Whistleblower Policy

Initial provisions

This Policy has been formulated considering the guidelines outlined in Law no. 361/2022, focusing on safeguarding whistleblowers in the public interest. It outlines the internal reporting process applicable within Esolutions Grup SRL (hereinafter referred to as the "Company"), regarding the violations listed below.

Applicable principles

The main principles governing this Policy are:

1. The principle of legality, according to which the Company has the obligation to respect fundamental rights and freedoms, ensuring full respect, among others, of freedom of expression and information, the right to the protection of personal data or the right to defence.
2. The principle of responsibility, according to which the person making the report has the obligation to provide data or information regarding the facts reported.
3. The principle of good faith, according to which a person who had reasonable grounds to believe that the information regarding the reported violations was true at the time of reporting and that the information fell within the scope of Law no. 361/2022.
4. The principle of impartiality, according to which the examination and settlement of reports is carried out without subjectivity, regardless of the beliefs and interests of the persons responsible for settlement.
5. The principle of equality for all employees, without discrimination based on gender, sexual orientation, genetic characteristics, age, nationality, race, colour, ethnicity, religion, political choice, social origin, disability, family situation or responsibility, membership or trade union activity .
6. The principle of confidentiality, according to which reports are received, examined and treated confidentially.

Definitions

Violations – facts consisting of an action or inaction that:

• acts of fraud, acts of bribery or corruption;
• violations of the applicable legislation on the prevention of money laundering and terrorist financing, sanctions and export control;
• violations of competition legislation, issued at the local level;
• violations of environmental protection, health and safety regulations;
• violations of human rights;
• non-compliance with the legal provisions regarding the domains: public procurement; services, products and financial markets; product safety and compliance; transport safety; radiological protection and nuclear safety; food and feed safety, animal health and welfare; consumer's protection; the protection of privacy and personal data and the security of computer networks and systems;
• violations that affect the financial interests of the European Union, as mentioned in art. 325 of the Treaty on the Functioning of the European Union and as detailed in the relevant measures of the Union, violations related to the internal market, referred to in art. 26 para. (2) of the Treaty on the Functioning of the European Union, including violations of the European Union's rules on competition and state aid, and violations relating to the internal market as regards the rules on corporate taxation or the mechanisms of which it is intended. obtaining a fiscal advantage that goes against the object or purpose of the applicable law in the matter of company taxation;
• violations of the Company's internal policies/procedures;
• conflicts of interest;
• cases of discrimination or harassment;
• breaches of confidentiality;
• Inappropriate use of Company resources;
• reprisal against any Whistleblower.

Information or Information relating to Violations – information, including reasonable suspicions, regarding actual or potential Violations that have occurred or are likely to occur within the Company, in which the Whistleblower is either currently operating or has carried out the activity in the past or with whom it is or has been in contact through its activity, as well as information regarding attempts to hide such violations;

Reporting – the oral or written communication of Information, regarding any fact that represents a Violation, according to this Policy;

Internal reporting – oral or written communication of Information regarding Violations within the Company. Internal reporting is carried out in accordance with this Policy, through the means made available by the Company for reporting Violations.;

External reporting – the oral or written communication of Information regarding Violations carried out through the external reporting channels represented by the competent authorities;

Public Disclosure – the provision, in any way, in the public space of Information regarding Violations;

Whistleblower in the public interest or Whistleblower – natural person who makes a Report or Publicly Discloses Information regarding Violations, obtained in the context of his professional activities;

Facilitator – the natural person who assists the Whistleblower in the reporting process in a professional context and whose assistance must be confidential;

Professional context – professional activities, current or previous, of any nature, remunerated or not, carried out within the Company, on the basis of which individuals may obtain Information regarding Violations and may suffer reprisals in case of reporting them;

Person Targeted by the Report – the natural or legal person mentioned in the Report or in the Public Disclosure, as the person to whom the Violation is attributed or with whom that person is associated;

Reprisal – any action or omission, direct or indirect, occurring in a professional context, which is determined by internal or external reporting or Public Disclosure and which causes or may cause damage to the Whistleblower;

Subsequent Actions – any action taken by the Company or by the competent authority in order to resolve the report and, where appropriate, to remedy the reported violation;

Notification – the transmission of information to the Whistleblower regarding Subsequent Actions and the reasons behind such actions.

