I.- INTERNAL INFORMATION SYSTEM
We welcome you to the internal information system of the Vilar Riba Group, formed by the companies VILAR RIBA SAP, VILAR RIBA LEGAL SLUP, VIR AUDIT SLP, VILAR RIBA DATYA SL., VILAR RIBA & FABRA SLP AND VRB LABORAL SL.. In compliance with Law 2/2023, of February 20, regulating the protection of people who report on regulatory violations and the fight against corruption, the companies of the Vilar Riba Group state that they have an Internal Information System , VILAR RIBA LEGAL SLUP being the person responsible for the processing of personal data in accordance with the provisions of current legislation in this area. With the purpose of strengthening the culture of information and of the Group’s integrity infrastructures and of promoting the culture of communication as a mechanism for preventing actions or omissions that may constitute violations in the field of EU law, serious or very serious criminal or administrative violations, as well as labor violations in the field of health and safety at work, the Group has a person Responsible for Criminal Compliance (RCP), who has also been appointed , Person Responsible for the Internal Information System (RSIIF). This RCP/RSIIF person is currently in charge of the procedural area of the Group[1].
The mentioned information can be sent to the RCP/RSIIF by any of the following means:
– Email to the address: canaletic@vilarriba.com
– Ordinary mail to the address: Carrer Solsona, number 2, in Vic (Barcelona); to the attention of the CPR/RSIIF person.
– Through writing delivered to the RCP/RSIIF person.
– In a telephone conversation with the RCP/RSIIF person, on telephone 938833212.
– Requesting a face-to-face visit with the RCP/RSIIF person, within a maximum period of seven days.
Verbal information collected through a telephone call or face-to-face visit must be documented in one of the following ways, with the prior consent of the person reporting:
a) by recording the conversation in a secure, durable and accessible format, or
(*) The reporting person will be warned that the communication will be recorded and will be informed of the processing of their data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27 of 2016.
b) through a complete and exact transcription of the conversation carried out by the staff responsible for dealing with it.
(*) Without prejudice to the rights that correspond to him in accordance with the regulations on data protection, the reporting person will be offered the opportunity to check, rectify and accept through his signature the transcript of the conversation.
The Group’s Internal Information System complies with the requirements of article 5.2 of Law 2/2023:
a).- It allows the people to whom the aforementioned Law applies (Article 3) to communicate information, by various means, about the infractions provided for in Article 2.
b).- It is managed securely, guaranteeing that the communications can be treated effectively within the organization, as well as the confidentiality of the identity of the reporting person and of any third person mentioned in the communication and of the actions that take place in the management and processing thereof, as well as data protection, preventing access by unauthorized personnel.
c).- It has a Protocol that establishes guarantees for the protection of informants:
– Proof of receipt within seven calendar days of receiving the information.
– A maximum period of three months to respond to the actions of the investigation, under the terms of article 9 of the Law of reference, by diligently completing and keeping a Book-Register of Information.
– Possibility of maintaining communication with the reporting person.
– Establishment of the right of the affected person to be informed of the actions or omissions attributed to him and to be heard.
– Guarantee of confidentiality when the communication is sent through reporting channels other than those established or to personnel not responsible for its treatment, as well as the obligation for the person who receives it to immediately forward it to the RCP/RSIIF person.
– Respect for the presumption of innocence and the honor of the people affected.
– Regarding the provisions on Data Protection (Title VI Reference Law).
– Commitment to send the information to the Public Prosecutor’s Office immediately, when the facts could be indicative of a crime.
II.- PROCESSING OF PERSONAL DATA
VILAR RIBA LEGAL, SLUP will treat the personal data included in the communications that are received and are protected by Law 2/2023, as the person responsible for the treatment, in order to be able to manage them and initiate, if necessary, the procedure of the corresponding investigation and adopt the corrective measures that, if applicable, proceed.
