Whistleblowing Policy

INTERNAL REPORTING REGULATIONS
Grand Parade Sp. z o.o.

Section I
Preliminary Provisions

§ 1

The Internal Reporting Regulations (hereinafter referred to as the “Regulations”) are issued pursuant to Article 24 (1) of the Whistleblower Protection Act of 14 June 2024 (Journal of Laws 2024, item 928, as amended, hereinafter referred to as the “Act”) and implement the obligations referred to in Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

§ 2

The Regulations are an internal normative act aimed at creating a comprehensive framework that enables Whistleblowers to make reports, ensures their appropriate protection, including the protection of personal data and protection against retaliatory actions, as well as overseeing the actions of employees, collaborators, and the bodies of Grand Parade Sp. z o.o. (hereinafter referred to as the “Company”), and promoting actions in accordance with the law and ethics.

§ 3

  1. The terms used in these Regulations have the following meanings:

    1. follow-up action – actions taken by the Company to assess the accuracy of the information contained in the report and to prevent the breach that is the subject of the report, including such actions as an investigative procedure, initiating an audit, commencing disciplinary proceedings, filing a notice of suspected criminal activity, or closing the internal procedure if no breach is found;

    2. retaliatory action – any direct or indirect act or omission in a work-related context that is caused by the report or disclosure and that violates or may violate the rights of the Whistleblower or causes or may cause unjustified harm to the Whistleblower, including the unjustified initiation of proceedings against the person making the report;

    3. feedback – information provided to the Whistleblower about the planned or taken follow-up actions and the reasons for such actions;

    4. Investigating Committee – an organisational unit of the Company appointed by the Coordinator supporting him in the correct assessment of the report and taking appropriate follow-up actions.

    5. Coordinator – a person within the organisational structure of the Company authorised to verify the report, communicate with the Whistleblower, and provide feedback, as well as conducting the proceedings and their resolution;

    6. breach – an act or omission that is unlawful or intended to circumvent the law and concerns areas specified in the Act, including, among others:

      • corruption;

      • public procurement;

      • financial services, products, and markets;

      • prevention of money laundering and terrorist financing;

      • product safety and compliance;

      • transport safety;

      • environmental protection;

      • consumer protection;

      • privacy and data protection;

      • security of networks and information systems.

    7. person concerned by the report – a person indicated in the report or public disclosure as having committed a breach of law, or as a person associated with the individual who committed the breach of law;

    8. Whistleblower, reporting person – a natural person who reports or publicly discloses information about a breach obtained in a work-related context, as specifically defined in the Act, including, among others;

      • an employee or job applicant;

      • a person providing work on a basis other than an employment contract, including under a civil law contract, or a candidate to perform such work;

      • a proxy;

      • a shareholder or partner;

      • a person providing work under the supervision and direction of a contractor,

        • subcontractor, or supplier;

      • an intern, volunteer, or apprentice.

    9. report – an oral or written internal or external report, submitted in accordance with the requirements specified in the Act;

    10. internal report – an oral or written communication to the Company of information about a breach of law;

    11. external report – an oral or written communication to the Ombudsman or a public authority of information about a breach of law.

 

Section II

Rules for Submitting a Report

§ 4

  1. A report may be submitted in the following ways, at the Whistleblower’s discretion

    via the form available at:

    1. https://secure.ethicspoint.eu/domain/media/en/gui/107382/index.html

    2. via the hotline +48 800-005-056

  2. The reporting channel specified in Section 1(a) and (b) above are managed by NAVEX Global, Inc. (with a principal office at: 5885 Meadows Road, Suite 500, Lake Oswego, Oregon, 97035 USA), which provides the Ethics Point platform and hotline (hereinafter referred to as “NAVEX”), authorised by the Company as an external entity to receive reports.

  3. Information about the person currently serving as the Coordinator is available on the website: https://grandparade.co.uk/whistleblowing-policy

  4. An oral report made via a recorded telephone hotline or other recorded voice communication system is documented with the Whistleblower’s consent in the form of:

    1. a recording of the conversation, allowing it to be retrieved, or

    2. a complete and accurate transcript of the conversation prepared by NAVEX.

  5. In the case referred to in Section 4 above, the Whistleblower may review, correct, and approve the transcript or record of the conversation by signing it in such a way that the content of the report will be read aloud by a NAVEX employee, giving the Whistleblower the opportunity to modify and verify his/her report.

