Procedure for making internal reports and taking follow-up actions at SoftKraft Sp. z o.o.
The procedure for making internal reports and taking follow-up actions (hereinafter referred to as the “Procedure”) is implemented at SoftKraft Sp. z o. o. (hereinafter referred to as “SOFTKRAFT”) based on:
The purpose of the Procedure is to establish a comprehensive regulation concerning internal reporting, follow-up actions, and the protection of reporting persons.
The Procedure uses terms in accordance with their definitions as contained in the Act, except that whenever the Procedure refers to SOFTKRAFT, it shall mean the legal entity as defined by the Act.
The internal reporting procedure specifies, among other things:
a. definitions of terms used in the Procedure;
b. an internal organizational unit or person within the organizational structure of the legal entity, or an external entity authorized by the legal entity to receive internal reports;
c. an impartial internal organizational unit or person within the organizational structure of the legal entity authorized to undertake follow-up actions, including verification of the internal report and further communication with the reporting person, including requesting additional information and providing feedback to the reporting person; this function may be performed by the internal organizational unit or person referred to in point 1, provided impartiality is ensured;
d. the subject of the internal report and the persons making the reports;
e. types of internal reports;
f. means of submitting internal reports by the reporting person, along with their correspondence address or email address, hereinafter referred to as the “contact address”;
g. the content of the internal report;
h. the register of internal reports;
i. the procedure for handling information about breaches of law reported anonymously;
j. the investigative procedure;
k. the obligation to confirm receipt of the internal report to the reporting person within 7 days from the date of its receipt, unless the reporting person has not provided a contact address to which the confirmation should be sent;
l. confidentiality of reports;
m. protection of personal data;
n. anonymity;
o. protection of persons making internal reports;
p. external reports and public disclosures;
q. updating of the Procedure;
r. final provisions.
The subject of an internal report may include breaches of generally applicable laws, including those related to:
The persons who may make internal reports (hereinafter referred to as “Whistleblowers”) are:
a. employees and former employees;
b. temporary workers and former temporary workers;
c. persons performing work on a basis other than an employment relationship, including under a civil law contract (contractors, subcontractors, collaborators);
d. candidates for employment or service provision;
e. interns;
f. volunteers;
g. apprentices;
h. partners;
i. members of the Management Board and Supervisory Board;
j. proxies;
k. entrepreneurs;
l. persons working under the supervision and direction of a contractor, subcontractor, or supplier;
m. and other persons defined in the Act as Whistleblowers.
Persons responsible for receiving internal reports and those authorized to take follow-up actions are empowered according to the company's internal procedures.
The persons mentioned in point 3 above may grant further authorizations for undertaking follow-up actions.
The handling of the follow-up process includes at least the following actions:
1) receiving reports,
2) maintaining a register of reports,
3) screening reports (distinguishing between irrelevant reports and those requiring further action),
4) informing the whistleblower about the actions taken and, if necessary, about the need to notify other institutions or authorities about suspected legal breaches,
5) conducting investigative procedures,
6) fulfilling the duty to provide information,
7) ensuring confidentiality for the whistleblower and the person to whom the report relates.
Reports can be made in the following forms:
1) non-confidential report,
2) confidential report – when the whistleblower does not consent to the disclosure of their personal data,
The methods of making internal reports are:
1) written reports,
2) oral reports.
Written reports may be submitted via email to whistleblowing@softkraft.co. The message can take the form of a document in the email body, a scanned handwritten signed attachment sent in the email, or an electronic form signed in accordance with Article 78[1] of the Civil Code.
Oral reports can only be made in the form of audio recordings. The recording can be sent via electronic means of communication, in accordance with Article 2 point 5 of the Act of 18 July 2002 on the Provision of Electronic Services (Journal of Laws of 2020, item 344), to the email address whistleblowing@softkraft.co. In the case of an oral report that turns out to be incomplete, the person authorized to receive reports will invite the whistleblower to arrange a meeting to complete the oral report. The completion of the report mentioned in the previous sentence, will be recorded in the form of an audio recording.
The whistleblower should, if possible, make the internal report in accordance with the template attached as Annex 1 to the Procedure.
The internal report may be documented with collected evidence and a list of witnesses.
SOFTKRAFT or the person responsible for receiving reports maintains a register of internal reports.
Internal reports are received by the responsible persons specified in point 2.3. of the Procedure. The procedures following the receipt of an internal report are documented according to the template attached as Annex 2 to the Procedure. The documentation of the follow-up procedure includes, among others: protocols, written explanations, opinions, positions of authorities or institutions, and others.
The person responsible for receiving reports verifies the report and classifies it as:
1) clearly irrelevant or unfounded; or
2) requiring further follow-up actions, such as initiating an investigative procedure and recommending further actions or measures.
During the review of internal reports, all participants in the proceedings are required to exercise due diligence to avoid making decisions based on erroneous and unfounded accusations that are not substantiated by facts and collected evidence, while respecting the dignity and good reputation of employees, collaborators, and other persons concerned by the report.
