Internal rules of Extrapack AD for the protection of persons filing reports or publicly disclosing information about violations
Section I. General Provisions
Art. 1. (1) These Internal Rules cover the procedure and conditions for submitting and considering reports, as well as the conditions, procedure and measures for the protection of persons who report or publicly disclose information on violations of Bulgarian legislation or acts of the European Union that threaten or harm the public interest and European Union law in accordance with Directive (EU) 2019/1937 on the protection of persons who report violations of EU law and in accordance with the Act on the Protection of Persons Reporting or Publicly Disclosing Information on Violations (hereinafter referred to as the “Act/s”).
(2) These Internal Rules have been developed on the basis of Art. 12, para. 1, item 2 of the Act.
(3) These Internal Rules aim to provide protection to persons who file reports or publicly disclose information about violations of Bulgarian legislation or acts of the European Union, which became known to them during or in connection with the performance of their employment or official duties or in another Work context.
(4) The Internal Rules govern the process of receiving, analyzing, and processing reports of violations, including fraud, money laundering, bribery, corruption, unfair practices, insider trading, and other illegal actions, immoral or unethical behavior.
(5) All reports that meet the requirements of the Law and these Internal Rules are reviewed by a responsible employee and form the basis on which the Company takes Subsequent Actions to eliminate the violations found.
(6) Each report should be reviewed in accordance with the legal requirements for confidentiality in order to protect the identity of the sender of the report.
Section II. Definitions
Art. 2. In these Internal Rules, the following terms are used with the following definitions:
• “Violations” are actions or omissions that are:
◦ unlawful and are related to Bulgarian legislation or European Union acts in the areas specified in Art. 3 of the Act, or
◦ contradict the subject matter or purpose of the rules in the European Union acts and the areas specified in Art. 3 of the Act.
• “Employer” is any natural person, legal person, or its division, as well as any other organizational and economic separate entity that independently hires workers or employees under an employment and service relationship, including for performing home work and remote work, and for sending them to perform work in a user enterprise.
• “Information on infringements” is information, including reasonable suspicions, about actual or potential Violations that have been committed or are likely to be committed in the organization where the reporting person works or has worked, or in another organization with which the reporting person is or has been in contact in the course of his/her work, as well as about attempts to conceal Violations.
• “Work context” is current or past work activities in the public or private sector through which, regardless of their nature, individuals receive Information on infringements and within which these individuals may be subject to Retaliation if they report such information.
• “Person concerned” is a natural or legal person who is identified in the reporting or in the public disclosure of information as a person to whom the breach is attributed or with whom this person is associated.
"Retaliation" means any direct or indirect action or inaction that occurs in a Work context, is caused by an internal or external whistleblowing or by a public disclosure, and that causes or may cause adverse consequences that harm a person under Art. 3, para. 1.
•"Follow-up action" means any action taken by the person receiving the report or by a competent authority to assess the accuracy of the allegations made in the report and, where appropriate, to address the reported violation, including through actions such as an internal inquiry, investigation, prosecution, actions to secure funds, or the conclusion of the procedure.
• “Sufficient data” is data from which a reasonable assumption can be made about a violation that falls within the scope of this law.
• “Internal reporting” is the oral or written communication of Information about violations within a legal entity in the private or public sector.
• “External reporting” is the oral or written communication of Information about violations to the competent authorities.
•"Durable medium" is any information carrier enabling the obliged entities under Art. 12, para. 1 of the Act on the Protection of Persons Filing Reports or Publicly Disclosing Information on Violations or the Personal Data Protection Commission to store information, which allows easy use in the future for a period corresponding to the purposes for which the information is intended, and which allows the unchanged reproduction of the stored information.
• A “minor case” exists when the violation committed reveals a clearly insignificant degree of danger in view of the absence or insignificance of the harmful consequences.
Section III. Internal Reporting
Art. 3. (1) These Rules shall apply to a natural person reporting a Violation that has become known to him/her in his/her capacity as:
a) a worker within the meaning of Article 45(1) of the Treaty on the Functioning of the European Union, including a worker, an employee, or any other person who performs paid work for the Company, regardless of the nature of the work, the manner of payment, and the source of financing;
b) a person with the status of a self-employed person within the meaning of Article 49 of the Treaty on the Functioning of the European Union, including a person who performs work without an employment relationship and/or exercises a liberal profession and/or a craft activity;
c) a volunteer, paid or unpaid, and an intern;
d) partners in the Company and managers of the Company;
e) all persons who are contractors of the Company, including employees of partners, contractors, subcontractors, clients, or service providers;
f) a person whose employment relationship with the Company is about to begin in cases where information about the Violations was received during the selection process or other pre-contractual relations;
g) an employee, where the information was received within the framework of an employment relationship with the Company that has been terminated at the time of filing the report or public disclosure.