 

§ 5

  1. The report of a breach should include, in particular:

    1. the details of the person reporting the breach, including contact information (not applicable in cases of anonymous reports)

    2. the date and location of the breach;

    3. a description of the reported breach;

    4. the details of the person or persons concerned by the report – if applicable;

    5. the details of other persons with knowledge of the breach (witnesses, victims, etc.), including their contact information – if applicable;

    6. the details of persons connected with the reporting person – if applicable;

    7. indication of evidence confirming or making the breach of regulations or internal procedures plausible, and which may assist in clarifying the report (any documents or information).

  2. The report may include optional information on whether the Whistleblower is or was an employee of the Company; whether the matter being reported has already been investigated, and if so, with what result; whether superiors were or are involved in the breach; whether superiors were informed of the breach, etc.

 

§ 6

  1. A report of a breach may refer only to actual events that may constitute a breach. Only reports made in good faith will be considered in a manner that guarantees the Whistleblower protection against retaliatory actions. A report made in good faith is understood to mean a report that the Whistleblower had reasonable grounds to believe was necessary to disclose a breach of the law in accordance with the Act.

  2. Knowingly reporting or disclosing false information or making a report in bad faith may result in the Whistleblower being held liable for damages or subject to disciplinary action.

  3. In case of doubts regarding the independence and impartiality of the Coordinator or a member of the Investigating Committee, the report of a breach should be directed to Company’s commercial proxy. In such a case, the report should be sent to the address of the Company's registered office. This person will act as the Coordinator handling the report.

  4. A report made in any other way than specified in this Section will not be considered in accordance with the procedure provided for in the Regulations.

 

Section III

Providing Feedback

§ 7

  1.  After making a report in accordance with the principles outlined in these Regulations, the Whistleblower will be informed that the report has been accepted for investigation within a period not exceeding 7 days from the date of receipt of the report.

  2. Within a period not exceeding 3 months from the confirmation of receipt of the report (or, if no confirmation is provided, from the date of the report), the Whistleblower will receive feedback.

  3. If the Coordinator decides not to forward the report (i.e., not to accept it for investigation), they will inform the Whistleblower of this decision and provide a justification for not forwarding the report.

 

§ 8

  1. The Whistleblower will receive feedback only if the report has been made in a way that allows contact with the Whistleblower. Otherwise, the Company will be exempt from the obligation to provide feedback, noting this fact in the Internal Reports Register.

  2. If the report is made via the hotline or the form available on the website, https://secure.ethicspoint.eu/domain/media/en/gui/107382/index.html, the Whistleblower will receive a report key (referred to as the “Report Key”), i.e., a code that, along with a password, will provide access to the Whistleblower’s account where feedback will be sent.

 

Section IV

Handling of Reports

§ 9

  1. Upon receiving a report of a breach, the Coordinator will conduct a preliminary review of the report in the following areas:

    1. whether the report was made by an authorised person;

    2. whether the report concerns at least one of the breaches specified in the Act;

    3. whether the report contains the information necessary for its consideration;

    4. whether there are grounds to refrain from forwarding the report at the verification stage.

  2. If the preliminary review does not reveal any formal deficiencies and there are no reasons to refrain from forwarding the report, the Coordinator will forward the report for further consideration in the investigative procedure.

  3. The Coordinator may refrain from forwarding the report at the verification stage if:

    1. the report does not concern a breach specified in the Act;

    2. the report was made by an unauthorised person;

    3. the report has already been considered or previously refrained from being forwarded under this procedure, and no new evidence has been presented that indicates the need for reconsideration;

    4. the report is or was the subject of an external report to the Ombudsman or other public authorities;

    5. the report contains formal deficiencies that have not been corrected within the timeframe (or correction is not possible due to the Whistleblower’s failure to provide contact details);

    6. the report is highly likely to contain false information or was made in bad faith.

 

§ 10

  1. If the report is forwarded to an investigative procedure, the Coordinator will decide whether to appoint an Investigating Committee for this purpose.

  2. The Coordinator is the chair of the Investigating Committee and it’s member.

  3. The Investigating Committee will consist of individuals with the appropriate knowledge and experience required to address the case.

 

§ 11

  1. If the circumstances related to the report require it, the composition of the Committee may be changed during the procedure. The Coordinator may appoint additional individuals, including external experts, if necessary to properly assess the reported breach and take follow-up actions.

  2. Members of the Investigating Committee should not be individuals who pose a high risk of lack of objectivity and impartiality regarding the report in question.

  3. Before allowing members of the Committee to consider the case, each member must sign a declaration of impartiality and confidentiality, in accordance with the template specified in Attachment 1 to these Regulations.

  4. Additionally, before allowing members of the Committee to consider the case, the Company authorises the Committee members to process personal data for the duration necessary to conduct the investigative or subsequent procedure, according to the template in Attachment 2 to the Regulations.

