Fermator

Legal Ethical Channel

Last update: 17 Feb 2026

1. OBJECTIVE

The purpose of the management procedure of the Internal Information System is to regulate those acts and procedures carried out by THE ENTITY as a result of the submission of information referred in the Spanish Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption (hereinafter, Law 2/2023).

 

2. RELEVANT REGULATIONS AND LEGISLATION

  • Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory breaches and the fight against corruption, by transposition of Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of EU law.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data (General Data Protection Regulation or GDPR).
  • Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights (LOPD GDD).

 

3. SCOPE OF APPLICATION

These regulations are applicable to the entire scope of action of THE ENTITY and its contents derive from the more general guidelines defined in the entity’s Information Security Policy.

It shall be mandatory for all personnel who, on a permanent or temporary basis, provide their services in THE ENTITY, including the personnel of external providers when they are users of THE ENTITY’s Information Systems.

 

4. DEFINITIONS

For the purposes of this regulation, the following definitions shall apply:

  1. Informant: natural or legal person who has obtained information on infringements in a work or professional context and who brings them to the attention of THE ENTITY, including in any case those provided for in Article 3 paragraphs 1 and 2 of Law 2/2023.
  2. Affected person: natural person to whom the informant attributes the commission of the offences referred to in article 2 of Law 2/2023. Affected persons will also be considered those who, without having been informed by the informant, through the investigative acts of the procedure have become aware of the alleged commission by them of the aforementioned infringements.
  3. Third parties: natural persons who may have knowledge of aspects related to the reported infringement, either as direct or indirect witnesses and who may contribute information to the proceedings.
  4. Internal Information System: this is the information channel established in THE ENTITY to report on the actions or omissions provided for in article 2 of Law 2/2023, with the functions and contents set out in article 5.2 of said regulation. It includes the Internal Information Channel and the Information Management System.
  5. Internal Information Channel: this is the channel specifically set up by THE ENTITY to receive information related to the object of this procedure, under the administration of the person in charge of the ENTITY’s Internal Information System.
  6. Information Management System: technological platform integrated into the Internal Information System, the purpose of which is to keep, record and preserve the actions that take place because of the submission of information to which Law 2/2023 is applicable.

 

5. RIGHTS AND GUARANTEES OF INFORMANTS

Informant persons will be guaranteed the effective exercise of the following rights, without prejudice to any others recognized by the Constitution and the laws:

  1. To submit information anonymously and to maintain anonymity during the procedure.
  2. To make the communication orally or in writing. In the case of oral submission, the informant will be offered the opportunity to verify, rectify and accept the transcription of the message by signing it.
  3. To indicate an address, email address or safe place to receive communications from the System Manager.
  4. To appear before the System Manager or the delegated manager on his/her own initiative.
  5. To the waiver of the right to communicate with the System Manager or the delegated manager who instructs the procedure and, where appropriate, to the revocation of such waiver at any time.
  6. To the preservation of their identity. The identity of the informant may not be disclosed without his or her express consent to any person who is not competent to receive and handle the complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by the authorities or in the course of legal proceedings.
  7. To the protection of your personal data.
  8. To know the identity of the delegated manager who instructs the procedure.
  9. To confidentiality of communications.
  10. To the protection and support measures in the terms provided for in Law 2/2023.
  11. To lodge a complaint with the Independent Whistleblower Protection Authority.
  12. Not to be subject to reprisals, even if the results of the investigations will verify that there has been no breach of the applicable regulations or the Code of Ethics of THE ENTITY, provided that it has not acted in bad faith.

 

6. OBLIGATIONS OF THE INFORMANTS

The informants shall be subject to the following obligations regarding the submission of their communications through the Internal Information Channel:

  1. Have reasonable or sufficient indications of the certainty of the information they communicate, and generic communications may not be made, in bad faith or with abuse of rights, in which case they could incur in Civil, criminal, or administrative liability.
  2. Describe in the most detailed way possible the facts or conduct they communicate, providing all available documentation on the situation described or objective indications to obtain evidence.
  3. Refrain from making communications with a purpose other than that envisaged by the Channel or that violates the fundamental rights to honour, the image and personal and family privacy of third parties or that are contrary to the dignity of the person.

 

7. RIGHTS OF THIRD PARTIES

The following rights shall be recognised for persons considered as third parties in the procedure, without prejudice to the possibility of extending to them, as far as possible, the support and protection measures for the whistleblower provided for in Law 2/2023.

