Compliance Channel

Objective

To determine how to report any perceived or evidenced breach of the behavioural guidelines described in the Code of Conduct, Code of Conduct for suppliers, the Harassment Protocol in the System's procedures or any of the legal and labour requirements that Vicomtech must comply with, including possible criminal risks that may result in a crime, according to article 31 bis of the Criminal Code in force, the good practices to which the Centre adheres and the guidelines to be complied with derived from the Policy and Values.

Scope

Everyone who has a professional or employment relationship with Vicomtech, including subcontractors and suppliers or people working under the supervision and direction of Vicomtech, as well as those who have already terminated their professional relationship or even people who participate in recruitment processes.

The scope of the Procedure is also extended to individuals who aid or support to the informant, to persons around the informant who may suffer reprisals, as well as to legal persons owned by the informant.

Definitions

For this procedure the following terms are defined:

• Compliance Channel: communication channel with the Compliance Committee to report, request information, or send suggestions on issues relating to compliance or non-compliance with requirements.
• Code of Conduct: a set of behavioural guidelines, aligned with the Centre's corporate policy and values, which serves as a reference framework for people in the development of their activities and which must be complied with.
• Compliance Committee: committee responsible for compliance with the requirements in the organisation and receiving and managing body for non-compliance requests.
• Compliance: compliance with all regulatory requirements affecting the centre.
• Penal Compliance: compliance with regulatory requirements.
• Communication: any form of communication that the persons included in the Scope of Vicomtech's Compliance Channel Management policy make to the Compliance Committee through the means made available to it.

Responsibility

Vicomtech’s Management is responsible for:

• Provide the Compliance Committee with autonomous power of initiative and control in the management of the Compliance Channel.
• Appoint a Compliance Committee Manager (CCM), as well as a Compliance Channel System Manager, to manage the procedure as well as requests in the Compliance Channel.
• Provide the necessary resources to carry out the activities.

The Compliance Committee:

• It shall be made up of a Manager who shall lead the management of the communications made in the Compliance Channel.
• The Head of the Compliance Committee, based on the type of communication, shall compose the CC that will manage the communication.
• There shall be a Compliance Channel System Manager, who shall oversee the proper functioning of the procedures and tools.

Operating Systematics

Sending of information

Vicomtech enables a communication channel, called Compliance Channel, to report the perception or evidence that one or more persons do not comply with the behavioural guidelines described in the Code of Conduct, Code of Conduct for suppliers, Harassment Protocol, Policy and Values as well as requirements included in different procedures of the System, or legal requirements, including possible criminal risks that may result in a crime, according to article 31 bis of the Criminal Code in force.

The Compliance Channel allows anonymous communications to be made and they may be made by:

• Writing.
• Verbally: It will be recorded, and the person will be informed of the processing of his or her data following the provisions of the GDPR. Verbal communications shall be documented through a recording of the conversation in a secure, durable, and accessible format or through a full and accurate transcription of the conversation by the staff responsible for processing it. This type of communication may be made:
• Through voice messaging.
• By meeting: Within a maximum period of seven days from the request.

Access to this channel for reporting non-compliance will be through Vicomtech's corporate website. It consists of a communication channel addressed to the person in charge of the Compliance Committee. The technology used allows the secure transfer of relevant information. In addition, through this channel, the Compliance Committee can be asked for clarifications or make contributions or suggestions related to regulatory compliance, the Code of Conduct or the Compliance Channel itself.

All persons in management or responsible positions in the organisation who have received information of non-compliant conduct must immediately report it to the CC, keeping such information confidential. All information received through this channel shall always be treated as confidential.

Vicomtech considers this channel a very important way to communicate facts that could damage the reputation of the centre as well as its staff or students and affect its economic viability, therefore, it must be used responsibly and with the conviction that this is an act that favours the organisation. All communication made through the Compliance Channel may be made anonymously, always guaranteeing the confidentiality of the informant. The identity of informants shall in all cases be kept confidential and shall not be communicated to the persons to whom the facts reported refer or to third parties. The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor's Office, or the competent administrative authority in the context of a criminal, or disciplinary investigation. Likewise, the confidentiality of the data corresponding to the persons concerned and to any third party mentioned in the information provided shall be guaranteed. If an act of retaliation against the persons who reported a breach is detected and confirmed, the applicants will be investigated and, if appropriate, sanctioned.