(2) The persons under para. 1 who acquire data and information in a professional context about possible actions committed by persons having professional relations with the Company, in the course of their activities or influencing it, have the right to protection when submitting a report, to the extent that they have reasonable grounds to believe that the information is correct at the time of submitting the report, such information falls within the scope of art. 3 of the Act, and the report of the violation was submitted under the terms of these Rules and the Act.
(3) The identity of the reporting person may not be disclosed to anyone other than the responsible officer competent to receive and process reports of Violations without the express consent of that person. This also applies to any other information from which the identity of the reporting person can be established.
(4) Exceptions to the prohibition under para. 3 is allowed in the event that this is a necessary and proportionate obligation imposed by a regulatory act in the context of investigations by national authorities, including with a view to protecting the rights of the Person concerned.
Art. 4. (1) The Company shall appoint, by an internal act of the management body, an employee responsible for examining reports under these Internal Rules.
(2) The designated employee under para. 1 may be replaced if necessary in the same manner as he was appointed.
(3) The designated employee under para. 1 must be independent in his activities from the other employees of the Company, in order to avoid situations in which a conflict of interest may arise and to guarantee the confidentiality of the identity of the reporting persons.
Art. 5. (1) These Rules establish an e-mail address: whistleblowing [аt] bags.bg, as an internal channel for reporting Violations.
(2) Reports may also be submitted in the following ways:
a) In writing on paper - to the correspondence address of the Company in the town of Veliko Tarnovo, p.c. 5000, 1 A “Kozludzha” str.
b) Orally - by telephone to the employee responsible for handling reports under these Internal Rules or through other voice messaging systems;
c) Through a personal meeting - at the request of the reporting person, through a personal meeting agreed upon between the parties at a time convenient for them.
Art. 6. (1) Anonymous reports submitted shall not be considered under these Rules. For reports submitted by persons who cannot be contacted, Art. 8, para. 5 shall apply.
(2) Reports relating to Violations committed more than 2 (two) years ago or those that do not fall within the scope of the Act shall not be considered.
(3) All internal channels shall allow for the storage of information recorded on Durable Media for the purposes of checking the report and for further investigations.
(4) Internal reporting channels shall be managed by the employee responsible for handling reports, who shall ensure the confidentiality of the identity of the reporting person and any third party who has filed a report and shall limit access to it by unauthorized employees.
(5) Persons who have anonymously filed a report not in accordance with the procedure of the Act or publicly, but anonymously, have disclosed Information about violations, and have subsequently been identified and have become the subject of Retaliatory Actions, have the right to protection, when the conditions under Art. 6, para. 1 and Art. 7 of the Act are met.
Art. 7. (1) Reports shall be submitted by filling out a form according to a template that can be found on the official website of the Commission for Personal Data Protection (CPDP) https://www.cpdp.bg/index.php?p=sub_rubric&aid=282 and shall contain at least the following data:
a) the sender’s full name, address, and telephone number, as well as an e-mail address, if any;
b) the names of the person against whom the report is being submitted and his/her place of work, if the report is being submitted against specific persons and they are known;
c) specific data on the violation or on the real risk of such a violation being committed, place and period of the violation, if such a violation was committed, description of the act or situation and other circumstances, to the extent that such are known to the reporting person;
d) date of submission of the report;
e) signature, electronic signature, or other identification of the sender.
(2) In case the reporting person does not use the standard form, he/she shall indicate the data under para. 1 in another appropriate manner. In this case, the officer responsible for handling reports shall enter the information from the report into the approved form.
(3) The oral report shall be documented by filling in the form under para. 1 by the officer responsible for handling reports, who shall offer the reporting person to sign it if he/she so wishes and shall note his/her consent or refusal in the appropriate place on the form.
(4) Any type of information sources supporting the statements made therein and/or references to documents may be attached to the report, including an indication of data on persons who could confirm the reported data or provide additional information.
Section IV. Handling of Reports. Internal Review
Article 8. (1) The person responsible for receiving and reviewing reports within the Company shall register the received report with the Commission for Personal Data Protection (CPDP) for the purpose of obtaining a Unique Identification Number (UIN) by entering the following information:
a) name and UIC of the Company;
b) identification data of the employee responsible for reviewing the report;
c) subject of the report;
d) method of receiving the report (written or oral).
