Whistleblowing
I. WHISTLEBLOWING POLICY
1. Introduction
1.1 Definitions
For the purposes of this Policy, the following definitions apply:
Company: As Company is defined «IDEAL Holdings S.A.».
Group of Companies: As Group of companies is defined «IDEAL Holdings Α.Ε.», i.e. the Company and the companies in which it directly or indirectly participates ("subsidiary companies").
Policy: As Policy is defined Whistleblowing Policy
Whistleblowing: As Whistleblowing is defined the voluntary reporting-complaint by anyone regarding significant irregularities and omissions or other criminal acts, within the meaning of Greek law Ν. 4990/2022 and the following Joint Ministerial Decision ΚΥΑ 47312/18.11.2023 ΦΕΚ Β΄ 6994, which is communicated by name or anonymously to the company as to take the necessary measures.
Report: as report is defined the provision of information, orally or in writing, regarding violations, or the concern regarding actual or potential violation.
Whistleblower: is the natural person, who reports or discloses information, which is obtained in the context of her/his work activities, about violations, by providing information about violations.
Reported Person refers to the individual or entity against whom a complaint has been lodged. This can be either a natural person (an individual) or a legal person (such as a company or organization) identified in the report as associated with the alleged violation or with whom the complainant has a relationship.
Retaliation: refers to any direct or indirect act or omission occurring in a work context, in response to a report, that causes or has the potential to cause unjustified harm to the complainant. Examples of retaliation may include harassment, discrimination, unfair performance evaluation, salary freezes or adjustments, changes in job assignments, demotions, employment termination, or promotion denial.
Feedback: refers to the communication of information to the individual submitting the report regarding the actions or steps to be taken in response to the report.
Violation: is the act or omission that is unlawful and related to acts and areas falling within the scope of the Policy.
Good faith: This term refers to the unquestionable belief in the truth of the reported incidents. It denotes the fact that the reporter reasonably believes the transmitted information to be true, relying on reasonable facts and/or circumstances that support the assumption that the report is adequately documented.
Personal Data: refers to any information concerning an identified or identifiable living person. This includes individuals whose identity can be determined directly or indirectly, particularly through identifiers such as location or movement data, online identifiers (IP addresses), or factors that characterize their physical, physiological, genetic, economic, cultural, or social identity. Examples of personal data include the individual's name, professional status, marital status, age, nationality, gender, beliefs, religion, sexual orientation, any criminal charges and convictions, and any other personal characteristic protected by law.
RRMR: Responsible for Receiving and Monitoring Reports of the respective Group company.
1.2 Purpose
The Policy for Submission and Management of Complaints Reports establishes the overarching principles and operational framework governing the receipt, processing, and investigation of both named and anonymous reports pertaining to irregularities, omissions, or other criminal acts. These reports concern violations of EU law that are detrimental to the public interest and have been brought to the attention of staff, customers, suppliers, or other third parties within the Group.
The Policy is issued by the Company and is applicable to all companies within the Group, ensuring uniform adherence and implementation across the organization.
The Group adopts the Policy while adhering to the principle of proportionality and considering factors such as the size, legal structure, nature, and complexity of its activities. This always ensures the establishment of appropriate governance arrangements.
The Policy, along with any proposed amendments, is initiated by the Company's Regulatory Compliance Unit. Subsequently, it undergoes validation by the Company's Audit Committee and final approval by the Board of Directors.
Furthermore, the Group remains steadfast in upholding the highest standards of ethical and professional conduct. It maintains a zero-tolerance stance towards illegal or anti-governance actions, recognizing their potential to tarnish the Group's reputation and credibility.
1.3 Regulatory Framework
The Policy is following Directive (EU) 2019/1937 of the European Parliament and of the Council, which pertains to the protection of individuals who report violations of the law within the association. This directive has been transposed into national law through Law 4990/2022, alongside the implementing Regulation 47312/18.11.2023.
1.4 Scope
The Policy applies to the following categories of individuals eligible to submit reports:
1. All employees of the Group, including those in any form of employment relationship, self-employed individuals who collaborate with the Group in their professional capacity, and individuals engaged by labor force providers.
2. Shareholders and members of the Group's Board of Directors.
3. Contractors, subcontractors, clients, suppliers of the Group, and individuals working under their supervision.
4. Former employees regarding information acquired during their employment,
5. All trainees, both paid and unpaid.
6. Any third-party possessing evidence or information regarding irregular or illegal actions (whether already committed or impending) concerning the Company or Group companies.
General Principles
The Policy aims to safeguard the integrity, internal governance, and reputation of the Group. It serves as a vital tool for risk identification, prevention of unfair practices, and mitigation of illegal behavior. Additionally, it contributes to strengthening the Group's Internal Control System. The established procedures aim at safeguarding our prestige and reputation in the market and society by effectively handling reports of illegal actions.
