Internal Whistleblowing Procedure

§ 1

The internal reporting procedure (hereinafter: the “Procedure”) sets out the rules for making internal reports of breaches of law and for taking follow-up actions pursuant to the Act on the Protection of Whistleblowers (hereinafter: the “Act”).

§ 2

Whenever the Procedure refers to:

  • Whistleblower – this shall mean a natural person making an internal report, external report, or public disclosure in a work-related context, including an employee, former employee, job applicant, a person performing work on a basis other than an employment relationship, a volunteer, trainee, entrepreneur, a person working under the supervision and direction of a contractor, subcontractor or supplier, as well as an applicant or beneficiary of tasks carried out by the company.
  • Work-related context – this shall mean the entirety of circumstances connected with an employment relationship or another legal relationship constituting the basis for the provision of work, under which information about a Breach was obtained.
  • Public disclosure – this shall mean making information about a breach of law available to the public.
  • Internal report – this shall mean the provision by the Whistleblower directly to Ornsson Solutions of information, including a reasonable suspicion, concerning an actual or potential Breach that has occurred or is likely to occur within the company, or concerning an attempt to conceal a Breach.
  • External report – this shall mean the provision by the Whistleblower to a public administrative authority competent for receiving and publicly disclosing breaches of law, and for receiving external reports of breaches of law in areas covered by the Directive, of information, including a reasonable suspicion, concerning an actual or potential breach of law that has occurred or is likely to occur within the company, or concerning an attempt to conceal a breach of law.

§ 3

  1. The Procedure covers the reporting of information on breaches of law obtained in a work-related context, concerning the areas specified in Art. 3(1) of the Act, in particular:
  • corruption;
  • public procurement;
  • counteracting money laundering and terrorist financing;
  • environmental protection;
  • consumer protection;
  • privacy and personal data protection;
  • security of network and ICT systems.

§ 4

  1. Both named and anonymous reports are accepted.
  2. If the Whistleblower wishes to receive confirmation of receipt of the report and feedback on the follow-up actions taken, they should provide their email address. Failure to provide a contact address does not prevent the report from being reviewed; however, the company will not be obliged to provide information to the Whistleblower.

§ 5

  1. The tasks related to:
    • receiving internal reports,
    • taking follow-up actions,
    • maintaining the register of internal reports,
    • communication with the Whistleblower,
    • coordination of other activities arising from the Act,are entrusted to the President of the Management Board, hereinafter referred to as the “Internal Reporting Officer” or the “Officer.”
  2. The Officer may grant further authorisations to perform activities provided for in the Act and in the Procedure, including delegating to other persons the tasks assigned to the Officer.
  3. The Officer may appoint a deputy who will replace them during their absence within the scope of the authorisation granted.
  4. Managers of organisational units and employees of Ornsson Solutions are obliged to assist the Officer and other persons in carrying out activities provided for in the Procedure.

§ 6

  1. Internal reports may be submitted by the Whistleblower through the following channels:
    • a direct meeting with the Officer or via MS Teams after prior email arrangement;
    • email address: [email protected];
    • anonymous online reporting form: [link];
    • postal address: Ornsson Solutions Sp. z o.o., ul. Wiejska 17/3, 00-480 Warsaw, with the envelope marked “Do not open – to the attention of the Internal Reporting Officer only.”
  2. If a report is received by an unauthorised employee, they shall forward it immediately to the Officer without making any changes to the report.
  3. Submitting a report of a breach of law in any other way does not deprive the Whistleblower of protection and does not affect the manner in which the report is processed.

§ 7

  1. Oral reports submitted via MS Teams or during a meeting are recorded in a protocol. The person receiving the report should aim to obtain from the Whistleblower as comprehensive information as possible. In the case of an in-person report, the protocol shall be presented to the Whistleblower for approval.
  2. The protocol shall not include special category data within the meaning of Art. 9 GDPR, which have not been made public by the data subject, nor personal data that are clearly irrelevant to the consideration of the report.
  3. Written reports sent by post or email should contain the history and background of the observed irregularity, including:a) a description of the incident;b) the names of persons involved and their role in the irregularity;c) a description of any evidence (if available) in the form of documents, emails or other materials.

§ 8

  1. If the report meets the requirements of the Act and the Procedure, the Officer shall provide the Whistleblower with confirmation of receipt within 7 days of its receipt, unless no contact address was provided.
  2. If the report does not meet the requirements of the Act or the Procedure, the Officer shall inform the reporting person within 14 days of receipt that the report will not be considered under the Act. The Officer may also inform the reporting person that the matter will be considered under separate regulations.
  3. The Officer shall provide the Whistleblower with feedback on the results of the investigation and any further follow-up actions within 14 days of completing the investigation.
  4. If the period referred to in paragraph 2 would exceed 3 months from the date of receipt of the report, the Whistleblower must additionally be informed of the progress of the investigation within no more than 3 months from the date of receipt.