  1. To indicate an address, e-mail address or safe place where you can receive communications to the System Manager.
  2. To appear before the System Manager or the delegated manager on his/her own initiative.
  3. To the preservation of their identity. The identity of the third party may not be disclosed without its express consent to any person who is not competent to receive and manage the complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations conducted by the authorities or in the course of legal proceedings.
  4. To the protection of your personal data.
  5. To the confidentiality of communications.
  6. Not to be subject to reprisals.

 

8. RIGHTS OF DATA SUBJECTS

Affected persons shall have the rights recognized by the Constitution and the laws, compliance with which the System Manager shall be obliged to ensure. In particular, they shall have the following rights:

  • To be informed, as soon as possible, of the information that affects them.
  • To Honor and Intimacy
  • To the presumption of innocence and to use all legally valid means of defence.
  • To be assisted by a lawyer.
  • To access to the proceedings against them, without prejudice to any time
    • limitations that may be adopted to guarantee the outcome of the proceedings.
  • To know the identity of the delegated manager who instructs the procedure.
  • To preserve their identity, vis-à-vis any person outside the System Manager.
  • To the protection of the personal data
  • To the Confidentiality of communications.

 

9. THE PERSON IN CHARGE OF THE INTERNAL INFORMATION SYSTEM

  1. System Manager is the person or collegiate body referred to in Article 8 of Law 2/2023, who shall be appointed by the Management.
  2. System Manager, in the exercise of his/her powers, may not receive instructions from any other area of THE ENTITY, nor may he/she be removed from his/her positions for issues related to his/her participation in the Internal Information System. They are also independent in the exercise of their functions and are not subject to hierarchy within that collegiate body.

 

10. ACCESS TO PERSONAL DATA IN THE INTERNAL INFORMATION SYSTEM

Access to personal data in the Internal Information System by the staff of THE ENTITY shall be limited, within the scope of their competences and functions and regardless of the professional responsibilities of the persons who finally form part of the collegiate body responsible for the System, to:

  1. System Manager or his/her delegate.
  2. The Responsible for People Management, when disciplinary measures may be taken against an employee of THE ENTITY.
  3. The responsible for the Legal Office, if it is appropriate to adopt legal measures in relation to the facts reported in the communication.
  4. The data processors that may be appointed.
  5. The data protection officer of THE ENTITY

The processing of data by other persons, or even its communication to third parties, shall be lawful when it is necessary for the adoption of corrective measures in the entity or the processing of the sanctioning or criminal proceedings that, where appropriate, may be appropriate.

 

11. PERIODS OF PROCEDURE

  1. The period for resolving the investigation actions to which the information management procedure gives rise may not exceed 3 months, except in cases of special complexity, in which case the System Manager may, with reasons, agree to extend this period up to a maximum of a further three months.
  2. The computation of the period referred to in the previous section starts from the receipt of the communication by the System Manager or, if an acknowledgement of receipt is not sent to the informant, from the expiry of the period of seven days after the communication has been received.

    Time period expressed in months shall be computed from date to date.

  3. The period in days referred to in this regulation shall be considered working days, unless it is expressly indicated that they are natural.

    Saturdays, Sundays and public holidays are excluded from the calculation of the period in working days.

 

12. PERSONAL DATA PROTECTION

  1. The processing of personal data arising from the processing of this information management procedure shall be carried out in accordance with the provisions of Title VI of Law 2/2023.
  2. The Internal Information System must prevent unauthorised access and preserve the identity and guarantee the confidentiality of the data pertaining to the persons concerned and to any third parties mentioned in the information provided, in particular the identity of the informant if identified.

    The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or punitive investigation, and these cases shall be subject to the safeguards established in the applicable regulations.

  3. If the information received contains special categories of data, it shall be immediately deleted, unless the processing is necessary for reasons of an essential public interest in accordance with the provisions of article 9.2.g) of the General Data Protection Regulation, as provided for in article 30.5 of Law 2/2023.
  4. Personal data shall not be collected if it is manifestly not relevant for the processing of specific information or, if collected by accident, shall be deleted without undue delay.
  5. In any case, after 3 months have elapsed from receipt of the communication without any investigation having been initiated, the communication must be deleted, unless the purpose of storage is to leave evidence of the operation of the system.

    Communications that have not been processed may only be recorded in anonymized form, without the obligation to block provided for in article 32 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights being applicable.

 

13. PROCEDURE Phase of receipt of information

The information on the commission of infringements referred to in article 2.1 of Law 2/2023, as well as any other arising from the processing of this procedure, shall be communicated in writing or orally through the electronic means established for this purpose in the internal information channel enabled on the website of THE ENTITY.

