INTERNAL REPORTING POLICY

– breach reporting and whistleblower protection rules –

§ 1.

1. This Policy regulates the internal reporting understood as the provision of the information about breaches within a private entity as per Article 5(4) of the Directive of the European Parliament and of the Council (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law [hereinafter: “Whistleblowing Directive”].

2. Terms used herein shall have the following meanings:

  • Policy – this “Internal Reporting Policy” by GetResponse S.A. with the registered office in Gdańsk, Poland,
  • Company or Employer – GetResponse S.A. with the registered office in Gdańsk (80-387), Arkońska 6/A3, Poland, entered to the register of entrepreneurs maintained by the District Court Gdańsk – Północ in Gdańsk, 7th Economic Department of the National Court Register under the number KRS: 0000942075, TAX ID number: 9581468984, shared capital of 5,559,840.00 PLN,
  • Employee – a person employed by the Employer,
  • Breach – an action or omission that is non-compliant with the law and included in the catalogue referred to in § 4 of the Policy,
  • Report – information about Breaches submitted via designated communication channels,
  • Whistleblower – an individual, listed in sec.4 below, reporting a Breach in the context relating to the work (with the meaning attributed in §4 sec. 2 of the Policy), 
  • Follow-up actions taken by the Company to assess the truthfulness of allegations contained in the Report and, where applicable, to address the reported breach, e.g. in the form of an internal inquiry, preliminary investigation, notifying competent agencies, actions taken to recover funds or procedure closure,
  • Internal Compliance Team – a team established pursuant to a resolution adopted by the Management Board of the Company, authorized to receive Reports and to follow them up,
  • Retaliation – direct or indirect actions or omissions in a work-related context, caused by the Report and causing or potentially causing unjustified harm to the Whistleblower,
  • GDPR – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

3. The Company familiarizes each new Employee with the contents of this Policy.

4. Rules set out in the Policy apply to all Employees irrespectively of the occupied position, type of work performed and type of employment contract as well as:

  • Individuals who report or disclose the information about the breach of the law acquired in a work-related context,
  • Employees – also if no longer employed by the Employer,
  • Individuals applying for employment who have acquired the information about the breach of the law during the recruitment process or during negotiations preceding the execution of a civil law contract,
  • Individuals performing work on the basis of contracts other than the employment contract including a civil-law contract,
  • Entrepreneurs, including individuals rendering services for the Company under cooperation contracts (B2B),
  • Shareholders or partners,
  • Legal person body members,
  • Individuals performing work under the supervision and direction of a contractor, subcontractor or supplier, including work done on the basis of a civil-law contract,
  • Trainees,
  • Volunteers.

§ 2.

1. The Company establishes the following internal Report receipt channels:

  • dedicated email: whistleblowing@getresponse.com;
  • online form available HERE;
  • verbally at direct meeting in the Company’s office under the address disclosed in the current register of entrepreneurs of the National Court Register or via meeting organized via MS Teams platform or different electronic communication measures chosen by the Company;
  • in writing.

2. The information about available Report receipt channels can be found on the Company’s website.

3. The Company does not provide the possibility to submit Reports anonymously.

4. Within 7 days of the receipt of a Report, the Whistleblower shall receive the Report receipt confirmation unless the Whistleblower has failed to provide contact data for the purpose of notification or if the receipt confirmation is not supported by the channel used for reporting.

5. The person submitting the Report can submit an external report for specified state agencies without the prior internal report. The Commissioner for Civil Rights Protection is the central body, and the Office for Competition and Consumer Protection can be contacted in cases relating to competition and consumer protection issues. An external channel can be used after the prior internal Report or directly via the external channel.

§ 3.

1. The Whistleblower can submit a Report in the form of the online form available HERE.

2. The Whistleblower can submit a Report verbally to Ms. Aleksandra Bugajska during direct meeting or via MS Teams platform or different electronic communication measures chosen by the Company. The verbal Report may be made by the Whistleblower after prior appointment via the channels specified in § 2. The meeting shall be arranged within a reasonable time after the related need has been reported, i.e. not later than within one month

3. The Whistleblower can submit a Report in writing by sending a letter via traditional post to the address of the Company disclosed in the current register of entrepreneurs of the National Court Register. The Report mentioned in the preceding sentence has to include the Whistleblower’s correspondence address. Within 7 days of the receipt of the Report, the Company shall send the Report receipt confirmation via traditional post. If the Report mentioned in clause 1 does not contain the address data of the Whistleblower, but includes other data enabling direct contact with the Whistleblower, then the confirmation of receipt of the Report is sent through these channels.

