Reporting

 INFORMATION ON WHISTLEBLOWING

according to

The Whistleblower Protection Act (WPA)


I. INFORMATION ON THE INTERNAL WHISTLEBLOWING PROCEDURES IN THE COMPANIES OF THE UNIMASTERS LOGISTICS PLC GROUP

This information is provided in accordance with the requirements of Article 12(4) of the Whistleblower Protection Act (WPA).

  1. The following persons are entitled to report violations:
  • current or former employees;
  • persons working under a civil contract;
  • persons exercising a freelance profession or trade;
  • volunteers and trainees;
  • partners, subcontractors, suppliers;
  • Employee applicants who have participated in a recruitment process and have received information about a breach in that capacity;
  • persons who have become aware of infringements in a work context.

Important! Anonymous reports will NOT be considered.

  1. 2. What violatons can be reported?

The scope of the law includes violations of Bulgarian and European legislation related to:

  • public procurement;
  • financial services, products and markets and the prevention of money laundering and terrorist financing;
  • product safety and compliance;
  • environmental protection;
  • consumer protection;
  • protection of privacy and personal data;
  • security of networks and information systems;
  • public health;
  • transport safety;
  • offences relating to cross-border tax schemes;
  • offences of a general nature;
  • employment law;
  • legislation relating to the performance of public service;
  • the rules on payment of outstanding public state and municipal debts, and other areas specified in the WPA.

Important! Whistleblowing that do not fall within the scope of the law, as well as signals of infringements committed more than two years ago, are not subject to examination.

  1. Ways to report violations to“Unimasters Logistics” PLC and the companies of the “Unimasters Logistics” PLC Group.

You may submit a written whistleblowing report by completing a template form, in any of the following ways:

  • by e-mail: signali@unimasters.com
  • by phone: +359 887 259 714 , +359 887 726 514;
  • during a personal meeting with the official;
  • by mail to the following addresses: BG-1592 Sofia, Bulgaria, 12 Prodan Tarakchiev street; BG-9000 Varna, 40 Graf Ignatiev street.

Important! Alerts must be signed by the persons submitting them. If submitted electronically, the form shall be signed with a qualified electronic signature. Important!

The form is not compulsory, but for convenience and it contains the mandatory data to be filled in. If the signal does not comply with any of the legal requirements, the officer will inform you by sending a notice to rectify the irregularities. If the deficiencies are not corrected within 7 days, the signal and its appendices will be returned to you.

  1. Actions on our part after the signal has been submitted:

We will acknowledge receipt within 7 days and register it with a unique identification number. If the signal does not meet the requirements of the law, we will notify you to correct the irregularities within 7 days.

The signal will be investigated by a person who does not have a conflict of interest.

Within three months of acknowledging receipt of the signal, we will provide you with feedback on the results of the verification and the actions taken.

  1. What protection do whistleblowers have?

Whistleblowers and persons associated with them (e.g. colleagues and relatives) are protected against unwarranted disclosure of their identity, except as permitted by law.

Retaliation against protected persons is prohibited, namely: suspension, dismissal, demotion, negative performance evaluation, application of financial and disciplinary liability, physical and verbal coercion, intimidation, hostility and violation of their dignity, discrimination, etc.

  1. What are the conditions for granting protection?

The whistleblower must have reasonable cause to believe that the information provided about the breach in the whistleblower's report was correct at the time of submission, and that the information falls within the scope of the WPA, and that the whistleblower's report was made under the terms and procedures of the Act.

Important! Persons named in the whistleblower report as violators are entitled to compensation for all pecuniary and non-pecuniary damages when it is established that the whistleblower knowingly submitted a report with false information.

  1. How can you file a report to the Commission for Personal Data Protection (CPDP)?

The Commission for Personal Data Protection is the Central authority for external whistleblowing. You can also report your whistleblowing directly to the CPDP in one of the following ways:

In writing:

  • by e-mail - whistleblowing@cpdp.bg;
  • by mail to: Sofia 1592, 2. „Prof. Tsvetan Lazarov” blvd.;
  • via the Secure Electronic Delivery System;
  • orally - at the CPDP office at the following address: Sofia 1592, 2. „Prof. Tsvetan Lazarov” blvd ”.

You can use the template for registering a whistleblower report on the CPDP website. The form is not mandatory. If you decide to use it, you only need to fill in Parts I to V inclusive and sign it: when sending the form by post - with a handwritten signature; when sending it by e-mail - with a qualified electronic signature. If you are using the Secure Electronic Delivery System, the CPDP responsible for handling the report will contact you to complete a Report of Violation Registration Form under the WPA.

