Policy for communication and handling of breach reports

This document establishes the Policy for Communication and Handling of Breach Reports (hereinafter referred to as the “Policy”), which guides the procedures applicable to the receipt, registration, follow-up, and retention of reports, in accordance with the legal principles set out in the Portuguese Law No. 93/2021 of December 20, and Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons who report breaches of Union law.

By defining this Policy and its associated procedures, we aim to ensure the implementation of an independent and diligent reporting management model, safeguarding data confidentiality, and adopting the best practices and possible preventive measures.

This Policy applies to all askblue employees and will be internally communicated to all staff and service providers. It will also be made available on the intranet for consultation.

Scope of application

Reports can only be related to the infractions (committed, ongoing, or anticipated) or attempts to conceal infractions referred to in Article 2 of the Portuguese Law No. 93/2021, of December 20, namely: public procurement; financial services, products and markets and the prevention of money laundering and the financing of terrorism; product safety and compliance; transport safety; environmental protection; protection against radiation and nuclear safety; food safety for human and animal consumption, animal health, and animal welfare; public health; consumer protection; privacy and personal data protection; and network and information systems security.

Reports can be submitted by employees, service providers, subcontractors or sub-subcontractors, clients, suppliers, as well as by any individual acting under the supervision and/or direction of askblue, or by any person who may be considered a whistleblower under the provisions of Article 5 of Law No. 93/2021 of December 20. Reports may be submitted during the recruitment process or any other phase of a pre-contractual relationship, during the professional relationship with the company, or after its termination.

Reporting channels

askblue provides the following reporting channels:

  • By email to the address compliance@askblue.com;
  • By letter sent to Avenida da Igreja, n.º 42, 4º dt.º, 1700-239, Lisboa, marked as CONFIDENTIAL and addressed to the Reporting Officer (including the whistleblower’s contact information, which may be anonymized if desired, to enable follow-up and legally required communications);
  • In person, by prior appointment requested via email to compliance@askblue.com.

askblue ensures, through access control, that only the person(s) assigned to receive and follow up on reports have access to them, and that the established reporting channels allow for the secure submission and handling of reports, in order to guarantee their completeness, integrity, and preservation, as well as the confidentiality of the whistleblower’s identity or anonymity, and the confidentiality of the identity of third parties mentioned in the reports. askblue also guarantees independence, impartiality, confidentiality, data protection, secrecy, and the absence of conflicts of interest in the operations of receiving and handling reports.

Through the first two channels identified, the whistleblower may choose to remain anonymous. In such cases, they must provide an email address or postal box that preserves their anonymity while allowing askblue to carry out the legally required communications regarding external reporting channels and the follow-up of the internal report submitted.

Reporting and handling process

Reporting and handling process
Report submission

Reports may be submitted in writing or verbally through the channels identified in the previous section. At the whistleblower’s request, verbal reports may be made in person, subject to prior scheduling of a meeting. If the report is submitted verbally, askblue, having obtained the whistleblower’s prior consent, shall record the communication on a durable and retrievable support or in a faithful transcript, both of which must be validated by the whistleblower. If the whistleblower, in order to preserve anonymity, chooses not to sign the transcript, it will be sent to the email address used to request the in-person meeting, upon closure of the process and together with information on the measures planned or adopted in response to the report. In such cases, askblue will ensure the confidentiality of the identity of the person(s) concerned by anonymizing the data contained in the durable support and will request that the whistleblower confirm the accuracy of the transcript via email.

The internal reporting channel is operated internally by askblue for the purpose of receiving and handling reports.

Preliminary validation

Upon receipt of the report, it is initially reviewed by the Reporting Officer to determine whether it falls within the scope of the internal reporting channel, to verify the allegations contained therein, and, if applicable, to promote the cessation of the violation or the reported conduct.

Depending on the nature of the report, and if its credibility justifies it, an internal investigation may be initiated, or the report may be forwarded to the competent authority for further investigation.

If the allegations in the report are entirely implausible or cannot be verified through an internal investigation, a brief analysis report will be prepared and the whistleblower will be duly informed, so that they may provide any additional information or documentation to clarify or support the report, or to enable verification of the allegations made.

Acknowledgement

If the report has been submitted through the designated channels and there is a way to contact the whistleblower, the Reporting Officer shall acknowledge receipt of the report via the respective channel within a maximum of 7 days. The whistleblower will be clearly and accessibly informed about the requirements, competent authorities, and the procedures and admissibility of external reporting.

Allegations verification

Following the receipt and validation of the report, the internal entity responsible for its follow-up and handling shall initiate an internal investigation process using the most appropriate procedures, which may include launching an internal inquiry or, if applicable, forwarding the report to the competent authority.

Resolution and communication

Following the completion of the previous phases, the process is closed, and the whistleblower is informed of the closure and of the measures planned or adopted in response to the report, within a maximum period of 3 months from the date of receipt of the report.

Records of reports, corresponding investigation reports, and supporting documents are stored on a durable and retrievable support for a minimum period of 5 years or, regardless of that period, for as long as any judicial or administrative proceedings related to the report are pending, if applicable.

Guiding Principles
Good faith and Justification

Reports, whether submitted through the appropriate communication channels or by any other means, must be based on the principle of good faith. At the time of reporting, the whistleblower must have sufficient grounds to believe that the information provided is true and warrants independent investigation, presenting all facts of which they are aware.

Confidentiality and Personal Data Processing

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, the personal data of both the whistleblower and any third parties, shared at the time of the report and/or during the investigation process, shall be used solely for the purposes set out in this Policy.Personal data that are not relevant to the handling of the report must be deleted, and the provisions of section 5.5 regarding data retention shall not apply to such data.

The identity of the whistleblower and any information provided that could lead to their identification are confidential in nature and shall only be accessible to the Reporting Officer, unless disclosure is required by legal obligation or court order. The same level of confidentiality applies to anyone who receives information related to a report, even if they are not responsible for its receipt or follow-up.

Non-Retaliation

A retaliatory act is understood as any act or omission which, directly or indirectly, occurring in a professional context and motivated by an internal report, external report, or public disclosure, causes or may unjustifiably cause the whistleblower material or non-material harm. Following the submission of a report, the whistleblower shall not be subject to any retaliatory act by askblue. This protection does not apply if it is found that the whistleblower acted in bad faith or knew at the time of the report that the information provided was false or unfounded. In such cases, disciplinary proceedings may be initiated.

Approval and Review

This Policy was approved by the Management and has been in effect since 18 June 2022. This Policy shall be reviewed every three years or, in any case, whenever a review is necessary to better adapt the whistleblowing channel and the established procedures, or in the event of changes to the applicable legal framework.

  • Law No. 93/2021 of 20 December – Establishes the general framework for the protection of whistleblowers in cases of breaches.
  • Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 – On the protection of persons who report breaches of Union law.

Let’s empower your business together