Whistleblowing Notice

HOW TO REPORT BREACHES

HANDBOOK

of

EKO Bulgaria EAD

This Handbook is issued pursuant to the Protection of Persons Who Report or Publicly Disclose Information on Breaches Act.

This Handbook is to inform you of the terms and conditions under which you may report breaches, including reasonable suspicions of actual or potential breaches, at or affecting EKO Bulgaria EAD (the "Company").

  1. Who can report?

You can and should report if, in the course of your employment or official duties or in any other work-related context, you become aware of information about a breach at or affecting the Company. Our reporting channel is open not only to our employees, but to all persons who have information about breaches at or affecting the Company. 

  1. What kind of breaches can you report?

You can report if you believe that you have information about breaches of Bulgarian and European legislation in connection with or arising from the Company's activities.

Attention! You should not be concerned if you do not have sufficient knowledge to identify the breach, but you have reliable information or a reasonable suspicion that it may have been committed or is very likely to be committed.  Please notify the Company as set out below in any such case. 

Specifically, you may report if you have information or suspicions about the following breaches at or affecting the Company:

ü  Breaches of applicable legislation in the area of public procurement

ü  Breaches of applicable legislation in the area financial services, prevention of money laundering and financing terrorism

ü  Breaches of product safety regulations or other product-related regulations

ü  Breaches of transport safety regulations

ü  Breaches of applicable legislation in the area of protection of the environment

ü  Breaches of radiation protection and nuclear safety regulations

ü  Breaches of food and feed safety, animal health and welfare regulations

ü  Breaches of public health regulations

ü  Breaches of applicable legislation in the area of consumer protection

ü  Breaches of privacy, personal data protection regulations, and network and information systems security

ü  Breaches affecting the financial interests of the European Union, and breaches of internal market rules, including rules on European Union and Bulgarian legislation on competition and State aid

ü  Breaches of corporate tax rules or arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law

ü  General offences of which you became aware in a work context

ü  Violation of the rules for payment of outstanding public state and municipal entitlements

ü  Labour law violations and violations related to the performance of government service.

  1. How can you report it?

You can report in one or both of the following ways:

ü  through the Company's internal reporting channel, or

ü  through the Commission for Personal Data Protection (CPDP), at the following address: 1592 Sofia, 2, Prof. Tsvetan Lazarov Blvd., email: whistleblowing@cpdp.bg,  website: www.cpdp.bg,  or

We encourage you to prioritise reports via the internal reporting channel of the Company so that they can be handled promptly and efficiently.

The Company has undertaken to provide timely and adequate processing of a report submitted via the internal reporting channel, so choosing this method would not hinder or delay in any way the actions for curing the breach, if such is ascertained.

Apart of the reporting methods described above, you can publicly disclose the information about the breach, subject to the conditions laid down in the Protection of Persons Who Report or Publicly Disclose Information on Breaches Act.

  1. How can you use the internal channel of the Company?

You may report a breach by submitting your report to the following employee who has been appointed by the Company to be responsible for the handling of reports ("Contact Person"): Ms. Desislava Vasileva, Compliance Manager in one of the following ways:

4.1                   by email, to the following email address for reports: whistleblowing@eko.bg , or

4.2                   by post, to the address of the Company: city of Sofia, 1797, 3 Lachezar Stanchev Str, Litex Tower, 9th floor, with a note on the envelope stating that the item is “private” to the attention of the Contact Person, or

4.3                   by calling the following telephone number of the Contact Person: +359 2 448 5530, or

4.4                   through a personal meeting arranged with the Contact Person.

When you have reason to believe that a conflict of interest would arise when submitting the report to the Contact Person, you may submit your report to the Substitute Contact Person, Mr Atanas Smilianov Deputy Director Supply Division (contact details: tel. +359 2 448 5553, e-mail: whistleblowing2@eko.bg, address: Sofia, 1797, 3 Lachezar Stanchev Str, Litex Tower, 9th floor)

Verbal reports (by telephone and by arranging a personal meeting) can be submitted during Company business hours.

Written reports (by email or by post) can be submitted at any time.

When submitting a written report, please complete the Report Form, approved by CPDP, which can be downloaded from HERE. You can also submit a written report in free form. When submitting a free-form report, please provide your contact details so that we can contact you if necessary to clarify the information in the report and to inform you of the progress and action taken on your report.

Your report must be as complete, truthful, objective, and unbiased as possible and contain sufficient specific information to allow verification. The report must contain specific details of the breach or of a real risk of it being committed; the place and time of the breach; a description of the act or the circumstances and such other circumstances as far as they are known. You may attach to your report any documents or information to support your allegations, and you may also refer to persons who could confirm the data reported by you or provide additional information.

We encourage you to report a breach as soon as you become aware of it or have established it so that we can act on it as promptly and effectively as possible. We will not consider reports relating to breaches committed more than two years ago. 

  1. What happens after you report a breach?

Where you report a breach through the Company's internal channel, the Contact Person will notify you within 7 days after receipt of the report that the report has been received.

The Contact Person will verify reports that are plausible. Reports that contain clearly false or misleading statements shall be returned to you with instructions to rectify the statements and inform you of your liability for making false accusations. The report will be returned to you if it does not contain the necessary information for verification and you have not rectified the irregularities within the additional time limit allowed.

The Contact Person will get in touch with you if you have to provide further information for the purpose of verification of the report.

No later than three months after the acknowledgment of receipt of the report, the Contact Person will provide feedback to you on the actions taken in relation to your report. The information will be provided irrespective of whether the verification has been completed or is still ongoing. Notwithstanding the foregoing, you may at any time request information from the Contact Person regarding the report you sent.

Upon completion of the verification, you will be informed of the final result of this verification.

  1. What protection do you have if you REPORT A BREACH?

When you report a breach, the report is not anonymous and you had grounds to believe that the information on the breach in the report was correct at the time of its submission, you are guaranteed the following protections:

6.1                   Confidentiality

Your identity will be kept confidential and will not be disclosed to others, either during or after the completion of the verification of your report, unless absolutely necessary or with your written consent.

6.2                   Protection from retaliation

You will be protected from any retaliation, threats or attempts to retaliate in connection to your report. If, as a Reporting Person, you become the target of such retaliation, please notify the Contact Person so that you can be immediately assisted.

6.3                   Exemption from liability for obtaining, accessing and disclosing the information

You will not be held liable for obtaining or accessing the information reported unless it constitutes a criminal offence. You will not be held liable for the disclosure of information, provided that there were reasonable grounds for you to believe that the information was true, and that reporting was necessary to reveal the breach.

  1. Where to find more information?

If you have any questions on how to report breaches and the protection of Reporting Persons, please get in touch with the Contact Person listed in section 4 above. 

Information on the reporting of breaches through external channels or through public disclosure can be obtained from the website of the Commission for Personal Data Protection, as follows: www.cpdp.bg   

The Handbook was adopted on 17.12.2023

EKO Bulgaria EAD