Internal Procedure for Reporting Violations of the Law
pursuant to Article 24 of the Act of 14th June, 2024 on the protection of whistleblowers
Article 1
General provisions
1. This procedure ("Procedure") sets out the rules for reporting violations of the law and protecting whistleblowers in the following Comarch Capital Group Companies:
- Comarch S.A.
- iComarch24 S.A.
- Comarch Cloud S.A.
- CA Consulting S.A.
- Comarch Healthcare S.A.
- Comarch Polska S.A.
- KS Cracovia S.A.
- Comarch Technologies Sp. z o.o.
- Comarch Finance Connect Sp. z o.o.
2. The procedure applies to Reports of violations of the law, i.e. acts or omissions resulting in a violation of the law or intended to circumvent the provisions of the law regarding:
a. corruption;
b. public procurement;
c. financial services, products and markets;
d. counteracting money laundering and terrorism financing;
e. product safety and compliance with requirements;
f. transport safety;
g. environmental protection;
h. radiological protection and nuclear safety;
i. food and feed safety;
j. animal health and welfare;
k. public health;
l. consumer protection;
m. protection of privacy and personal data;
n. security of networks and IT systems;
o. the financial interests of the State Treasury of the Republic of Poland, local government units and the European Union;
p. the internal market of the European Union, including public law rules of competition and state aid as well as corporate taxation;
q. constitutional freedoms and rights of humans and citizens – occurring in an individual's relations with public authorities and not related to the areas indicated in points a.-p.
3. Within the established Procedure, only:
- Reports made by persons authorised under this Procedure to submit Reports in the context of their work or cooperation;
- Reports made in a named and anonymous form;
- Reports submitted through the secure reporting channel established in this Procedure.
4. This Procedure applies to persons reporting a violation of the law in a work/cooperation context specified in Article 4 (1) of the Act, in particular to:
- employees, former employees;
- persons providing work on a basis other than an employment relationship, including under a civil law contract, as well as after their termination;
- people applying for work or the provision of services;
- persons performing work under the supervision and direction of a contractor, subcontractor or supplier;
- trainees or trainees.
5. The definitions used mean:
- Act – The protection of whistleblowers Act of 14th June, 2024;
- Report – a written internal Report of a violation of the law, submitted in accordance with the reporting rules specified in this Procedure;
- Date of receipt of the Report – date of receipt of the Report via the electronic system available at the link: https://comarch.whiblo.pl/;
- Follow-up Actions – actions taken to assess the accuracy of the information contained in the Report and to prevent the violation of law that is the subject of the Report;
- Retaliatory Actions – direct or indirect action or omission in a work-related context, including in particular the action described in Article 12 of the Act, which is caused by a Report or public disclosure and which violates or may violate the rights of the Whistleblower or causes or may cause unjustified damage to the Whistleblower, including unjustified initiation of proceedings against the Whistleblower;
- Person assisting in submitting the Report – an individual who assists the Whistleblower in reporting or making a public disclosure in a work-related context and whose assistance should not be disclosed;
- Person associated with the Whistleblower – a natural person who may experience retaliation, including a co-worker or family member of the Whistleblower;
- Whistleblower – a natural person reporting information about a violation of the law obtained in a work-related context;
- Committee – a group of impartial persons authorised to consider the Report, the composition of which will be adapted to the nature of the Report;
- Authorised person – a person authorised by the Company's Management Board to accept Reports or to sit on the Committee;
- Whiblo – an electronic system dedicated to making named and anonymous Reports, provided by an independent external entity;
- Company – a company from the Comarch Capital Group, indicated in Article 1 point 1 of this Procedure to which the Report relates.
Article 2
Purpose of the Procedure
1. This Procedure sets out the rules for submitting Reports regarding violations of law resulting from actual or probable prohibited actions or omissions, within the internal reporting channel by the Whistleblower.
2. The purpose of introducing the Procedure is:
- creating a comprehensive regulation enabling Whistleblowers to submit Reports;
- establishing the rules for submitting Reports;
- supporting and protecting Whistleblowers and other parties involved;
- ensuring a safe channel for submitting Reports.
