Internal Information System Management Procedure

Internal Information System Management Procedure 

DOCUMENT PROPERTIES 

  

Document title: Internal Information System Management Procedure 

Owner: Compliance Officer Pages: 15 

Approved: Administrative Body Date: 06/08/23 

Document classification: PUBLIC 

  

REVISION HISTORY 

VERSION DATE DETAILS 

1.0 05/20/22 Initial release. 

2.0 06/08/23 Adaptation to Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption. 

  

  

INDEX 

1. PURPOSE AND MATERIAL SCOPE OF APPLICATION
   

2. SCOPE OF PERSONAL APPLICATION
   

3. THE INFORMATION SYSTEM: BASIC ELEMENTS AND CONCEPTS
   

4. REGULATORY FRAMEWORK
   

5. ROLES AND RESPONSIBILITIES
   

6. THE PERSON RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM
   

7. WARRANTIES AND RIGHTS
   

8. INTERNAL COMMUNICATION CHANNEL: ETHICAL CHANNEL
   

9. INQUIRY MANAGEMENT PROCEDURE
   9.1 Reception of the Consultation
   9.2 Resolution and Communication
   

10. COMPLAINT MANAGEMENT PROCEDURE
    10.1 Analysis Phase and Admission to Processing
    10.2 Research Phase
    10.3 Communication to the affected person and hearing procedure
    10.4 Reasoned Report of Conclusions and Resolution
    10.5 Deadline for resolution
    10.6 Adoption of disciplinary and other measures
    10.7 Communication of the resolution to the informant

11. EXTERNAL CHANNELS AND INDEPENDENT AUTHORITY
    

12. PERSONAL DATA PROTECTION

13. CONSERVATION AND REGISTRATION OF MANAGED INFORMATION
    

14. ADVERTISING AND DISSEMINATION
    

15. BREACH
    

16. APPROVAL
    

EXHIBIT 

  

1. PURPOSE AND MATERIAL SCOPE OF APPLICATION 

This document regulates the operation of the Internal Information System that CENTRE ESPORTIU MANACOR, SL (hereinafter, CEM or “the Organization”) has enabled to communicate any suspicion or violation of external or internal regulations, committed within it or in its name.

  

In this sense, this document develops the management, investigation and response to the communications made.

  

This procedure defines the operation of the CEM Internal Information System, which is the set of elements that interact with each other and whose specific purpose is to regulate the implementation of the mechanism to prevent and detect the commission of irregularities, as well as to provide adequate protection to all persons who report any of the actions or omissions referred to in article 2 of Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption:

  

· Any actions or omissions that may constitute breaches of European Union law, and provided that:

  

– Fall within the scope of the acts of the European Union listed in the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law1. Some examples contained in the Directive are included as an ANNEX to this Procedure.

– Affect the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU);

– Affect the internal market, as referred to in Article 26(2) TFEU, including infringements of EU competition rules and aid granted by States, as well as infringements relating to the internal market in relation to acts infringing corporate tax rules or practices intended to obtain a tax advantage that distorts the object or purpose of the legislation applicable to corporate tax.

· Actions or omissions that may constitute a serious or very serious criminal or administrative offence. In any case, all serious criminal or administrative offences that imply economic losses for the Treasury and Security will be understood to be included.

  

It also aims to provide adequate protection to people who report potential risks or breaches of external regulations, as well as the provisions of the Code of Ethics or any other internal CEM regulations.

The Internal Information System is not a mailbox for complaints or claims, so if any communication of this type is received, it will not be admitted.

The following communications are excluded from the protection of this procedure:

  

· Information contained in communications that has been rejected by any internal information channel or for any of the reasons provided for in article 18.2. a) of Law 2/2023, of February 20.

· Information related to claims regarding interpersonal conflicts or that affect only the informant and the persons to whom the communication or disclosure refers.

· Information that is already public or constitutes mere rumors.

· Questions regarding the interpretation of the Code of Ethics and Conduct, any other internal regulations or applicable legislation.

