1. INTRODUCTION

The approval of Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption, (hereinafter "Law 2/2023"), obliges both the public sector and the private sector to have internal information channels designed and implemented to protect people who detect potential infractions in a work or professional context. Specifically, as expressed in art. 13 of Law 2/2023, all entities that make up the public sector will be required to have an internal information system, including among them public sector foundations, as expressed in section 1 letter f).

THE ENTITY, through this Policy, undertakes to adopt the necessary measures to prevent any type of retaliation, including threats of retaliation and attempted retaliation against people who submit a communication, as a means to safeguard and protect people. who communicate in good faith information about acts or omissions that contravene the aforementioned law, the Code of Ethics and Conduct of THE ENTITY or the internal regulations and procedures of this institution.

2. GENERAL PRINCIPLES

The objective of this Policy is to establish the Principles that govern the actions of THE ENTITY in the implementation of the Internal Information System and protection of the informant, in accordance with the provisions of Law 2/2023.

  1. We guarantee accessibility to the Internal Information System and protection of the informant: the Internal Information System must allow the communication, whether in writing, verbally or in person, of information on regulatory infractions and the fight against corruption to all people included in its scope. of application.
  • We guarantee, through the independent action of the System Controller, the completeness, integrity and confidentiality of the information, the prohibition of unauthorized access, the lasting storage of information and respect for good faith. The Internal Information System will be managed by the person responsible with total independence and autonomy with respect to the rest of the areas of THE ENTITY.
  • We guarantee the confidentiality of the identity of the reporting person and of any person mentioned in the communication, as well as the actions carried out in the management and processing of the same. The internal information channel will even allow the presentation and subsequent processing of anonymous communications.
  • We guarantee the protection of the personal data of the affected persons, in compliance with current legislation on this matter.
  • We guarantee the secrecy of communications.
  • We guarantee the safety and protection of reporting and affected people.
  • We guarantee the presumption of innocence and respect for the honor of the affected people.

3. SCOPE OF APPLICATION

  1. This Policy applies to all members of THE ENTITY who report, through the procedures provided therein, of:
    1. Actions or omissions that may constitute a serious or very serious criminal or administrative offense. In any case, all serious or very serious criminal or administrative infractions against or that imply economic loss for the Public Treasury and Social Security will be understood to be included.
  • Conduct that may imply, by action or omission and on the part of a member of THE ENTITY, facts that have an effective implication in the professional relationship with THE ENTITY of the person to whom the communication refers, related to the commission in a context labor or professional of any act contrary to the standards of action of the Code of Ethics of THE ENTITY or the other provisions of the internal regulatory system.
  • Any actions or omissions that may constitute infringements of European Union Law.

Those who are employees and collaborators of the entity at any given time are considered members of THE ENTITY.

  • This Policy is also applicable to informants who, not being members of THE ENTITY, have obtained information about any of the actions or omissions referred to in the previous section in a work or professional context, including in any case:
    • Any person who works for or under the supervision and direction of THE ENTITY, its contractors, subcontractors and suppliers.
    • People who have been members of THE ENTITY in the past, having already ended their employment or statutory relationship with the entity.
  • Volunteers and interns, regardless of whether they receive remuneration or not.
  • People whose employment relationship has not yet begun, in cases where information about infractions has been obtained during the selection or pre-contractual negotiation process.

4. INTERNAL INFORMATION SYSTEM

The Internal Information System referred to in this Policy is the preferred channel for reporting on the actions or omissions provided for in Law 2/2023.

The Internal Information System is composed, mainly, of the communication channel enabled for the reception of the communications provided for in the scope of application of this Policy, of the person responsible for the System and of the management procedure that must be followed for the processing of the aforementioned communications. .

5. CREATION OF THE INTERNAL INFORMATION CHANNEL

The Internal Information System is made up of the Complaint Channel, which is the preferred channel for communicating the conduct provided for in section 3 of this Policy.