(2) Upon receipt of a report, the employee shall assign it a unique entry number from the Company's document management information system.
(3) The employee responsible for reviewing reports shall confirm receipt of the report within 7 (seven) days of its receipt by sending a written confirmation to the e-mail address or correspondence address specified in the report.
(4) The confirmation shall also send the reporting person the UIN of his/her report and his/her own incoming number from the Company’s document management information system in accordance with para. 1 and 2 above.
(5) If the report does not meet the requirements under Art. 7, para. 1, a message shall be sent to the reporting person (to the extent that it is possible to contact the sender) to eliminate the irregularities within 7 days of receiving the report. If the irregularities are not eliminated within this period, the report, together with its attachments, shall be returned to the reporting person. When, for objective reasons, contact with the reporting person cannot be established, the consideration of the report shall be discontinued.
Art. 9. The officer responsible for handling reports shall be obliged to:
a) ensure that the identity of the reporting person and any other person specified in the report will be duly protected, and to take the necessary measures to limit access to the report by unauthorized persons;
b) maintain contact with the reporting person, requesting additional information from him or her and from third parties if necessary;
c) provide feedback to the sender of the report on the actions taken within a period not exceeding three months after the confirmation of receipt of the report, or if no confirmation has been sent to the reporting person, after the expiry of a period not exceeding three months, counted from the expiry of the period under Art. 8, para. 3;
d) provide the persons wishing to submit a report with clear and easily accessible information on the procedures for External Reporting to the competent central authority, the Commission for Personal Data Protection, and where appropriate - to the institutions, bodies, offices, and agencies of the European Union;
e) provide the Person concerned with the opportunity to present and indicate new evidence to be collected in the course of the inspection.
f) provide the Person concerned with all the evidence collected and provide him or her with the opportunity to object to it within a period of 7 days, while respecting the protection of the reporting person.
Art. 10. The officer responsible for examining reports shall, within the scope of his competence, verify its reliability, and if it contains obviously false or misleading statements of fact, he shall return it with an instruction to the sender to correct the statements and a warning of the liability he bears under Art. 286 of the Criminal Code for persuasion.
Art. 11. (1) The officer responsible for examining reports may request additional information from the reporting person and from third parties to clarify the factual situation of the submitted report.
(2) In the course of the verification, written explanations shall also be heard and/or collected from the person against whom the report was submitted, and additional evidence shall be collected, in case he wishes to present such.
Section V. Follow-up to the Report
Art. 12. (1) If the facts stated in the report are confirmed as a result of the investigation and on the basis of the evidence collected and assessed, the officer responsible for handling reports:
a) organizes the taking of follow-up actions in connection with the report, and for this purpose may require the assistance of other persons or departments of the Company;
b) proposes to the Company to take specific measures in order to stop or prevent the violation in cases where such a violation has been established or there is a real danger of its imminent commission;
c) directs the reporting person to the competent authorities when his rights are affected;
d) forwards the report to the External Reporting Authority of the CPDP if action is required on its part, and the reporting person is notified of the referral in advance;
(2) In case the report is filed against the Company in its capacity as an Employer, the employee responsible for handling reports shall direct the person to simultaneously report to the External Reporting Authority.
Art. 13. As a result of the investigation, the employee responsible for handling reports shall prepare an individual report, briefly describing the information from the report, the actions taken, and the final results of the investigation into the report, which together with the reasons shall be communicated to the reporting person and the person concerned, while respecting the obligation of confidentiality.
Section VI. Termination of the inspection
Art. 14. (1) The officer responsible for reviewing reports may terminate the inspection in the event that:
a) he/she establishes that the reported violation is a Minor case and does not require further Follow-up actions;
b) in the case of repeated reports, there is no new information in connection with an already terminated inspection for a violation, unless new circumstances and facts require the undertaking of Follow-up actions;
c) when data on a committed crime is established. In this case, the report and the materials to it shall be sent immediately to the prosecutor's office.
(2) The reporting person shall be notified of the decision to terminate and the reasons for it.
(3) In cases where the investigation is terminated on the grounds of para. 1, items 1 and 2, the reporting person may file a report to the central body for External Reporting – CPDP
Section VII. Forwarding of the Report
Art. 15. (1) The employee responsible for handling reports shall forward to the CPDP, within 7 days, a report for which it is established that:
a) it was received by an Employer from the private sector who is not an obligated entity within the meaning of the law and is not obliged to establish and maintain an Internal Reporting Channel;
b) reports Violations committed by persons holding high public positions under Art. 6 of the Anti-Corruption and Forfeiture of Illegally Acquired Assets Act, for the purpose of subsequent referral to the Commission for Anti-Corruption and Forfeiture of Illegally Acquired Assets;
c) refers to the activities of another obliged entity under Art. 12, para. 1 of the Act, without it being specifically mentioned in the report;
d) there is a need for action to be taken by the CPDP.
