WHISTLEBLOWER CHANNEL AND PROTECTION OF THE INFORMANT’S IDENTITY
Management of Resort La Ciguena S.L.
It is the support for the collection of information, through which those events related to materialized risks or those facts that may raise suspicions of the commission of a crime, or that imply a breach of the Code of Ethics, will be received in order to comply with Law 2/2023 of February 20 regulating the protection of individuals who report regulatory violations and fight against corruption.
The company’s management body will be responsible for implementing the internal information system, after consulting with the legal representation of the employees, if applicable, and will be responsible for the processing of personal data:
Email: administracion@ama-resort.com
DPO data: info@seinin.com
Name: GESTIÓN RESORT LA CIGÜEÑA S.L.
VAT/Tax ID: B92994763
Address: PASEO DE LAS CUMBRES S/N, ISLANTILLA – 21449 – LEPE – HUELVA
The reporting channel will be available to all employees of the organization or any third party who maintains a business relationship with the Company, acting in good faith, and will have the confidentiality derived from the application of this Law. And more specifically:
– Employees on payroll and self-employed workers;
– Shareholders, participants, and individuals belonging to the management, direction, or supervision bodies of a company, including non-executive members;
– Any person working for or under the supervision and direction of contractors, subcontractors, and suppliers;
– Informants who communicate information after a terminated employment relationship;
– Volunteers, interns, workers in training periods; those whose employment relationship has not yet started, and are in the process of selection or pre-contractual negotiation.
– The legal representatives of the worker (RLPT) in the exercise of their functions or if they act as informants, will be protected.
– All individuals related to the initial informant who may suffer retaliation. And legal entities for which they work or with which they have a connection.
Communication will be carried out confidentially. Informants who use this tool cannot be retaliated against, discriminated against, or harmed simply for reporting unlawful conduct, as long as they act in good faith.
The whistleblowing channel is based on the following principles:
– Confidentiality.
– Integration into all company procedures.
– Simplicity for the reporter.
– Diversity of access channels, with a preference for communication via email or through another specified channel in this policy.
– Maximum disclosure of its existence.
– Reliability of the information.
The identity of the complainant, as well as the personal data communicated in relation to an irregular action through this channel, will be considered confidential information and, therefore, cannot be disclosed without the express consent of the accused. It is important to emphasize that the confidentiality of the complainant does not necessarily imply anonymity for all purposes, as making a communication or complaint only initiates an investigative process by the RESPONSIBLE FOR THE INTERNAL INFORMATION MANAGEMENT SYSTEM in order to gather information to verify the reported facts. It is important for both the person making the communication and the department responsible for the management to be able to contact the complainant to clarify the information sent or received, according to the needs of the investigation to be conducted.
The complaint channel can be managed internally, in which case the complaints will be received, investigated, and resolved by internal departments of the company, or the management may be outsourced to a third party who will carry out the investigative tasks, if established in this policy. Initially, it is established that the management will be internal.
In all cases, the decision on the resolution of the complaint and the measures to be taken must be made by the RESPONSIBLE FOR THE INTERNAL INFORMATION MANAGEMENT SYSTEM, although they may seek advice from professionals or specialists in the particular field being investigated.
All complaints received must be registered, numbered, investigated properly, and resolved by the department designated by the company. Once the investigation is completed and the incident resolved, the person who made the complaint should be informed of the outcome and the terms of the resolution adopted.
Any complaint or communication received with criminal implications will necessarily initiate a file by the investigating body.
You can report any action or omission that may constitute:
– serious or very serious criminal or administrative infractions
– infractions of European Union Law
For their admission and proper processing, communications or reports must necessarily contain the following data:
– Identified complainant with name and surname optionally. It may be done anonymously.
– Succinct exposition of the facts or arguments supporting the communication/report.
– Person or group against whom the report is directed.
The burden of proof will always fall on the complainant, who must provide the documents on which it is based, and the accused may provide the documents they consider appropriate to counter those of the complainant.
The keys for the whistleblowing channel to function effectively and thus serve to identify irregular behaviors within the organization are fundamentally two aspects:
– That all employees have complete confidence that there will be no reprisals for making reports as long as they are made in good faith.
– That all reports, without exceptions, be investigated to the end and, if irregular behavior is indeed occurring, that there be consequences for the offender. The confidentiality of the complainant will be maintained at all times, unless such information is required by a competent judicial or administrative authority, in which case the company will be obliged to provide that information to the requesting body.
There is the possibility that the whistleblowing channel may receive, through any of the means that allow it, some type of communication where the complainant’s data is not included, and although the spirit of the channel is to comply with what was stated by the legal department of the A.E.P.D. in 2007, Report on the Creation of internal whistleblowing systems in companies (mechanisms of “whistleblowing”), so as to avoid anonymous communications as much as possible, they will not be automatically rejected, although they can never serve as the sole proof of the commission of an irregularity or a crime.
– Functions:
– Ensure compliance with the established prevention model, carrying out periodic updates that may be necessary.
– Carrying out instruction and management tasks of the complaints channel, trying to maintain a colegial nature, if applicable.
– Composition:
– According to current regulations, GESTIÓN RESORT LA CIGÜEÑA S.L. has decided appoint as joint managers of this system:
Name: JUAN MANUEL SÁNCHEZ MÁRQUEZ and MARÍA MATEOS CRUZ.
DNI: 29777644G and 47345739D
Address: PASEO DE LAS CUMBRES S/N, ISLANTILLA – 21449 – LEPE – HUELVA
Email: jmanuel.sanchez@ama-resort.com.
The entity may appoint as responsible for this management system an internal body whose components must be identified in this document or outsource this function, also identifying the third party in question in this document. In case of outsourcing the service, the data controller will have the assigned functions described in the Service Provision Contract signed between both Companies, in which the scope and content of the mandate will be precisely delimited. Likewise, a contract for access to third-party data will be established in accordance with European and national regulations on the protection of personal data.
They may be incorporated into it punctually, and, for each specific case, the person(s) of the organization who decide so at any given moment according to the nature of the reported fact.
– Procedures related to the management of the Reporting Channel and the management of the Reports Received.
– THE RESPONSIBLE FOR THE SYSTEM will carry out, among others, the following functions:
a) Reporting channel management:
1.- Receipt of reports
2.- Classification of reports
b) Management of received reports
1.- Investigation of the report
2.- Preparation of a report addressed to the decision-making body
To carry out these functions, some basic guidelines are detailed below, purely indicative character, allowing the RESPONSIBLE FOR THE SYSTEM to consider in each specific case the performance of any modifications deemed appropriate to better achieve its objectives. This last paragraph shall not apply to those files with criminal significance.
A) Management of the reporting channel
Regarding the management of the received reports, it will be the RESPONSIBLE FOR THE SYSTEM’s responsibility to make duly justified decisions corresponding to permissions for access, writing, printing, deletion, or blocking of stored data, the deadlines for their definitive cancellation, or the reasons why access to blocked data could be granted, prior consultation with the DPO (Data Protection Officer) appointed by the entity, if this figure exists.
In compliance with data protection regulations, access to the data stored by an interested third party shall be limited to the personal data subject to processing, and data concerning third parties cannot be considered included in this right, so both the data of the reporter(s) must be kept strictly confidential at all times, as well as any other data concerning third parties included in the report received or in the file that is initiated.
Any act of retaliation, including threats of retaliation and attempted retaliation, against individuals who file a report is expressly prohibited. Retaliation is understood as any acts or omissions that are prohibited by law, or that, directly or indirectly, put individuals at a particular disadvantage in the workplace or professionally solely because they are whistleblowers. In the workplace, retaliatory actions may include, if not properly justified, but not limited to:
– Suspension of employment contract, termination of employment, or substantial modification of work conditions, lack of contract conversions, etc.
– Damages, including reputational harm, or economic losses, coercion, intimidation, harassment or ostracism.
– Negative evaluation or references regarding work performance.
– Inclusion in blacklists or dissemination of information that obstructs or prevents access to employment or contracting for works or services.
– Denial or cancellation of a license or permit.
– Denial of training.
– Discrimination, or unfair or unjust treatment.
The legitimizing basis for this treatment is by legal obligation and will be subject to the current data protection regulations. Regarding the period of conservation of this type of personal data being processed, Law 2/2023 in its article 32 paragraph three establishes that personal data can be kept in the information system for the time necessary to decide whether to initiate an investigation into the reported facts. Furthermore, this article in its fourth paragraph establishes that, in any case, three months after receiving the communication without any investigation actions being initiated, the data must be deleted, unless the purpose of the conservation is to provide evidence of the system’s operation.
Communications that have not been processed can only be recorded in an anonymized form, without the obligation of blocking as provided for in article 32 of the data protection law.
The informant has the possibility to exercise the following rights over their personal data: right of access, rectification, deletion or forgetting, limitation, objection, portability, and to withdraw consent given. For this purpose, they may send an email to the Internal Information System MANAGER, the DATA PROCESSING MANAGER, or the DATA PROTECTION OFFICER (DPO).
Furthermore, the interested party can address the competent Data Protection Authority to obtain additional information or file a complaint.
[[common.action.login]]