICATION

a) This Policy applies to all members of THE ENTITY who report, through the procedures set forth herein:

Acts or omissions that may constitute criminal or serious or very serious administrative offences. In any case, this includes all serious or very serious criminal or administrative infringements that cause or involve financial harm to the Public Treasury and Social Security.
Conduct that may involve, by action or omission, acts by a member of THE ENTITY that have an actual impact on the professional relationship with THE ENTITY of the person referred to in the report, related to the commission, in a work or professional context, of any act contrary to the rules of conduct of THE ENTITY’s Code of Ethics or other provisions of its internal regulatory system.
Any actions or omissions that may constitute breaches of European Union law.

Members of THE ENTITY are understood to be those who, at any given time, are employees and collaborators of the entity.

b) This Policy also applies to whistleblowers who, without being members of THE ENTITY, have obtained information on any of the actions or omissions referred to above in a work or professional context, including in all cases:

Any person working for or under the supervision and direction of THE ENTITY, its contractors, subcontractors and suppliers.
Persons who were formerly members of THE ENTITY, whose employment or statutory relationship has already ended.
Volunteers and interns, regardless of whether they receive remuneration or not.
Persons whose employment relationship has not yet begun, where the information on infringements was obtained during the recruitment process or pre-contractual negotiations.

4. INTERNAL INFORMATION SYSTEM

The Internal Information System referred to in this Policy is the preferred channel for reporting the acts or omissions provided for in Law 2/2023.

The Internal Information System is mainly composed of the communication channel enabled for receiving reports within the scope of this Policy, the System Manager, and the management procedure to be followed for processing such communications.

5. ESTABLISHMENT OF THE INTERNAL REPORTING CHANNEL

The Internal Information System includes the Whistleblowing Channel, which is the preferred means of communication for the conduct described in section 3 of this Policy.

The aforementioned Internal Information Channel allows:

a) Submitting reports in writing or verbally, or both, under the conditions established in Law 2/2023.

b) When submitting the report, the whistleblower may indicate an address, email or safe location for receiving notifications.

c) The submission and subsequent processing of anonymous reports.

d) Informing those who submit reports through this channel, in a clear and accessible manner, about external reporting channels before the competent authorities and institutions.

e) The receipt of any other communications or information not included within the scope defined in section 3 of this Policy, although such communications and their senders will fall outside the scope of application and protection granted by it.

f) Appropriate measures shall be adopted to ensure the confidentiality of communications sent through channels other than those established or to staff not responsible for their processing (who must immediately forward them to the SII Manager).

6. INTERNAL INFORMATION SYSTEM MANAGER

The System Manager shall be a collegiate body or an individual, internal or external, with the characteristics provided for in Article 8 of Law 2/2023.
The appointment of the members of the collegiate body acting as System Manager shall be communicated to the Independent Authority for Whistleblower Protection, in accordance with Article 8.3 of Law 2/2023, within ten days of their appointment. Any dismissals, resignations and the reasons for them shall also be notified within the same period.
In the performance of their duties, the System Managers shall not receive instructions from any superior, shall not be subject to hierarchy within the collegiate body, and may not be removed from their positions due to their legitimate participation in the Internal Information System.

7. PERSONAL DATA PROTECTION

Personal data processing arising from the application of Law 2/2023 shall be governed by the GDPR and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDPGDD), in compliance with Law 2/2023.

The Internal Information System must prevent unauthorised access, preserve identity, and ensure the confidentiality of data relating to affected persons and any third party mentioned in the information provided, with special attention to the identity of the whistleblower where identified.

The identity of the whistleblower may only be disclosed to the judicial authority, the Public Prosecutor’s Office, or the competent administrative authority within the framework of criminal, disciplinary or sanctioning proceedings, and in all cases subject to the safeguards established in applicable regulations.

If the information received contains special categories of personal data requiring special protection, it shall be immediately deleted unless processing is necessary for reasons of substantial public interest in accordance with Article 9.2(g) GDPR, as provided in Article 30.5 of Law 2/2023.

In any case, personal data that is not manifestly relevant for handling a specific report shall not be collected, or if collected accidentally, shall be deleted without undue delay.

Reports that are not processed may only be recorded in anonymised form, and the blocking obligation provided for in Article 32 of the LOPDPGDD shall not apply.

8. WHISTLEBLOWER PROTECTION MEASURES

Persons reporting infringements shall be entitled to the protection measures established in Law 2/2023, provided that the following conditions are met:

a) They have reasonable grounds to believe that the information reported is true at the time of reporting, even if no conclusive evidence is provided, and that such information falls within the scope of this policy.

b) The report has been made in accordance with the requirements set out in this policy and in Law 2/2023.

The following are expressly excluded from protection under Law 2/2023:

Information contained in reports that have been inadmitted through an internal reporting channel for any of the following reasons:
- The reported facts are manifestly implausible.
- The reported facts do not constitute an infringement of the legal system within the scope of this policy.
- The report is manifestly unfounded or there are reasonable indications that it was obtained through the commission of a crime.
- The report does not contain new and significant information compared to a previous report for which proceedings have already concluded, unless new factual or legal circumstances justify further follow-up.
Information related to complaints about interpersonal conflicts or issues affecting only the whistleblower and the persons referred to in the report.
Information already fully available to the public or that constitutes mere rumours.
Information relating to actions or omissions not covered by the scope of this policy.

9. PROTECTION MEASURES FOR AFFECTED PERSONS

During the processing of the investigation, persons affected by the report shall be entitled to the presumption of innocence, the right to defence and the right of access to the file under the terms provided for in Law 2/2023, as well as the same protection granted to whistleblowers, with their identity preserved and the confidentiality of the facts and data of the procedure guaranteed.