INFORMATION
ON THE CONDITIONS AND PROCEDURE FOR INTERNAL SUBMISSION OF SIGNALS
This information is provided pursuant to Art. 12, para. 4 of the Law on the Protection of Persons Submitting Whistleblowers or Publicly Disclosing Information on Violations ("ZZLPSPOIN").
1. Who has the right to report?
Important! Anonymous reports are NOT considered.
2. What violations can you report?
For violations of Bulgarian and European legislation in various areas, including:
• public procurement;
• public health;
• safety of transport;
• consumer protection;
• the protection of privacy and personal data;
• the security of networks and information systems;
• violations related to cross-border tax schemes;
• committed crime of a general nature; • labor legislation;
• the legislation related to the performance of public service;
• the rules for payment of due public state and municipal receivables, etc. areas specified in ZZLPSPOIN.
Important! Reports of violations that do not fall within the scope of AZLPSPOIN, as well as reports made more than two years ago, are not considered.
3. How can you submit a report to "ROMPETROL BULGARIA" EAD?
You can submit a written report by completing a sample form in one of the following ways:
• personally, to our whistleblower;
• electronically by sending it to the following e-mail: whistleblowerRPBG@rompetrol.com
• by post or by courier service - to the address of "ROMPETROL BULGARIA" EAD (city of Sofia, "Tsarigradsko shose" Blvd. No. 115M, European Trade Center, building "D", floor 6) with an explicit indication as the addressee of the postal /courier shipment the responsible person under ZZLPSPOIN or writing on the postal envelope/courier shipment a text indicating that they contain a signal under ZZLPSPOIN.
Important! The reports must be signed by the persons submitting them. When submitted electronically, the form is signed with a qualified electronic signature.
Important! The form is NOT mandatory, but is for your convenience and contains the mandatory data that you must fill out. If your report does not meet any of the legal requirements, our employee responsible for reports will send you a notice to remedy the irregularities within 7 days of receiving the report. If the irregularities are not corrected within this period, the signal together with its attachments will be returned to you.
It is a good idea to attach any written evidence you have. Also, you can designate persons who could confirm the reported data or provide additional information.
You can make a verbal report in any of the following ways:
• on the phone of our employee in charge of signals - +359 2 985 5710
• at a personal meeting with our employee in charge of signals, which you have arranged in advance on the indicated phone number.
In these cases, our whistleblowing officer will fill in the data in the template form and give you the opportunity to check, correct and agree to the text of the conversation in writing, as well as the content of the form by signing them.
4. What happens after the report is filed?
• We will confirm receipt within 7 days and register it with a unique identification number. If the signal does not meet the requirements of the law, we will notify you to remedy the irregularity within 7 days.
• An investigation of the report will be carried out by a person who does not have a conflict of interest.
• Within three months of confirming the receipt of the signal, we will provide you with feedback with the results of the inspection and the actions taken.
5. What protections do whistleblowers have?
• Whistleblowers, as well as persons related to them (eg colleagues and relatives), are protected against unjustified disclosure of their identity, except in cases permitted by law.
• It is prohibited to take retaliatory measures against protected persons, namely: temporary suspension from work, dismissal, demotion, negative assessment of work, application of property and disciplinary responsibility, physical and verbal coercion, threat, hostility and harming their dignity , discrimination, etc.
6. What are the conditions for granting protection?
• The person submitting the report must have a reasonable reason to believe that the submitted information about the violation in the report was correct at the time of submission and that this information falls within the scope of the ZZLPSPOIN; and
• The violation report was submitted under the conditions and according to the order of the ZZLPSPOIN.
Important! The persons named in the report as violators are entitled to compensation for all pecuniary and non-pecuniary damages when it is determined that the whistleblower knowingly filed a report with false information.
7. How can you report to the COMMISSION FOR THE PROTECTION OF PERSONAL DATA?
The Personal Data Protection Commission is the Central Authority for external whistleblowing. You can also submit your report directly to her in one of the following ways:
• in writing: ¾ on e-mail: whistleblowing@cpdp.bg ¾ by mail to the address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2 ¾ through the Secure Electronic Delivery System
• orally - on site at the CPLD at the address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2
You could use the sample Form for registering a whistleblower report, which can be downloaded from the CPLD website.
The form is optional. In case you decide to use it, however, you only need to complete Parts I – V inclusive and sign it: when sending the form by post – with a handwritten signature; when sending by e-mail - with a qualified electronic signature.
If you use the System for secure electronic delivery, the employee of the CPLD responsible for considering the report will establish contact with you in order to fill in a Form for registering a report for submitting information on violations under the ZZLPSPOIN.
Important!
1) Anonymous reports are NOT considered. 2) Reports of violations that do not fall within the scope of ZZLPSPOIN, as well as reports made more than two years ago, are not considered.
3) Reports must be signed by the persons submitting them. When submitted electronically, the form is signed with a qualified electronic signature.
4) The persons named in the report as violators are entitled to compensation for all pecuniary and non-pecuniary damages, when it is established that the reporting person knowingly submitted a report with false information.
5) Assault is an offense under the Penal Code! When the whistleblower has knowingly filed a whistleblower report with false information, it is possible that the act may be qualified as solicitation, or that the whistleblower may be held criminally liable.
PRIVACY NOTICE RELATING TO DOMESTIC CHANNEL BREACH REPORTING
"ROMPETROL BULGARIA" EAD pays serious attention to the privacy of all natural persons reporting or publicly disclosing information about violations. Please read this Notice to understand how and why personal data is processed in connection with the operation of our internal whistleblowing channel. A data subject in connection with the submitted signal may be:
– the author of the report (also referred to as the reporting person);
– the person against whom the report is filed or persons related to him (affected persons);
– the witness(es) and other persons whose personal data could become known in the course of the inspection.
WHAT ARE THE PURPOSES OF PERSONAL DATA PROCESSING?
Personal data is processed for the purposes of receiving, registering, verifying and taking action on reports of alleged violations committed by our staff.
When you provide your personal data in a reported report, we will collect and store your personal data in order to investigate and investigate your report. The information you provide to us will be kept strictly confidential and secure.
In certain cases, we may also need to process your data in connection with legal disputes, as indicated in the How long we keep your personal data section, as well as for purposes specified elsewhere in this Notice.
We will notify you in the event that we would like or need to use your personal data for purposes and in a manner significantly different from what we have informed you about and, if necessary, we will seek your consent.
ON WHAT BASIS DO WE PROCESS PERSONAL DATA?
In the context of the operation of our internal whistleblower channel, we process personal data in compliance with our obligations under the Whistleblower Protection Act (WFP). The legal basis we refer to is Article 6, paragraph 1, letter "c" of the GDPR.
If the information we receive in connection with the report of violations contains a special category of data revealing the racial or ethnic origin, political views, religious or philosophical beliefs, data about the state of health, sex life, sexual orientation of the natural person, etc., the legal basis on which we will process these personal data is Article 9, paragraph 2, letter "g" of the GDPR, because the processing is necessary for reasons of important public interest based on the law of the Union and Bulgarian law.
We can also process your personal data on the basis of our legitimate interest in connection with the possibility of criminal, civil and administrative proceedings in connection with the reported report and the actions taken on it.
WHAT PERSONAL DATA DO WE PROCESS AND WHERE DO WE COLLECT IT FROM?
We process only such personal data as is strictly necessary for the above purposes.
We receive the data from the signals sent through our internal channel. In particular, we may receive such data because you give it to us (by submitting a report) or because other whistleblowers from our staff or our suppliers and contractors or other third parties give it to us (e.g. if you appear in a report as a potential offender or witness). If necessary, we may request additional information so that we can investigate all the grounds for your report, along with any supporting documents or evidence.
