1. PURPOSE & SCOPE
This Policy of IAMEX S.A. aims to create an internal reporting system for violations of EU law, to protect persons who report such violations and to organize the process of submitting, receiving and monitoring reports.
This Policy applies to persons who report information about violations acquired in the work context, i.e.: a) to the employees of the Company, regardless of the type of contract that connects them with the Company, b) to all kinds of partners, in framework of project contracts, independent services, salaried mandate, c) to the shareholders and the persons participating in the Board of Directors of the Company, d) to the persons whose employment relationship has ended for any reason, including retirement, and persons whose employment relationship has not yet begun, in cases where information about violations has been obtained during the recruitment process or at another stage of negotiation before the conclusion of a contract.
2. AUTHORITIES
2.1. Report Receipt and Follow-up Officer (YPPA)
3. GENERAL
This Policy is adapted to the principles of the European Directive 2019/1937 for the protection of persons who report violations, which was incorporated into the national legal order with the law 4990/2022 as well as the international best practices that have been developed for internal reports.
The Policy applies to the protection of persons who report or disclose:
a) violations of acts of the rules of EU law, as specifically defined in Part I of the Annex to Law 4990/2022, as well as acts that may be issued subsequently as secondary acts, in the areas of: i) public contracts , ii) financial services, products and markets, as well as the prevention of money laundering and terrorist financing, iii) security and product conformity, iv) transport safety, v) environmental protection, vi) radiation protection and nuclear safety, vii) food and feed safety, and animal health and welfare animals, viii) public health, ix) consumer protection, x) the protection of privacy and personal data, as well as the security of network and information systems, b) violations affecting the financial interests of the Union of the article 325 of the Treaty on the Functioning of the European Union (TFEU), i.e. cases of fraud or any other illegal activity against the financial interests of the EU, and those specifically defined in the relevant EU measures, c) violations related to the internal market, i.e. the area of the EU. in which the free movement of goods, persons, services and funds is ensured, as mentioned in par. 2 of article 26 of the S.L.E., including violations of the Union's rules on competition and state aid, as well as violations related to the internal market regarding acts that violate the rules on corporate taxation or arrangements, the purpose of which is to secure a tax advantage which defeats the object or purpose of the applicable corporate tax legislation
4. DEFINITIONS
4.1. In this Policy, the following definitions apply:
a. "Report": the provision of information regarding violations of the present to the Company's Report Receiving and Monitoring Officer (Y.P.A.A.). b. "Reporting Party": a natural or legal person named in the report as the person to whom the violation is attributed or related to the person to whom the violation is attributed that falls within the scope of this Agreement. c. "Reporter": the natural person, who makes a report, providing information about violations, which he obtained in the work context. d. "Retaliation": any direct or indirect act or omission, which occurs in the employment context, causes or is likely to cause unjustified harm to the complainant, or puts him at a disadvantage, and is connected with a complaint. e. "Reasonable grounds": the justified belief of a person, with similar knowledge, training and experience to the petitioner, that the information in his possession is true and constitutes a breach of Union law, falling within the scope of this application.
f. "Information": the provision of information to the petitioners about the measures that are planned to be taken or have been taken in the context of the monitoring and the reasons for it. g. "Work context": current, past or anticipated work activities at the Company, regardless of the nature of such activities, through which persons obtain information about violations and in the context of which such persons are likely to suffer retaliation if they report them . or. "Breaches": acts or omissions that are illegal under Union law or contrary to the object or purpose of Union law rules falling within the substantive scope of this. i. "Information about violations": information, including reasonable suspicions, about violations that have been committed or are likely to be committed at the Company, as well as information about attempts to conceal violations. i. "Responsible for Receipt and Follow-up of Reports" or "Responsible for Receipt and Follow-up of Reports": the Responsible for Receipt and Follow-up of Reports regarding violations falling within the scope of application hereof, whose duties are assigned to the head of the Core Regulatory Compliance Function.
5. RESPONSIBLE FOR RECEIVING AND FOLLOWING UP REPORTS
5.1. The H.P.A.A. undertakes the responsibility of managing the system of internal and external reporting of violations of EU law, which is observed and applied in the Company, in accordance with the requirements of article 9 n. 4990/2022.
