Communications Management Procedure

1            OBJECTIVE

The purpose of this procedure is to establish a mechanism of reporting individuals or whistleblowers, in accordance with Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and combat corruption (hereinafter, “Law 2/2023, of 20 February”), which transposes into Spain DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, of 23 October 2019, on the protection of persons who report breaches of Union law.

2            SCOPE

This procedure applies to all Aortyx members as well as the following people in relation to the company:

  • Employees, including those whose employment or professional relationship has already ended.
  • Self-employed individuals.
  • Volunteers.
  • Interns.
  • Applicants in the recruitment process.
  • Partners, shareholders.
  • Members of the management body.
  • Anyone working under the supervision of contractors, subcontractors or suppliers.

3            RESPONSIBILITIES

Table 1. Responsibilities.

Personnel/TeamResposabilities
CEOAct as the Head of the internal information system at Aortyx
All personnelBe aware of the procedure

4            RELATED DOCUMENTATION

Table 2. Related documentation.

Document codeDocument name
POL-028-01Name
FRM-028-01Internal information report

5            PROCEDURE

5.1        Introduction

AORTYX, S.L. (hereinafter, “AORTYX”) has implemented the email whistleblower@aortyx.com as the main and preferred channel available to all managers, employees, collaborators, suppliers and clients, as well as any other third party, to report possible breaches or violations of any of the organization’s internal policies, or to report any irregularity they detect in the performance of their duties, as well as any infringement or omission they become aware of that could constitute a breach of European Union law or its financial interests, or criminal or administrative offences within the Spanish legal framework, as outlined in the AORTYX internal information system policy (POL-028-01).

This document sets out the communication management procedure, which establishes the necessary provisions for the internal information system to comply with the requirements set forth in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption (hereinafter, “Law 2/2023, of 20 February”).

Although the Internal information system is the preferred channel, alternatively any natural person may report to the Independent Authority for the Protection of Whistleblowers (hereinafter, “A.A.I.”) or to the relevant regional authorities or bodies, any action or omission, either directly or after communication through the aforementioned System and in accordance with the terms set out in the aforementioned Law 2/2023, of 20 February.

5.2        Stages of the communication management procedure

At AORTYX, the receipt of any communication made through the internal information system is managed by the Head of the internal information system, who guarantees at all times respect for independence, confidentiality, data protection, secrecy of communications and has access only to the organization’s internal information system, designed through the email inbox whistleblower@aortyx.com. Additionally, the following means of reporting are available for reporting:

  • Postal address: Aortyx SL, C/ Gaspar Fàbregas i Roses, 81, 08950, Esplugues de Llobregat, and the information must be directed to the Head of the internal information system.
  • In person meeting: requesting a meeting with the Head of internal information system to report orally.

Such communication shall be made in writing and may be anonymous or nominal, in any case being confidential and including a description of the facts, identification of the persons involved, and, if possible, providing evidence supporting the reported breach and explaining the circumstances in which the information was accessed.

The communication may also be made verbally, either by telephone or via a voice messaging system.

Additionally, the whistleblower may request a face-to-face meeting with the Head of the internal information system, which will be held within a maximum period of seven (7) days from the request, in the manner the entity deems most appropriate while preserving the confidentiality of the information. The information received during this meeting will be recorded, with the whistleblower being informed in advance of this circumstance. They will also be advised about the processing of their personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Organic Law 3/2018 of 5 December on Personal Data Protection and guarantee of digital rights, Organic Law 7/2021 of 26 May on personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and the execution of criminal sanctions, and the aforementioned Law 2/2023, of 20 February. Alternatively, the meeting may be documented through a complete and accurate transcript of the conversation. After this referral, its processing and management will be carried out in accordance with this procedure.

If the communication is received through internal channels other than those established by AORTYX or is addressed to staff members not responsible for its processing, the organization will still guarantee confidentiality, warning that failure to comply would constitute a very serious breach of the Law and that, immediately, the communication will be forwarded to the Head of the system.

Upon receipt of a communication or information, the Head will be responsible for initiating the corresponding investigation process, if applicable, to clarify the facts reported.

Within seven (7) calendar days of receiving the communication, an acknowledgement of receipt will be sent to the whistleblower. This acknowledgement will be included in the file, always including clear and accessible information on external information channels before the competent authorities.

In cases where sending an acknowledgement of receipt could endanger the confidentiality of the communication, to ensure confidentiality, it will not be sent until a reasonable period has elapsed.

As mentioned in previous paragraphs, as an alternative to this preferred internal information system, reports can be made to the A.A.I. or the relevant regional authorities or bodies of any action or omission that may constitute any of the breaches that may be reported through the internal information system, either directly or after communication through the aforementioned system, following the provisions of Annex 1 on external information channels.

5.3        Admission procedure

After receiving the communication, the Head will assign a registration number corresponding to its file and a series of codes to anonymize both the whistleblower and the person under investigation, the facts, and any other third party who may be affected by the communication.