Designated Person – the person responsible for receiving, registering, examining, and resolving the Report, as well as taking Subsequent Actions. The Designated Person may request the involvement of other persons within the Company to evaluate the Reporting and take further action. The Appointed Person acts impartially and is independent in the exercise of her duties, according to this Policy and the legislation in force.

Application domain

This Policy is applicable:

• employees of the Company;
• associates, persons who are part of the management, management or supervisory bodies of the Company,
• paid or unpaid volunteers and interns;
• persons who carry out an independent activity, within the meaning of article 49 of the Treaty on the Functioning of the European Union and have collaboration contracts with the Company;
• any person who works under the supervision and direction of the Company's contractors, subcontractors and suppliers;
• persons whose employment relationships have not yet begun and who make reports through internal or external reporting channels or publicly disclose information regarding violations of the law obtained during the recruitment process or other pre-contractual negotiations or if the employment relationship has ceased;
• persons who report or publicly disclose information regarding violations of the law anonymously.

This Policy is made known by e-mail, by accessing the Company's web page or its intranet. Any changes to this Policy will be communicated. We reserve the right to update and modify this Policy to reflect changes in our Reporting processing processes or to respond to new legal requirements. In the event of such changes, we will publish the updated version of the Policy on our website and make it available within the Company.

Reporting channels

1. Internal reporting channels

1. in writing, by using the online reporting platform, available at the following address: https://whistleblower.tech.esolutions.ro

The platform allows both nominal and anonymous submission of a report, with each anonymous report receiving a unique reference code used to track the status of the Report.

1. through a face-to-face meeting with the Designated Person organized within a reasonable time interval, at the request of the Whistleblower - a situation in which the Designated Person is obliged to draw up a record, according to the applicable legal provisions. In the situation where the Whistleblower The Whistleblower does not express his consent for the transcript or recording of the conversation, the Reporting will be carried out according to letter a) above.

The Whistleblower who wants to set up a physical meeting with the Designated Person, will send an email to whistleblower@esolutions.ro in order to organize it.

1. External reporting channels

The external reporting channels are represented by the following authorities:

1. the public authorities and institutions that, according to the special legal provisions, receive and resolve reports regarding violations of the law, in their field of competence;
2. National Integrity Agency;
3. other authorities and public institutions to which the National Integrity Agency forwards the reports for competent resolution.

The Whistleblower making a Report and/or publicly disclosing Information is protected if legal requirements are met.

The Company will not tolerate reprisal against any person who, in good faith, makes a Report under this policy against the Facilitator or its Designee.

Content of the Report

The Reporting includes, at least, the following: the name and surname, the contact details of the Whistleblower, the professional context in which the information was obtained, the Targeted Person (if known), the description of the fact likely to constitute a violation of the law, as well as, as the case may be, the evidence in support of the report, the date and signature, as appropriate.

The report can also be made anonymously, in accordance with the applicable legal provisions, thus, the report that does not include the name, surname, contact details or signature of the Whistleblower is examined and resolved to the extent that it contains indications of violations of the law.

The information reported must be of sufficient quality, in terms of volume and level of detail, to present a clear picture of the issues raised.

The Reports are kept for the period provided by law, in compliance with the applicable legal requirements, and after the expiration of the legal retention period, they are deleted.

Preliminary actions

Upon receipt of a Report by the Designated Person, the Designated Person shall send the Whistleblower confirmation of receipt of the Report, within no more than 7 calendar days from its receipt.

The Reporting is entered in an electronic register that will include all the elements required by law.

Review of Reporting

The process of initial review of the Report will be started by the Designated Person based on the information provided by the Whistleblower.

The Designated Person can only adequately review a Report if it contains sufficient data or if there is an opportunity to obtain more information. If necessary for the investigation of the Report, the Designated Person may ask the Whistleblower to provide additional explanations.