 

§ 12

  1. If information is received that there are any circumstances which might raise reasonable doubts about the objectivity and impartiality of a member of the Investigating Committee, such a member shall be promptly excluded from the Committee by the Coordinator.

  2. If the Investigating Committee finds that there are any circumstances which might raise reasonable doubts about the objectivity and impartiality of the Coordinator, the Committee shall inform the Company's management board or commercial proxy, which may immediately exclude the Coordinator from further participation in the proceedings and appoint a new person in his place to fulfil the duties of the Coordinator.

  3. The Coordinator decides on the way of conducting the proceedings, its results and the adoption of follow-up recommendations.

  4. The Coordinator and the Investigating Committee conduct their activities with due diligence.

  5. Requests for the exclusion of a member of the Investigating Committee or the Coordinator due to circumstances that might raise reasonable doubts about their objectivity and impartiality may be submitted by the Whistleblower.

 

Section V

Investigative procedure and follow-up actions

§ 13

  1.  If it is determined that the information provided may be insufficient to assess the validity of the report, the Coordinator may contact the person who reported the breach to request additional information or evidence to support the claim.

  2. The Coordinator or the Investigating Committee may also request further information or documents from other individuals who may have knowledge of the event in question, including those indicated as the perpetrators of the event.

  3. The Coordinator or the Investigating Committee may interview the Whistleblower (unless they refuse to provide explanations), witnesses, the person indicated as the perpetrator of the event, and other individuals who may have knowledge of the event or possess documents confirming it.

  4. If the Coordinator finds that a breach has likely occurred, it shall notify the person indicated as the perpetrator and give them the opportunity to provide explanations and present their position on the matter.

 

§ 14

  1. The Coordinator shall refrain from conducting an investigation and taking follow-up actions in the following cases:

    1. the information obtained is insufficient to carry out an investigation;

    2. it has been determined that there are grounds for the Coordinator to refrain from forwarding the report during the verification stage;

    3. it has been determined that the information provided is highly likely to be false or the report was made in bad faith;

    4. the information provided or the evidence submitted does not indicate that a breach occurred;

    5. it has been established that a breach occurred, but its social harm is negligible;

    6. the breach is of such a nature that it is impossible or impractical to take follow-up actions, i.e., the Company does not have the authority or resources to implement measures that would be appropriate and proportional to the breach.

  2. If the Investigating Committee confirms the validity of the report during its activities, it will issue recommendations for follow-up actions, preventive measures, or actions to eliminate similar events in the future.

  3. The subsequent recommendations of the Investigating Committee may include, among others:

    1. initiating disciplinary proceedings against those who committed the breach or those who were aware of the breach and did not respond appropriately;

    2. amending or supplementing existing procedures to avoid similar breaches in the future;

    3. implementing preventive and control measures;

    4. conducting training to raise awareness among employees and collaborators;

    5. conducting audits or inspections;

    6. making changes in the management of the Company, its bodies, or departments;

    7. taking appropriate legal measures (depending on the circumstances of the event, including the extent of damage or harm), including potential legal proceedings to ensure the effective protection of the rights and interests of the Company and its employees or collaborators.

  4. The Coordinator shall read the recommendations of the Investigating Committee, decide on resolution of the case and inform the Company’s management and other individuals concerned about the subsequent recommendations and those responsible for their implementation.

  5. The Coordinator shall inform the Whistleblower about the resolution of the case.

 

Section VI

Registration of breaches

§ 15

  1. The Coordinator or the Investigating Committee shall maintain a file related to the report, which will store documentation associated with the case, including: documents, electronic correspondence, notes, reports, photographic documentation, witness statements or explanations from other individuals, and the final protocol concluding the proceedings.

  2. Upon conclusion of the case, the Coordinator shall prepare a report, which shall include, among other things:

    1. an established, as detailed as possible, description of the event;

    2. a description of the investigative activities;

    3. information on the decision made by the Coordinator, including any follow-up actions taken, subsequent recommendations issued, or the decision to refrain from forwarding the case;

    4. a plan of follow-up actions, along with the identification of the persons or departments within the Company responsible for their implementation.

 

§ 16

  1.  Every report of a breach must be recorded in the Internal Reporting Register, which is maintained by the Coordinator.

  2. The Internal Reporting Register includes:

    1. the report number;

    2. the subject of the legal breach;

    3. personal details of the Whistleblower (if applicable) and the person to whom the report pertains, necessary for the identification of these individuals;

    4. the Whistleblower’s contact address (if applicable);

    5. the date the report was made;

    6. information on the follow-up actions taken;

    7. the date the case was closed.

