ORDER
EN

RAISING CONCERNS (WHISTLEBLOWING) POLICY

Date: December 2023

Company: MANTZARIS S.A.
Categorization: Policy
Power Level: Binding
Edition: 1.0
Adopted by: Board of Directors
Date of Approval: 15/12/2023
Date of Entry into Force: 15/12/2023

 

  1. INTRODUCTORY NOTE

At ΜΑΝΤΖΑRIS S.A. (the “Company”) we operate in accordance with applicable law, the principles and values of our Company’s Code of Ethics, as well as our internal policies and procedures. Our goal is to ensure the highest level of ethical and professional conduct and to achieve transparency in our business environment.

At ΜΑΝΤΖΑRIS S.A. we are determined to prohibit any illegal or irregular action or behavior that could affect the prestige and credibility of our Company. In compliance with applicable law, we have developed internal reporting channels for actual or suspected breaches of Union law (whistleblowing).

The purpose of this Raising Concerns (Whistleblowing) Policy (hereinafter the “Policy”) is to clarify the scope and operating principles of the internal reporting system of ΜΑΝΤΖΑRIS S.A. and to encourage any interested party to make use of this system, expressing their concerns promptly and without hesitation and submitting accurate and complete reports to the extent possible, in good faith, with responsibility and professional conscientiousness.

We invite all our executives, staff and partners to make use of the internal reporting channels offered to them and to immediately report cases of misconduct or unethical behavior, as well as unfair practices that may come to their attention, in accordance with the provisions of this Policy. We would like to assure you that our Company takes reports on breaches seriously and investigates them with absolute confidentiality and discretion. In the event of a well-founded report, the Company will take all measures to the fullest extent permitted by applicable law, including litigation of any civil and criminal claims.

 

  1. DEFINITIONS

“Internal Report“: The oral or written communication of information to the Report Receiving and Monitoring Officer regarding breaches of Union law, as defined in Law 4990/2022 on the “Protection of Persons Reporting Breaches of Union Law – Incorporation of Directive (EU) 2019/1937 of the European Parliament and of the Council of the 23rd October 2019 and other urgent arrangements”.

“External Report”: The oral or written or electronic communication of information on breaches of Union law to the National Transparency Authority (NΤA) or, as the case may be, to the Competition Commission (HCC).

Person Concerned: The natural or legal person who is referred to in the report or public disclosure as a person to whom the breach is attributed or with whom that person is associated and falls within the scope of the present Policy.

 “Reporting Person”: The natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities.

 “R.R.M.O.”: Report Receiving and Monitoring Officer.

 “Retaliation”: Any direct or indirect act or omission, which occurs in a work-related context, is prompted by a report or public disclosure, and causes or may cause unjustified detriment to the reporting person or puts him or her at a disadvantage.

 “Valid Grounds”: The justified belief of a person, having similar knowledge, education and experience with the reporting person that the information in his or her possession is true and constitutes a breach of Union law falling within the scope of this Policy.

 “Public Disclosure”: The making of information about breaches directly available to the public.

“Follow-up”: Any action taken by the recipient of a report or any competent authority or body, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure.

“Feedback“: The provision to the reporting person of information on the action envisaged or taken as follow-up and on the grounds for such follow-up.

 “Work context”: Current, past or anticipated work activities through which, irrespective of the nature of those activities, persons acquire information on breaches.

“Breaches”: Acts or omissions that are unlawful under Union law or defeat the object or the purpose of the rules of Union law, falling within the material scope of this Policy.

 “Breach Information”: Information, including reasonable suspicions, about actual or potential breaches, which occurred or are very likely to occur in the company in which the reporting person works or has worked or will work or is in negotiations to work or in another organization with which the reporting person is or was in contact through his or her work, and about attempts to conceal such breaches.