(2) When referring to Para. 1, the responsible officer shall send to the CPDP all the initial and/or subsequently collected documentation to it, without deleting data, and shall also notify the reporting person thereof.
Section VIII. Register of Reports
Art. 16. (1) The submitted reports shall be entered by the responsible person in a register of reports for Violations, established under these Rules, which shall not be public and shall include the following information:
a) the person who received the report;
b) the date of submission of the report;
c) the affected person, if such information is contained in the report;
d) summary data on the alleged violation, such as the place and period of commission of the violation, description of the act, and other circumstances under which it was committed;
e) the connection of the submitted report with other reports after the establishment and in the process of processing the report;
f) information provided as feedback to the person who submitted the report and the date of its provision;
g) the Follow-up actions taken;
h) the results of the verification of the report;
i) the period of storage of the report;
j) the own entry number from the information system for document flow of the obliged entity or another similar registration number;
k) the unique identification number /UIN/ provided by the CPDP.
(2) In case the report lacks information on any of the details of the form, the officer responsible for reviewing reports shall notify the reporting person in writing of the need to provide additional information within 7 days in order to complete the missing information, giving instructions that failure to provide it will result in termination of the proceedings for reviewing the report. In this case, the addition to the register shall be made immediately after receipt of the additionally provided information.
(3) The entry of the circumstances under para. 1, which are not known at the date of filing the report, and of other additional circumstances and/or notes at the discretion of the responsible officer, shall be carried out in stages in accordance with the information received in the course of examining the report.
(4) When gradually supplementing data in the register, a note shall be made about the current status of the report.
(5) The register shall be kept and maintained on a durable medium within the meaning of § 1, item 18 of the supplementary provisions of the Act by the officer responsible for handling reports. The information entered in the register shall be stored in a manner that guarantees its confidentiality and security. The information from the register shall be stored in a manner that allows reproduction without loss of data.
Section IX. Processing of personal data
Art. 17. (1) Any processing of personal data carried out under these Rules, including the exchange or transmission of personal data, shall be carried out in accordance with Regulation (EU) 2016/679 (GDPR) and national legislation and internal policies of the Company.
(2) Personal data that are not necessary for conducting an investigation into a given report shall not be processed and shall be deleted in a timely manner.
Section X. Retention of reports
Art. 18. The Company shall retain the received reports of Violations, the materials attached to them, including the subsequent documentation related to their consideration for a period of 5 (five) years after the completion of the consideration of the report by it, except in the event of criminal, civil, labor and/or administrative proceedings initiated in connection with the submitted report.
Art. 19. The Company shall provide the Personal Data Protection Commission by January 31 with statistical information for the previous year regarding the number of reports received by them, their UIN, subject, the number of checks carried out, and their results.
Section XI. External Reporting
Art. 20. (1) The Central Authority for External Reporting and for the protection of persons to whom such protection is granted within the meaning of this Act is the Commission for Personal Data Protection (CPDP).
(2) In order to enable the rapid prevention of a violation or the elimination of the consequences of such a violation, the report should be submitted as a priority through the Internal Reporting channel (Chapter Three of these Rules).
(3) In the event that the reporting person is at risk of retaliation, discrimination, and that effective measures will not be taken to verify the report, the report may be submitted through the External Reporting channel in the following ways:
a) in writing:
- by email whistleblowing [аt] cpdp.bg;
- by mail to the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.;
b) orally – on site at the CPDP at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
(4) Persons submitting reports or publicly disclosing Information about violations may choose the method of reporting.
(5) The report may be submitted through an Internal or External reporting channel or both.
Section XII. Final Provisions
Art. 21. These Rules do not replace the existing procedures for considering individual complaints and reports of employees, in accordance with the internal rules and other policies of the Company.
Art. 22. In case of inconsistency between the aforementioned policies, the provisions of these Whistleblowing Rules shall prevail, in case the whistleblowers meet the conditions for receiving protection.
Art. 23. (1) The employee responsible for handling whistleblowing shall familiarize the employees of the Company with these Rules.
(2) The Rules shall be published on the official website of the Company.
Art. 24. The Company shall review these Whistleblowing Rules and their practical application at least once every 3 (three) years and update them if necessary.
Art. 25. These Internal Whistleblowing Rules were approved by Decision of the Company’s Manager on 14.12.2023 and shall enter into force on the date of their approval.