At the request of the informant, it may also be presented through a face-to-face meeting within a maximum period of seven days.

Verbal communications, including those made through a face-to-face meeting, telephone or voice messaging system, should be documented in one of the following ways, with the prior consent of the informant:

  1. by a recording of the conversation in a secure, durable, and accessible format, or
  2. through a complete and accurate transcription of the conversation made by the staff responsible for processing it.

Without prejudice to his or her rights, in accordance with the regulations on the protection of personal data, the informant will be offered the opportunity to verify, rectify and accept the transcription of the conversation by signing it.

In any case, the communication must contain at least the following information:

  • Identification of the informant unless the informant chooses to submit the information anonymously.
  • Description of the facts and, where appropriate, determination of the rule concerned.
  • Identification of the person or persons affected.
  • Identification, where appropriate, of third parties who may provide relevant information.
  • If the right to waive communication with the System Manager is exercised.

The informant may indicate an address, e-mail address, or safe place for the purpose of receiving communications.

Once the communication has been received, within seven calendar days of its receipt, receipt will be acknowledged and the justification shall be communicated to the informant, unless no means of contact has been provided or the person exercises the right to waive communication with the System Manager or the delegated manager in charge of the procedure.

 

Admission Phase

Once the communication has been registered, the System Manager must check whether it exposes facts or conduct that are within the subjective scope of application provided for in article 3 of Law 2/2023 and, within ten working days from the date of entry of the information in the register, may:

  1. Inadmissibility of the communication, in any of the following cases:
    • When the facts reported lack all plausibility
    • When the facts reported do not constitute an infringement of the legal system within the scope of application of Law 2/2023.
    • When the communication is unfounded or there are reasonable grounds to believe that it was obtained through the commission of an offence. In the latter case, in addition to the inadmissibility, a detailed account of the facts deemed to constitute an offence shall be sent to the Public Prosecutor’s Office.
    • When the communication does not contain new and significant information on offences in comparison with a previous communication in respect of which the corresponding proceedings have been concluded, unless there are new circumstances that justify a different follow-up.
    • The inadmissibility shall be communicated to the informant within five working days, unless the communication is anonymous or the informant has waived receiving communications.
  2. Admitting the communication for processing. The informant shall be notified of the admission for processing within the following five working days unless the communication is anonymous or the informant has waived the right to receive communications.
  3. Immediately forward the information to the Public Prosecutor’s Office when the facts may be indicative of a crime or to the European Public Prosecutor’s Office in the event that the facts affect the financial interests of the European Union.
  4. Send the communication to the authority, entity or body considered competent to process it.

 

Instruction Phase

The investigation shall include all those actions aimed at verifying the plausibility of the facts reported.

The delegated manager appointed by the System Manager shall be considered the instructor of the procedure.

Within a maximum period of 15 days from the decision of admission, the affected person shall be informed of the existence of the actions and the facts reported in a succinct manner, unless such communication may facilitate the concealment, destruction and alteration of evidence, in which case, the delegated manager, in a reasoned manner, may modify said period until such circumstances disappear.

Under no circumstances will the identity of the informant be communicated to the affected parties or given access to the communication.

In order to guarantee the right of defence of the affected person, he or she shall have access to the file without revealing information that could identify the person giving the information, and may be heard at any time, and shall be advised of the possibility of appearing with the assistance of a lawyer.

The affected person has the duty to maintain the confidentiality of the information to which he/she becomes aware as a result of access to the file, and any action aimed at identifying the informant or third parties is prohibited, without prejudice to the obligations arising from compliance with the regulations on the personal data protection.

 

Completion Phase

Once the actions have been concluded, the System Manager shall issue a report to be forwarded to the Managing Director of THE ENTITY, containing at least:

  1. A statement of the facts reported together with the file number, the date of registration and the date of the admission agreement.
  2. The actions carried out in order to verify the plausibility of the facts, which will include, at least and in a succinct manner, the allegations made by the affected person, including the interview, if applicable, the documentation provided by the latter or collected by the System Manager through third parties and any other information on which the adopted resolution is based.
  3. The conclusions reached in the investigation and the assessment of the proceedings and the evidence supporting them.
  4. The decisions taken.

Likewise, the report shall be notified to the informant, to the extent that he/she is identified and has not made use of the right of waiver to communicate with the System Manager and the affected person.

The period to complete the actions and provide a response to the informant, where applicable, may not exceed three months from the date of entry into the register of the information management system, without prejudice to the extension of the period provided for in article 9 of Law 2/2023.