 “Personal Data”: Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 “Data Processing”: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 “Data Controller”: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

  1. SCOPE

 Α. MATERIAL SCOPE

The reporting system can be used to report or disclose breaches related to the following:

  • Breaches of Union law, as specifically defined in Annex I of Law 4990/2022, in the areas of:

(a) public procurement;

(b) financial services, products and markets, prevention of money laundering and terrorist financing;

(c) product safety and compliance;

(d) transport safety;

(e) protection of the environment;

(f) radiation protection and nuclear safety;

(g) food and feed safety, animal health and welfare;

(h) public health;

(i) consumer protection;

(j) the protection of privacy and personal data, as well as security of network and information systems.

  • Breaches affecting the financial interests of the Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU), namely cases of fraud or any other illegal activity against the financial interests of the EU, and as further specified in relevant Union measures.
  • Breaches relating to the internal market, as referred to in paragraph 2 of Article 26 TFEU, including breaches of Union competition and State aid rules, as well as breaches relating to the internal market in relation to acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

Incidents of violence and harassment at work, which are regulated by a separate Policy of ΜΑΝΤΖΑRIS S.A. for the “Prevention and Handling of all Forms of Violence and Harassment in the Workplace” and have their own reporting mechanism, do not fall within the scope of this Policy. Moreover, this Policy does not cover disagreements on issues relating to policies and decisions of the Company’s management, personal matters and/or disagreements with superiors/colleagues or unfounded gossips and rumors.

 

B. WHO CAN SUBMIT A REPORT?

Reports can be made by:

  • Shareholders, members of the Board of Directors of the Company and generally persons belonging to the administrative, management or supervisory bodies of the Company, including non-executive members, as well as volunteers and paid or unpaid trainees/apprentices;
  • The executives and staff of the Company, regardless of position and hierarchical level of employment (whether they are linked to the Company by an employment relationship or provide independent services, of an indefinite or fixed-term, full-time or part-time, permanent or seasonal, seconded from another body, etc.);
  • Persons whose employment relationship with the Company has ended for any reason (former employees) or has not yet started (prospective employees, who obtain information about breaches during the recruitment process or at any other pre-contractual negotiation stage);
  • Suppliers, consultants, all kinds of associates of the Company, including persons working under the supervision and instructions of contractors, subcontractors and suppliers.

A prerequisite for falling within the scope of protection of this Policy is that the report is submitted in good faith, namely the reporting person should have reasonable grounds to believe that the information provided is true.

 

  1. NAMED OR ANONYMOUS REPORTING?

Reports may be submitted by name, through appropriate channels, as provided for under clause 7.A below. The Company guarantees the confidentiality of reports and keeps the identity of the reporting person private.

The identity of the reporting person may, however, be disclosed in exceptional cases, including when permitted by Union or national law, when the reporting person has authorised disclosure or if the reporting person acts in bad faith or if necessary in the context of investigations by competent authorities and/or judicial proceedings, and where such disclosure is necessary for the purposes of this Policy or to safeguard the rights of defense of the person concerned. In this case, the reporting person will be informed before his or her identity is revealed, unless such information would jeopardize the relevant investigations or procedures.

In case the reporting person does not wish to submit a named report, it is possible to submit an anonymous report, through appropriate channels, as provided for under clause 7.A below.

The Company encourages anyone wishing to share their concerns to make use of the internal reporting system and guarantees that any report received will be treated with absolute confidentiality and secrecy. It is emphasized that anonymous reports are treated by the Company with the same attention and gravity as named ones.

 

  1. INSTRUCTIONS WHEN SUBMITTING REPORTS

In order to facilitate the investigation and proper evaluation of a report, it is important that the report submitted is clear, specific and that it contains as much information as possible.

The report must include the name of the person(s) likely to have committed any misconduct, the date and place of the incident, the type of breach and a detailed to the extent possible description of same, accompanied by documents and, in general, evidence, if available.

Special categories of personal data or sensitive information not related to the incident should not be included in the submitted report.

The reporting person should be available to provide additional information and clarifications upon request. Especially in the case of anonymous reporting, the reporting person, if he/she so wishes, may make himself/herself available through any communication route or specific contact point he/she chooses.