Section I. General Provisions
Art. 1. (1) These Internal Rules cover the procedure and conditions for submitting and considering reports, as well as the conditions, procedure and measures for the protection of persons who report or publicly disclose information on violations of Bulgarian legislation or acts of the European Union that threaten or harm the public interest and European Union law in accordance with Directive (EU) 2019/1937 on the protection of persons who report violations of EU law and in accordance with the Act on the Protection of Persons Reporting or Publicly Disclosing Information on Violations (hereinafter referred to as the “Act/s”).
(2) These Internal Rules have been developed on the basis of Art. 12, para. 1, item 2 of the Act.
(3) These Internal Rules aim to provide protection to persons who file reports or publicly disclose information about violations of Bulgarian legislation or acts of the European Union, which became known to them during or in connection with the performance of their employment or official duties or in another Work context.
(4) The Internal Rules govern the process of receiving, analyzing, and processing reports of violations, including fraud, money laundering, bribery, corruption, unfair practices, insider trading, and other illegal actions, immoral or unethical behavior.
(5) All reports that meet the requirements of the Law and these Internal Rules are reviewed by a responsible employee and form the basis on which the Company takes Subsequent Actions to eliminate the violations found.
(6) Each report should be reviewed in accordance with the legal requirements for confidentiality in order to protect the identity of the sender of the report.
Section II. Definitions
Art. 2. In these Internal Rules, the following terms are used with the following definitions:
• “Violations” are actions or omissions that are:
◦ unlawful and are related to Bulgarian legislation or European Union acts in the areas specified in Art. 3 of the Act, or
◦ contradict the subject matter or purpose of the rules in the European Union acts and the areas specified in Art. 3 of the Act.
• “Employer” is any natural person, legal person, or its division, as well as any other organizational and economic separate entity that independently hires workers or employees under an employment and service relationship, including for performing home work and remote work, and for sending them to perform work in a user enterprise.
• “Information on infringements” is information, including reasonable suspicions, about actual or potential Violations that have been committed or are likely to be committed in the organization where the reporting person works or has worked, or in another organization with which the reporting person is or has been in contact in the course of his/her work, as well as about attempts to conceal Violations.
• “Work context” is current or past work activities in the public or private sector through which, regardless of their nature, individuals receive Information on infringements and within which these individuals may be subject to Retaliation if they report such information.
• “Person concerned” is a natural or legal person who is identified in the reporting or in the public disclosure of information as a person to whom the breach is attributed or with whom this person is associated.
"Retaliation" means any direct or indirect action or inaction that occurs in a Work context, is caused by an internal or external whistleblowing or by a public disclosure, and that causes or may cause adverse consequences that harm a person under Art. 3, para. 1.
•"Follow-up action" means any action taken by the person receiving the report or by a competent authority to assess the accuracy of the allegations made in the report and, where appropriate, to address the reported violation, including through actions such as an internal inquiry, investigation, prosecution, actions to secure funds, or the conclusion of the procedure.
• “Sufficient data” is data from which a reasonable assumption can be made about a violation that falls within the scope of this law.
• “Internal reporting” is the oral or written communication of Information about violations within a legal entity in the private or public sector.
• “External reporting” is the oral or written communication of Information about violations to the competent authorities.
•"Durable medium" is any information carrier enabling the obliged entities under Art. 12, para. 1 of the Act on the Protection of Persons Filing Reports or Publicly Disclosing Information on Violations or the Personal Data Protection Commission to store information, which allows easy use in the future for a period corresponding to the purposes for which the information is intended, and which allows the unchanged reproduction of the stored information.
• A “minor case” exists when the violation committed reveals a clearly insignificant degree of danger in view of the absence or insignificance of the harmful consequences.
Section III. Internal Reporting
Art. 3. (1) These Rules shall apply to a natural person reporting a Violation that has become known to him/her in his/her capacity as:
a) a worker within the meaning of Article 45(1) of the Treaty on the Functioning of the European Union, including a worker, an employee, or any other person who performs paid work for the Company, regardless of the nature of the work, the manner of payment, and the source of financing;
b) a person with the status of a self-employed person within the meaning of Article 49 of the Treaty on the Functioning of the European Union, including a person who performs work without an employment relationship and/or exercises a liberal profession and/or a craft activity;
c) a volunteer, paid or unpaid, and an intern;
d) partners in the Company and managers of the Company;
e) all persons who are contractors of the Company, including employees of partners, contractors, subcontractors, clients, or service providers;
f) a person whose employment relationship with the Company is about to begin in cases where information about the Violations was received during the selection process or other pre-contractual relations;
g) an employee, where the information was received within the framework of an employment relationship with the Company that has been terminated at the time of filing the report or public disclosure.