  

  

2. SCOPE OF PERSONAL APPLICATION

This procedure applies to all CEM members and collaborators, specifically:

  

· All CEM employees, regardless of their category or position and the hiring model through which they are linked to the Organization, including interns, temporary staff, volunteers, managers, as well as the Management Body. All of them have the obligation to report any risk or non-compliance with applicable legislation and internal regulations through the enabled channels.

· Candidates for employment in cases where information on violations was obtained during the selection process or pre-contractual negotiation.

· Former employees who have become aware of any infringement within the framework of an employment relationship that has already ended.

· Any person who works for or under the supervision and direction of contractors, subcontractors and suppliers.

  

3. THE INFORMATION SYSTEM: BASIC ELEMENTS AND CONCEPTS 

CEM’s internal information system consists of the following elements:

  

· Internal Information System Policy

· Internal Information System Management Procedure

· System Manager

· Ethical Channel

· External communication channel

  

For the purposes of this procedure, the following definitions or basic concepts shall be taken into account:

  

1. Communication or complaint: information received in the CEM internal information system that aims to bring to light potential risks or regulatory non-compliance.

2. Consultation: information received in the Internal Information System related to doubts about the interpretation of the Code of Ethics and Conduct, any other internal regulations or applicable legislation.

3. Informant: will be the person who makes the communication through the internal information system enabled by the Organization.

4. Respondent or affected person: person against whom the communication is directed.

5. Third party involved: person or persons mentioned in the communication or who are involved in the investigation process, without being the complainant or the accused (for example, witnesses).

6. Instructor: person in charge of investigating the reported facts.

7. Independent Authority for the Protection of Informants (AAI): a public entity with its own legal personality and organic and functional independence from the Executive and the public sector, whose work includes, among others, the management of the external communications channel, assumption of the status of advisory body and advice to the Government on matters of informant protection, development of models for the prevention of crimes in the public sphere and assumption of sanctioning powers in this area.

8. External information channel: communication channel for filing complaints with the Independent Whistleblower Protection Authority (AAI)

  

4. REGULATORY FRAMEWORK 

For the development and execution of the procedure, the following regulations have been taken as a reference:

· Directive (EU) 2019/1937 of the European Parliament and of 23 October 2019 on the protection of persons who report breaches of Union law.

· Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption.

· Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

· Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights.

  

5. ROLES AND RESPONSIBILITIES 

  

ROLE	RESPONSIBILITY
Administrative Body	– Approve and implement the internal information system  – Approve this Procedure and the Internal Information System Policy.  – Designate the System Manager
System Manager	– Implementation and review of this procedure.  – Manage communications.  – Diligent processing of communications received.  – Processing of investigation files.  – Decision-making or proposal on the consequences that may arise from the facts investigated.

  

6. THE PERSON RESPONSIBLE FOR THE INTERNAL INFORMATION SYSTEM 

The Management Body has appointed the Director of Administration of CEM, Antoni Illa, as the Person Responsible for the Management of the Internal Information System (also known as the System Manager).

In this regard, both the appointment and the termination of the System Manager must be notified to the Independent Authority for the Protection of Informants, AAI, or, where appropriate, to the competent authorities or bodies of the autonomous communities, within the scope of their respective powers, within the following period of ten (10) business days, specifying, in the case of termination, the reasons that have justified it.

The System Manager will carry out his or her functions independently and autonomously from the rest of the bodies, without receiving any instructions in their exercise, and having all the personal and material means necessary to carry them out.

  

7. WARRANTIES AND RIGHTS 

CEM guarantees compliance with the following guarantees and rights:

– The confidentiality of the identity of the informant, of any third party involved and of all information in a communication or investigation, as well as of all actions carried out, is guaranteed. Without prejudice to the above, the data of said persons may be provided to administrative or judicial authorities, should they be required as a result of the initiation of any procedure derived from the subject matter of the communication.

Likewise, the identity of the informant may be known to those persons essential to carrying out the relevant investigation. The person in charge of the investigation shall, in all cases, avoid, during the processing of the investigation, the identification, either directly or by reference, of the informant. This guarantee of confidentiality extends even after the investigation has been completed.

– The informant will, in any case, have the possibility of making communications anonymously without having to provide any type of data tending to his/her identification.