It is recommended that the reporting person refrains from disclosing details of the matters reported to other individuals, as this may adversely affect any subsequent investigation.

The Company respects the right of defense of persons involved in a report. Fraudulently submitted reports intended to damage the integrity or reputation of a person are strictly prohibited.

 

  1. REPORT RECEIVING AND MONITORING OFFICER (R.R.M.O.)

The R.R.M.O. has the below mentioned responsibilities. In particular, the R.R.M.O.:

  • Provides appropriate information regarding the possibility to submit a report through internal reporting channels;
  • Receives reports on breaches falling within the scope of this Policy;
  • Acknowledges receipt of the report to the reporting person within seven (7) working days of that receipt;
  • Takes the necessary steps in order for the competent bodies in the Company to deal with the report or close the procedure by archiving the report, if the report is incomprehensible or submitted abusively or does not contain facts that constitute a breach of Union law or there are no serious indications of such a breach, and informs the reporting person of the relevant decision;
  • Ensures the protection of the confidentiality of the identity of the reporting person and of any third parties named in the report, by preventing access to it by unauthorized persons;
  • Monitors the reports and maintains communication with the reporting person and, if necessary, requests further information from the reporting person;
  • Informs the reporting person of the actions taken within a reasonable period of time, which shall not exceed three (3) months from the acknowledgement of receipt, or, if no acknowledgement has been sent to the reporting person, three (3) months from the end of seven (7) working days from the submission of the report;
  • Provides clear and easily accessible information on the procedures under which reports can be submitted to the National Transparency Authority (NAA) and, where appropriate, to public bodies or institutions, offices or agencies of the Union; and
  • Plans and coordinates training activities on ethics and integrity and participates in the drafting of internal policies to enhance integrity and transparency in the Company.

The R.R.M.O. must:

  • Perform his/her duties with integrity, objectivity, impartiality, transparency and social responsibility;
  • Respect and observe the rules of confidentiality and privacy on matters of which he/she has become aware in the performance of his/her duties;
  • Refrain from handling specific cases, declaring an impediment when there is a conflict of interest.

 

  1. CHANNELS FOR SUBMITTING REPORTS

 Α. REPORTING INTERNALLY (INTERNAL REPORTING CHANNEL)

 Reports can be submitted internally as follows:

  • By letter, named or anonymous, addressed to the Company’s R.R.M.O. and sent by traditional mail. The letter should be sent with the indication “Personal – Confidential“:

To ΜΑΝΤΖΑRIS SOCIETE ANONYME

Attention: Report Receiving and Monitoring Officer

Thesi Tsakiri, Zevgolatio Korinthias,

P.C. 200 01, Greece

  • By email at [email protected]
  • By telephone at (0030) 2741 888129 or
  • Through a physical meeting with the Company’s R.R.M.O., which can be arranged within a reasonable timeframe, at the request of the reporting person.

In case of submission  of a report by telephone, the recording of the conversation by the R.R.M.O. is permitted, subject to the lawful consent of the reporting person. In this case, the R.R.M.O. shall be entitled to document the oral reporting either by recording the conversation in a durable and retrievable form or through a complete and accurate transcript of the conversation, enabling the reporting person to check, rectify and agree with the transcript of the conversation by signing it.

In case of submission  of a report by telephone without recording of the conversation, the R.R.M.O. has the right to document the oral reporting in the form of accurate minutes of the conversation, which are prepared by the R.R.M.O., giving the reporting person the opportunity to verify, correct and agree with the minutes of the conversation by signing them.

In case of submission  of a report through a physical meeting with the R.R.M.O., the latter may, subject to the consent of the reporting person, keep complete and accurate minutes of the meeting in a durable and retrievable form, either by  recording the conversation in a durable and retrievable form or by accurate minutes of the meeting prepared by the R.R.M.O., enabling the reporting person to check, rectify and agree with the minutes of the meeting by signing them.