We strongly encourage our executives, employees, and partners to promptly report any instances of violations or unethical behavior 'in good faith.' This allows us to take appropriate measures against those responsible.
An inviolable principle of the Policy is the protection of the anonymity and confidentiality of personal data for those submitting reports. For employees of the Group, this includes ensuring impartiality in their professional evaluations.
Reports are submitted both to comply with relevant institutional and regulatory frameworks (such as Directive (EU) 2019/1937 of the European Parliament and Council, incorporated into national law with Law 4990/2022) and to safeguard the interests of the Group and other stakeholders. There is no promise of payment, or any consideration offered to the petitioner.
The reporting process is intended to promote transparency, thereby facilitating the reporting of incidents that involve violations of Company and Group Policies and Procedures. This includes incidents of fraud, corruption, coercion, or any other breaches.
Conditions of Reference
Reports should be based on an honest and reasonable belief that a criminal offense or misconduct has occurred or is likely to occur, concerning:
a) Breaches of Union law in the following sectors:
aa) Public contracts
ab) Financial services, products, and markets, including money laundering and terrorist financing
ac) Product safety and conformity
ad) Transport safety
ae) Environmental protection
af) Radiation protection and nuclear safety
az) Food and feed safety, as well as animal health and welfare
ag) Public health
ah) Consumer protection
ai) Protection of privacy and personal data, as well as network and information system security
aj) Violations affecting the financial interests of the European Union
ak) Violations related to the internal market, concerning acts that contravene rules on corporate taxation.
Exceptions include provisions regarding:
a) Protection of classified information b) Protection of legal and medical professional confidentiality c) Confidentiality of judicial meetings d) Rules of criminal procedure.
The scope and corresponding exceptions are detailed in Part I of the Annex accompanying the legislative text of Law 4990/2022.
Please note that customer complaints concerning the quality of products, goods, and services provided by Group companies are handled by the relevant Customer Service Units and are not covered by this Policy.
Anonymity Protection
To enhance the protection of anonymity, reports can be submitted via multiple channels, including the online platform, telephone, in writing, or by email. Additionally, upon request, individuals can schedule a personal meeting with the Υ.Π.Π.Α by contacting the designated telephone number and indicating their desire for an appointment.
In all circumstances, reporting "in good faith," meaning a sincere belief in the accuracy of the reported incidents, is a prerequisite. Petitioners are safeguarded against any retaliatory actions as follows:
• Confidentiality is guaranteed, and the identity of the petitioner is safeguarded if they opt not to remain anonymous.
• Individuals who report violations or make public disclosures anonymously, but later face identification and retaliation, are entitled to the protections afforded.
• Submitted reports are disclosed solely to designated individuals essential for conducting investigations, and these individuals are obligated to maintain confidentiality. Adherence to these guidelines also ensures the protection of the identities of the individuals mentioned.
The Group takes measures to ensure that the respondent is adequately shielded from potential denials, including threats, opposition, discrimination, or any form of adverse treatment. Specifically, when the report is presented to the petitioner's supervisor and the supervisor renders a decision, the proposed decision is evaluated by a different management body than the one assessing the petitioner's report.
The disclosure of the petitioner's identity may become necessary during judicial or other legal proceedings related to the investigation of the respective case. However, the petitioner is informed before their identity is revealed, unless, at the discretion of the Receiving Officer, such disclosure would compromise the ongoing investigations or legal proceedings, or if requested by competent authorities. In notifying the petitioner, the Company provides an explanation for the disclosure of the specific confidential information.
The Group takes all necessary technical and organizational measures to protect personal data. Any personal data processing under this Policy is done according to the relevant national and European legislation. The data of all involved is protected and processed only to verify its reliability. The Group's Regulatory Compliance Department maintains an electronic file with the necessary security specifications, including all reports submitted and corresponding documents related to them.
Personal Data
i. Any personal data processing under this Policy is done according to the relevant national and European legislation. The data of all involved is protected and processed only to ascertain the validity of the specific report and investigate the specific incident.
ii. In case that persons included in the report are not immediately informed of its content, if they do not take actions to obstruct the investigation and prevent the report, abort or delay follow-up measures, the reasons for the relevant delay should be recorded in writing and the document entered in the case file.
iii. Only those involved in the management and investigation of the incident may have access to the data contained in the reports for the purposes of reviewing or managing the reports. Also, the data included in the reports can be accessed by the people included in the report, witnesses, and anyone else with a legitimate interest. The extent of access granted to each applicant is decided on a case-by-case basis by the Head of the Company's Compliance Unit and varies according to the status of the applicant and the seriousness of the case. When access is granted, the details of the complainant and witnesses are withheld unless they have given express consent, and the report has been proven to be malicious.
iv. Personal data which are obviously not related to the handling of a specific report or are excessive are not collected or if they have been collected accidentally, they are deleted without delay.
v. The Group takes all the necessary technical and organizational measures to protect personal data as a personal data processor in accordance with current legislation.