The legal basis of the treatment will be the fulfillment of a legal obligation, derived from Law 2/2023. If the communication contains data of a special nature, these will only be processed when it is strictly necessary for the adoption of corrective measures and/or the initiation of the corresponding investigation procedure and/or the processing of disciplinary or criminal procedures that, if where applicable, proceed in accordance with current legislation and, in these cases, the legal basis will be the essential public interest. The processing of personal data will be indispensable when without them the objectives and obligations stipulated by Law 2/2023 cannot be met.
Personal data may be processed and transferred by Grup Vilar Riba staff authorized for this purpose only when necessary for the investigation of violations in the scope of European Union Law, serious or very serious criminal or administrative violations, as well such as labor violations in the field of health and safety at work, for the adoption of corrective measures, or for the processing of disciplinary or criminal procedures that, if applicable, proceed. Likewise, personal data may be communicated to third parties in case of legal obligation, and may be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority within the framework of the aforementioned investigation.
The personal data will be kept for the necessary time to decide on the origin of starting an investigation on the facts reported. Should it be appropriate to adopt corrective measures, the data will be kept for as long as the application of these measures lasts. On the other hand, if it is necessary to start the processing of disciplinary or criminal procedures, the data will be kept for the entire period that the disciplinary or criminal procedure lasts.
In any case, if the decision on the origin of starting an investigation on the facts reported is not adopted within a period of three months, the personal data contained in the communication will be deleted, except for those data that are strictly necessary to be preserved blocked to maintain evidence of the operation of the SIIF in accordance with Law 2/2023.
Those personal data that reveal conduct that is not included in the scope of application of Law 2/2023 will also be deleted, as well as those personal data not considered truthful, with the exception that this lack of truthfulness may constitute a criminal offense, in which case the information will be kept for the necessary time during which the judicial procedure is processed.
Finally, it is noted that at any time the communicating person may ask the person responsible for the treatment, access to their personal data, their rectification or deletion, or the limitation of their treatment, or object, as well as the right to data portability, by sending a letter to the postal address Carrer Solsona, number 2, in Vic (Barcelona) or to the email address lopd@vilarriba.com. In the event of disagreement with the processing of your data, you may submit a complaint to the Spanish Data Protection Agency, the body that holds the control authority in the matter, located at C/ Jorge Juan, 6 (28001) Madrid (www.aepd.es).
III.- NO RETALIATION
The companies of the Vilar Riba Group undertake, respectively and expressly, not to carry out acts constituting reprisal, including threats or attempts of reprisal against persons who present a communication in good faith in accordance with the provisions of Law 2/2023, and to apply protection measures during the processing of a file, with respect to the people affected by a possible communication.
IV.- EXEMPTION AND MITIGATION OF THE SANCTION
It is informed for the appropriate purposes that, in accordance with the provisions of Law 2/2023, when the person who had participated in the commission of the administrative infraction that is the subject of the information is the one who reports its existence through the presentation of the information (and as long as this had been presented before the initiation of the investigation or sanctioning procedure had been notified), the body competent to solve the procedure, through a reasoned resolution, may exempt the aforementioned person from complying with the administrative sanction that corresponds to him as long as the extremes mentioned in article 40 of the reference Law are proven.
(*) The Internal Information Channel allows the submission of anonymous communications.
(**) Although, whenever possible, the Internal Information Channel will be the preferred way of communication, the communications protected by Law 2/2023 may be forwarded in their case, when the object and seriousness of the situation so require and the informant deems it appropriate, to the Independent Authority for the Protection of the Informant (Antifraud Office of Catalonia in the scope of the CA of Catalonia), to the Ministry of Finance, to the European Prosecutor’s Office, or to the competent body in each case , as appropriate.
[1] Also, the Group has an alternative person in charge in the event that the information indicates that the person responsible for the amended violations is the RCP/RSIIF person or this raises a conflict of interest to the latter, who is, currently, the person responsible for the mercantile area of the Group.