After examining the Report, the Designated Person will communicate to the Whistleblower how to resolve the reported situation. At the same time, the management will be notified about the way to solve the reported situation.

Subsequent Actions

If the Reporting does not lead to an official investigation (disciplinary investigation/referral to the competent authorities), the Designated Person will evaluate other appropriate measures for the respective situation.

If the Reporting results in an official investigation, it will be conducted in accordance with applicable law and internal regulations.

The Designated Person will carefully carry out the Subsequent Actions and inform the Whistleblower of the progress of these actions within no more than 3 months after confirmation of receipt or, if receipt of the Report has not been confirmed, within 7 days after the expiry of the period of receipt of the Report. It will also communicate any progress in the Subsequent Actions, except where this notification could negatively affect the process.

Closing a Reporting

A report is closed when:

• It does not contain the mandatory elements, other than the identification data of the Whistleblower, and the Designated Person requested its completion within 15 days, without this obligation being fulfilled. The classification solution is communicated to the Whistleblower, indicating the legal basis;
• It is submitted anonymously and does not contain sufficient information regarding violations of the law, which would allow the analysis and resolution of the report, and the Designated Person requested its completion within 15 days, without this obligation being fulfilled.

If a person makes several Reports with the same object, they are connected, and the Whistleblower will receive only one information. If, after sending it, a new report is received with the same object, without presenting additional information to justify a different subsequent action, it is classified.

The Designated Person may decide to close the procedure if, after reviewing the report, it is determined that the violation is clearly minor and does not require additional Follow-up Actions other than closing the procedure. This provision does not affect the obligation to maintain confidentiality, to inform the Whistleblower and does not affect any other obligations or other applicable procedures to remedy the reported violation.

The closing solution is communicated to the Whistleblower, indicating the legal basis.

Confidentiality 

The Company encourages the immediate reporting of any Violation, in accordance with applicable law, and guarantees the existence of a secure online reporting platform system to maintain confidentiality.

The Designated Person has the obligation not to reveal the Whistleblower's identity nor the information that would allow his direct or indirect identification, except in the case where he has his express consent.

However, the identity of the Whistleblower, including the information that would allow his direct or indirect identification, may be disclosed if this is an obligation imposed by law, in compliance with the conditions and limits provided by it. In this case, the Whistleblower is previously informed, in writing, about the disclosure of the identity and the reasons for the disclosure of the confidential data in question. The obligation does not exist if the information would compromise the investigations or legal proceedings.

The information contained in the Reports that constitute trade secrets cannot be used or disclosed for purposes other than those necessary for the resolution of the Report.

The obligation to maintain confidentiality does not exist if the Whistleblower has intentionally disclosed his identity in the context of a public disclosure.

The obligation to maintain confidentiality is maintained even if the Reporting mistakenly reaches another person within the Company, other than the appointed person. In this case, the Reporting is forwarded, immediately, to the Designated Person.

Processing of personal data

Any personal data provided voluntarily through reporting channels in the sense of Law no. 361/2022 on the protection of whistleblowers in the public interest will be processed by the Company, as the operator of personal data (referred to below as the "Operator"), in accordance with data protection legislation.

You can contact the data protection officer at the email address dataprotection@esolutions.ro or at the address in Bucharest, district 1, 28C G-ral Constantin Budisteanu Street, 4th floor.

Purpose and basis of processing

The processing of the personal data of the whistleblower, the reported person or any other third party involved will be carried out for the following purposes:

• pursuing a legitimate interest of the Operator in accordance with art. 6 para. (1) letter f of Regulation (EU) 2016/679, in facilitating the provision of information to the Operator regarding a suspected breach of compliance with the applicable legislation, regarding the Operator's actions, and to counteract any unacceptable conduct;
• managing reporting channels, including for the assessment and resolution of reported facts/conduct, as well as generating reports on the operation and results of the Whistleblower reporting platform;
• ensuring the Operator's rights are respected before the courts, to the extent strictly necessary to warrant these rights.