II. COMMITTEE AND REPORTING PROCEDURES
1. Governance
When a Group Company has established a Report Evaluation Committee, the Committee assumes responsibility for evaluating and managing reports, proposing necessary measures as deemed appropriate. In Group Companies without such a committee, submitted reports are handled by the Group's Report Evaluation Committee.
The Report Evaluation Committee has four members and is made up of the following Members:
Chair: The Head of Regulatory Compliance.
Members: The Head of Internal Audit, the Head of Human Resources, and the Legal Advisor.
The President appoints a member of the Regulatory Compliance Unit as the Secretary of the Committee. The Secretary, although not a member of the Committee, is tasked with ensuring adherence to its procedures, maintaining records of investigation outcomes for submitted petitions, and facilitating the implementation of its decisions when necessary.
The Petition Evaluation Committee convenes within two (2) months from the sending of the acknowledgment of receipt to the petitioner. If no acknowledgment has been sent, the committee meets within seven (7) working days of the submission of the petition. The President may convene the committee earlier or exceptionally if deemed necessary. The President issues invitations for committee meetings. During the discussion or evaluation of reports, the committee may request the participation or assistance of a member of the administration or any other employee, as appropriate.
The Committee is considered to have a quorum when at least three (3) of its members are present. In case of a tie, the President's vote prevails. If the decision is not unanimous, the case is referred to the Control Committee. The Control Committee may then refer the case, along with reasoned observations, to the Reference Evaluation Committee, which makes the final decision.
If a petition concerns a member of the Petitions Evaluation Committee or if a member has a conflict of interest related to the petition under consideration, that member must abstain from discussion and voting.
Annually, the Chairman of the Report Evaluation Committee prepares an activity report to update the Audit Committee on the reports received and managed during the review period. Additionally, the Audit Committee is promptly informed of any significant developments.
The Group's Report Evaluation Committee receives information on all reports submitted to the Group's companies. This briefing is conducted by the head of the Company's Regulatory Compliance Unit, who serves as Chairman of the Company's Report Evaluation Committee. The briefing includes a concise overview and assessment of the cases along with any actions taken.
The Report Evaluation Committee is authorized to address issues that fall outside the scope of the Policy, provided they necessitate independent management. Such matters may arise from the complaints handling process, Supervisory Authority requests, or complaints from Customers, Suppliers, and Staff via various communication channels.
2. Receive Submitted Reports
To facilitate thorough investigation and evaluation of reported incidents, complainants are encouraged to provide comprehensive information. This includes details about the events that led to the suspicion or concern, such as dates, descriptions of the events, and names of individuals involved. Additionally, any potential witnesses, supporting evidence such as documents, and relevant locations should be provided. By supplying this information, complainants assist in ensuring a more accurate and effective investigation process.
Reports can be submitted through various channels:
· Online Platform: Utilize the whistleblowing platform at https://whistleblowing.idealholdings.gr/#/
· Written Submission: Send reports by post to the following address: Kreontos 25, Athens, 10442, marked "Reference to Law 4990/2020".
· Email: Submit reports via email to whistleblowing@idealholdings.gr
· Phone: Call the number +30 210 5193 970. Calls are answered by an answering machine and recorded with the petitioner's consent.
These communication channels are exclusively dedicated to receiving reports and are always accessible throughout the week. All reports are forwarded to the Petition Evaluation Committee by its Chair.
Upon the petitioner's request, reports may also be submitted through a personal meeting with the Υ.Π.Π.Α and a member of the Committee or the Committee's Secretary. In such cases, the Committee ensures that, with the petitioner's consent, the conversation is recorded in a stable and retrievable format. If the petitioner refuses to record the conversation, the Chair and the member or the Chair and the Secretary of the Committee prepare a detailed transcript of the conversation. The petitioner is given the opportunity to review, correct, and agree to the transcript by signing it. If the petitioner refuses to sign, a note to that effect is included in the minutes.
3. Management of the submitted reports.
The process of handling reports includes the following steps:
· The appointed Υ.Π.Π.Α. The Group company receives the report and confirms its receipt to the petitioner within seven working days from the day of its receipt, if it is by name.
· Υ.Π.Π.Α. facilitates the petitioner in submitting his petition by providing him, upon request, with all the necessary information about his rights and the prescribed procedure for managing petitions.