If the reporting person refuses to sign the minutes, as provided for above, special reference is made on said minutes by their author.

 Β. REPORTING EXTERNALLY (EXTERNAL REPORTING CHANNEL)

If the reporting person considers that his/her internal report has not been effectively addressed, he/she may submit an external report to the National Transparency Authority. Instructions for the procedure for submitting a report to the NTA can be found on its website www.aead.gr.

Specifically for infringements of Articles 101 and 102 of the Treaty on the Functioning of the European Union concerning competition issues, the Competition Committee has been designated as the competent authority to receive external reports. Instructions on the procedure for submitting a report to the Competition Committee are posted on its website www.epant.gr.

 

  1. INTERNAL REPORTING MANAGEMENT PROCESS

The procedure followed as soon as an internal report is received is described below: 

  • Within seven (7) working days from the date of receipt of the report, the R.R.M.O. acknowledges its receipt to the reporting person, provided that the latter has given his/her contact details.
  • At the same time, the R.R.M.O. informs without delay the three-member Reporting Administration Committee (Whistleblowing Committee) of the Company, which consists of:

(a) the Head of the Operations Division;

(b) the person in charge of the Customer Service Department and

(c) the Legal Advisor of the Company.

 The Reporting Administration Committee is responsible for the investigation of the reports, carries out audits, assesses the accuracy of the reporting person’s claims, decides on the facts and grounds of the report, records the results of the relevant investigation and, accordingly, recommends (i) appropriate measures to address the reported breach, (ii) further investigation of the report or (iii) closure of the procedure and archiving of the report. The decisions of the Reporting Administration Committee are reasoned and taken by majority, and the Managing Director of the Company is informed of them, in order to take the necessary decisions.

If a report is incomprehensible or submitted abusively or does not contain facts constituting a breach of Union law or there are no serious indications of such a breach, then the Reporting Administration Committee may decide that no further investigation is required, in which case the R.R.M.O. shall archive the report and notify the relevant decision to the reporting person, provided that his/her contact details are known.

If additional information is required from the reporting person for the further investigation of a report, the latter is informed through the R.R.M.O. Where necessary and depending on the subject of each report, additional professional support may be sought from other executives of the Company and/or specialized external legal or technical advisors (auditors, fraud investigators, etc.).

In case a report is directed against a member of the Reporting Administration Committee or in case a member of the Committee has a conflict of interest, then that member shall be excluded from the list of recipients of that report, he/she shall not participate in the relevant investigation and shall be replaced by a person appointed by the other members of the Reporting Administration Committee.

In case a report is directed against the Managing Director of the Company or in case he has a conflict of interest, then the decision of the Reporting Administration Committee is forwarded to the President or, as the case may be (when the Managing Director is also the President of the Board of Directors of the Company), to the Vice-President of the Board of Directors of the Company,  in order to take the necessary decisions.

Depending on the results of the investigation, the Reporting Administration Committee  recommends that appropriate and necessary actions be taken in order to effectively address the breach and prevent a similar incident from happening again in the future. Such actions may include, indicatively, modifications to the Company’s existing procedures and policies, imposition of disciplinary sanctions, including termination of contract, initiation of legal proceedings/court actions, additional employee training.

The R.R.M.O. shall inform the reporting person about the actions taken within a reasonable timeframe, not exceeding three (3) months from the acknowledgement of receipt, or, if no acknowledgement was sent to the reporting person, three (3) months from the expiry of the seven (7) working days period after the report was made.

In any event, if the reporting person considers that his/her report has not been dealt with effectively, he/she may make use of an external reporting channel, as provided for under clause 7.B above.

 

  1. RECORD KEEPING OF THE REPORTS AND PROTECTION OF INFORMATION

The Report Archive is kept in electronic and/or printed form by the Reporting Administration Committee, in accordance with the highest security standards of the Company. Reports, documents and data relating to investigations and audits shall be stored for a reasonable and necessary period of time, as provided for under clause 11.A below, in order to be retrievable and to comply with the requirements imposed by the present Policy, Union and national law, and in any case until the completion of the investigation or judicial proceedings initiated following the report against the person concerned,  the reporting person or third parties.