The aforementioned Internal Information Channel allows:

  1. Make communications in writing or verbally, or in both ways, under the conditions provided for in Law 2/2023.
  2. When making the communication, the informant may indicate an address, email or safe place for the purpose of receiving notifications.
  3. The presentation and subsequent processing of anonymous communications.
  4. Inform those who communicate through it, in a clear and accessible manner, about the external information channels before the competent authorities and institutions.
  5. The reception of any other communications or information not included in the scope established in section 3 of this Policy, although said communications and their senders will be outside the scope of application and protection provided by it.
  6. Appropriate measures will be adopted to guarantee the confidentiality of communications that are sent through channels that are not established or to members of staff not responsible for their treatment (who must immediately forward it to the Head of the SII).

6. THE RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM

  1. The persons responsible for the System will be a collegiate body or person, internally or externally, with the characteristics provided for in article 8 of Law 2/2023.
  • The Independent Authority for the Protection of Informants will be notified, in accordance with the provisions of article 8.3 of Law 2/2023, of the appointments of the members of the collegiate body Responsible for the System, within a period of ten days from their appointment. Their terminations, resignations and the reasons justifying them will also be notified eventually, within the same period.
  • In the exercise of their functions, the persons responsible for the System will not receive instructions from any superior, they will not be subject to hierarchy within the collegiate body, nor can they be removed from their positions for issues related to their legitimate participation in the internal information system.

7. PROTECTION OF PERSONAL DATA

The processing of personal data resulting from the application of Law 2/2023 will be governed by the provisions of the RGPD, and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights. (LOPDPGDD), in compliance with what, for such purposes, is determined in Law 2/2023.

The internal Information System must prevent unauthorized access, preserve the identity and guarantee the confidentiality of the data corresponding to the affected persons and any third party mentioned in the information provided, with special attention to the identity of the informant in the event that would have been identified.

The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation, and these cases will be subject to the safeguards established in the applicable regulations.

If the information received contains special categories of personal data, subject to special protection, it will be immediately deleted, unless the processing is necessary for reasons of essential public interest in accordance with the provisions of article 9.2.g) of the RGPD. as provided in article 30.5 of Law 2/2023.

In any case, personal data whose relevance is not evident to process specific information will not be collected or, if collected by accident, will be deleted without undue delay.

Communications that have not been processed may only be recorded in anonymized form, without the blocking obligation provided for in article 32 of the LOPDPGDD being applicable.

8. PROTECTION MEASURES FOR THE INFORMANT

People who report violations will have the right to the protection measures established in Law 2/2023, provided that the following circumstances apply:

  1. They have reasonable grounds to believe that the information referred to is true at the time of communication or disclosure, even if they do not provide conclusive evidence, and that the aforementioned information falls within the scope of application of this policy.
  2. The communication or disclosure has been made in accordance with the requirements provided for in this policy and in Law 2/2023.

Those persons who communicate or reveal are expressly excluded from the protection provided for in Law 2/2023:

  • Information contained in communications that have been inadmissible through any internal information channel or for any of the following reasons:
    • When the facts reported lack all plausibility.
    • When the events reported do not constitute a violation of the legal system included in the scope of application of this policy.
    • When the communication is manifestly unfounded or there are rational indications that it was obtained through the commission of a crime.
    • When the communication does not contain new and significant information about infringements compared to a previous communication in respect of which the corresponding procedures have been concluded, unless new factual or legal circumstances arise that justify a different follow-up.
  • Information linked to claims about interpersonal conflicts or that affect only the informant and the people to whom the communication or disclosure refers.
  • Information that is already completely available to the public or that constitutes mere rumors.
  • Information that refers to actions or omissions not included in the scope of this policy.

9. PROTECTION MEASURES FOR AFFECTED PEOPLE

During the processing of the file, the people affected by the communication will have the right to the presumption of innocence, the right of defense and the right of access to the file in the terms provided in Law 2/2023, as well as the same protection established for informants, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

10. APPROVAL, ENTRY INTO FORCE AND DISSEMINATION

This Policy will be effective from the moment of its approval by the Management of THE ENTITY, proceeding to its publication on the entity's corporate websites.

This Policy will be reviewed and updated whenever it is necessary to make any modifications.