The code will have the following structure:

WTB-YYYY-XXX (where YYYY refers to the year and XXXX is a consecutive number starting by 001).

To protect information privacy, these records will be kept in a restricted SharePoint folder accessible only to the Head of internal information systems.

Firstly, if the Head of the internal Information system is implicated in the communication, they will be required to recuse themselves from managing and processing the received communication and will be replaced. Consequently, the investigation will be assumed by a substitute appointed by the AORTYX Governing Body to handle these particular cases.

Such substitutions and new appointments will be recorded in writing in the minutes and in the opening of the file.

Finally, after receiving the communication, the Head will record the following information:

  • Objective data of the communication: facts, dates, names, amounts, places, contacts, etc., provided by the person making the communication.
  • Subjective data: opinions, rumors, ideas, and assessments that the whistleblower considers necessary in the account of the communication.
  • An assessment by the Head as to whether the communication is associated with a possible or alleged infringement or is merely a claim or suggestion relating to improving a business area, working conditions, etc.

If the Head becomes aware that the reported facts may prima facie constitute a crime, they will immediately forward the information to the Governing Body, who must decide on its immediate referral to the Public Prosecutor’s Office.

5.4        Investigation procedure

If communication is admitted for processing, the general rule is that the investigation will be led and conducted by the Head.

If possible, the whistleblower may be asked to provide additional information necessary for the course of the investigation arising from their communication.

At this stage, the person under investigation will be notified and interviewed, being informed of their right to be informed of the actions or omissions attributed to them, and may also exercise their right to be heard, without in any case being informed of the identity of the whistleblower.

Third parties involved (if any) will also be summoned and interviewed to explain and present any allegations they consider appropriate. Any necessary investigative actions will be carried out for the parties, and all actions will be documented in the file.

Investigative actions carried out towards third parties or other bodies, areas or departments of AORTYX must maintain the anonymity of both the whistleblower and the person under investigation, as well as the reasons for the communication.

Confidentiality of information, presumption of innocence, and respect for the honor of all persons affected will be ensured at all times.

During this stage, the Head:

  • Will investigate the facts reported, specifically:
  • The objective and subjective elements provided by the whistleblower, prioritizing objective elements supported by documentation that proves, in whole or in part, the reported facts.
  • The reputation, seriousness and reliability of the whistleblower.
  • The allegations and exculpatory evidence provided by the person under investigation.
  • Evidence gathered from third parties, or from other bodies, areas or departments involved.
  • Will analyze and assess the potential consequences that the reported facts may produce:
  • First, the Head will check whether these facts occurred due to a significant lack of internal controls at AORTYX. If so, they will propose urgent remedial and preventive measures to avoid new risks.
  • Second, if the seriousness, specificity or complexity of the facts so advises, the Head may appoint another senior professional or a third-party specialist to assist in the investigation. Also, if the reported facts could result in asset losses, the Head will take measures to stop or mitigate such losses. If there is a risk of loss or destruction of evidence relevant to the communication, before starting the investigation the Head will ensure the preservation of evidence. The Head will also assess whether to inform the governing bodies of this communication. Lastly, they will check whether harm may have been caused to third parties, in which case the extent of the harm and the need to inform the affected third party will be evaluated.

The period for conducting the investigation and providing a response to the whistleblower regarding the actions taken and their outcome will depend on the seriousness of the reported facts and their potential consequences, with the duration of this stage being at the discretion and risk of the HEAD. However, according to Article 9.2(d) of Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption, this period may not exceed three (3) months from receipt of the communication, or, if no acknowledgement of receipt was sent to the whistleblower, three (3) months from the expiry of the seven (7) day period after the communication was made. This is except in cases of particular complexity, where the period may be extended by a further maximum of three (3) months.

If the communication contains personal data of third parties other than the person under investigation (for example, witnesses, suppliers, clients, etc.), the Head will record in writing that all unnecessary personal information provided must be deleted for the purposes of the investigation, and will inform the third parties whose data are to be processed. The information will comply with the informational requirements of data protection regulations, omitting the identity of the whistleblower, which must remain confidential.

All these notifications will be decided by the Head of the system, will be recorded in writing in the file, and will be executed through the email inbox whistleblower@aortyx.com or the additional means of reporting available and mentioned above in 5.2.