Article 3
Rules for submitting Reports
1. The Whistleblower reports via an electronic system that also allows the Whistleblower to remain anonymous in the event of an anonymous Report, available at the link: https://comarch.whiblo.pl/, published on the Intranet and in job advertisements. In the case of anonymous Reports, the system provides the possibility of anonymous communication with the Whistleblower without the need to provide data regarding the Whistleblower (including personal and contact details).
2. The Report may be named or anonymous, depending on the choice and method of submitting it by the Whistleblower.
3. Each Report, both named and anonymous, receives a unique identifier after its submission, which is used by the Company and the Whistleblower for direct communication regarding the Report. In the case of anonymous Reports, communication with the Whistleblower takes place only via the Whiblo system.
4. If the Report contains data of the Whistleblower and/or data of persons indicated in the Report, these data are subject to legal protection under the Act, and their processing by the Company will be in accordance with the provisions on the protection of personal data.
5. The Whistleblower is obliged to:
- act in good faith;
- provide in the Report important information necessary to verify the Report;
- provide necessary explanations at the stage of verification of the Report by the Committee.
6. In order to enable the Report to be considered, the Report should include in particular:
- details of the reporting person, including contact details (in the case of named Reports);
- information about the person or persons concerned by the Report;
- date and place of the violation of law;
- detailed description of the reported violation of law;
- details of other persons who are or may be related to the Report and who can provide information, including their contact details (if the Whistleblower is in possession of such information);
- other information related to the Report that may enable clarification and consideration of the Report;
- indication of evidence confirming the violation of the law described in the Report.
7. If the Whistleblower does not have complete information referred to above, he or she may submit a Report to the extent of the information he or she has.
8. Reports may only be made in good faith, i.e. refer to actual events that may constitute a violation of the law specified in Article 1 point 2.
Article 4
Acceptance and consideration of Reports
1. The internal organisational unit responsible for receiving and handling Reports is the Compliance and Internal Audit Department, and only the Person authorised to receive Reports will be authorised to receive Reports.
2. Confirmation of receipt of the Report is made in writing as information from the Whiblo system, within 7 days from the date of its receipt.
3. A Committee is appointed to consider the Report.
4. The Committee consists of impartial persons with appropriate knowledge and experience that will enable the objective conduct of the explanatory proceedings and are authorised to consider Reports. Persons identified as perpetrators of violations of the law cannot be members of the Committee.
5. The Committee is obliged to:
- provide a preliminary assessment of each Report;
- conduct an internal investigation procedure;
- document the activities undertaken;
- take Follow-up Actions with due diligence;
- summarise the conducted explanatory proceedings regarding the consideration of the Report in the form of a protocol;
- provide feedback to the Whistleblower;
- in situations provided for by law – report the matter to the relevant public authorities.
6. Members of the Committee are entitled to communicate with the Whistleblower and request additional information that will enable the effective conduct of the explanatory proceedings and consideration of the Report.
7. A person authorised to receive and consider Reports is obliged to comply with the provisions of generally applicable law, internal norms and standards of the Company in the course of his/her operation.
8. After completing the explanatory proceedings, the Committee shall provide feedback to the Whistleblower within a period not exceeding 3 months from the confirmation of receipt of the Report.
9. If the Report has been rejected, the Committee will provide the reason for rejecting the Report in its feedback. It may also inform the Whistleblower that the irregularities reported by him do not constitute a violation of the law referred to in Article 1 section 2, and should be subject to another internal procedure established in the Company.
Article 5
Rules for considering Reports and conducting explanatory proceedings
1. Before joining the case, Authorised Persons sign:
- a declaration of impartiality;
- a declaration of confidentiality of all information obtained as part of the proceedings.
2. The purpose of the explanatory proceedings is:
- explanation of the circumstances of the case;
- collecting, securing and recording evidence in the case;
to the extent enabling the Report to be considered.
3. During the explanatory proceedings, all participants in the proceedings are given the opportunity to express their views on the issues that are the subject of the proceedings, including submitting requests for evidence.
4. Each person participating in the explanatory proceedings aimed at considering the Report, including the Whistleblower, is obliged to maintain the confidentiality of the conducted proceedings.