It should be noted that both the R.R.M.O. and the Reporting Administration Committee, as well as any person involved in the management and investigation of reports, are bound by a Confidentiality Agreement for the information they become aware of during the performance of their duties.

 

  1. PROTECTION OF REPORTING PERSONS

Reporting persons shall be entitled to protection if, at the time of submission of the report, they had reasonable grounds to believe that the information concerning the suspected breaches was true, even if the report submitted turns out to be incorrect.

 The Company will not tolerate acts of retaliation of any kind, including threats, marginalization, intimidation, threats or unfair treatment, against persons who submit a report in good faith regarding a breach. Any form of retaliation is prohibited, including in particular: (a) suspension, dismissal or other equivalent measures, (b) demotion, omission or withholding of promotion, (c) transfer of duties, change of location of place of work, reduction in wages, change in working hours, (d) withholding of training, (e) a negative performance assessment or negative employment reference, (f) imposition or administering of any disciplinary or other measure, including financial penalty, (g) coercion, intimidation, harassment or ostracism, (h) discrimination or unfair treatment, (i) failure to convert a temporary employment contract into a permanent one, (j) failure to renew or early termination of a temporary employment contract, (k) intentional damage, including to the person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income, (l) blacklisting on the basis of a sector or industry-wide formal or informal agreement, which may entail that the person will not, in the future, find employment in the sector or industry, (m) early termination or cancellation of a contract for goods or services; (n) revocation or cancellation of a licence or permit, (o) referral for psychiatric or medical supervision, (p) refusal or deprivation of reasonable adjustments for persons with disabilities.

Any act of retaliation should be reported promptly and directly to the Reporting Administration Committee, which will be responsible for further investigation of the incident. Individuals who have retaliated will be subject to disciplinary action, up to and including termination of their employment contract.

 

  1. PERSONAL DATA

Α. PROTECTION OF PERSONAL DATA

 Any processing of personal data pursuant to this Policy shall be carried out in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national legislation.

The data controller within the meaning of the GDPR is ΜΑΝΤΖΑRIS S.A., however it is noted that the processing of personal data for the purposes hereof is carried out exclusively by the R.R.M.O., the Reporting Administration Committee and/or any other person deemed necessary under this Policy.

During the submission and monitoring of reports, appropriate technical and organizational measures will be taken, in order to process solely the data that are  strictly necessary and appropriate for the purposes of the present Policy. Personal data that are obviously not related to the handling of a specific report will not be collected, and in case they are incorrectly disclosed and consequently collected, they will not be taken into account and will be deleted without delay.

The personal data collected in the context of a submitted report will be kept in printed and/or electronic form, in accordance with the Company’s security standards, for a reasonable and necessary period of time not exceeding five (5) years. The data will then be securely destroyed, unless otherwise provided by law or in case legal, judicial or disciplinary proceedings have initiated, in which case such data may be retained for a longer period of time.

The Company invites reporting persons to refrain from including in their reports special categories of personal data about themselves or the person concerned or third parties, unless such inclusion is strictly necessary to support a report. Special categories of personal data are information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

 

Β. SCOPE AND LEGAL BASIS OF PROCESSING OF PERSONAL DATA

The personal data of all parties involved, collected in the context of the operation of the internal reporting system, are processed solely in relation to each report and only for the purpose of ascertaining the validity of such report and investigating a specific incident of suspected breach.

The legal basis for data processing is a) compliance with a legal obligation of the Company deriving from Law 4990/2022, which provides for the obligation to establish an internal channel for reporting breaches and b) the legitimate interest pursued by the Company in preventing and combating bad practices or irregularities in the execution of its business activities.