– The absence of retaliation, direct or indirect, is guaranteed for all communications made in good faith. Any communication made in bad faith will give rise to appropriate action by CEM. If this guarantee of non-retaliation is violated, it must be reported and, if once the facts have been investigated, it is confirmed, it may be subject to disciplinary measures. This guarantee also extends to any person who participates in the investigation (e.g. witnesses), provided that their participation is done in good faith.

– Upon receipt of the communication and the start of the investigation, the affected person must be informed of the start of the procedure and its purpose, unless, for reasons of the investigation, it is necessary to delay the communication. Once the opening of the procedure has been communicated, the affected person will have the right to provide all the evidence that he or she considers relevant for his or her defence. He or she will also have access to all the evidence that may have been collected, but in no case to the identity of the informant.

During the course of the investigation, the affected person will have the right to make all the allegations he or she considers appropriate. In any case, before the resolution is issued, the person under investigation will be given the opportunity to make allegations.

– The presumption of innocence of the affected person is guaranteed throughout the procedure, until the resolution is issued. Therefore, under no circumstances may restrictive or coercive measures be taken. Precautionary measures may only be adopted in certain duly justified cases (for example, harassment) and/or evidence protection measures may be imposed when they are strictly essential, and always in accordance with the principles of reasonableness and proportionality.

When a communication is sent by means other than those specifically established or to members of the staff not responsible for its processing, it must be sent immediately to the System Manager, maintaining the duty of confidentiality in all cases.

  

8. INTERNAL COMMUNICATION CHANNEL: ETHICAL CHANNEL 

In order to carry out any communication that falls within the material scope of application described in section 1, the CEM Internal Information System has an Ethics Channel accessible through these channels: – Email: sii@rafanadalacademy.com

An example to achieve anonymity: use a generic email address – not a nominative one, created exclusively for this purpose – or any other means that allows you to hide your identity.

– At the request of the informant, the communication may be made through a face-to-face meeting within a maximum period of seven (7) calendar days. The aforementioned meeting will be documented in one of the following ways, with the prior consent of the informant:

· By recording the conversation in a secure, durable and accessible format, or

· Through a complete and accurate transcription of the conversation conducted by the staff responsible for handling it.

  

Without prejudice to the rights that apply to him/her under data protection regulations, the informant will be offered the opportunity to check, rectify and accept the transcription of the conversation by signing.

  

– In cases where the System Manager is the person affected by the communication, the informant may make the communication directly to the General Director.

  

If the communication is received by the System Manager and he is the person affected by it, he must refrain from acting, immediately communicating this to the General Director, so that he may appoint an instructor and/or resolve what he deems appropriate, always observing the provisions of this procedure.

  

Any query regarding the interpretation of applicable regulations, whether external or internal, may also be made through the Ethics Channel. However, queries will be excluded from the scope of protection of this Procedure. In this case, the person consulting must identify themselves.

  

9. INQUIRY MANAGEMENT PROCEDURE 

The purpose of consultations is to resolve any doubts that may arise regarding the interpretation of the Code of Ethics and Conduct, any other internal regulations or applicable legislation. Any doubt related to a guideline of action or conduct that may have an impact on matters of ethics or crime prevention must also be formulated as a consultation.

The Ethics Channel is not a complaint or claim mailbox, so it should not be used to communicate issues such as complaints about the facilities, employee complaints about their work situation, etc. as long as these do not represent a violation – whether potential or actual – of the Code of Ethics and Conduct. If received, they will not be admitted or resolved.

  

9.1 Reception of the Consultation 

Once the query has been received, an acknowledgement of receipt will be sent within a period of no more than seven (7) days.

Any query whose content falls outside the scope of the Channel or which is made in terms that are notoriously disrespectful or in bad faith will not be admitted.

  

9.2 Resolution and Communication 

Once the query has been analyzed, a response will be issued as quickly as possible, but may not exceed one (1) month from the acknowledgement of receipt, either through the same Channel or personally to the consultant. Professionals from other areas or external collaborators may be used to resolve the query.

  

10. COMPLAINT MANAGEMENT PROCEDURE 

10.1 Analysis Phase and Admission to Processing 

In the event of receiving a complaint, the receipt of the same will be acknowledged within seven (7) days. The System Manager must carry out an initial analysis of the complaint within a period not exceeding one (1) month from the receipt acknowledgement. The final result of this prior analysis will be whether the communication is admitted for processing or not.

