Internal Information System
I.- INTERNAL INFORMATION SYSTEM
In accordance with Law 2/2023 of 20th February 2023 governing the protection of people who report regulatory infringements and the fight against corruption, GIRBAU, S.A. states that it has an
In order to strengthen the culture of information and integrity infrastructures at GIRBAU, S.A. and to foster a culture of communication as a mechanism for preventing actions or omissions that might represent offences within the EU, serious or very serious criminal or administrative offences, as well as offences in the employment field in health and safety at work, the company has appointed the person in the position of Compliance Officer as the person responsible for the Internal Information System (IIS) and set up - by several means - an Internal Information Channel:
- By mail to the address: Carretera de Manlleu, km. 1, Vic (Barcelona) - to the attention of the Compliance Officer and responsible for IIS.
- By email to the address: compliance@girbau.com.
- In writing, handed over to the Compliance Officer and responsible for IIS.
The informant may request a face-to-face meeting with the Compliance Officer and responsible for IIS, within a maximum period of seven days.
Verbal reports made in a face-to-face meeting with the Compliance Officer and responsible for IIS shall be documented in one of the following ways, with the prior consent of the informant:
- a) by recording the conversation in a secure, durable and accessible format, or
(*) The informant is to be warned that the conversation will be recorded and informed that their data will be processed in accordance with the stipulations of EU Regulation 2016/679 of the European Parliament and Council, of 27th April 2016.
- b) through a complete and accurate transcription of the conversation made by the Compliance Officer and responsible for IIS.
Without prejudice to his or her rights under data protection regulations, the informant will be given the opportunity to verify, rectify and accept the transcription of the conversation by signing it.
The IIS meets the requirements of Article 5.2 of the aforesaid law:
a).- It allows people to whom the law (Article 3) applies to pass on information, by various means, about the offences set forth in Article 2 thereof.
b).- It is managed securely, guaranteeing that communications can be dealt with effectively within the company, that the informant's identity is kept confidential, as is that any third person mentioned in the report and the steps taken to deal with and process it, as well as assuring data protection, by preventing access by unauthorized persons.
c).- There is a Protocol governing the Internal Information System, the use of the Internal Information Channel and the actions by the Compliance Officer and responsible for the Internal Information System, which establishes guarantees to protect informants:
- Acknowledgment of receipt within seven calendar days of receiving the information.
- A maximum period of three months in which to take steps to investigate, on the terms of Article 9 of the law, duly completing and keeping a record book of information received.
- The possibility of further communication with the informant.
- The person affected is entitled to be informed of the actions or omissions attributed to them and to respond.
- Confidentiality is guaranteed when the information is sent through reporting channels other than the established ones or to anyone not responsible for dealing with them, as well as an obligation for the person receiving it to pass it on immediately to the person responsible for IIS.
- Respect for the presumption of innocence and the right to honor of the people affected.
- Respect for Data Protection regulations (Section VI of the aforesaid law).
- Obligation to send information to the Spanish Public Prosecutor's Office immediately in the event that the facts in question might constitute a crime.
II.- PROCESSING OF PERSONAL DATA
As data Controller, GIRBAU, S.A. will process the personal data included in reports received, which are protected by Law 2/2023, for the purpose of beginning, if appropriate, the pertinent investigative procedure. The legal basis for processing is compliance with a legal obligation, arising from the aforesaid law. If the report contains data of a special nature, the legal basis shall be essential public interest and other provisions laid down in paragraph 2 of art. 9.2. of EU Regulation 2016/679 of the European Parliament and Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data.
It has also been stated that these personal data may be processed and transferred by the people authorized to do so only when this is necessary to take corrective measures at GIRBAU, S.A. or to process any sanction or criminal proceedings that might be necessary. The personal data will be kept for the time essential to decide whether it is appropriate to begin an investigation of the facts reported. In any case, should this decision not be taken within a period of three months, the personal data contained in the report will be deleted, except for the purpose of keeping evidence of the operation of the system.
Any personal data not considered truthful will also be deleted, except where such a lack of truthfulness might constitute a criminal offence, in which case the information will be kept for the time necessary for court proceedings to be processed.
Finally, it is noted that the informant may at any time ask the data controller for access to their personal data, correction or deletion of these or restriction on their processing, or object thereto, or else exercise their right to portability of their data, by applying in writing, enclosing a photocopy of their identity document, to the postal address Carretera de Manlleu km 1 (08500) Vic or to the email address dataprotection@girbau.com. Should you disagree with the processing of your data, you can lodge a complaint with the Spanish Data Protection Agency, the supervisory body in this area, at C / Jorge Juan 6, (28001) Madrid (www.aepd.es).
III.- NON-RETALIATION
GIRBAU, S.A. expressly undertakes not to take any action constituting retaliation, including threats or attempts at retaliation against people lodging a report in accordance with the provisions of Law 2/2023, and to take measures during processing of a file to protect the people affected by any such report.
IV.- EXEMPTION FROM AND MITIGATION OF THE SANCTION
When a person who has sat on the committee for an administrative offence that forms the object of the information is the one who submits the information and providing it had been submitted prior to notification of the beginning of the process of investigation or sanction, the competent body to settle the procedure with a reasoned decision may exonerate them from execution of the administrative sanction to which they may be liable, providing the circumstances set forth in Article 40 of the aforesaid law are proven.
(*) The Internal Information Channel allows the submission of anonymous communications.
(**) While reports are to be submitted preferably and whenever possible via the internal channel, informants may also, if appropriate, send them to the Independent Authority for the Protection of the Informant (for these purposes the Anti-Fraud Office of Catalonia), the Spanish Public Prosecutor's Office or the European Public Prosecutor's Office, as appropriate.