(2) The persons under para. 1 who acquire data and information in a professional context about possible actions committed by persons having professional relations with the Company, in the course of their activities or influencing it, have the right to protection when submitting a report, to the extent that they have reasonable grounds to believe that the information is correct at the time of submitting the report, such information falls within the scope of art. 3 of the Act, and the report of the violation was submitted under the terms of these Rules and the Act.
(3) The identity of the reporting person may not be disclosed to anyone other than the responsible officer competent to receive and process reports of Violations without the express consent of that person. This also applies to any other information from which the identity of the reporting person can be established.
(4) Exceptions to the prohibition under para. 3 is allowed in the event that this is a necessary and proportionate obligation imposed by a regulatory act in the context of investigations by national authorities, including with a view to protecting the rights of the Person concerned.
Art. 4. (1) The Company shall appoint, by an internal act of the management body, an employee responsible for examining reports under these Internal Rules.
(2) The designated employee under para. 1 may be replaced if necessary in the same manner as he was appointed.
(3) The designated employee under para. 1 must be independent in his activities from the other employees of the Company, in order to avoid situations in which a conflict of interest may arise and to guarantee the confidentiality of the identity of the reporting persons.
Art. 5. (1) These Rules establish an e-mail address: whistleblowing [аt] bags.bg, as an internal channel for reporting Violations.
(2) Reports may also be submitted in the following ways:
a) In writing on paper - to the correspondence address of the Company in the town of Veliko Tarnovo, p.c. 5000, 1 A “Kozludzha” str.
b) Orally - by telephone to the employee responsible for handling reports under these Internal Rules or through other voice messaging systems;
c) Through a personal meeting - at the request of the reporting person, through a personal meeting agreed upon between the parties at a time convenient for them.
Art. 6. (1) Anonymous reports submitted shall not be considered under these Rules. For reports submitted by persons who cannot be contacted, Art. 8, para. 5 shall apply.
(2) Reports relating to Violations committed more than 2 (two) years ago or those that do not fall within the scope of the Act shall not be considered.
(3) All internal channels shall allow for the storage of information recorded on Durable Media for the purposes of checking the report and for further investigations.
(4) Internal reporting channels shall be managed by the employee responsible for handling reports, who shall ensure the confidentiality of the identity of the reporting person and any third party who has filed a report and shall limit access to it by unauthorized employees.
(5) Persons who have anonymously filed a report not in accordance with the procedure of the Act or publicly, but anonymously, have disclosed Information about violations, and have subsequently been identified and have become the subject of Retaliatory Actions, have the right to protection, when the conditions under Art. 6, para. 1 and Art. 7 of the Act are met.
Art. 7. (1) Reports shall be submitted by filling out a form according to a template that can be found on the official website of the Commission for Personal Data Protection (CPDP) https://www.cpdp.bg/index.php?p=sub_rubric&aid=282 and shall contain at least the following data:
a) the sender’s full name, address, and telephone number, as well as an e-mail address, if any;
b) the names of the person against whom the report is being submitted and his/her place of work, if the report is being submitted against specific persons and they are known;
c) specific data on the violation or on the real risk of such a violation being committed, place and period of the violation, if such a violation was committed, description of the act or situation and other circumstances, to the extent that such are known to the reporting person;
d) date of submission of the report;
e) signature, electronic signature, or other identification of the sender.
(2) In case the reporting person does not use the standard form, he/she shall indicate the data under para. 1 in another appropriate manner. In this case, the officer responsible for handling reports shall enter the information from the report into the approved form.
(3) The oral report shall be documented by filling in the form under para. 1 by the officer responsible for handling reports, who shall offer the reporting person to sign it if he/she so wishes and shall note his/her consent or refusal in the appropriate place on the form.
(4) Any type of information sources supporting the statements made therein and/or references to documents may be attached to the report, including an indication of data on persons who could confirm the reported data or provide additional information.
Section IV. Handling of Reports. Internal Review
Article 8. (1) The person responsible for receiving and reviewing reports within the Company shall register the received report with the Commission for Personal Data Protection (CPDP) for the purpose of obtaining a Unique Identification Number (UIN) by entering the following information:
a) name and UIC of the Company;
b) identification data of the employee responsible for reviewing the report;
c) subject of the report;
d) method of receiving the report (written or oral).
(2) Upon receipt of a report, the employee shall assign it a unique entry number from the Company's document management information system.