The verification procedure will be concluded if the report is deemed clearly irrelevant or unfounded, particularly in cases where the reported breach is found to be clearly and objectively of minor significance, lacks substance, aims to insult another person or persons, concerns a fact that cannot be changed, or does not require further follow-up or investigative actions. If it is determined that the internal report requires further investigative or follow-up actions, the person or persons responsible for receiving reports will conduct the investigative procedure.
The person or persons responsible for receiving reports of breaches confirm receipt of the internal report to the whistleblower in a document, written form, or another format. This does not apply to anonymous reports, which will not be considered. If the whistleblower does not specify the preferred form of correspondence with SOFTKRAFT, the persons responsible for receiving reports will choose how to provide this information: via the email address indicated in the report, in document or written form, orally, or in another form that ensures the effective delivery of information to the whistleblower.
Feedback regarding:
1) the receipt of the report is provided to the whistleblower within 7 days from the date of receipt of the internal report;
2) planned or undertaken follow-up actions and the reasons for such actions are provided to the whistleblower within 3 months from the date of receipt of the internal report.
In the course of the investigative procedure, the persons responsible for receiving reports of breaches gather the necessary information from employees and collaborators to clarify the matter and decide on the appropriate way to handle it. Before obtaining information from employees and collaborators, they must be informed about the processing of their personal data, the purpose of the processing, and the legal basis for such action.
The investigative procedure includes (depending on the factual circumstances), among other things:
1) interviewing the whistleblower, if possible,
2) interviewing the person or persons mentioned in the internal report who are the subject of the report,
3) interviewing the person suspected of the breach,
4) obtaining information from supervisors/collaborators who may be related to the breach or have knowledge of it,
5) analyzing data and evidence in the form of documents,
6) witness statements,
7) accepting statements and information in written or electronic form,
8) other actions that prove necessary for the proper clarification of the matter.
The investigative procedure is conducted by a committee appointed by the persons responsible for receiving reports, consisting of individuals responsible for conducting follow-up actions.
A protocol of the investigative procedure is prepared in document/written form.
After completing the investigative procedure and determining the causes and reasons for the breaches, SOFTKRAFT or the persons responsible for follow-up actions implement measures aimed at eliminating the effects of the breach and preventing similar occurrences in the future.
The management of personal data will be conducted in accordance with the provisions and principles of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as other applicable data protection laws.
SOFTKRAFT is the data controller for the data collected in the Register of Internal Reports.
The personal data of whistleblowers and other data that may identify them shall not be disclosed unless the whistleblower has given consent in the internal report.
The template for the personal data processing clause is attached as Annex 3 to the Procedure.
Only persons with written authorization from SOFTKRAFT may be allowed to receive and verify internal reports, undertake follow-up actions, and process personal data. Authorized persons are obliged to maintain confidentiality. The template for the confidentiality clause is attached as Annex 4 to the Procedure.
The person responsible for receiving reports sends the whistleblower confirmation of receipt of the report within 7 days, along with information on the processing of personal data, the purpose of processing, and the legal basis for such action. The person or persons responsible for receiving reports and follow-up actions may process the data of the person concerned by the report even without their consent. Article 14(2)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1, as amended) does not apply unless the whistleblower acted in violation of Article 6 of the Act.
SOFTKRAFT implements technical and organizational measures to ensure that the whistleblower's personal data is stored separately from the document or other information medium containing the report, including, where appropriate, the removal of the whistleblower's personal data from the document or other medium.
SOFTKRAFT prevents unauthorized persons from accessing information covered by the report and ensures the confidentiality of the identity of the whistleblower and the person concerned by the report.
Each internal report must be recorded in the Register of Internal Reports. The Register is managed by the person(s) responsible for receiving reports.
The Register of Internal Reports includes:
Data in the Register of Internal Reports is stored for a period of 3 years after the end of the calendar year in which the follow-up actions were completed or after the conclusion of proceedings initiated by those actions.
Every whistleblower is entitled to full protection against retaliatory actions, discrimination, and any other forms of unfair treatment that constitute or may constitute a result of the report made.
No retaliatory actions may be taken against the whistleblower, including, in particular, the actions mentioned in the Act.
Protection against retaliatory actions applies to:
Making false reports of breaches, using the reporting mechanism in bad faith, or in a manner that demeans others is prohibited and does not entitle the whistleblower to any legal protection.
Adverse treatment due to making a report or public disclosure also includes threats or attempts to impose such treatment.
A whistleblower providing services to SOFTKRAFT under a legal relationship other than employment cannot be treated adversely due to making a report or public disclosure. Adverse treatment includes, in particular, termination, withdrawal, or refusal to establish a legal relationship with the whistleblower, unless the other party proves that it was acting for objectively justified reasons.
A report may, in any case, also be made to the Ombudsman or a public authority without following the procedure provided in the internal reporting regulations.
Information on the rules for making external reports is available on the Ombudsman's website.
The whistleblower has the right to make a public disclosure under the terms specified in the Act.
The Procedure is introduced for an indefinite period and comes into force on 25 September 2024.
The Procedure requires review and updating at least once a year.
In matters not regulated by this Procedure, the Act shall apply, followed by the relevant provisions and stipulations of the Directive.