5. After completing the explanatory proceedings, a written final report is drawn up.
6. The Committee presents the final report to the Company's Management Board, and if the proceedings concern a member of the Company's Management Board – to the Supervisory Board, if it has been established in the Company.
7. In the event of an identified violation of the law, the Company's Management Board (or the Company's Supervisory Board if the violation concerned a member of the Company's Management Board), based on the Committee's recommendations, determines further actions and persons responsible for their implementation.
8. Written documentation prepared as part of the proceedings is stored in the Compliance and Internal Audit Department in a way that prevents access by unauthorised persons.
Article 6
Registration of Reports
1. The entity responsible for maintaining the Register of Reports is the Person authorised to receive Reports.
2. All received Reports are recorded in the Register of Reports.
3. The register contains:
- Report number;
- subject of violation of law;
- personal data of the Whistleblower (in the case of named Reports) and the person concerned by the Report, necessary to identify these persons;
- the contact address of the Whistleblower (in the case of named Reports), if it was indicated by the Whistleblower;
- date of submission of the Report;
- information on the Follow-up Actions undertaken;
- date of completion of consideration of the Report.
4. The Register of Reports is kept in electronic form and secured in a way that ensures confidentiality.
5. Access to data from the Register of Reports is granted only to Authorised persons.
6. Data in the Register of Reports are kept for a period of 3 years, counted from:
- the beginning of the calendar year following the end of the calendar year in which the Follow-up Actions were completed; or
- the beginning of the year following the end of the calendar year in which the proceedings initiated by these Follow-up Actions were completed.
7. In the case of a Report that has not been further processed, personal data in the Register is stored for a period of 3 years after the end of the calendar year in which the Report was submitted.
8. An Authorised person designated by the Company's Management Board periodically reviews the registered Reports in order to determine whether the data regarding the Report is subject to removal from the Register. The deletion of data from the Register is confirmed by a protocol prepared in electronic form.
Article 7
Rights and obligations of the Whistleblower
1. The identity of the Whistleblower, the content of the Report and the resulting Follow-up Actions are confidential. The identity of the Whistleblower is fully protected at every stage of considering the Report and the ongoing explanatory proceedings, unless the Whistleblower gives written consent to the disclosure of data.
2. It is prohibited to take Retaliatory Actions, as well as attempts or threats of such actions against:
- Whistleblowers;
- People who help in submitting Reports;
- People who are associated with the Whistleblower who may experience retaliation in a work-related context, such as co-workers or relatives of the Whistleblower.
3. The Whistleblower is protected under the Act and this Procedure provided that he or she had reasonable grounds to believe that the information being the subject of the Report is true at the time of making the Report and that it constitutes information about a violation of the law.
4. Taking Retaliatory Actions constitutes a serious violation of employee duties. Notwithstanding the foregoing, a person taking Retaliatory Actions is subject to liability under the Act.
5. A Whistleblower against whom Retaliatory Actions have been committed is entitled to compensation in an amount not lower than the average monthly remuneration in the national economy in the previous year, announced for retirement purposes in the Official Journal of the Republic of Poland "Monitor Polski" by the President of the Central Statistical Office, or the right to compensation.
6. Submitting Reports in bad faith, in particular in the event of knowledge that no violation of the law has occurred, is subject to criminal and compensatory liability. In particular, a person who has suffered damage due to the conscious reporting or public disclosure of false information by a Whistleblower is entitled to compensation or compensation for violation of personal rights from the Whistleblower who made such a Report.
Article 8
Principles of personal data protection in the process of handling Reports
1. The Controller carries out tasks related to the protection of Whistleblowers in accordance with the provisions of the Act.
2. Personal data are processed in accordance with the principles of personal data protection referred to in Article 5 of the GDPR, in particular in accordance with the principles of lawfulness, fairness and transparency and the principle of data minimisation to the extent necessary to verify the Report and take any Follow-up Actions.
3. In order to ensure appropriate security of the processed data, appropriate organisational and technical measures referred to in Article 32 of the GDPR are implemented, ensuring the protection of the data of the Whistleblower, the Person concerned by the Report, as well as the third party indicated in the Report.