§ 9

  1. The Officer shall take follow-up actions on each report that meets the requirements of the Act and the Procedure.
  2. Follow-up actions include:
    • preliminary assessment of the report to prepare the investigation,
    • the investigation itself to establish the facts and assess the truthfulness of the information,
    • further follow-up measures to counteract the effects and causes of the breach or reduce the risk of such breaches.
  3. If the report concerns the Officer or their deputy, an authorised employee shall forward it directly, bypassing the chain of command, to Mr. Grzegorz Koterwa, Member of the Management Board, who will appoint an impartial team to carry out the investigation. The report shall not be recorded in the internal reports register until the investigation is complete. Contact with Mr. Koterwa: [email protected].

§ 10

  1. The investigation shall be carried out by a team of at least two persons.
  2. The composition of the team must ensure the necessary competence and impartiality.
  3. The Officer may appoint themselves, other employees of Ornsson Solutions, and external persons to the team.
  4. The team may use internal and external experts.
  5. The investigation must be conducted with due diligence, protecting the identity of the Whistleblower, the person concerned, and other protected information.
  6. The team shall ensure the right of defence to the person concerned.
  7. The team and its members are entitled to:
    • direct access to documents and data of Ornsson Solutions related to the case;
    • obtain processed and unprocessed information from employees;
    • access premises for inspections and evidence preservation;
    • obtain oral and written explanations;
    • consult with the Whistleblower through authorised persons.
  8. In justified cases, the Officer may request additional authorisations, e.g., access to computer or phone data.
  9. Employees, managers, and the Data Protection Officer must provide all necessary assistance.

§ 11

  1. Upon completion, the team shall prepare a protocol with the factual findings and conclusions on whether a breach occurred. The Officer approves it and determines follow-up actions.
  2. Approval of the protocol concludes the investigation.
  3. If further actions are needed later, Ornsson Solutions reserves the right to define additional required measures.

§ 12

  1. Statutory protection against retaliation (including threats and attempts) applies to:
    • the Whistleblower,
    • persons assisting them,
    • persons connected to the Whistleblower.
  2. This Procedure also provides internal protection against retaliation for:
    • employees receiving and registering reports,
    • persons conducting investigations and their assistants,
    • witnesses.
  3. Confidentiality means protection against unauthorised access.
  4. All persons are obliged to maintain confidentiality regardless of how they obtained the data.
  5. Confidentiality covers any information that may directly or indirectly identify such persons.
  6. The identity of Whistleblowers whose reports are not pursued must also be protected.
  7. If retaliation or threats occur, the matter must be reported to the Officer for further action.

§ 13

  1. The Officer carries out information activities related to the application of the Act and the Procedure.
  2. Any employee may request oral or written advice from the Officer regarding reporting and whistleblower protection.
  3. The Officer publishes information on the Procedure internally and externally.

§ 14

  1. The Officer, in agreement with relevant bodies, defines the forms and methods of keeping the register.
  2. Access is granted only to the Officer and authorised persons.
  3. Authorisations may be for full or partial access, in edit or view mode.
  4. The register includes qualified and repeated reports.
  5. The register contains in particular:a) report number;b) date of internal report submission;c) date of receipt;d) reporting method;e) subject of breach;f) Whistleblower’s personal data or “anonymous report”;g) data of person concerned;h) contact address;i) date of confirmation;j) results of the investigation;k) follow-up actions;l) date of feedback;m) feedback content;n) results of external proceedings;o) case closure date;p) date of data deletion.
  6. Fields are completed without undue delay.
  7. Special category data not made public are excluded from the register.
  8. Irrelevant personal data must be deleted within 14 days.
  9. Copies of reports with such data removed must be made and used going forward.

§ 15

  1. The Officer assesses whether the Whistleblower has provided credible evidence justifying immediate referral to law enforcement or other competent authorities.
  2. This may concern the most serious offences or the need for operational or investigative techniques from the outset.
  3. In justified cases, the Officer prepares a referral for signature by the unit head and cooperates with authorities.
  4. This mode is exceptional; the default is internal investigation.

§ 16

  1. The Whistleblower has the right to make an external report without first making an internal one.
  2. Such a report may only concern breaches in areas listed in Art. 3(1) of the Act.
  3. The report must be in a work-related context; otherwise, it will not be considered.
  4. An external report may be submitted to:
    • the Ombudsman, who will forward it to the competent authority;
    • directly to the competent Polish public authority;
    • the relevant EU institution, body or agency if within its remit.
  5. The public authority is competent if it has the power to investigate the suspected breach. Examples:
    • supervisory authorities (mayor, voivode, minister);
    • market regulators (e.g., KNF, UKE, KRRiT);
    • sector supervisors (e.g., UOKiK, NFZ, ZUS, KRUS, UODO, tax administration);
    • inspection authorities (e.g., Chief Inspector of Environmental Protection, Sanitary Inspector).