Categories of personal data processed and recipients of personal data

The personal data that will be processed by the Operator will be limited to the data that you provide voluntarily and that are necessary to support the legitimacy of the reports made, for example, name, surname, e-mail address, and/or phone number.

Sensitive personal data, such as ethnic or racial origin, political opinions, religious confession or philosophical beliefs, health data or data on sex life, and sexual orientation will only be provided if they are relevant to the reported case, and the Operator will process them exclusively for purposes related to and necessary to verify the veracity of the reports made.

 The personal data processed in the process of investigating the reports made can be accessed exclusively by the people who need this data for the purpose of performing their duties, namely the employees involved in the investigation of the reports.

Also, Personal Data may be communicated to recipients in the fulfillment by the Operator of some legal obligations, such as when it is requested by the competent authorities in the framework of a subsequent criminal procedure, in the situation where the whistleblower provides with bad intent false information.

We highlight that the Operator has implemented the "Google reCAPTCHA" service (hereinafter referred to as "reCAPTCHA") offered by Google Inc. ("Google") in the Whistleblower reporting platform to prevent various types of data processing abuse attempts, for example phishing. Thus, reCHAPTA analyzes various information of the respective visitor (IP address, mouse movements of the user, length of stay on the platform). By using reCAPTCHA, data is transferred to Google, which is used to determine whether the visitor is a human being or a (spam) bot. Data processing is based on Art. 6 para. (1) lit. f of Regulation (EU) 2016/679, the Operator having a legitimate interest in protecting the Whistleblower reporting platform against abusive automated espionage, against spam and in protecting third parties against such attacks.

You can read which data is collected by Google and what this data is used for at https://policies.google.com/privacy. You can read the terms of use for Google services and products at https://policies.google.com/terms.

Data retention period

Personal data will be processed only for the period necessary to achieve the purposes identified above, but not more than 5 years from the receipt of the report.

After the expiration of the processing period and after the Operator no longer has legal or legitimate reasons for processing the Personal Data, they will be deleted in accordance with the Operator's procedures, which may involve archiving, anonymizing or destroying them.

Your rights

When we process your personal data, it is very important to know that you have the following rights:

• The right to access the personal data we process about you: you have the right to obtain a confirmation whether or not we process your personal data, and, if so, to have access to the type of personal data and to the conditions of processing, by sending us a request in this regard.
• The right to correct personal data: you have the right to obtain the rectification of inaccurate personal data concerning you. If your data needs to be updated you also have the possibility to correct, delete inaccuracies and/or update the data.
• The right to erase the personal data we process about you: we strive to only process and retain your data for as long as we need to. In certain circumstances stipulated by GDPR you have the right to request us to erase your personal data that we hold. As always, if you wish the Company to erase your personal data from our records, please contact us at privacy@esolutions.com and we will respond within a reasonable time. If necessary, given each particular case, we may be required to retain certain information for performing the agreement, legitimate business purposes and by law.
• The right to request the restriction of processing: you have the right to ask for the restriction of processing in cases where: (i) you consider that the personal data processed is inaccurate, for a period enabling us to verify the accuracy of the personal data; (ii) the processing is unlawful, however you don’t want us to erase your personal data, but to restrict the use of data; (iii) in case we no longer need your personal data for the purposes we described in this policy, but you are requiring the data for establishing, exercising or defending a legal claim or (iv) you have objected to processing pending the verification whether our legitimate grounds prevail.
• The right to object to our processing your personal data on the grounds of our legitimate interest.
• The right to data portability, meaning the right to receive your personal data, which you provided us in a structured, commonly used and machine-readable format and the right to transfer those data to another controller, where: the processing is based on consent or on a contract and the processing is carried out by automated means, in accordance with GDPR.
• The right to file a complaint with the Data Protection Authority (ANSPDCP) and the right to address to the competent courts of law.

You may exercise your rights at any time.

For any questions regarding your rights please write to us at dataprotection@esolutions.ro.

Final provisions

This Policy is supplemented by the provisions of Law no. 361/2022 and with other internal regulations applicable within the Company.

Abuse in the use of the internal reporting channel is considered a disciplinary offense and is sanctioned according to specific legal provisions.