(3) The employee responsible for reviewing reports shall confirm receipt of the report within 7 (seven) days of its receipt by sending a written confirmation to the e-mail address or correspondence address specified in the report.
(4) The confirmation shall also send the reporting person the UIN of his/her report and his/her own incoming number from the Company’s document management information system in accordance with para. 1 and 2 above.
(5) If the report does not meet the requirements under Art. 7, para. 1, a message shall be sent to the reporting person (to the extent that it is possible to contact the sender) to eliminate the irregularities within 7 days of receiving the report. If the irregularities are not eliminated within this period, the report, together with its attachments, shall be returned to the reporting person. When, for objective reasons, contact with the reporting person cannot be established, the consideration of the report shall be discontinued.
Art. 9. The officer responsible for handling reports shall be obliged to:
a) ensure that the identity of the reporting person and any other person specified in the report will be duly protected, and to take the necessary measures to limit access to the report by unauthorized persons;
b) maintain contact with the reporting person, requesting additional information from him or her and from third parties if necessary;
c) provide feedback to the sender of the report on the actions taken within a period not exceeding three months after the confirmation of receipt of the report, or if no confirmation has been sent to the reporting person, after the expiry of a period not exceeding three months, counted from the expiry of the period under Art. 8, para. 3;
d) provide the persons wishing to submit a report with clear and easily accessible information on the procedures for External Reporting to the competent central authority, the Commission for Personal Data Protection, and where appropriate - to the institutions, bodies, offices, and agencies of the European Union;
e) provide the Person concerned with the opportunity to present and indicate new evidence to be collected in the course of the inspection.
f) provide the Person concerned with all the evidence collected and provide him or her with the opportunity to object to it within a period of 7 days, while respecting the protection of the reporting person.
Art. 10. The officer responsible for examining reports shall, within the scope of his competence, verify its reliability, and if it contains obviously false or misleading statements of fact, he shall return it with an instruction to the sender to correct the statements and a warning of the liability he bears under Art. 286 of the Criminal Code for persuasion.
Art. 11. (1) The officer responsible for examining reports may request additional information from the reporting person and from third parties to clarify the factual situation of the submitted report.
(2) In the course of the verification, written explanations shall also be heard and/or collected from the person against whom the report was submitted, and additional evidence shall be collected, in case he wishes to present such.
Section V. Follow-up to the Report
Art. 12. (1) If the facts stated in the report are confirmed as a result of the investigation and on the basis of the evidence collected and assessed, the officer responsible for handling reports:
a) organizes the taking of follow-up actions in connection with the report, and for this purpose may require the assistance of other persons or departments of the Company;
b) proposes to the Company to take specific measures in order to stop or prevent the violation in cases where such a violation has been established or there is a real danger of its imminent commission;
c) directs the reporting person to the competent authorities when his rights are affected;
d) forwards the report to the External Reporting Authority of the CPDP if action is required on its part, and the reporting person is notified of the referral in advance;
(2) In case the report is filed against the Company in its capacity as an Employer, the employee responsible for handling reports shall direct the person to simultaneously report to the External Reporting Authority.
Art. 13. As a result of the investigation, the employee responsible for handling reports shall prepare an individual report, briefly describing the information from the report, the actions taken, and the final results of the investigation into the report, which together with the reasons shall be communicated to the reporting person and the person concerned, while respecting the obligation of confidentiality.
Section VI. Termination of the inspection
Art. 14. (1) The officer responsible for reviewing reports may terminate the inspection in the event that:
a) he/she establishes that the reported violation is a Minor case and does not require further Follow-up actions;
b) in the case of repeated reports, there is no new information in connection with an already terminated inspection for a violation, unless new circumstances and facts require the undertaking of Follow-up actions;
c) when data on a committed crime is established. In this case, the report and the materials to it shall be sent immediately to the prosecutor's office.
(2) The reporting person shall be notified of the decision to terminate and the reasons for it.
(3) In cases where the investigation is terminated on the grounds of para. 1, items 1 and 2, the reporting person may file a report to the central body for External Reporting – CPDP
Section VII. Forwarding of the Report
Art. 15. (1) The employee responsible for handling reports shall forward to the CPDP, within 7 days, a report for which it is established that:
a) it was received by an Employer from the private sector who is not an obligated entity within the meaning of the law and is not obliged to establish and maintain an Internal Reporting Channel;
b) reports Violations committed by persons holding high public positions under Art. 6 of the Anti-Corruption and Forfeiture of Illegally Acquired Assets Act, for the purpose of subsequent referral to the Commission for Anti-Corruption and Forfeiture of Illegally Acquired Assets;
c) refers to the activities of another obliged entity under Art. 12, para. 1 of the Act, without it being specifically mentioned in the report;
d) there is a need for action to be taken by the CPDP.
