SC GRAFFITI PLUS S.A. wishes to provide both its employees and business partners with a working environment with a high degree of trust, having zero tolerance for any violation of legal provisions that could have a negative impact on the Company's reputation, image and credibility.
The Company's policy on whistleblowers in the public interest complies with the provisions of Act No. 361/2022 on the protection of whistleblowers in the public interest ("Act No. 361") which transposes Directive (EU) 2019/1937 on the protection of persons reporting breaches of Union law ("Applicable Law") and sets out the principles and procedure for reporting breaches of the law.
We encourage both the Company's employees and partners with whom the Company cooperates to report information on any actual or potential breaches of the law that have occurred or are likely to occur within the Company, as well as information on attempts to conceal such breaches.
The principles that govern the protection of Whistleblowers in the public interest (the reporting of Violations of the Law) are as follows:
(i) the principle of legality, whereby the Company ensures that it respects fundamental rights and freedoms by ensuring full respect for, inter alia, freedom of expression and information, the right to protection of personal data, the freedom to conduct a business, the right to a high level of consumer protection, the right to a high level of human health protection, the right to a high level of environmental protection, the right to an effective remedy and the right of defense;
(ii) the principle of accountability, according to which the Whistleblower who observes and reports Infringements of the law is obliged to support the Report with data or information;
(iii) the principle of impartiality, according to which the examination and resolution of the Reports shall be carried out without subjectivity, irrespective of one's own beliefs and interests;
(iv) the principle of balance, according to which no person may take advantage of the provisions of this Policy or of Law No. 361/2022 to diminish the administrative or disciplinary sanction for a more serious act of his or her own that is unrelated to the Reporting;
(v) the principle of good faith, which protects a person who had reasonable grounds to believe that the information relating to the reported violations was true at the time of the report and that the information fell within the scope of this Policy and/or Act 361/2022.
This Policy applies to Reports relating to:
Violations of Law that pertain to the areas covered by Act No. 361, specifically, but not limited to, the following areas:
(i) public procurement;
(ii) financial services, products and markets; and
(iii) product safety and conformity;
(iv) transportation safety;
(v) environmental protection;
(vi) food and feed safety, animal health and animal welfare;
(vii) public health;
(viii) consumer protection;
(ix) protection of privacy and personal data and security of networks and information systems.
Fraud and any other illegal activities affecting the financial interests of the European Union, as detailed in the relevant European Union measures;
Infringements related to the internal market of the European Union - free movement of goods, persons, services and capital, including infringements of European Union competition and state aid rules, as well as infringements related to the internal market in respect of acts which infringe corporate tax rules or mechanisms the purpose of which is to obtain a tax advantage that is contrary to the object or purpose of the applicable corporate tax law.
For the purposes of this Policy, a Whistleblower may be any person who makes Reports and who has obtained information relating to Violations of the Law, in a Professional Context, such as the following categories of persons:
(i) Individuals who are in an employment relationship or service relationship with the Company, pursuant to the provisions of common or special law on the matter, and perform work for remuneration;
(ii) Individuals whose employment relationship has not yet commenced and who make Reports through internal or external reporting channels or publicly disclose information on Breaches of the Law obtained during the recruitment process or other pre-contractual negotiations or where the employment or service relationship has ended, as well as volunteers or trainees;
(iii) self-employed persons within the meaning of Article 49 of the Treaty on the Functioning of the European Union;
(iv) shareholders and persons who are members of the administrative, management or supervisory bodies of the Company, including non-executive members;
(v) any person working under the supervision and direction of a person who is or has been a contractor of the Company, and/or its subcontractors or suppliers.
Reporting in writing can be made via the online reporting form in the dedicated section of the website or by email to facilitator@grf.plus.
If you consider that your Report has not been effectively resolved through these channels or that there is a risk of Reprisals, you may Report externally by addressing, as appropriate, the National Integrity Agency (integritate.eu) or the public authorities and institutions that, according to special legal provisions, receive and resolve Reports on Breaches of the Law within their area of competence.
The Company, as personal data controller, in compliance with the provisions of Law no. 361/2022 and the General Data Protection Regulation no. 679/2016 ("GDPR"), will process your personal data in order to efficiently resolve your Reports.
The Company processes the personal data of the Whistleblowers in order to efficiently manage and resolve the Reports received, the processing being necessary in order to fulfill the legal obligations incumbent on the Company pursuant to Law no. 361/2022 (art. 6, paragraph 1, letter c GDPR).
In addition, the Company may also process this data in order to defend the Company's rights before the courts or against supervisory authorities/institutions, to exercise any defenses/rights, or to protect our interests against claims, in steps such as: the formulation of statements of defense, written conclusions, requests, specific litigation documentation. For this purpose, the legal basis is the legitimate interest of the Company (Art. 6, para. 1 lit. f GDPR).
In the case of a Confidential Report made via the online form by one of the persons defined as Whistleblowers for the purposes of this Policy ("Data Subject"), the Company will process the following personal data:
Full name;
Telephone Number;
Mailing Address;
Your position in relation to the Company;
Your signature;
Any other personal data that may be identified in the Report (for example, data extracted from the description of the professional context in which the information was obtained, the description of the fact likely to constitute a Breach of the law within the Company and/or evidence in support of the Report).
The Company will not share the Processed Personal Data with third parties other than relevant authorities and/or entities, and in that situation it will do so only to achieve the purposes or to ensure compliance with the legal obligations detailed above.
As a general rule, the Company will not transfer Data Processed under this Section outside the European Economic Area (EEA). For the purposes of resolving certain Reports, the Company may transfer some Personal Data to other affiliated entities.
We will store Personal Data for the period required by Applicable Legislation, i.e. 5 years. Upon expiry of this period, the Reports and the personal data collected on the basis thereof will be destroyed, regardless of the medium on which they are stored.
The Company ensures the technical and organizational measures necessary for the collection, processing and safekeeping of data, including against unauthorized access and unauthorized use of data.
Under the GDPR, as a Data Subject, you have a number of rights in relation to the processing of your personal data by the Company, namely: the right to be informed, the right of access to data, the right to object to the processing of data for certain purposes, the right to withdraw your consent, the right to erasure (right to be forgotten), the right to restriction of processing, the right to rectification, the right to portability, the right to complain to the ANSPDCP.
The Company is at your disposal for any queries, clarifications or any details you may need regarding this Section and the processing of your data by the Company. You may also contact us for any suggestions or comments related to this Section or the way we collect and use your data at gdpr@grf.plus.