INTERNAL REPORTING PROCEDURE OF THE ANDEA GROUP
based on Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and on the Polish Law of 14 June 2024 on the Protection of Whistleblowers
§ 1. DEFINITIONS
Whenever this document refers to:
- the “Employer,” this shall mean the Andea Group, i.e., ANDEA sp. z o.o. of Kraków (the “Company” and/or “Andea”) as well as the companies in which it holds a majority of shares, both directly and indirectly, and which are based in Poland. The current list of the members of the Group is available at https://www.andea.com/company-entities/and in the Guidelines & Policies folder available to all Andea Group Employees;
- the “Reports Coordinator,” this shall mean the person responsible for verifying Reports and communicating with the Reporting Person, including by means of requesting additional information and providing the Reporting Person with Feedback, and for supervising the entire reporting process and the Follow-Up Actions;
- an “Employee,” this shall mean a person remaining in an employment relationship, as defined in Article 22 § of the Polish Labor Code;
- a “Contractor,” this shall mean a person providing services to the Employer under a civil law agreement;
- a “Person Authorized to File a Report,” this shall mean a person who has the right and obligation to file a Report;
- the “Reporting Person,” this shall mean the person filing a Breach Report via a reporting channel specified in this Procedure;
- the “Person Concerned,” this shall mean a natural person, a legal person, or an organization that does not have legal personality which has legal capacity under statutory regulations, specified in a Report or a Public Disclosure as a person or organization that breached legal regulations, or a person related to that person;
- a “Person Assisting in Filing a Report,” this shall mean a natural person that helps the Reporting Person to file a Report or make a Public Disclosure in a Work-Related Context;
- a “Person Related to the Reporting Person,” this shall mean a natural person who may be a victim of Retaliation, including a person working with the Reporting Person or a member of the Reporting Person’s family;
- the “Whistleblower,” this shall mean the Reporting Person who has been granted the status of a whistleblower on the terms specified in this Procedure;
- “Work-Related Context,” this shall mean all of the circumstances related to an employment relationship or another legal relationship being the basis for rendering work, as part of which the Information on a Breach has been acquired;
- “Acting in Good Faith,” this shall mean acting while believing that the reported information is true at the moment of reporting and that the reported situation constitutes or may constitute a Breach;
- the “Procedure,” this shall mean this Internal Reporting Procedure;
- a “Breach,” this shall mean a factual state of affairs that is a consequence of an action or omission, suggesting a possibility of a situation that breaches or could breach generally applicable legal regulations or internal regulations; this shall also mean any action or negligence that constitutes or may constitute an illegal or unethical action;
- a “Breach Report” (a “Report”), this shall mean provision, following the steps specified in this Procedure, by a Person Authorized to File a Report, of information that may demonstrate the existence of a Breach;
- “Information on a Breach,” this shall mean information, including a justified suspicion, concerning an actual or potential Breach, which has occurred or will likely occur in the organization in which the Reporting Person works or worked or in another organization with which the Reporting Person remains or remained in contact in a Work-Related Context, or concerning an attempt to conceal such a Breach;
- the “Register of Internal Reports” (the “Register”), this shall mean the register maintained in connection with the Reports filed;
- the “Confidential Register,” this shall mean an encrypted register containing personal data, maintained in connection with the Reports filed;
- a “Preliminary Analysis of a Report,” this shall mean a verification of the Report in view of there being reasons to examine it as part of an Investigation and to grant the Reporting Person the status of a Whistleblower, whereby the Reports Coordinator shall have the right to request the Reporting Person to supplement the data contained in the Breach Report by a specific date;
- the “Investigation Commission” (the “Commission”), this shall mean the internal commission appointed by the Reports Coordinator for the purpose of comprehensively clarifying the circumstances described in a Breach Report;
- the “Investigation” (the “Follow-Up Actions”), this shall mean the actions taken by the Employer or by a public authority in order to verify the truthfulness of the claims made in the Report and, in the relevant cases, in order to prevent the Breach being the object of the Report, including by means of carrying out an internal investigation, filing an indictment, taking actions in order to recover funds, or closing the procedure of receiving and verifying the Report;