(2) When referring to Para. 1, the responsible officer shall send to the CPDP all the initial and/or subsequently collected documentation to it, without deleting data, and shall also notify the reporting person thereof.
Section VIII. Register of Reports
Art. 16. (1) The submitted reports shall be entered by the responsible person in a register of reports for Violations, established under these Rules, which shall not be public and shall include the following information:
a) the person who received the report;
b) the date of submission of the report;
c) the affected person, if such information is contained in the report;
d) summary data on the alleged violation, such as the place and period of commission of the violation, description of the act, and other circumstances under which it was committed;
e) the connection of the submitted report with other reports after the establishment and in the process of processing the report;
f) information provided as feedback to the person who submitted the report and the date of its provision;
g) the Follow-up actions taken;
h) the results of the verification of the report;
i) the period of storage of the report;
j) the own entry number from the information system for document flow of the obliged entity or another similar registration number;
k) the unique identification number /UIN/ provided by the CPDP.
(2) In case the report lacks information on any of the details of the form, the officer responsible for reviewing reports shall notify the reporting person in writing of the need to provide additional information within 7 days in order to complete the missing information, giving instructions that failure to provide it will result in termination of the proceedings for reviewing the report. In this case, the addition to the register shall be made immediately after receipt of the additionally provided information.
(3) The entry of the circumstances under para. 1, which are not known at the date of filing the report, and of other additional circumstances and/or notes at the discretion of the responsible officer, shall be carried out in stages in accordance with the information received in the course of examining the report.
(4) When gradually supplementing data in the register, a note shall be made about the current status of the report.
(5) The register shall be kept and maintained on a durable medium within the meaning of § 1, item 18 of the supplementary provisions of the Act by the officer responsible for handling reports. The information entered in the register shall be stored in a manner that guarantees its confidentiality and security. The information from the register shall be stored in a manner that allows reproduction without loss of data.
Section IX. Processing of personal data
Art. 17. (1) Any processing of personal data carried out under these Rules, including the exchange or transmission of personal data, shall be carried out in accordance with Regulation (EU) 2016/679 (GDPR) and national legislation and internal policies of the Company.
(2) Personal data that are not necessary for conducting an investigation into a given report shall not be processed and shall be deleted in a timely manner.
Section X. Retention of reports
Art. 18. The Company shall retain the received reports of Violations, the materials attached to them, including the subsequent documentation related to their consideration for a period of 5 (five) years after the completion of the consideration of the report by it, except in the event of criminal, civil, labor and/or administrative proceedings initiated in connection with the submitted report.
Art. 19. The Company shall provide the Personal Data Protection Commission by January 31 with statistical information for the previous year regarding the number of reports received by them, their UIN, subject, the number of checks carried out, and their results.
Section XI. External Reporting
Art. 20. (1) The Central Authority for External Reporting and for the protection of persons to whom such protection is granted within the meaning of this Act is the Commission for Personal Data Protection (CPDP).
(2) In order to enable the rapid prevention of a violation or the elimination of the consequences of such a violation, the report should be submitted as a priority through the Internal Reporting channel (Chapter Three of these Rules).
(3) In the event that the reporting person is at risk of retaliation, discrimination, and that effective measures will not be taken to verify the report, the report may be submitted through the External Reporting channel in the following ways:
a) in writing:
- by email whistleblowing [аt] cpdp.bg;
- by mail to the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.;
b) orally – on site at the CPDP at the address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
(4) Persons submitting reports or publicly disclosing Information about violations may choose the method of reporting.
(5) The report may be submitted through an Internal or External reporting channel or both.
Section XII. Final Provisions
Art. 21. These Rules do not replace the existing procedures for considering individual complaints and reports of employees, in accordance with the internal rules and other policies of the Company.
Art. 22. In case of inconsistency between the aforementioned policies, the provisions of these Whistleblowing Rules shall prevail, in case the whistleblowers meet the conditions for receiving protection.
Art. 23. (1) The employee responsible for handling whistleblowing shall familiarize the employees of the Company with these Rules.
(2) The Rules shall be published on the official website of the Company.
Art. 24. The Company shall review these Whistleblowing Rules and their practical application at least once every 3 (three) years and update them if necessary.
Art. 25. These Internal Whistleblowing Rules were approved by Decision of the Company’s Manager on 14.12.2023 and shall enter into force on the date of their approval.