 

C. POTENTIAL DATA RECIPIENTS

Access to the personal data included in the reports may be granted only to those involved in the administration and investigation of an incident, such as the R.R.M.O., the members of the Reporting Administration Committee, as well as specific executives and/or specialized external consultants, whose assistance is sought, as the case may be.

Access to such data may also be granted to competent supervisory, investigative or other public authorities where there is a legal obligation or where judicial or other legal proceedings have initiated in the context of investigating a report.

 

D. TRANSFER OF PERSONAL DATA OUTSIDE THE E.U./E.E.A.

 Personal data collected in the context of the operation of the internal reporting system are not transferred outside the European Union and/or the European Economic Area. In the exceptional event that such a transfer becomes necessary, it will be ensured that appropriate data protection safeguards are provided and that the transfer takes place in compliance with applicable law.

 

Ε. RIGHTS OF DATA SUBJECTS AND POSSIBLE RESTRICTIONS

As a data subject you have the following rights that you may exercise at any time,  unless if the GDPR or applicable law provide otherwise:

  • Obtain confirmation on whether your personal data are being processed by the Company and, in the affirmative, access and obtain a copy of such data;
  • Update, modify and/or rectify your personal data, where it may be inaccurate or incomplete;
  • Request the erasure of your personal data, where the processing is unnecessary or unlawful;
  • Request the restriction of processing of your personal data, when you feel that your personal data are inaccurate or that the processing is unnecessary or unlawful;
  • Withdraw your consent to the processing of your personal data, when such consent serves as the legal basis for processing;
  • Request, under certain conditions, the portability of your personal data, namely, obtain a copy of your personal data in a structured, commonly used and machine-readable format, as well as request the transmission of your personal data to another data controller;
  • Object to the processing of your personal data;
  • File a complaint with the Hellenic Data Protection Authority. Regarding the competency of the Authority and for information on how to file a complaint, you may visit the website www.dpa.gr.

Please note that the exercise and/or degree of satisfaction of these rights may be restricted to the extent necessary to preserve evidence and investigate a report smoothly, as well as to protect the rights and freedoms of others involved in the reporting system. The right to information may, for example, not be satisfied for as long as it is deemed necessary for the purpose of preventing and confronting attempts to hinder reporting, obstruct, cancel or delay follow-up measures, in particular with regard to investigations, or attempts to identify reporting persons, and to protect them against retaliation.

 

  1. RAISING AWARENESS AND TRAINING

The Company promotes communication and training activities to ensure the widest possible knowledge and effective implementation of this Policy. To this end, adequate and repeated training (face-to-face and/or electronic) will be offered to staff and any interested party regarding the implementation of this Policy and the operation in general of the internal reporting system.

  

  1. AMENDMENTS TO THIS POLICY

The Company is committed to continuously improving the reporting system and ensuring its effectiveness. To this end, it will monitor the adoption of this Policy and review it on an annual basis. Amendments and updates hereof will be communicated appropriately and in a timely manner to all interested parties, by posting on the Company’s website and its internal network.

 

  1. CONTACT

If you have any questions regarding the protection of your personal data  or in case you need information about your rights as a data subject and how to exercise them, you may contact us:

  1. By post (To: ΜΑΝΤΖΑRIS SOCIETE ANONYME, Attention: Personal Data Officer, Thesi Tsakiri, Zevgolatio Korinthias, P.C. 200 01, Greece) or
  2. By email ([email protected]).

If you have any questions regarding the administration of the reporting system, the types of breaches that can be reported, or any other relevant request, you may contact us:

  1. By post (To: ΜΑΝΤΖΑRIS SOCIETE ANONYME, Attention: Report Receiving and Monitoring Officer, Thesi Tsakiri, Zevgolatio Korinthias, P.C. 200 01, Greece) or
  2. By email ([email protected]).

We would like to thank you for your participation in the continuous efforts of ΜΑΝΤΖΑRIS S.A. to ensure the highest level of ethical and professional conduct, maintain high standards of good governance and ethics and a working environment in which transparency, cooperation, integrity and mutual trust are upheld.