The System Manager will base his decision on whether or not to process the application based on the following aspects:

– Reception of the complaint with sufficient data to carry out the analysis, including the possible persons/areas involved and a clear description of the reported facts.

– The indications of veracity of the complaint.

– The possible existence of documentation or evidence supporting the reported facts.

– The apparent absence of bad faith in the communication.

  

Depending on the results of this analysis, the Commission may decide to accept the complaint, initiating an internal investigation process, or, if not, not to accept the complaint. All complaints that are not related to the purpose of the Channel or whose wording does not indicate any potential non-compliance will be rejected.

If a complaint does not contain the information required for processing, the informant will be asked to rectify the complaint by completing it or providing additional information.

Where there is evidence of a criminal offence, the information shall be forwarded immediately to the Public Prosecutor’s Office. Where the facts affect the financial interests of the European Union, the information shall be forwarded to the European Public Prosecutor’s Office.

In any case, the informant will be informed whether the complaint has been accepted for processing or not. In the event that the communication is not accepted, a reasoned justification from the Information System Manager will be included, indicating the reasons for the rejection.

  

10.2 Research Phase 

For any complaint admitted for processing, the System Manager will proceed to open an investigation, assessing the best investigation strategy to develop in each specific case based on the scope, extent and persons allegedly involved in the events.

This investigation phase will be instructed by the System Manager himself, unless he decides to appoint a different investigating body, which may be other members of the Organization or an external advisor (hereinafter, the “Instructor”).

The Instructor may request from the different areas/departments the information and collaboration that he considers necessary to carry out the investigation.

The Instructor will proceed to open an investigation file in which it will be essential to include detailed documentation of all actions carried out and the documents that have been collected to obtain sufficient and appropriate evidence.

In order to obtain this evidence, the investigator may carry out the actions he or she considers appropriate, such as reviewing documents or records, analysing processes and procedures, or conducting interviews, among others. One of the unavoidable steps will always be the examination of the evidence provided by the informant, and he or she may be required to expand on it to better clarify the facts reported.

  

10.3 Communication to the affected person and hearing procedure 

During the course of the investigation, the Investigator will contact the person concerned, informing him/her of the facts attributed to him/her and the main milestones that may occur during the investigation.

However, in cases where such communication could endanger or harm the investigation of the facts, for example, due to a risk of manipulation or destruction of evidence, or could make it difficult to obtain the evidence necessary for clarification, notification to the person affected by the communication may be delayed as long as such risk exists.

CEM will ensure the integrity and non-manipulation of the evidence obtained. Before making any resolution proposal, the Instructor must take a statement from the affected person within a period of ten (10) days for the submission of any allegation and any documentation, evidence or proof to the contrary, which he considers of interest.

  

10.4 Reasoned Report of Conclusions and Resolution 

Once the investigation is completed, the Investigator will prepare a reasoned report of the findings and may, where appropriate, recommend the adoption of disciplinary measures. In cases where he has appointed other members of the Organisation or an external advisor as Investigator, he will issue a report of the findings which he will submit to the System Manager for resolution of the case.

This report shall contain, at least, the following elements and their description, without prejudice to the duties of confidentiality that must be maintained:

– Identification of the subjects involved.

– Nature of the irregularity or non-compliance

– List of relevant facts or discoveries

– Conclusions or assessment of the facts

– Proposal of measures, controls and/or actions to be implemented by CEM to prevent or mitigate the likelihood of said infringement occurring again.

  

The resolution may be: 

– Archive the case due to the lack of relevant facts for these purposes, lack of sufficient evidence or lack of veracity of the information. If bad faith of the informant has been established, Human Resources will be informed for the adoption of disciplinary measures.

– Declare the commission of an irregularity or non-compliance with internal regulations or legislation, urging Human Resources to apply the corresponding disciplinary regime.

  

10.5 Deadline for resolution 

The deadline for resolution may not exceed three (3) months from receipt of the communication. For cases of special complexity, the deadline may be extended for another three (3) months subject to a report, which will be incorporated into the file, stating the reasons.