- “Feedback,” this shall mean the information provided to the Reporting Person with respect to the planned or taken Follow-Up Actions and the reasons for taking them;
- “Retaliation,” this shall mean a direct or indirect action or omission resulting from a Report or a Public Disclosure, which violates or may violate the rights of the Reporting Person or causes or may cause damage to the Reporting Person;
- an “Internal Report” (a “Report”), this shall mean provision of Information on a Breach within the Company, in accordance with this Procedure, via the internal communication channels;
- an “External Report,” this shall mean the provision of Information on a Breach to a Public Authority or the Central Authority, i.e., the Polish Ombudsman (RPO);
- the “Central Authority,” this shall mean the public administration authority competent to provide information and support with respect to the reporting and Public Disclosure of Breaches and to accept External Reports concerning Breaches in areas covered by statutory regulations, carry out their preliminary verification, and forward them to the relevant authorities in order for them to take Follow-Up Actions;
- a “Public Authority,” this shall mean a public authority that has set up a procedure for receiving external Reports concerning violations of legal regulations in the area for which this authority is competent;
- “Public Disclosure,” this shall mean making the Information on a Breach available to the public.
§ 2. GENERAL PROVISIONS
- Andea operates strictly in accordance with legal regulations, good practices, and the highest ethical standards.
- The Company’s strategy is based on taking into account a number of aspects, including relations with various groups of stakeholders, responsibility, and prevention of corruption and other Breaches both within the organization and among the entities Andea works with. This Procedure has been developed in order to ensure strict compliance with ethical and legal norms across the entire Company.
§ 3. PURPOSE AND SCOPE
- The fundamental purpose of this Procedure is to:
- prevent Breaches in the Andea Group;
- make it possible to report alleged Breaches, potentially illegal activities, and suspicions of inappropriate conduct on time, securely, and in an open manner;
- establish up a system for informing about Breaches at Andea, by means of setting up reporting channels that prevent the possibility of Retaliation against the Whistleblower;
- ensure a cohesive and timely response;
- encourage ethical and legally compliant conduct.
- This Procedure specifies in particular:
- the scope of Breaches the Procedure applies to;
- the Persons Authorized to File a Report;
- the principles of reporting Breaches by the Persons Authorized to File a Report;
- the responsibilities in the process of managing Breaches;
- the process of examining and managing Reports;
- the principles of confidentiality, including but not limited to the principles of keeping secret the Breach Reports filed by the Whistleblowers and the identity of the Reporting Persons.
- The Procedure and its provisions apply to Reports concerning Breaches in the form actions or omissions that are illegal or intended to circumvent legal regulations on:
- health and safety;
- preventing money laundering and the financing of terrorism;
- financial services, products, and markets;
- corruption;
- product safety and compliance;
- environmental protection;
- consumer protection;
- protection of privacy and personal data;
- network and ICT systems security;
- the financial interests of the Polish State Treasury, local government entities, and the European Union;
- the European Union’s internal market, including the principles of competition and public aid, as well as taxation of legal persons;
- violations of the Code of Conduct or the other policies and procedures in force at the Andea Group.
- The Persons Authorized to File a Report shall be in particular:
- the Employees, Contractors, and former Employees and Contractors of the Andea Group;
- persons acting for and on behalf of the Andea Group;
- any and all other persons related to the Company in any way, including but not limited to: Persons Assisting in Filing a Report, interns, trainees, and candidates for employment (if the information concerning the Breach has been acquired by them during the recruitment process or another process preceding the establishment of an employment relationship).
- A Breach shall mean in particular a situation where a Person Authorized to File a Report is in possession of information that may suggest:
- a suspicion of preparing, attempting, or perpetrating a prohibited act;
- failure to perform duties or abuse of powers;
- failure to exercise due diligence when required in the given circumstances;
- a Breach within the operations of the Company that could result in a prohibited act or that could lead to a loss;
- a Breach of the internal procedures and ethical standards in force at Andea.