4. The deadline for feedback submission is 3 months as of the receipt confirmation or, if no confirmation has been sent to the reporting person, the 3-month period starting 7 days after the Report submission.

§ 4.

1. The Breach of the law that can be reported consists of the action or omission in violation of the law or striving to circumvent the law and relating to:

  • Public procurement,
  • Financial services, products and markets,
  • Prevention of money laundering and funding of terrorism,
  • Safety of products and their compliance with requirements,
  • Safety of transport,
  • Environmental protection,
  • Radiation protection and nuclear safety,
  • Food and feed safety,
  • Animal health and welfare,
  • Public health,
  • Consumer protection,
  • Protection of privacy and personal data,
  • Safety of the network and IT systems,
  • Financial interests of the European Union,
  • EU internal market, including rules of competition and state aid and corporate taxation.

2. The Report has to be made in the work-related context understood as the entirety of circumstances related to the employment or another legal relationship constituting the basis for work performance within which the information about the Breach was obtained.

3. To make it possible for the Company to investigate the matter reliably, the Report shall contain the following information: a brief description of the case (facts), indication of violated regulations, as possible, the indication of a person, unit or organisational entity the Breach refers to and the source of the Whistleblower’s knowledge of the Breach. If the information available to the Whistleblower is incomplete the Report shall include the available information.

§ 5.

1. In the event of the processing of personal data of the Whistleblower or other individuals in connection with the Report, the provisions of generally applicable law on the protection of personal data shall apply.

2. The Employer in its capacity as the data controller can process the personal data of the Whistleblower or individuals included in the Report as well as the data of witnesses of events in connection with the Report for the purpose of its verification, including the follow-up pursuant to Article 6(1)(e) GDPR.

3. The personal data of the Whistleblower and other individuals related to the Report will only be available to a limited group of persons acting on behalf of the Employer and authorized to receive Reports and follow them up, including investigative measures.

4. The Whistleblower’s personal data can be communicated to external entities exclusively in the context of the preliminary investigations or court proceedings conducted by national authorities on the basis of a legal regulation authorizing such an authority, with the proviso that the Whistleblower will be informed of such intention prior to the disclosure of the data..

5. In particular, the Employer as the data controller shall guarantee the implementation of the rights of persons whose data is processed in connection with the Report, including:

  • The right to be informed about personal data processing rules within the limits set out, respectively, in Article 13, 14 and 15 GDPR. The information communicated pursuant to Article 14 and 15 with regard to the source of personal data cannot disclose the Whistleblower’s identity.
  • The right to access the data subject to the terms set out in Article 15 GDPR,
  • The right to correct or supplement personal data subject to the terms set out in Article 16 and 19 GDPR,
  • The right to delete personal data subject to the terms set out in Article 17 and 19 GDPR,
  • The right to limit the processing of personal data subject to the terms set out in Article 18 GDPR,
  • The right to object to the processing of personal data subject to the terms set out in Article 21 GDPR.

6. Personal data are acquired adequately to the purpose of their processing. Personal data obviously not relevant to the examination of a specific Report are not collected and, if collected accidentally, they are deleted with no undue delay, in particular, from the documentation relating to the Report.

7. The Company establishes and maintains technical, technological and organisational measures to protect personal data from their illegal deletion, unauthorised access, disclosure or modification including, in particular:

  • Individuals able to access the personal data have been informed about their processing rules and are aware of the consequences of their illegal processing,
  • The Company has appropriate internal regulations describing data processing rules, including rules regulating the access to such data and the management of personal data protection breaches,
  • The documentation relating to Reports is stored and made available in a manner guaranteeing access control limited to authorized persons mentioned in clause 3;

8. All individuals authorized to receive the Report or to follow up the received Report containing the information enabling the identification of the Whistleblower or the person accused of a Breach are strictly obliged to maintain the confidentiality of this information.