  3. The case files, personal data and other information in the Internal Reporting Register shall be stored in electronic or physical form for a period of 3 years after the end of the calendar year in which the follow-up actions related to the accepted report were concluded, or proceedings initiated by those actions were completed.

 

Section VII

Confidentiality and protection of personal data

§ 17

  1. The Company provides appropriate technical and organisational measures to ensure the confidentiality of the identity of the Whistleblower, the person to whom the report relates, and other individuals mentioned in the report or whose personal data has been obtained during the investigation.

  2. Only individuals with written authorisation from the Company may be allowed to receive and verify reports, take follow-up actions, and process the personal data of the individuals mentioned in point 1 above. Authorised individuals are required to maintain the confidentiality of the information and personal data obtained during the receipt and verification of internal reports and the execution of follow-up actions, even after the termination of employment or any other legal relationship under which they performed this work.

  3. The personal data of the Whistleblower, which may reveal their identity, shall not be disclosed to unauthorised persons unless the Whistleblower explicitly consents. This does not apply in cases where the disclosure of such data is a necessary and proportionate legal obligation in connection with investigative proceedings conducted by public authorities or preparatory or judicial proceedings conducted by courts, including ensuring the right to a defence for the person to whom the report pertains.

 

§ 18

  1. Upon receiving a report, the Company processes personal data only to the extent necessary for the receipt of the report or the initiation of any potential follow-up action. Personal data that is not relevant to the assessment of the report is not collected, and if inadvertently collected, it is promptly deleted. Such personal data will be deleted within 14 days from the moment it is determined that it is not relevant to the case.

  2. The Coordinator and the Investigating Committee provides individuals whose data is being collected with an information clause in accordance with Attachment 3 to this Regulation.

  3. The Company is the Data Controller of the personal data processed in connection with the received report of the breach. For all matters related to the processing of personal data and the exercise of rights related to its processing, contact can be made in writing to the Company’s registered office address or via the email address: gdpr@grandparade.co.uk

  4. The aforementioned personal data will be processed in accordance with applicable laws, and the Company will process it based on Article 6(c) of the GDPR (processing is necessary for compliance with a legal obligation to which the Data Controller is subject) or Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Data Controller).

 

Section VIII

Protection against retaliation

§ 19

  1. No retaliatory actions, attempts, or threats of such actions may be taken against the Whistleblower.

  2. The Company undertakes measures to protect Whistleblowers from retaliatory actions in accordance with the principles set out in the Act.

  3. Individuals under protection who experience any form of retaliatory actions related to the report they made may report such retaliation in the same manner as the initial breach, i.e., as specified in Section II of these Regulations. At the Whistleblower’s request, a different Coordinator from the one who previously handled the report will be assigned to the case.

  4. In the event of confirmation that retaliatory actions have been taken in connection with the reported breach, the Company will promptly take disciplinary measures against the person responsible for the retaliation.

  5. Reports made in bad faith will not be considered under the procedure outlined in these Regulations, and the person making such a report will not be afforded the protection mentioned in this chapter.

  6. Making reports in bad faith is subject to penalties under the Act, including fines, restriction of liberty, or imprisonment for up to 2 years.

  7. The provisions of this chapter apply accordingly to any person assisting in making a report and any person associated with the Whistleblower, as well as to any legal entity or other organisational unit assisting or associated with the Whistleblower, particularly those owned by or employing the Whistleblower, and also when information about the breach of the law has been reported to the relevant institutions, bodies, or organisational units of the European Union.

 

Section IX

Other Forms of Reporting

§ 20

  1. The Whistleblower is entitled to make external reports to the Ombudsman or public authorities and, where appropriate, to the institutions, bodies, or organisational units of the European Union.

  2. The Whistleblower may make an external report without first making an internal report.

  3. An external report may be made orally or in writing.

  4. An external report in document form can be made:

    1. in paper form – to the correspondence address indicated by the Ombudsman or the public authority receiving the report;

    2. in electronic form – to the email address, electronic submission box address, or electronic delivery address indicated by the Ombudsman or the public authority receiving the report, or via the designated online form or application specified by the public authority as the appropriate means for making electronic reports.

 

Section X

Final Provisions

§ 21

  1. The provisions of these Regulations shall come into force one week after their publication.

  2. In matters not regulated by these Regulations, the provisions of the Act shall apply.

  3. The attachments to these Regulations are:

    1. Attachment 1 – template for the Declaration of Impartiality and Confidentiality;

    2. Attachment 2 – template for the Authorisation to Process Personal Data;

    3. Attachment 3 – template for the RODO Information Clause.

 

Kraków, 25 September 2024