§ 4. PERSONS RESPONSIBLE FOR MANAGING REPORTS
- The person responsible for receiving Reports at Andea and exercising comprehensive supervision over the process of filing Reports shall be Ms. Justyna Kaczmarek, the Reports Coordinator.
- The persons who, according to a Breach Report, could be in any way negatively involved in an action or omission constituting a Breach shall not be involved in the analysis of that Report.
- The principles of selecting the members of the Investigation Commission and the principles of excluding a member of the Commission from its work shall be specified in a separate Investigation Procedure.
- If a Report concerns the person specified in § 4(1), above, the responsible person shall be Ms. Małgorzata Korzec.
§ 5. WHISTLEBLOWERS
- According to the principle of good faith, every Person Authorized to File a Report should report a Breach if they have reasons to believe that the information is true and falls within the scope of this Procedure.
- The status of a Whistleblower is granted to every Reporting Person, unless a Preliminary Analysis of the Report suggests that the Reporting Person obviously acted in bad faith (presumption of good faith). A Reporting Person is deemed to act in bad faith if they act in order to achieve a goal that is in conflict with legal regulations or the principles of social coexistence.
- The decision on granting the status of a Whistleblower is made by the Reports Coordinator.
- If the Reporting Person did not file the Report anonymously, the Reports Coordinator shall confirm the receipt of the Report within seven days of receiving it.
- The deadline specified in § 5(4), above, may be exceeded exclusively if additional actions need to be taken as part of the Preliminary Analysis of the Report (e.g. the need to supplement the Report or collect additional evidence).
- The maximum deadline for providing the Whistleblower with Feedback shall be not more than three months from the date of confirmation or receipt of the Report or, if the confirmation referred to in § 5(4) is not provided, three months from the lapse of seven days from the date of filing an Internal Report, unless the Whistleblower did not provide a contact address to which the Feedback should be sent.
- If, during the course of the Investigation, it turns out that the Reporting Person, who had been granted the status of a Whistleblower, acted in bad faith, they shall be deprived of the protection guaranteed to Whistleblowers.
§ 6. REPORTING A BREACH
- Breach Reports may be submitted by means of:
- filling out the Breach Report form constituting Appendix No. 1 to this Procedure and sending it to the following correspondence address: ul. Kapelanka 42B, 30-347 Kraków, with a note on the envelope reading: „Do rąk własnych Koordynatora ds. obsługi Zgłoszeń” [“To the hands of the Reports Coordinator”]. A letter containing this note on the envelope will not be subject to compulsory registration and will be forwarded directly to Ms. Justyna Kaczmarek, the Reports Coordinator;
- filling out the Breach Report form constituting Appendix No. 1 to this Procedure and submitting it directly to Ms. Justyna Kaczmarek, the Reports Coordinator;
- filling out the Breach Report form constituting Appendix No. 1 to this Procedure and putting it into the box located in the Fuji Conference Room on Floor 5;
- contacting Ms. Justyna Kaczmarek, the Reports Coordinator, personally;
- calling Ms. Justyna Kaczmarek, the Reports Coordinator, at +48 536-536-240.
- A verbal Report submitted via a non-recorded phone line shall be documented in the form of minutes of the conversation precisely specifying its course, to be drafted by the Reports Coordinator. The Reporting Person shall have the right to verify, correct, and approve the minutes of the conversation by signing it.
- At the request of the Whistleblower, a verbal Report may be submitted during a face-to-face meeting organized within 14 days of receiving the request. In such a case, with consent from the Whistleblower, the Report shall be documented in the form of minutes of the meeting precisely specifying its course, to be drafted by the Reports Coordinator.
- In the case referred to in § 6(3), above, the Whistleblower shall have the right to verify, correct, and approve the minutes of the meeting by signing it.