9. Personal data processed in connection with a Report are deleted from the documentation of the Report after 5 years of the Report receipt date.

§ 6.

1. The Employer maintains a record of all the Reports received [hereinafter: “the Report record”] as per the provisions of this Policy. Reports are retained for the period set out in § 5 clause 9 of the Policy.

2. Reports submitted via the form, by email whistleblower@getresponse.com or in writing are recorded on carriers assigned to these channels.

3. Verbal Reports are not recorded, which is why they are documented in the form of a report from the conversation compiled by the person receiving the Report. The Company makes it possible for the Whistleblower to check, correct and approve the report from the conversation mentioned in the preceding sentence by signing it.

4. The Report made during direct meeting is documented in the form of a report reflecting the meeting and the contents of the Report compiled by the receiving person. The Company makes it possible for the Whistleblower to check, correct and approve the report from the conversation mentioned in the preceding sentence by signing it.

5. The person receiving the Report can ask the Whistleblower to provide further information and provide feedback to the Whistleblower.

§ 7.

1. The Company guarantees and takes necessary measures set out in clause 2 below to eliminate all forms of retaliation possible against Whistleblowers, including threats of retaliation and attempts to take retaliatory actions, in particular in the form of: suspension, enforced unpaid leave, dismissal or equivalent measures; degradation or suspension of promotion, transfer of duties, change of workplace, salary reduction, change of working hours, suspension of training, negative evaluation of work results or a negative opinion about work done, imposing or applying any disciplinary measure, reprimand or other penalty (including financial penalty); coercion, intimidation, mobbing or exclusion; discrimination; unfavourable or unfair treatment, the failure to transform the fixed-term contract into a contract for an indefinite period if the employee could rationally expect to be offered permanent employment; the failure to renew or an early termination of the fixed-term contract; a loss including damage to the person’s reputation, especially on social media or financial losses, including economic losses and loss of income; blacklisting on the basis of an informal or formal sectoral or industry agreement that can potentially make it impossible for the person to find employment in a sector or industry; early termination or notice of termination with regard to a contract relating to goods or a service contract; withdrawal of a license or permit, referral to psychiatric or medical examination.

2. Measures aimed at the elimination of the risk of all forms of retaliation:

  • appointing an impartial person to follow up on Reports, to receive Reports, communicate with the Whistleblower and request further information from that person, as well as provide feedback.
  • ensuring the conduct of explanatory proceedings guaranteeing all the rights of the Whistleblower, witnesses and persons concerned by the Report (including the right to testify, the right not to incriminate themselves, presumption of innocence).

3. The Whistleblower’s protection does not cover the Whistleblower who is also the perpetrator, co-perpetrator or accessory to the irregularity covered in the Report. While deciding to potentially terminate the employment or civil-law contract with the Whistleblower who is at the same time the perpetrator, co-perpetrator or accessory to the irregularity disclosed in the Report, the Team shall always consider the fact that the Whistleblower has disclosed all the material circumstances of the irregularities disclosed in the Report.

4. The Whistleblower shall be protected provided that he/she has had reasonable grounds to believe that the information on the breach of law that was the subject of the report or public disclosure is true at the time of reporting or public disclosure and that such information constitutes information about the breach of law. Irregularities can only be reported in good faith. The conscious submission of false Reports does not make the Whistleblower eligible for the protection set out in this Policy.

5. If the Company determines that a Report containing untruth or concealing the truth was knowingly submitted by the Employee, then such person may be subject to disciplinary liability defined in the provisions of the Labour Code. Such behaviour can also be classified as a serious breach of basic employee duties and, as such, shall result in the termination of the employment contract without notice.

6. For Whistleblowers providing services or delivering goods for the Company pursuant to a civil-law contract, a false Report may result in the termination of the related contract for reasons not attributable to the Company.

7. Irrespectively of the consequences specified in clauses 4 and 5 above, the person falsely reporting irregularities can be held liable for damages in the event of a loss incurred by the Company in connection with the false Report.

§ 8.

1. This Policy is implemented for an indefinite period.

2. This Policy comes into force on its publication date.

3. The Policy may be amended or supplemented in a manner appropriate for its adoption or in another manner determined by the Company.

4. The Policy is made available to the Employees in a manner customary for the Company.

January 4, 2022.