Whistleblowing channel

Internal Information System

Ways to access the internal information channel

Those interested may find more information regarding failures of compliance at the following link.

Without prejudice to the rights granted by data protection regulations, informed persons are offered the opportunity to inspect, rectify, and accept the conversation transcription via signature.

Communication management procedures

In the event of differences in interpretation of internal policies or information provided through communications which generates a conflict, the Compliance and Integrity Department will respond as quickly as the complexity of the issue allows.

If the communication involves infractions against the Rights of the European Union, severe or highly severe penal or administrative infractions, the sender will be sent an acknowledgment of receipt within seven (7) calendar days.

The following steps are taken once communications are received:

  • The plausibility of the communication is verified. If not considered admissible, a report will be created explaining the reasons for the communication being archived.
  • If considered admissible, an internal investigation will be carried out to determine the veracity of the facts contained and whether, if appropriate, a disciplinary and sanctioning record should be produced against the responsible party once the internal investigation has concluded. This is carried out notwithstanding any other legal sanctions that may apply.

The deadline for investigation action response time will be three (3) months beginning from the end of the seven (7) calendar days allotted for the acknowledgment of receipt. In especially complex cases, pending justification of the decision by the individual responsible for the Internal Information System, the deadline may be extended by a maximum of three (3) months.

Confidentiality regulations applicable to communications and information regarding personal data handing

Guarantee regarding personal data handling

All personal data handling done within the confines of a sanction or internal investigation will be performed according to and in compliance with the regulations established in the GDPR and the LOPGDD.

The confidential treatment of any data belonging to the parties involved in any sanctions or investigations is guaranteed. The identity of the whistleblower, investigator, and other interested parties will not be revealed to anyone, beyond those strictly necessary, without the consent of the interested parties.

As such, the following categories are established among the interested parties: the informer, which may be defined, among others, in article 3 of Law 2/2023, as well as those subject to the investigation. Additionally, this applies to any data handling for third parties not subject to the investigation for fact-finding purposes.

An internal information system consistent with data protection regulations

The internal information system is designed and managed in such a way as to guarantee data security, confidentiality, and protection. As such, privacy criteria are applied by default and by design, as well as any security measures considered opportune. This system is designed to guarantee complete data anonymization.

Any type of communication, pursuant to law, contains the correct, pertinent, and sufficient information for interested parties, applying data handling principles to all categories of personal data. Additionally, pursuant to the criteria defined in article 30 of Law 2/2023 and article 6.1 and 9.2 of the GDPR, the bases for legitimate interest and circumstances which permit handling, accounting for the particular nature of the Group’s companies as well as the handling being carried out. Finally, the right to exercise data protection rights is guaranteed, within the restrictions or limitations established by this law.

Role of the Data Protection Officer

The data protection officer, in line with the role of this position as outlined by law, participates in the definition and the applicable guarantees within the internal information system. Similarly, they will inform and advise on the internal processes resulting from information, supervising compliance with data protection regulations.

In any case, those interested may contact the data protection officer, who will provide additional information regarding data handling, within the limitations that may apply to the investigation process. Those interested may contact the data protection officer at the following email address dpd@grupoproeduca.com.

Procedures for protection against retaliation and consulting availability

Those who provide information regarding infractions have the right to protection against retaliation, meaning that they cannot be subject to discrimination, harassment, intimidation, firing, sanctions, or any other type of unjust action as a result of informing of an infraction.

In order to ensure that informers do not suffer such retaliation, the Group’s Director of Compliance and Integrity or designated committee will monitor and follow up with the informer or any person who participates in the investigation.

This monitoring requires that the Compliance and Integrity Director for the Group be informed prior to the approval of any disciplinary measures, or the committee designated for this function.

Conditions for access to protection according to Law 2/2023 of 20 February, which regulates the protection of persons who provide information regarding regulatory infractions and fight against corruption

Persons who provide information regarding infractions the Internal Information System may access the protection measures established in Law 2/2023 of 20 February, which regulates the protection of persons who provide information regarding regulatory infractions and fight against corruption, as long as they work in the private or public sectors and have obtained information regarding infractions in a labor or professional context, which comprises the following:

  1. Persons who are employed by any of the companies or institutions belonging to the Proeduca Group;
  2. Self-employed workers who provided services to any of the companies or institutions belonging to the Proeduca Group;
  3. Shareholders, participants, and persons belonging to the administrative, executive, or supervising branches, including non-executive members in any of the companies or institutions belonging to the Proeduca Group;
  4. Any person working for or under the supervision and management of contractors, subcontractors, and providers who provide services for any of the companies or institutions belonging to the Proeduca Group.

Additionally, those persons who provide information regarding infractions in the framework of a terminated labor relationship, volunteers, interns, workers in training whether compensated or not, as well as those whose labor relationship has not yet begun, during the candidacy or precontractual negotiation phases may also have access to protection measures.

The legal representatives of these working persons also fall under the protection of this law in the exercise of their consulting and supporting duties to the informer.

Finally, these protection measures also apply to physical persons related to the informer and to the legal entities for which they work or participate significantly.

The following infractions are established which may be subject to reporting through the internal information system:

  1. Actions or omissions which constitute infractions of the Rights of the European Union.
  2. Actions or omissions which may constitute penal, severe, or highly severe administrative infractions.

The protection afforded by Law 2/2023 of 20 February, which regulates the protection of persons who provide information regarding regulatory infractions and fight against corruption, will not be applicable to reports regarding classified information, the professional confidentiality of those practicing medicine or law, the right to confidentiality for Armed Forces members, or that of judicial confidentiality.

Ways to access the external information channel

Additionally, any of the physical persons mentioned above may inform the Independent Informer Protection Authority of any of the actions or omissions described in the first section, either directly or through the Group’s internal communications and reporting channel.

Independent Informer Protection Authority contact information

Pending until the new applicable Independent Informer Protection Authorities information for the Group’s companies is determined.