- The Breach Report should contain a clear and exhaustive explanation of the object of the Report and should contain at least the following information:
- the details of the Reporting Person, including contact details (except where the Report if filed anonymously);
- the date and the place of the Breach or the date and the place of acquiring Information on the Breach;
- a description of a specific situation or circumstances in which the Breach occurred;
- indication of the entity the Breach Report concerns;
- if applicable, the details of other persons who have knowledge of the Breach (witnesses, aggrieved persons, etc.);
- specification of evidence confirming a Breach of legal regulations or internal procedures (any documents in any format) or additional information making plausible the occurrence of a Breach or justifying the suspicion of a Breach or potentially facilitating the clarification of the Report.
- The Reporting Person shall treat as secret the information concerning a suspicion of a Breach that is in their possession and shall refrain from holding public conversations about the reported suspicion of a Breach, unless they are required to do so under legal regulations.
- If the Report is submitted over the phone or during a meeting with the Reports Coordinator, the Reporting Person shall specify a phone number or an address to which Feedback is to be sent.
§ 7. ANONYMOUS REPORTING
- It shall be permitted to file a Breach Report anonymously: in writing, using the Breach Report form constituting Appendix No. 1 to this Procedure, or over the phone.
- Each anonymous Report shall be entered into the Register. If an anonymous Report is not examined, the Reports Coordinator shall specify the reasons for the decision not to examine the Report.
- If, in the course of examining an anonymous Report, the identity of the Reporting Person is determined, the Reports Coordinator shall immediately grant them the status of a Whistleblower.
§ 8. FALSE REPORTS
- A Report may be filed exclusively when Acting in Good Faith.
- It is prohibited to file false Breach Reports.
- If, following a Preliminary Analysis of the Report or in the course of the Investigation, it is determined that the Reporting Person consciously provided false information or concealed the truth in the Breach Report, the Reporting Person who is an Employee may suffer disciplinary liability in accordance with the Polish Labor Code. This may also be classified as a gross violation of fundamental employee duties and, as such, result in termination of the employment contract without observing the notice period, a fine, community work, or imprisonment of up to two years.
- In the case of a Reporting Person who provides services or goods to Andea under a civil law agreement, determining that a false Breach Report has been filed may result in termination of the agreement and definite termination of cooperation between the parties.
- Irrespective of the consequences specified above, a Reporting Person who knowingly files a false Breach Report may be held liable for damages if a loss occurs in connection with the false Report.
§ 9. FOLLOW-UP ACTIONS
- Access to the channels for reporting Breaches shall be granted exclusively to the persons responsible for managing the Reports.
- After receiving a Breach Report, the Reports Coordinator shall carry out a Preliminary Analysis of the Report immediately, but not later than within three days from receiving the Report.
- The Reports Coordinator shall inform the Reporting Person, within seven days of receiving the Report, about accepting the Report and granting the Reporting Person the status of a Whistleblower.
- If the Report is rejected, the Reports Coordinator shall inform the Reporting Person of that fact, informing them of the reason for rejection.
- If the Report is fit to be examined, the Reports Coordinator shall initiate an Investigation.
- Supervision over the Investigations carried out by the Investigation Commission shall be exercised by the Reports Coordinator.
- A Breach Report shall be examined without undue delay, within not more than 30 days from the date of initiation of the Investigation, provided that the Commission is able to collect the necessary documents and evidence in that time.
- In a particularly complex case, examining a Breach Report may take longer, but not more than 90 days from the date of initiation of the Investigation.
- The Commission shall produce a report on the Investigation.
- The report shall contain the Commission’s recommendations with respect to handling the case; the potential consequences for the perpetrator(s) of the Breach or the Reporting Person who knowingly filed a false Report shall be specified by the Employer.
- The Reports Coordinator shall inform the Whistleblower about how the case has been handled, i.e., provide information about the Follow-Up Actions planned or taken and about the reasons for taking them, within note more than three months of confirming the receipt of the Report.
§ 10. CONFIDENTIALITY OF INFORMATION
- The Company shall provide appropriate technical and organizational measures in order to ensure the confidentiality of the identity of the Reporting Person, the Person Concerned, and the other persons mentioned in the Report, as well as the persons whose personal data was acquired in the course of the Investigation, including but not limited to the Persons Assisting in Filing the Report, witnesses to the Breach, and the Persons Related to the Reporting Person.
- The information acquired in the course of processing the Breach Report that allows for directly or indirectly identifying the identity of the above persons shall also be confidential.
- Access to personal data and the information contained in the Report shall be granted exclusively to the persons who have been authorized to process it, to the extent necessary to carry out the tasks related to processing the Reports and taking Follow-Up Actions.
- Any and all data allowing for identifying the Reporting Person may be disclosed exclusively on the basis of their prior and express written consent.
- The Company may disclose the data of the Reporting Person without their express consent if the disclosure is made to the relevant public authorities or courts or if the disclosure is a necessary and proportional obligation resulting from legal regulations in the context of the investigations or the preparatory or court proceedings carried out by these public authorities or courts, including in order to guarantee the Person Concerned with the right to defend.
- A violation of the confidentiality obligation may result in legal and/or disciplinary procedures being initiated with respect to the violator.
§ 11. PROTECTION OF WHISTLEBLOWERS
- The Management Board of Andea hereby introduces a strict prohibition of Retaliation against Whistleblowers, including if the Report was made in good faith and the Investigation showed that no Breach had taken place.
- A Whistleblower shall be fully protected against repression, discrimination, and other forms of unfair treatment.
- The employment relationship or a mutual agreement with a Whistleblower shall not be terminated purely on the basis of the fact that the Whistleblower has filed a Breach Report.
- No protection shall be granted to a Whistleblower who is also the perpetrator or joint perpetrator of the Breach or assists in committing the Breach.
- Detailed information about the protection of Whistleblowers is contained in Appendix No. 5 to this Procedure.
§ 12. REGISTER OF INTERNAL REPORTS
- In each individual case, a Breach Report shall be entered into the Register of Internal Reports and the Confidential Register, irrespective of the further course of the Investigation.
- The person responsible for keeping the Register of Internal Reports and the Confidential Register shall be Ms. Justyna Kaczmarek, the Reports Coordinator.
- The Register of Internal Reports kept by the Reports Coordinator shall contain at least the following information:
- case number;
- object of the Breach;
- date of filing the Internal Report;
- information concerning the Follow-Up Actions taken;
- date of closing the case.
- A specimen of the Register of Internal Reports constitutes Appendix No. 3 to this Procedure.
- The Confidential Register kept by the Reports Coordinator shall contain at least the following information:
- the contact details of the Whistleblower (unless the Report was filed anonymously) and the date and number of the case;
- all of the detailed information held about the Breach Report;
- the course of the process of analyzing and examining the Breach Report;
- the persons and bodies involved in the process of analyzing and examining the Breach Report;
- all decisions and escalations (if any).
- A specimen of the Confidential Register constitutes Appendix No. 4 to this Procedure.
- In addition to maintaining the Registers, the Reports Coordinator shall keep, in compliance with the principle of confidentiality, any and all evidence, documents, and information collected in the course of analyzing and examining Reports, for three years from the end of the calendar year in which the Follow-Up Actions are completed or from the completion of the proceedings initiated as a result of these Actions.
§ 13. EXTERNAL AND PUBLIC REPORTS
- The Reporting Person may file an External Report without filing an Internal Report first.
- The Central Authority is the Polish Ombudsman (RPO). The RPO’s website contains detailed information on how to file an External Report.
- The Public Authority that receives Reports is the authority accepting External Reports concerning Breaches within the areas of competence of that authority.
- The Polish Ombudsman and the Public Authorities are separate controllers of the personal data contained in an External Report received by these entities.
§ 14. FINAL PROVISIONS
- The Employer shall cause each Employee to read and understand this Procedure prior to permitting them to commence work.
- This Procedure shall be periodically reviewed, at least one a year.
- This Procedure is implemented for an indefinite period of time.
- The following are attachments to the Procedure:
Appendix No. 1 – Internal Report form
Appendix No. 2 – Confirmation of receipt of an Internal Report
Appendix No. 3 – Register of Internal Reports
Appendix No. 4 – Confidential Register
Appendix No. 5 – Procedure for protecting Whistleblowers in connection with a Report
Appendix No. 6 – GDPR data privacy notice