II. WHISTLEBLOWING DATA PROTECTION

  1. II. WHISTLEBLOWING DATA PROTECTION

Personal data controller and data subject under Art. 12, par. 1(2) of the WPA is:

"Unimasters Logistics" PLC, with registered office and registered address in Varna, 40 Graf Ignatiev street ul. UIC: 148038718.

  1. Purpose of this notice / whistleblower privacy policy /

The purpose of this policy is to inform all individuals whose personal data is collected through the internal whistleblowing system about the manner in which the controller processes personal data when whistleblowing.

This notice does not replace the Privacy Statement disclosed in accordance with Regulation (EU) 2016/679 and the Personal Data Protection Act (PDPA), but applies only in cases of internal whistleblowing and the need to process personal data in these cases, as required by the WPA.

Any processing of personal data carried out pursuant to the WPA, including the exchange or transfer of personal data by competent authorities, shall be carried out in accordance with Regulation (EU) 2016/679 as well as the Personal Data Protection Act and, where the transfer involves institutions, bodies, offices or agencies of the European Union, in accordance with Regulation (EU) 2018/1725.

This notice (policy) applies to:

- The whistleblower as defined in Article 5(2) of the WPA;

- all persons concerned within the meaning of § 1(5) of the DG from WPA.

  1. Where is the personal data collected from?

The controller collects personal data provided by the whistleblower through the internal whistleblowing channel. In addition, personal data is collected from the controller's other internal systems as well as from third parties as necessary during the investigation of the whistleblowing.

Personal data concerning data subjects are collected from the data subjects themselves when they have made a whistleblowing report using their name. Data about data subjects may also be collected from sources other than the data subjects themselves, for example where a signal submitted by a data subject contains personal data about another person. In the course of processing alerts, the controller may also become aware of other data concerning data subjects which the whistleblowers themselves provide voluntarily or which are obtained from other sources in a manner permitted or required by applicable law.

  1. Purposes and reason for processing

4.1. Purpose of processing

We process your personal data for the following purpose: collecting and processing internal whistleblowing to comply with the Whistleblower Protection Act.

When you provide your personal data in a whistleblowing submission, we will collect and store your personal data in order to investigate your whistleblowing and to carry out an investigation into it. The information you provide to us will be kept strictly confidential and secure.

4.2. Reason for processing

The processing of personal data is lawful if one of the legal grounds set out in the applicable law (Article 6 of the GDPR - General Data Protection Regulation) is present.

We process personal data on the following grounds:

Legal obligation - we will process your personal data in order to comply with our obligations under the Whistleblower Protection Act. The legal basis we rely on is Article 6(1)(c) of the GDPR.

If the information we receive in connection with a whistleblowing contains special category data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning an individual's health, sex life, sexual orientation, etc., then the legal basis on which we will process that personal data is Article 9(2)(g) of the GDPR because the processing is necessary for reasons of important public interest based on Union and Bulgarian law.

Data relating to criminal offences, convictions and security measures may be processed under the conditions set out in Article 10 of the GDPR and the Personal Data Protection Act.

  1. Data subjects

For the purposes of the GDPR, a data subject in relation to the alert may be:

  • the author of the alert (also referred to as the whistleblower);
  • the person against whom the alert is lodged or persons related to him (persons concerned);
  • the witness(es) and other persons whose personal data may come to light in the course of the investigation.
  1. What personal data do we collect?

When you disclose information about wrongdoing (i.e. report possible wrongdoing), you are asked to provide at least the following personal information:

  • three names, address and telephone number, as well as e-mail address if available;
  • your capacity as a whistleblower, for misconduct of which you are aware in a work context - worker, employee, freelancer, etc;
  • the name of the person being reported and their place of work if the report is made against specific persons and they are known;
  • signature, electronic signature or other identification of the sender.

If necessary, we may request additional information so that we can investigate all the grounds for your whistleblowing, together with any supporting documents or evidence.

6.1. Categories of personal data that may be affected by the processing of the alert
We recognise that personal information in a whistleblowing report may relate to the whistleblower(s), the person against whom the report is made, witnesses to the breach or other individuals who are mentioned in the report (affected persons).