In the process of receiving, registering, checking and taking action on the report, we may process the following types of personal data:
• names, job title/position, phone number, email address and other contact details for you (eg address) of a whistleblower;
• signature, electronic signature or other identification of the sender of the signal;
• names, position/position and contact details of persons indicated in a reported report;
• names, title/position and contact details of persons verifying the report;
• personal data in relation to circumstances that are the subject of the report and those collected during its verification;
• personal data in connection with measures taken on the report. The processing of the above-mentioned personal data is necessary for the regularity of the signal and the verification of the information indicated in it.
Failure to provide this data would not allow the processing of the report and the conduct of the related investigation.
Pursuant to the Act on the Protection of Persons Submitting Whistleblowers or Publicly Disclosing Information on Violations, no anonymous whistleblower proceedings are initiated.
WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?
Personal data collected in connection with a whistleblower report (and in particular the identity of the whistleblower) is treated with complete confidentiality as required by the Whistleblower Protection Act. This personal data will be available only to the persons designated by the company, who will accept and carry out a check on the report. These individuals are specially trained and aware of their duty of confidentiality regarding all aspects of the inspection.
The identity of the whistleblower is not disclosed to the individuals against whom the allegations are made.
The whistleblower's identity is disclosed only if the whistleblower consents to it, or if disclosure of the whistleblower's identity is required in a criminal proceeding, or if the whistleblower has filed a false report with malicious intent. Personal data may be disclosed to third parties, such as public authorities or external inspectors, when this is a necessary and proportionate obligation imposed by Bulgarian law or European Union law in the context of investigations by national authorities or legal proceedings, including with with a view to guaranteeing the right of defense of the affected person. In these cases, before disclosing the identity or information related to the whistleblowers, we will notify the whistleblower of the need for disclosure. The notification shall be in writing and shall be motivated. The whistleblower is not notified when the investigation or legal proceedings are jeopardized.
TRANSFER OF PERSONAL DATA OUTSIDE BULGARIA
We will not transfer your personal data to persons outside the EU or EEA.
HOW LONG DO WE STORE YOUR PERSONAL DATA?
Personal data that is the subject of a report that is anonymous is deleted immediately. If the report contains personal data that is not necessary for its verification, such personal data is also deleted immediately.
We store your personal data for a period of 5 years after the conclusion of the examination of the report, except in the presence of criminal, civil, labor law and/or administrative proceedings in connection with the submitted report pursuant to Art. 8 of Ordinance No. 1 of July 27, 2023 on keeping the register of signals under Art. 18 of ZZLPSPOIN and for forwarding internal signals to the CPLD.
After the storage period expires, the personal data is destroyed or anonymized. In the latter case, this means that it will be impossible to identify you from this data.
HOW DO WE PROTECT YOUR PERSONAL DATA?
We value your privacy and take the security measures of the personal data we collect and store very seriously.
We use multiple physical, electronic and organizational measures, appropriate in light of the sensitivity of the information we maintain, to protect your personal data from unauthorized access, use or disclosure. For example, we use passwords, we have firewalls and anti-virus programs and more. We have adopted data protection policies and procedures.
Only persons specifically designated to verify a received alert will have access to the personal data contained in the alert.
WHAT RIGHTS DO YOU HAVE?
You have the following rights:
• Right of access to the personal data related to you;
• Right to object to the processing of your personal data where we invoke our legitimate interest;
• The right to request correction of inaccurate personal data relating to you;
• The right to request deletion of personal data relating to you ("the right to be forgotten");
• Right to request restriction of processing of personal data related to you;
• The right to submit a complaint to the Commission for the Protection of Personal Data, with the address Sofia, p. code 1592, Tsvetan Lazarov Blvd. No. 2. You can also seek protection of your rights through court proceedings.
HOW TO CONTACT US?
• Administrator of the personal data is "ROMPETROL BULGARIA" EAD, EIC 117599032, with headquarters and management address: Sofia, p.k. 1784, Mladost district, "Tsarigradsko Shose" Blvd. No. 115M, European Trade Center, building "D", 6th floor.
• If you have any questions about this notice or about how we process your personal data, please contact our data protection officer as indicated on our website.
Date: 01.12.2023