5.2. Specifically, Y.P.A.A. undertakes the following responsibilities:
a) provides the appropriate information regarding the possibility of submitting a report within the Company and communicates the relevant information in a prominent place,b) receives reports, whether they are submitted in writing or orally or via an electronic platform, regarding the violations that fall within the scope of application of n. 4990/2022, c) confirms the receipt of the petition to the petitioner within a period of seven (7) working days from the day of receipt, d) takes the necessary actions, in order for the competent bodies of the Company or the relevant agencies to deal with the petition, or terminates the process, by filing the report, if it is incomprehensible or is submitted abusively or does not contain facts which, and assumed to be true, establish violation of EU law or there are no serious indications of such a violation and the notification of the relevant decision to the petitioner, who, if he considers that it was not dealt with effectively, may resubmit it to the National Transparency Authority, which, as an external channel, exercises the powers of article 12 n. 4990/2022, e) ensures the protection of the confidentiality of the identity of the petitioner and any third party named in the petition, preventing access - to it - by unauthorized persons,
f) monitors reports and maintains contact with the petitioner and, if necessary, requests further information from him, g) provides information to the petitioner on the actions taken within a reasonable period of time, which does not exceed three (3) months, from the acknowledgment of receipt, or, if no acknowledgment has been sent to the petitioner, three (3) months from the end of seven (7) working days from the submission of the petition, h) provides clear and easily accessible information for the procedures under which reports can be submitted to the National Transparency Authority and, as the case may be, to public bodies or institutions and other bodies or organizations of the European Union, i) plans and coordinates educational actions related to ethics and integrity, participates in drawing up internal policies to strengthen integrity and transparency in the Company and j) ensures that the exercise of his duties as a Lawyer in the Company does not risk his independence as a H.P.A.P.A. and not to create a conflict of interest, in relation to the above-mentioned responsibilities. k) Keeps a relevant record of reports.
5.3. The H.P.A.A. undertakes the general obligation to: a) carry out his duties with integrity, objectivity, impartiality, transparency and social responsibility, b) respect and observe the rules of confidentiality and confidentiality for matters of which he became aware during the performance of his duties, c) abstains from the management of specific cases, declaring an obstacle if there is a conflict of interest.
5.4. As Y.P.A.A. has been appointed by the Company for three (3) calendar years, i.e. from October 10, 2024 until October 9, 2027 Ms. Maria Chronaki.
6. REPORT SUBMISSION PROCEDURE
6.1. The Company establishes easily accessible reporting channels, encourages the reporting of incidents within the scope of this Policy and guarantees that all reports received are treated confidentially. 6.2. The ways of submitting the reports are as follows: a) in writing, by sending an email to the address compliance@iamex.gr or b) in writing, by sending a postal letter to Y.P.A.A. of the Company at the address of Achaia number 5, Nea Kifisia, Postal Code. 144 64, or c) verbally, by telephone at +30 210 6298412 or another telephone message system, as well as a personal meeting with the VPPA. within a reasonable period of time, at the request of the petitioner6.3. When a hotline or other telephone messaging system is used to make a report, recording of the conversation is permitted if the reporting party has lawfully consented. The H.P.A.A. has the right to document the oral reporting either by recording the conversation in a stable and retrievable form or by a full and accurate transcript of the conversation, giving the complainant the opportunity to verify, correct and agree to the transcript of the conversation by signing it. 6.4. When a telephone line or other telephone messaging system is used to submit a report without a recording of the conversation, the H.P.A.P.A. has the right to document the oral submission of a report in the form of accurate minutes of the conversation, which he draws up, giving the petitioner the opportunity to verify, correct and agree with the minutes of the conversation by signing them.6.5. When a person requests a meeting with the H.P.A., to file a report, subject to the petitioner's consent, full and accurate minutes of the meeting are kept in a fixed and retrievable form, either by recording the conversation in a fixed and retrievable form, or with accurate minutes of the meeting, prepared by the Y.P.A.A., providing the petitioner with the opportunity to verify, correct and agree with the minutes of the meeting meeting, signing them. 6.6. In all the above circumstances, if the petitioner refuses to sign the minutes, the Y.P.A.P.A. must make a relevant mention in the text of the minutes. 6.7. Reports must be governed by the principle of good faith on the part of the petitioner, that is, the petitioner has reasonable grounds to reasonably believe that the information he is providing is true.
7. REPORT MANAGEMENT PROCEDURE
Once any report is submitted, the following management and investigation process will be followed: The H.P.A.: 1) Confirms receipt of the report to the petitioner immediately and in any case within seven (7) working days from the day of receipt. 2) Takes the necessary actions, in order for the report to be taken up by the competent bodies of the Company or the competent bodies, as the case may be, or terminates the procedure, by archiving the report, if it is incomprehensible or submitted abusively or does not contain incidents which, and true allegedly constitute a breach of Union law or there are no serious indications of such a breach and the communication of the relevant decision to the petitioner, who, if he considers that it has not been effectively dealt with, may resubmit it to the National Transparency Authority. Instructions regarding the process of submitting a report to the E.A.D. are posted on its website www.aead.gr. 3) Provides information to the petitioner on the actions taken within a reasonable period of time, which does not exceed three (3) months from the acknowledgment of receipt, or if no acknowledgment has been sent to the petitioner, three (3) months from the end of seven (7) working days from the submission of the report. D) Depending on the results of the investigation, the Report Manager proposes corrective or disciplinary/legal actions. These actions may include (indicative and not limited to): (a) additional training of employees, (b) establishment of new internal control mechanisms, (c) modifications to existing policies and/or procedures, (d) disciplinary sanctions including final removal/dismissal or (e) legal action.
8. RIGHTS OF THE REPORTER AND THE REPORTED
8.1. The petitioner has the right to be informed both of the receipt of his petition (within 7 working days at the latest) and of the outcome of the investigation (within 3 months at the latest).
8.2. The identity of the petitioner remains confidential. Exceptionally, if the Report turns out to be malicious, and if the person being reported so requests, they can be informed of the identity of the person reporting, in order to exercise their legal rights.
8.3. Individuals included in reports have the right to be informed immediately of the misconduct of which they are accused, of the individuals who have access to the data included in the report or report, and of the right to be called to account.
9. PROTECTION OF PERSONS SUBMITTING REPORTS
9.1. The Company protects whistleblowers of violations within the scope of this Policy and ensures non-retaliation. In this context, any form of negative behavior/retaliation against anyone who has made a report is prohibited, including threats and retaliation. In particular, the following forms of retaliation are prohibited: a) suspension, dismissal or other equivalent measures, b) demotion, omission or deprivation of promotion, c) removal of duties, change of place of work, reduction of salary, change of working hours, d) deprivation of training, e) negative performance evaluation or negative professional recommendation, f) reprimand, imposition of disciplinary or other measure, including monetary penalty, g) coercion, intimidation, harassment or marginalization, h) discrimination or unfair treatment, i) failure to convert a fixed-term employment contract into an open-ended one, j) non-renewal or early termination of a fixed-term employment contract, k) intentional damage, including defamation, in particular on social media, or financial loss, including business loss and loss of income, l) spamming ("blacklisting"), based on a sectoral or sectoral formal or informal agreement, which may imply that the person will not find a job in the sector or industry in the future, m) early termination or cancellation of a contract for goods or services, i ) revocation or cancellation of diploma or license, o) referral for psychiatric or medical follow-up, p) refusal or deprivation of reasonable accommodations to persons with disabilities.
10.REPORT RECORD KEEPING
10.1. The Company through the H.P.A. maintains a relevant file of reports, in accordance with confidentiality requirements, for a reasonable and necessary period of time, in order to be recoverable and to comply with the requirements imposed by this, the Union or national law and however, until the completion of any investigation or legal proceedings that have been initiated as a consequence of the report against the person reported, the petitioner or third parties.
11. OBLIGATION OF CONFIDENTIALITY
11.1. Personal data and any information that leads, directly or indirectly, to the identification of the petitioner, is not disclosed to anyone other than the authorized staff members who are competent to receive, or monitor the petitions, unless the petitioner consents. To this end, the Y.P.A.P.A. takes appropriate technical and organizational measures, such as pseudonymization techniques, when monitoring the report and communicating with the relevant authorities.
11.2. As an exception and only, the disclosure of the identity of the petitioner, as well as any other relevant information, is permitted in the cases required by EU or national law, in the context of investigations by competent authorities or in the context of judicial proceedings, and if this is necessary for the serving the purposes hereof or to ensure the defense rights of the said. In these cases, any disclosures are made after the petitioner has been informed in writing about the reasons for disclosing his identity and other confidential information, unless this information undermines investigations or legal proceedings. Unjustified failure to inform constitutes a disciplinary offence.