Therefore, in connection with your whistleblowing, we will also store the following personal information:

  • identity and contact details of witnesses;
  • identity, functions and contact details of the persons involved in the processing of the alert;
  • information collected in the context of verifying the reported facts;
  • information collected in the context of verifying the reported facts;

6.2. Obligation to provide your personal data

The processing of the above personal data is necessary for the verification of the information provided in the whistleblowing report. Failure to provide this data would prevent the processing of the alert and the related investigation.

According to the Bulgarian Whistleblower Protection Act, no proceedings are initiated in respect of anonymous whistleblowers.

  1. Who has access to the personal data and whether the data is disclosed to third parties?

We take appropriate measures to protect information related to whistleblowing and to protect the identity of whistleblowers by ensuring that only employees who need the data to perform their duties have access to the information. Our aim is at any time to ensure, as far as possible, the confidentiality of the information received and to protect the identity of the whistleblower and any other persons involved. The identity of the whistleblower shall not be disclosed to the persons against whom the allegations are made. The identity of the whistleblower shall only be disclosed if the whistleblower consents to it or if disclosure of the identity of the whistleblower is required in criminal proceedings or if the whistleblower has made a false report for malicious purposes. Personal data may be disclosed to third parties, such as public authorities or external inspectors, where this is a necessary and proportionate obligation imposed by Bulgarian or European Union law in the context of investigations by national authorities or judicial proceedings, including with a view to ensuring the right of defence of the person concerned. In these cases, we will notify the whistleblower of the need for disclosure before disclosing the identity or information relating to the whistleblowing. The notification shall be in writing and shall state the reasons. The whistleblower shall not be notified where doing so would jeopardise the investigation or legal proceedings.

  1. Transfer of personal data outside the European Union/European Economic Area

Personal data obtained in the course of an alert shall not be transferred outside the EU or EEA.

  1. Storage period of personal data

The personal data will only be processed for the performance of the obligations on which the processing is based - in this case to comply with the requirement to provide a whistleblowing channel. Personal data will not be processed for a longer period than is necessary to fulfil this purpose.

No personal data will be collected if it is clearly not relevant for the administration of the specific alert. If such data is collected in error, it will be deleted as soon as possible.

We are obliged to keep alerts and the materials attached to them, including subsequent documentation relating to their handling, for a period of 5 years after the conclusion of the handling of the alert, unless there are criminal, civil, labour and/or administrative proceedings in connection with the alert.

We apply the following storage periods:

  • If the whistleblower is found to be non-compliant/incompliant with the Whistleblower Protection Act (WPA) - The data shall be destroyed immediately;
  • In case the whistleblowing has not resulted in any consequences - the data shall be destroyed after a period of 5 years from the conclusion of the whistleblowing investigation;
  • In the event of disciplinary or judicial proceedings being initiated as a result of the whistleblowing - the data shall be destroyed at the end of the proceedings, or the limitation period for appealing the decision.

After the retention period, the personal data shall be destroyed or anonymised. In the latter case, this means that it will be impossible to identify you by this data.

  1. How do we keep your information safe and secure?

We have technical and organisational measures in place to enable the protection of your personal data and take reasonable steps to protect your data from loss, misuse, unauthorised access, disclosure, modification or destruction.

We manage, maintain and protect all information in accordance with legislation, our policies and best practice. All information is stored, processed and transmitted securely. Access to all personal information is strictly controlled.

We provide training to staff who handle personal information, including how to report data breaches to the whistleblower or others involved.

  1. Confidentiality

We will keep your identity confidential unless we are required to disclose it by law or obtain your express consent.

We will notify you if we need to disclose your identity to investigating authorities.

  1. What rights do you have as a data subject?

Under the General Data Protection Regulation you have the following rights:

  • Right of access: you have access to the personal data we hold about you.
  • Right to rectification: you can ask us to correct data that is inaccurate or incomplete.
  • Right to erasure (right to be forgotten): you have the option, subject to certain conditions, to have the personal data we hold about you erased. However, we have the option not to respond positively to your request, especially in the event that we need your personal data to comply with a legal obligation.
  • Right to restriction of processing, in particular in the event that you challenge the accuracy of the personal data we hold about you.
  • Right to object: you may object, for reasons relating to your particular situation and subject to certain conditions, to the processing of data concerning you.

To exercise the above rights or for any questions regarding personal data, please send any request to the Data Protection Officer at the following email address: data.privacy@unimasters.com

You have the right to submit a complaint with the supervisory authority if you believe that the processing of your personal data violates the GDPR and the PDPA - Commission for Personal Data Protection, https://www.cpdp.bg/.

The document is valid from: 17.12.2023

Last revision: