INTERNAL RULES
protection of persons who report breaches or publicly disclose information about breaches
1. INTRODUCTION
Legal ground and purpose
Art. 1.1. These Internal Rules for the protection of persons who report breaches or publicly disclose information about breaches (“Internal Rules” or “Rules”) are adopted on the basis of Art. 13 et seq. of the Protection of Persons who Report Breaches or Publicly Disclose Information about Breaches Act (“Act” or PPRBPDIBA).
Art. 1.2. The purpose of the Rules is to determine the procedure for submitting and evaluating the internal report of a breach, as well as the conditions for ensuring the protection of persons who submit reports or publicly disclose information about breaches of Bulgarian legislation or acts of the European Union that have become known to them during or on the occasion of the performance of their work or official duties or in another work-related context.
Obliged Person
Art. 1.3. The obliged person pursuant to Art. 12, Para 1 of the Act, is the company “FIRST ESTATES” OOD, UIC 202967885, having its seat and registered office in Sofia, 27A “Moskovska” str., floor 1, ap. 4 (“Company”).
Definitions
Art. 1.4. For the purpose of the Internal Rules the following definitions shall have the meaning as per PPRBPDIBA, namely:
a) “breaches” shall mean acts or omissions that are unlawful and/or contradict the Bulgarian legislation or the European Union acts and areas falling within the material scope referred to in Article 3 of PPRBPDIBA, or contradict the material scope or purpose of the European Union acts in the material scope as per Article 3 of PPRBPDIBA.
b) “information on breaches” means information, including reasonable suspicions, about actual or potential breaches, which occurred or are very likely to occur in the organisation of the Company and about attempts to conceal such breaches.
c) “work-related context” means current or past work activities through which, irrespective of the nature of those activities, persons acquire information on breaches and within which those persons could suffer retaliation, if they reported such information.
d) “reporting person” means a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities.
e) “concerned person” means a natural or legal person who is referred to in the report or public disclosure as a person to whom the breach is attributed or with whom that person is associated.
f) “follow-up” means any action taken by the recipient of a report or any competent authority, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure.
g) “feedback” means the provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up.
h) “retaliation” means any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person.
i) “external reporting” means the oral or written communication of information on breaches to the competent authorities.
j) “internal reporting” means the oral or written communication of information on breaches within a legal entity in the Company.
k) “competent authority”, designated to receive reports under PPRBPDIBA, is the Commission on Personal Data protection (CPDP):
https://www.cpdp.bg/ - link to the electronic page of CPDP;
https://www.cpdp.bg/ - link to the electronic portal for external reporting
address: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd.
2. MATERIAL SCOPE
Art. 2.1. The Internal Rules apply to persons who report breaches in the following areas (to the extent they relate to the business activity of the Company):
2.1.1. Breaches of the Bulgarian legislation or acts of the European Union in the field of:
a) public procurement;
b) financial services, products and markets and the prevention of money laundering and terrorist financing;
c) product safety and compliance;
d) transport safety;
e) protection of the environment;
f) radiation protection and nuclear safety;
g) food and feed safety, animal health and animal welfare;
h) public health;
i) consumer protection;
j) protection of privacy and personal data;
k) the security of networks and information systems.
l) breaches affecting the financial interests of the European Union as referred to in Art. 325 of the Treaty on the Functioning of the European Union;
m) breaches relating to the internal market as referred to in Art. 26, paragraph 2 of the Treaty on the Functioning of the European Union, including the rules of the European Union and Bulgarian legislation on competition and state aid;
n) breaches relating to cross-border tax schemes, the purpose of which is to obtain a tax advantage that is contrary to the object or purpose of the applicable law in the field of corporate taxation.
o) a committed crime of a general nature, which the person learned about in connection with the performance of his work or in the performance of his official duties.
2.1.2. Breaches of Bulgarian legislation in the field of:
a) the rules for payment of due public state and municipal receivables;
b) labor legislation;
c) the legislation relating to the performance of public service.
3. PERSONAL SCOPE. REPORTING PERSONS WHO ARE SUBJECT TO PROTECTION
Art. 3.1. The Internal Rules shall apply to the following categories of reporting persons:
3.1.1. current employees of the Company;
3.1.2. former employees of the Company, in cases in which they report violations that became known to them before termination of the employment relationship;
3.1.3. job candidates who participated in a competition or other form of selection for employment at the Company and received in this capacity information about a breach;
3.1.4 shareholders, members of the management or control body of the Company;
3.1.5. persons who work for a natural or legal person, its subcontractors or suppliers of the Company;
3.1.6. any other reporting persons who report a breach that became known to them in a work-based relationship.
4. CONDITIONS FOR PROTECTION
Art. 4.1. A reporting person shall qualify for protection, in case of either internal, or external reporting, provided that:
4.1.1. they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the scope of the Act; and
4.2.1. they reported in accordance with the Act and the Internal Rules.