12. PROCESSING OF PERSONAL DATA
12.1. Any processing of personal data that takes place in the context of the implementation of this, including the exchange or transmission of personal data by and to the competent authorities, is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27 2016, for the protection of natural persons against the processing of personal data and for the free movement of such data, subject to the more specific provisions of this and more specific regulations that concern the processing of personal data by the competent authorities.
12.2. Any processing of personal data, which takes place in the context of this, is carried out to fulfill the obligation to establish reporting channels and take the necessary measures for their monitoring. The concept of the above processing of personal data includes, in particular, any information related to violations in the context of internal and external reports, including their exchange and/or transmission. It is permitted to transmit to the competent supervisory and investigative authorities the information obtained in the reports, which can be used as evidence in administrative, civil and criminal investigations and proceedings.
12.3. In this sense, the Company is, in accordance with the law 4990/2022 and according to the definitions of the legislation on personal data, Responsible for Processing.
12.4. The Data Controller takes the appropriate technical and organizational measures so that, when submitting and monitoring the reports, the absolutely necessary and appropriate personal data to achieve the purposes herein are collected. Personal data, which are obviously not related to the handling of a specific report, or are excessive, are not collected, or if they have been collected accidentally, they are deleted without delay.
12.5. By way of derogation from approx. A' of par. 1 of article 5, articles 12 and 13, par. 1 to 4 of article 14 and article 34 of the G.K.P.D. no relevant information about the processing of personal data is provided to the person referred to and to any third person in their capacity as the subject of the data named in the report or the personal data resulting from monitoring measures and in particular about the source of origin according to c. in par. 2 of article 14 of the G.K.P.D., pursuant to par. 5 of article 14 of the G.K.P.D., in conjunction with article 23 of the G.K.P.D., for as long as necessary and as long as it is deemed necessary for the purpose of preventing and dealing with attempts to prevent reporting, obstructing, thwarting or delaying follow-up measures, in particular with regard to investigations, or attempts to identify the reporting party, as well as to protect them against reprisals.
12.6. The Data Controller may not satisfy the rights provided by articles 15 to 22 of the GDPR, when exercised by the mentioned and third parties named in the report, or resulting from monitoring measures in accordance with those defined in par. 5.
12.7. In the cases of limiting the rights of the data subjects provided for in the two previous paragraphs, the Processing Manager takes all the necessary technical and organizational measures to protect the rights and freedoms of the persons.
12.8. In particular, with regard to the rights of natural persons with regard to the processing of their personal data and the way of submitting relevant requests, the Company as the Data Controller hereby refers to the Privacy Policy and the more specific Information regarding the processing of personal data that it provides to natural persons with which is traded on a case-by-case basis.
12.9. The Processing Manager, in the event of a breach of personal data, does not make an announcement according to par. 1 of article 34 of the G.K.P.D. to the data subject, as long as this announcement may be detrimental to the intended purposes of the present and informs the A.P.D.P.X., which may, after investigating the assistance of the reasons invoked, request making the announcement, if it considers that the conditions for omitting the announcement are not met.
13. CONSEQUENCES OF VIOLATING THE POLICY
13.1. The Company reserves the right to take any appropriate measure against any employee or partner of any kind, if it arises or is established in any way that a) prevented or attempted to prevent the submission of a report, in cases of violations that fall within the scope of this, b) exposed any person who submitted a report based on this Policy of any form of adverse treatment, c) retaliated against or took malicious proceedings against a person who submitted a report based on this Policy, d) breached the obligation to maintain the confidentiality of the identity of the petitioner. The same procedure can also be carried out in the event that an employee, counterparty or partner of any kind intentionally misled the Company on any matter under investigation under this Policy or made false allegations against a colleague, counterparty or partner of the Company.
14. UPDATE ON THIS POLICY
The H.P.A.A. ensures that all persons to whom this Policy applies are expressly informed of its content. The information is provided through the sending of informative material, emails, newsletters or in another convenient way.
15. HISTORY OF THE DOCUMENT
Ed. Date Description of Change Version From1 15/07/2024 Initial Version YSDD