· If the report is unintelligible or is submitted abusively or does not contain incidents that document a violation of EU law or there are no serious indications of such a violation, Υ.Π.Π.Α. terminates the report investigation process. If it is a report that does not document a violation of EU law and is not unfounded, according to the criteria of the previous paragraph, it is referred to the Internal Auditor.
· If the report contains incidents that may prove a violation of EU law, the Υ.Π.Π.Α takes the necessary actions such as indicatively the collection of further data and investigation, communication with the petitioner for additional data.
· Υ.Π.Π.Α. keeps a file, which for each report contains the following information: a) ascending numbering, subject, category and origin of the report, b) report on the investigation of each report and c) recommendation to the Report Evaluation Committee.
· Υ.Π.Π.Α. submits to the Report Evaluation Committee its recommendations for each report received, making available all the collected data, at its scheduled meeting or on an emergency basis if required.
· Τhe Petition Evaluation Committee, during its regular or emergency meetings, reviews the submitted petitions and considers the recommendations provided by the Υ.Π.Π.Α. The Committee makes individual decisions for each report, determining whether to conclude the investigation process or proceed if the report suggests irregularities, omissions, or criminal acts. In such cases, the Committee refers the report to relevant units within the Group Company or initiates an investigation by the Internal Audit Unit on a case-by-case basis. Subsequently, the Committee assesses whether to close the case or inform the Company's Management of any identified violations.
· If a subsidiary has a Report Evaluation Committee, the Regulatory Compliance Unit receives minutes and supporting materials, presenting them to the Report Evaluation Committee. The Committee validates decisions or refers reports for further action within the Group Company's units or to the Internal Control Unit for investigation.
· When the individual mentioned in the report is a member of the Board of Directors of the Company or its subsidiary, the Report Evaluation Committee forwards the case to the Company's Board of Directors for decision-making and implementation of measures. This is done with the support and proposals of the Audit Committee.
· In cases where the individual is not a member of the Board of Directors, the case is referred to the Executive Committee. This committee consists of the Executive Members of the Board of Directors and the Company's legal advisor, who make decisions and impose necessary measures.
· The Report Evaluation Committee maintains detailed minutes of its investigations into all received and managed reports. These results are communicated through its President to the Audit Committee. Additionally, the Board of Directors of the Company is informed through quarterly reports and whenever necessary.
· Υ.Π.Π.Α. ensures that the petitioner is informed of the actions taken within a reasonable timeframe, not exceeding three (3) months from the receipt of the petition.
Access to report data is granted exclusively to the competent authorities and only to manage the submitted reports.
The Directors and Heads of Departments and/or Departments in the Company and in the companies of the Group must:
(i) inform their subordinates regarding this Policy and related procedures,
(ii) encourage their subordinates to adopt a positive, open work attitude so that they feel they can easily express their concerns, and
(iii) apply the decisions of the competent bodies of the Group to deal with possible reports/complaints.
Group employees must:
(iv) be aware of this Policy and related procedures,
(v) when making a report, make it in good faith and with integrity, and
(vi) declare whether they have a direct personal interest related to the matter.
4. Record Keeping and data analysis
i. The Group maintains a file in the Company's Regulatory Compliance Unit, either in electronic or paper form, with the necessary security specifications. This file includes all the reports received and the related documents from the time of their submission, and it is retained for a minimum period of five (5) years from the date each item came into possession. This timeframe is essential for effectively managing complaints and addressing issues that arise, including evaluation and analysis procedures of incidents to rectify malfunctions and prevent future occurrences, especially in cases of recurring irregularities. The five-year period is deemed proportionate to these purposes and aligns with the legal limitation period for claims arising from tort.
ii. The Company's Compliance Unit conducts ongoing qualitative and quantitative analysis, in an anonymized form, of data concerning the handling of reports. This is done to identify and address any recurring or systemic problems and potential legal and operational risks. For example: a) Identifying the Group Units that are most frequently reported. b) Analyzing the causes of individual reports to identify common root causes. c) Examining whether the identified root causes potentially affect other processes or functions of the Group d) Submitting proposals for corrective measures where deemed reasonable. This analysis enhances the reporting process's effectiveness and mitigates risks within the organization.
III. FINAL PROVISIONS- APPROVAL, REVISION, UPDATE
The Regulatory Compliance Unit communicates the Policy to staff members and ensures it is posted on the Company's website for easy access and reference, www.idealholdings.gr .
The Company's Regulatory Compliance Unit is tasked with evaluating and conducting an annual review of the Policy. If necessary, it proposes amendments to the Company's Audit Committee to reflect changes in the regulatory framework and enhance its efficiency and effectiveness continuously.
Following approval by the Company's Board of Directors, the Policy is adopted by its subsidiary companies upon approval by their respective Boards of Directors.