5. INTERNAL REPORTING. FOLLOW-UP
Art. 5.1. The Company, acting as an obliged person under Art. 12 of PPRBPDIBA, shall establish a channel for internal reporting of breaches.
Art. 5.2. The reporting person may file a report through the internal channel for reporting of breaches, subject to the conditions described in the Internal Rules and the Act.
Art. 5.3. The internal reporting does not deprive the reporting person of the right to report to the competent authority – CPDP, through the external reporting channel.
Art. 5.4. The reporting person can submit a report via an electronic message to the following e-mail address: compliance@first.bg, or orally (by phone or by means of a personal meeting with the person under item 5.4.3.).
5.4.1. The electronic message must contain a duly completed reporting form, according to the template – Enclosure No. 1 to the Internal Rules, containing at least the following information:
• Three names, address and phone, and email address.
• The names of the person against whom the report is filed (concerned person) and his workplace, if the report is filed against specific persons and they are known;
• Specific data on a breach or on a real danger that it will be committed; place and period of commission of the violation, if such was committed; description of the act or situation and other circumstances, as far as they are known to the reporting person;
• Date of submission of the report;
• Signature, electronic signature or other identification of the reporting person;
• The report must also include any kind of sources of information supporting the statements in the report, including documents and an indication of persons who could confirm the information or provide additional information.
5.4.2. When the report is submitted orally, the person under item 5.4.3 shall fill out the template – Enclosure No. 1, shall provide it for verification of the content to the reporting person, after which the reporting person shall sign it. An oral report must meet all requirements specified for a written report.
5.4.3. The reports shall be processed and checked by a person, designated by the Company with an order of the Managing Director.
5.4.4. The reports will not be processed in the following cases:
a) the report does not fall within the material scope of the Act and the Internal Rules;
b) the content of the report gives no reason for credibility of the report;
c) the report contains obviously false or misleading statements, which are not corrected even after the reporting person has been notified by the Company;
d) the report is anonymous;
e) the report relates to violations committed more than two years ago.
Art. 5.5. The Company shall organize the processing of reports in accordance with PPRBPDIBA.
5.5.1. Employees, responsible for processing the reports, shall confirm the receipt of the report within 7 days after receiving it.
5.5.2. In the event that the report does not meet the requirements of the Act, the reporting person shall be notified and instructed to correct the irregularities within a 7-day term as of receipt of the report. If the irregularities are not corrected within the term indicated by the Company, the report, together with its attachments, shall be returned to the reporting person and the procedure will be terminated.
5.5.3. Within 3 (three) months after confirmation of receipt of the report, the Company shall provide feedback to the reporting person with information on the follow-up actions.
Art. 5.6. The person under item 5.4.3., respectively the Company, may take any of the follow-up actions, which will depend on the specific case:
a) Keeps contact with the reporting person, in case there is contact data;
b) Upon their discretion, can require additional information on the report by the reporting person;
a) Takes action to stop the breach or prevent it if it has not started;
b) Directs the reporting person to the competent authorities, when his rights are affected;
c) Forwards the report to CPDP, if it is necessary to take action on his part, and the reporting person shall be notified in advance of the forwarding;
In case the reporting person is an employee of the Company, the person under item 5.4.3 above shall direct the reporting person to simultaneous reporting to CPDP.
d) Shall terminate the procedure in the following cases:
• when the breach, for which the report was filed, is a minor case and does not require additional follow-up actions;
In this case, the reporting person may file a report to CPDP.
• on a repeated signal that does not contain new information of essential importance for a breach, in respect of which there is already a completed investigation, unless new legal or factual circumstances justify the taking of subsequent actions.
In this case, the reporting person may file a report to CPDP.
• when data on a committed crime is established;
In this case, the report and the materials to it shall be sent immediately to the prosecutor's office.
Art. 5.8. After the completion of the internal check, the person under item 5.4.3 shall draft a report, which will briefly outline the information from the report, the follow-up actions taken and the final results of the internal check of the report. This final report, together with the reasons, shall be sent to the reporting person and to the concerned person.
Art. 5.9. Every report shall be registered in the Internal register of the reports of the Company, which is not public.
6. EXTERNAL REPORTING
Art. 6.1. External reporting shall be made to the national authority for processing of reports – Commission on Personal Data protection.
Art. 6.2. Persons filing reports or publicly disclosing information about violations may choose the reporting method: 1) through the internal channel only, 2) through the external channel only, or 3) through the internal and external channels simultaneously.
Art. 6.3. The reports shall be submitted via the following link:
https://www.cpdp.bg/?p=pages&aid=70
for which the reporting person should fill in the form – Enclosure No 1 to the Internal Rules.
Art. 6.4. For more detailed information the reporting persons can refer to the website of CPDP: www.cpdp.bg.