4. Only necessary data are collected. Data that are irrelevant to the consideration of the Report are not collected, and if they are accidentally collected, they are immediately deleted, no later than 14 days from the moment it is determined that they are not relevant to the consideration of the Report.
5. Personal data processed in connection with accepting the Report, taking Follow-up Actions and documents related to this Report are stored for a period of 3 years after the end of the calendar year in which the Report was submitted or Follow-up Actions were completed or after the completion of proceedings initiated by these actions.
6. Access to the Whistleblower's personal data and the data contained in the Report is granted only to the Person authorised to process personal data.
7. Authorised persons are obliged to keep confidential information and personal data obtained as part of the entrusted tasks related to handling Reports submitted by Whistleblowers, i.e. accepting and verifying Reports and taking Follow-up Actions.
8. Whistleblower data may only be made available to:
a. entities authorised to process them under the law;
b. competent authorities, in the event of taking Follow-up Actions and conducting proceedings;
c. external entities supporting the Controller in accepting Reports, based on a data processing agreement, specifying in particular the subject matter, duration of the processing, nature and purpose of the processing, type of personal data, rights and obligations of the Controller in accordance with Article 28 of the GDPR. Such an entity will be verified to determine whether it ensures an adequate level of personal data protection in relation to the entrusted task.
9. The Whistleblower's data may be disclosed to the persons concerned by the Report or to third parties indicated in the Report if the Whistleblower has consented to the disclosure of his identity, as well as if he is not subject to the protection specified in the Act due to failure to meet the conditions regarding this protection. Disclosure is based on the request of these persons for access to their personal data processed by the Controller.
10. In the case of an anonymous Report, the Whistleblower is not required to provide any data enabling his/her identification beyond that indicated by him/her in the Report submitted.
11. If the Report is received through a channel other than the one approved for receiving Reports, such Report will not be considered as a Whistleblower Report within the meaning of the Act and this Procedure. The person who receives it is obliged to immediately delete all data related to such Report (e.g. from e-mail).
12. The person designated to receive Reports, immediately after receiving the Report, pseudonymises the data, giving the Whistleblower an identifier, which is then used instead of the Whistleblower's personal data as part of the explanatory proceedings.
13. Information on the principles of personal data processing is provided to the Whistleblower pursuant to Article 13 of the GDPR at the time of submitting the Report. The information about the processing of personal data is available on Whiblo, through which the Whistleblower submits the Report.
14. Information about the processing of personal data is provided to the persons concerned by the Report, other persons indicated in the Report, pursuant to Article 14 of the GDPR at the first contact, no later than within one month of receiving the data, unless there is an exception under Article 14 (5) of the GDPR.
15. The Controller ensures the implementation of the data subject rights of persons whose data are processed as part of handling Reports submitted by Whistleblowers, indicated in the information about the processing of personal data addressed to the Whistleblower, the person to whom the Report concerns and the person indicated in the Report, subject to point 16.
16. The implementation of certain data subjects’ rights is subject to the limitations referred to in Article 8 (5 and 6) of the Act:
a. the Controller does not inform persons whose data are processed pursuant to Article 14 of the GDPR (the person concerned by the Report and the person indicated in the Report) about the source of personal data, unless the Whistleblower does not meet the conditions specified in Article 6 of the Act or has expressed express consent to such transfer;
b. as part of the exercise of the right to access personal data, the Controller does not provide information about the source of the data, unless the Whistleblower does not meet the conditions specified in Article 6 of the Act or has expressed express consent to such transfer.
Article 9
External Reports
1. Notwithstanding the provisions of this Procedure, an external report may be made to a public authority or the Ombudsman in accordance with the provisions of the Act. The external report may be made without following the rules and procedures specified in this Procedure.
2. A notifier may submit an external Report without first submitting an internal Report.
3. The external report may take the form of public disclosure. In such a case, in order to be protected, the notifier must meet the conditions specified in the Act.
Article 10
Final provisions
1. The Company's Management Board is responsible for the implementation of and compliance with this Procedure.
2. In matters relating to this Procedure, please contact the Compliance and Internal Audit Department via the following e-mail address: compliance@comarch.pl
3. The provisions of this Procedure should be interpreted in accordance with generally applicable laws.