Finally, in compliance with data protection regulations, data subjects who provide personal data may adhere to all the rights set out in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data and will be informed of:

• The identity and contact details of the data controller and, where applicable, his or her representative.
• The contact details of the data protection officer.
• The purposes of the processing for which the personal data are intended and the legal basis for the processing.
• The legitimate interests of the controller or a third party.
• The recipients or categories of recipients of the personal data.
• The period for which the personal data will be kept.
• The existence of the right to request from the controller access to personal data relating to the data subject, and their rectification or erasure, or the restriction of their processing, or to object to their processing, as well as the right to data portability.
• The right to complain to a supervisory authority.

Receipt of information

The information sent to the CCM must meet, to be considered as a request, minimum requirements to enable an investigation to be initiated, if necessary, with a detailed description of the event, approximate dates of its occurrence and some evidence of the event, if applicable. If the communication is not anonymous, the identity of the applicant will always be protected.

The CCM sends an acknowledgement of receipt of the communication to the informant (within seven calendar days of receipt), unless this could jeopardise the confidentiality of the communication and, depending on the elements provided, decides whether or not to process the request, within a maximum of 5 (five) working days, to proceed immediately with the investigation.

Investigation

If the request for investigation is accepted, the CCM initiates an investigation, which should be objective and impartial. Considering the time limits for resolution set out in the following section.

• The person who is the subject of the request is heard and notified of the request within a maximum period of 1 (one) month from the date of the start of the investigation.
• The person who is the subject of the request is allowed to make his/her allegations within 10 (ten) days of being informed of the fact and to be able to provide all relevant documentation based on said allegations. The investigation process associated with the requests with possible Disciplinary Offence is immediately activated, being able to activate, consequently, the monitoring and access to any information created, received, or sent through Vicomtech's computer equipment, as well as the collection of images from the video surveillance cameras. It is explicitly stated that the IT equipment is part of the centre's technological platform and must be used only for purposes related to the centre's corporate activity (not for personal use) as expressed in the Code of Conduct.
• All relevant information is gathered to make an assessment (The CCM may seek external legal advice, always ensuring the confidentiality of the information).
• The CCM should prepare a report on the outcome of the investigation, which is sent to the organisation's management.
• The organisation's Management decides whether to apply the Sanctioning Regime and determines the Offence to be imposed, which may lead to direct dismissal if there is evidence to justify it. Management will meet with the person who is the subject of the request to communicate the decision taken and show the investigation carried out.

In addition, when the facts could be suspected of constituting a crime, the information will be sent immediately to the Public Prosecutor's Office, and if the facts affect the financial stakeholders of the European Union, it will be sent to the European Public Prosecutor's Office.

Decision and deadline for resolution

The report drawn up by the CCM with the result of the investigation is sent to the Management, which has the authority to impose and execute the corresponding sanctions, considering the organisation's Disciplinary Regime and the labour agreement in force, or to file the case.

The maximum resolution period varies according to the type of sanction to be applied, being 2 months, extendable by a further 1 month (depending on its complexity) from the date of communication in the case of an investigation without an associated offence.

If it contains associated misconduct, it shall be 10 days from its communication in the case of minor misconduct, 20 days in the case of serious misconduct and 60 days in the case of very serious misconduct.

In all cases, investigations shall be completed within 3 months from the date on which the non-compliance was committed.

Communications, case closure and archiving

Once the Human Resources Department or Management has decided to dismiss the case and close it or to apply the corresponding sanctions, it will proceed to communicate it to the interested parties, protecting the identity of the applicant.

Once 3 months have elapsed since the closure of the specific case, the documentation generated in the investigation process (communications, evidence, reports) will be archived, unless a legal proceeding related to the case is in force in the Compliance Channel.

Data retention

The data processed shall be kept in the information system only for the time necessary to decide whether an investigation into the facts reported should be initiated.

The confidentiality of data relating to the persons concerned and to any third parties mentioned in the information provided shall be guaranteed.

If it is accredited that the information provided or part of it is not truthful, it shall be immediately deleted as soon as this circumstance comes to light, unless this lack of truthfulness may constitute a criminal offence, in which case the information shall be kept for the necessary time during the legal proceedings.

In any case, if three months have elapsed since the receipt of the communication without any investigation having been initiated, it shall be deleted, unless the purpose of storage is to leave evidence of the operation of the system. Communications that have not been processed may only be recorded in anonymised form, without the obligation to block provided for in article 32 of Organic Law 3/2018, of 5 December, being applicable.