7. PROTECTION MEASURES
Art. 7.1. Any form of retaliation, in the form of repression and positioning the persons in a disadvantageous position, as well as threats or attempts of such actions, are prohibited, including in the form of:
7.1.1. temporary suspension, dismissal or application of another ground for termination of the legal relationship under which a person is employed;
7.1.2. demotion or withholding of promotion;
7.1.3. change in the place or nature of work, the duration of working hours or a reduction in wages;
7.1.4. withholding of training to maintain and increase the professional qualification of the employee;
7.1.5. negative performance assessment of work, including in an employment reference;
7.1.6. imposition of financial penalty and/or disciplinary liability, including imposition of disciplinary penalties;
7.1.7. coercion, rejection, threat of retaliation, or actions, whether physical, verbal or of any other kind, which aim to harm the dignity of the person and create a hostile professional environment;
7.1.8. direct or indirect discrimination, disadvantageous or unfair treatment;
7.1.9. failure to convert a temporary employment contract into a permanent one, where the employee had legitimate expectations that he or she would be offered permanent employment;
7.1.10. early termination of a temporary employment contract or failure to renew a temporary employment contract when such is permissible by law;
7.1.11. harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income;
7.1.12. blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;
7.1.13. early termination or cancellation of a contract for goods or services;
7.1.14. cancellation of a license or permit;
7.1.15. psychiatric or medical referrals.
8. PRIVACY AND PROCESSING OF PERSONAL DATA
Art. 8.1. The Company shall ensure the protection of whistleblower information and the protection of the whistleblower's identity by providing access to the information only to its employees who need such data to perform their duties:
8.1.1. Any processing of personal data carried out pursuant to these Rules, including the exchange or transmission of personal data, shall be carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680, the Personal Data Protection Act, the applicable legislation regulating the Company's activities, as well as the Company's personal data protection policy, which can be found at www.first.bg.
8.1.2. No personal data is collected that is clearly not relevant to the consideration of a specific signal, and if it is accidentally collected, it is deleted without undue delay.
8.1.3. We do not collect personal data that is obtained illegally or when it is no longer necessary.
8.1.4. Only the persons responsible for processing the reports have access to the personal data of the persons related to the report. Personal data may be disclosed in accordance with applicable law.
8.1.5. Categories of personal data processed on the occasion of the submission of reports:
a) full names of the reporting person;
b) contact details of the reporting person: telephone and e-mail;
c) names of the concerned person and his/her working place;
d) other data, collected and necessary in relation to the processing of the report.
Art. 8.2. The processed personal data shall be kept electronically and/or on paper, depending on the way of submission of the report.
8.2.1. Paper carriers of personal data are kept in a separate archive, with limited access only to the employees responsible for processing the reports.
8.2.2. A separate file is created for each case, which is kept in a binder, and the binder is kept by the employee responsible for processing the reports.
8.2.3. The employee responsible for processing the reports is obliged not to distribute or share information that became known to him/her during and on the occasion of processing the reports. The sharing of information shall be done in compliance with the provisions of the Act and the Directive.
8.2.4. The person responsible for processing the reports has no right to leave documents and media related to the report unattended at his/her workplace.
8.2.5. Data on electronic media shall be processed by the employee responsible for processing reports only on his/her work computer.
8.2.6. The employee creates an electronic file in an electronic folder to which only he/she has access. The electronic folder is protected by a password created by the employee.
8.2.7. The work computer of the person responsible for processing the reports shall be automatically locked when not in use by the employee.
8.2.8. In the event of a personal meeting with the reporting person, the meetings shall be held only in the presence of the reporting person and the person responsible for processing the reports.
Art. 8.3. The signals and the data processed in connection with them are stored for a period of 5 years, counted from the date of the opinion on the measures taken and/or counted from the date of completion of administrative proceedings or judicial proceedings, or for a period longer than that when a law or another normative act of the Bulgarian legislation requires this. In the event that the report does not meet the requirements introduced by the Act and its deficiencies have not been remedied in time, as well as when the report does not contain data on breaches, the data is deleted immediately after the opinion of the person responsible for receiving the reports.
8.3.1. After the expiration of the storage period, the data shall be destroyed.
Art. 8.4. The disclosure of the identity of the whistleblower and the information related to the submitted violation report is permitted only with the express written consent of the whistleblower, except in cases where this is a necessary and proportionate obligation imposed by Bulgarian legislation or the law of the European Union in the context of investigations by CPDP or legal proceedings, including with a view to guaranteeing the right of defence of the person concerned.
8.4.1. In these cases, the Company will notify the whistleblower of the need for disclosure with a written, motivated notification. The whistleblower is not notified when the investigation or legal proceedings are jeopardized.
9. CLOSING PROVISIONS
§ 1. These Internal Rules have been adopted by Order No WBD/20.04.2023 by the Managing Director of “FIRST ESTATES” OOD.
§ 2. Amendments and supplements to the Internal Rules shall be made in the order of their adoption.
§ 3. The internal rules also apply to the activity of FIRST APPRAISAL OOD, UIC 203219713.
§ 4. An integral part of the Internal Rules is:
Enclosure No 1 – template of a report, approved by CPDP.
These Internal Rules enter into force on 04.05.2023.