  

10.6 Adoption of disciplinary and other measures 

If an irregularity or breach is found to have actually occurred, the Human Resources Manager will decide on the appropriate disciplinary measures to be adopted, which will be communicated and applied in accordance with current labour regulations and the applicable collective agreement.

Sanctions will be graded according to the seriousness of the acts committed, and may take into consideration circumstances such as the damage or harm caused, recidivism, degree of participation, etc. To this end, when the opening of a disciplinary file is required, a Reasoned Report of Conclusions prepared by Human Resources will be incorporated into the file, in order to avoid duplication of actions.

  

10.7 Communication of the resolution to the informant 

The System Manager will inform the informant of the end of the procedure and the meaning of the resolution adopted in this regard.

  

11. EXTERNAL CHANNELS AND INDEPENDENT AUTHORITY 

Either directly or by prior communication through the means indicated in section 8 of this procedure, the Independent Authority for the Protection of Informants (AAI), or the corresponding autonomous authorities or bodies, may be informed of the commission of any actions or omissions included in the scope of application of Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption.

The communication, which may be carried out anonymously, may be made, at the discretion of the informant:

· In writing, by post or through any electronic means enabled for this purpose, addressed to the AAI’s external information channel

· Verbally, by telephone or through the voice messaging system.

· By face-to-face meeting, within a maximum period of seven (7) days.

  

12. PROTECTION OF PERSONAL DATA 

CEM undertakes to treat personal data in an absolutely confidential manner and in accordance with current regulations at all times. It will adopt the necessary technical and organisational measures to guarantee the security of the data and prevent its alteration, loss, processing or unauthorised access, taking into account the state of the technology, the nature of the data stored and the risks to which they are exposed.

For more information, you can consult the Privacy Policy on the website (link to the Privacy Policy.

  

13. CONSERVATION AND REGISTRATION OF MANAGED INFORMATION 

CEM guarantees that the data communicated through the internal information system will only be accessible by those persons who are essential to carry out the investigation and resolution. However, access to it will be lawful for other persons or may even be communicated to third parties when necessary for the adoption of disciplinary measures or for the processing of legal proceedings, where appropriate.

CEM will have a logbook of communications received and internal investigations carried out, thus carrying out diligent and exhaustive monitoring with the aim of maintaining traceability of the activity of the Internal Information System. However, the confidentiality requirements provided for in this procedure will be guaranteed in all cases.

This registry is not public, so its content may only be accessed in whole or in part at the reasoned request of the competent Judicial Authority, by means of an order, and within the framework of a judicial or administrative procedure related to the subject of the communication.

  

14. ADVERTISING AND DISSEMINATION 

CEM guarantees to provide appropriate information in a clear and easily accessible manner, at all times, on the use of the Ethical Channel, as well as the essential principles set out in this document.

  

  

15. NON-COMPLIANCE 

Failure to comply with any internal CEM regulations by any member of your team may constitute a punishable offence. Therefore, failure to comply with this procedure may be subject to reasonable and proportionate disciplinary measures, taking into account the circumstances of the case.

  

16. APPROVAL 

The current version of this Procedure was approved by the Administrative Body on June 8, 2023. Any update to its content will be duly communicated.

  

Exhibit 

The provisions of Annex I of DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2019 may be reported through the Internal Information System.

Some examples are given below:

  

Infringements falling within the scope of Union acts relating to:

  

Public procurement: 

· Procedural rules applicable to public procurement and the awarding of concessions, to the awarding of contracts in the areas of defence and security, and to the awarding of contracts by entities operating in the water, energy, transport and postal services sectors and any other contract.

Environmental protection: 

· Any crime committed against environmental protection 

· Environmental and climate standards 

· Standards on sustainable development and waste management 

· Standards on marine, atmospheric and noise pollution 

· Standards relating to the protection and management of water and soil 

· Rules relating to the protection of nature and biodiversity 

· Standards relating to chemical substances and mixtures 

· Standards for organic products 

Food and feed safety, animal health and animal welfare: 

· EU legislation on food and feed 

Consumer protection: 

· Consumer rights and consumer protection 

Protection of privacy and personal data, and security of networks and information systems.