5.5        Completion of proceedings

After the investigation of the communication and with the supporting documentation used to clarify the facts, a verdict or resolution will be drawn up with the following content:

  • Description of the facts: communication registration number; date of communication; reported facts; involved parties; documentation provided during the investigation by both parties (whistleblower and person under investigation), by other bodies, areas or departments or by third parties; interview with the person under investigation and/or with third parties, etc.
  • Analysis and assessment of the evidence obtained.
  • If the reported breach is confirmed, the Head will include in the verdict recommendations considered necessary to improve the internal controls and protocols that were deficient in this instance.
  • Resolution: it will be reasoned and include the grounds for which it is FILED WITHOUT SANCTION, FILED WITH SANCTION, or REPORTED TO THE AUTHORITIES.
  • FILED WITHOUT SANCTION: After investigation, if it is concluded that the reported breach is manifestly minor and requires no further follow-up, it will be filed. Filing is also appropriate in cases of repeated reports that do not contain new and significant information about previously reported breaches whose investigation process has already concluded, unless there are new factual or legal circumstances justifying different follow-up. In these cases, the whistleblower must be informed of the decision and the decision must be reasoned.
  • FILED WITH SANCTION: the Head may propose the imposition of a sanction, but the decision will rest with the Governing Body in coordination with human resources specialists, following the procedures indicated for the application of labor sanctions in the organization.
  • REPORTED TO THE AUTHORITIES: If the received communication appears at first sight to be related to the commission of a crime, the Head will immediately notify the Governing Body for assessment of its referral to the Public Prosecutor’s Office.

In this regard, the Spanish Criminal Procedure Act states in Article 259 that anyone witnessing the commission of a public offence is obliged to immediately inform the nearest investigating judge, magistrate, local or municipal judge, or public prosecutor, under penalty of a fine of 25 to 250 pesetas.

However, the duty to report to the competent authorities is increased for certain offences distinguished by criminal law. In this respect, Article 450 of the Spanish Criminal Code addresses the “omission of duties to prevent offences or to promote their prosecution”, penalizing anyone who fails to prevent the commission of a crime affecting life, integrity or health, liberty or sexual freedom, if they could have done so by immediate intervention without risk to themselves or others, and anyone who, being able to do so, fails to go to the authorities or their agents to prevent such crimes of which they have knowledge of their imminent or ongoing commission.

Therefore, if after the investigation the facts are confirmed to be true, AORTYX will take all necessary measures to put an end to the reported event and, where appropriate and taking into account the nature of the event, will apply the actions it deems appropriate as laid down in the disciplinary regime, current labor legislation and, where applicable, in accordance with the aforementioned criminal legislation.

The measures that may be imposed internally will not in any way limit the exercise of legal actions that AORTYX may take.

In all cases, the RESOLUTION will be notified to both the whistleblower and the person under investigation, taking into account the maximum period of three (3) months from receipt of the communication. The whistleblower will not be notified if they have waived this, if there are no contact details, or if the whistleblower is anonymous.

After this, the Head will order its FILING, in all cases complying with current data protection legislation.

In the case of FILING WITH SANCTION, the notification to the person under investigation will contain the adoption of the contractual, disciplinary or judicial measures to be taken.

AORTYX guarantees, as stated in its Internal Information System Policy, that no retaliation will ever be taken against anyone who, in good faith brings to its attention an unlawful act, collaborates in its investigation, or helps to resolve it. This guarantee does not extend to those who act in bad faith with the intention of spreading false information or harming others. Against such unlawful conduct, AORTYX will take legal or disciplinary measures as appropriate.

5.6        Register of communications

The Head maintains a register of communications received and the internal investigations resulting from them, enabling them to store and/or retrieve key information about each incident, including the date and source of the original communication, the investigation plan, results of interviews or any other investigative procedure, pending tasks, final resolution, as well as the chain of custody of any key evidence or information.

5.7        Personal Data Protection

As stated in the AORTYX internal information system policy, the processing of personal data arising from the application of this policy and the present Communication Management Procedure is governed by Title VI of Law 2/2023, of 20 February, by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, by Organic Law 3/2018 of 5 December on Personal Data Protection and the guarantee of digital rights, and by Organic Law 7/2021 of 26 May on personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and the execution of criminal sanctions.

Considering the principle of data minimization established by the General Data Protection Regulation and reflected in Law 2/2023, of 20 February, AORTYX will only process the personal data necessary for the knowledge and investigation of the actions or omissions subject to investigation through the Internal System. Consequently, if the personal data collected are not considered necessary or it is proven that the information is not accurate, AORTYX will proceed to delete them in accordance with the terms set out in Article 32 of Law 3/2018.

Likewise, AORTYX may only process special category data to the extent that such data are necessary for the adoption of corrective measures or disciplinary procedures, and must otherwise proceed to their immediate deletion as mentioned above.

Finally, AORTYX must ensure that those affected by the processing of personal data as a result of the investigation can exercise their rights of access, rectification of inaccurate data, erasure, restriction, portability, objection, and not to be subject to a decision based solely on automated processing. For the exercise of these rights, it should be noted that the right of access may not include information about the whistleblower, and that the right of objection of persons under investigation may be refused on legitimate grounds.

6            REFERENCES

  • Spanish Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and combat corruption
  • Directive (EU) 2019/1937 OF The European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law.

Aortyx
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.