Internal information system policy
1. OBJECT
The purpose of this Policy is to regulate SALORO’s Internal Information System, establishing the principles, guarantees and procedures applicable to the receipt, management and investigation of communications relating to possible regulatory non-compliance or conduct contrary to the ethical principles of the organization.
This Policy is adopted in compliance with Law 2/2023 and other applicable regulations regarding regulatory compliance, personal data protection and good governance.
2. SCOPE OF APPLICATION
The Internal Information System is accessible to all persons who maintain or have maintained a professional, contractual or any other kind of relationship with the entity, including, among others, workers, members of the administrative and management bodies, suppliers, contractors, collaborators, as well as any person from the social or local environment who may be affected by the activity of the organization or have knowledge of possible irregularities.
This Policy applies to all communications made through the Internal Information System, regardless of the channel used for their presentation, as well as to all management, investigation and resolution actions derived from them.
3. PURPOSE OF THE SYSTEM
The purpose of the Internal Information System is to constitute an effective instrument for the detection, prevention and, where appropriate, correction of regulatory non-compliance, irregularities or conduct contrary to the ethical principles of the entity.
Likewise, the system is configured as an essential tool to foster an organizational culture based on integrity, transparency and regulatory compliance, guaranteeing the protection of informants against any type of retaliation and ensuring that communications received are managed diligently, objectively and impartially, in accordance with the principles established in Law 2/2023.
The system also contributes to compliance with the principles of sustainability, social responsibility and good governance, reinforcing the entity’s commitment to ethical and transparent management.
4. GUIDING PRINCIPLES
The system is governed by the following principles:
- Confidentiality: The confidentiality of the identity of the informant, the affected persons, and any third party mentioned is guaranteed. Under no circumstances will the identity of the informant or any information that allows their identification be revealed, except in cases legally provided for.
- Protection from retaliation: Any form of retaliation against persons who communicate information in good faith is prohibited.
- Independence and autonomy: The person responsible for the system will act with full functional independence and without receiving instructions.
- Good faith: All communications must be conducted in good faith. Misuse of the system may result in liability.
- Diligence: Communications will be handled in an agile, objective and documented manner.
5. COMMUNICATION CHANNELS
The Internal Information System provides individuals within its scope with various channels that allow for the submission of communications in an accessible, confidential, and secure manner, guaranteeing in all cases the protection of the identity of the reporting person.
In particular, communications may be made through the following means: a web form enabled for this purpose, a specific email address, a telephone channel or voicemail, as well as by requesting a face-to-face meeting with the System Manager, which must be held within a reasonable time.
The entity guarantees that all channels comply with the legal requirements of confidentiality, security and traceability, as well as the possibility of making communications anonymously, without prejudice to the fact that the provision of contact data may contribute to a better management and monitoring of the communication.
Notwithstanding the foregoing, informants may direct their communications to the external channels enabled by the competent authorities, in accordance with the provisions of Law 2/2023.
6. TYPOLOGY OF COMMUNICATIONS
The Internal Information System is intended for the communication of facts or conduct that may constitute violations of the legal system, regulatory non-compliance or breaches of the ethical principles of the organization.
By way of example and not limitation, the following situations may be reported: legal or regulatory non-compliance, conduct contrary to the code of ethics, risks or non-compliance in matters of occupational safety and health, environmental damage or risks, situations of harassment or discrimination, fraudulent practices, corruption or conflicts of interest, as well as violations in matters of personal data protection.
7. MANAGEMENT PROCEDURE
Communications received through the Internal Information System will be managed according to a procedure that guarantees their diligent, objective and confidential treatment, as well as respect for the rights of all persons involved.
First, the communications will be registered and subjected to a preliminary admissibility review. Where possible, an acknowledgment of receipt will be sent to the reporting party within a maximum of seven calendar days from receipt of the communication.
Subsequently, the corresponding investigation phase will be carried out, in which the reported facts will be analyzed, gathering the necessary information and guaranteeing at all times the presumption of innocence, the right to defense and the confidentiality of the affected persons.
Finally, a reasoned decision will be adopted, which may include the adoption of corrective, disciplinary, or other measures as deemed appropriate. The maximum period for responding to the communication will not exceed three months from its receipt, except in cases of particular complexity that justify an extension in accordance with applicable regulations.
8. PROTECTION OF PERSONAL DATA
The processing of personal data derived from the management of the Internal Information System will be carried out with full respect for the provisions of Regulation (EU) 2016/679 and Law 2/2023, guaranteeing at all times the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, integrity and confidentiality, as well as the principle of proactive responsibility.
Specifically, personal data will be processed solely for the purpose of managing, processing, investigating, and, where applicable, resolving communications received through the Internal Information System, as well as for taking any necessary corrective or disciplinary measures. The legal basis for this processing is compliance with a legal obligation applicable to the entity (Article 6.1.c of the General Data Protection Regulation), in relation to the obligations established in Law 2/2023.
The system may involve the processing of identifying and professional data, and, where applicable, special categories of data as defined in Article 9 of the General Data Protection Regulation, when necessary for the proper investigation of the reported facts. In any case, processing will be limited to strictly relevant and necessary data, avoiding the collection or storage of excessive or irrelevant information.
The confidentiality of the identity of the informant, as well as any third party mentioned in the communication, will be guaranteed, adopting appropriate technical and organizational measures to prevent unauthorized access, including access restriction, traceability of actions taken and the establishment of reinforced confidentiality duties for persons involved in the management of the system.
Personal data will be kept only for the time necessary to process the communication and, in any case, for a maximum period of three months from its introduction into the system, unless its retention is necessary for the continuation of the investigation or for the adoption of legal measures, in which case it will be blocked in accordance with the applicable regulations.
Interested parties may exercise their rights of access, rectification, erasure, objection, restriction of processing, and other rights recognized in data protection regulations through the contact channels provided by the entity. The exercise of these rights may be limited to the extent necessary to guarantee the confidentiality of the informant’s identity or the proper conduct of the investigation, in accordance with applicable regulations.
Likewise, the entity will ensure that interested parties can access additional information on the processing of their personal data through the corresponding Privacy Policy of the Internal Information System, available on the corporate website (www.saloro.com).
9. SYSTEM MANAGER
The Internal Information System will be managed by a person formally appointed by the entity, who will perform their duties with full functional independence and autonomy, without receiving instructions in the performance of their responsibilities, guaranteeing impartiality at all times in the management of communications received. The appointment will be made based on criteria of suitability, professionalism, and absence of conflict of interest, in accordance with the provisions of Law 2/2023.
Where a direct or indirect conflict of interest, or any circumstance that compromises the objectivity of the responsible person, may arise, this person must refrain from intervening and activate the substitution mechanisms provided by the entity, ensuring in all cases that the management of the system is carried out by an independent person without a conflict of interest.
10. SECURITY AND CONTROL MEASURES
The entity will adopt the necessary technical and organizational measures to guarantee the security, integrity and confidentiality of the information managed through the Internal Information System, in compliance with the provisions of Regulation (EU) 2016/679 and Law 2/2023.
Specifically, control mechanisms will be established to ensure restricted access to information exclusively for authorized personnel, traceability of all actions taken on received communications, and the implementation of enhanced confidentiality measures. Furthermore, the system may be subject to periodic reviews and internal or external audits to verify its proper functioning, detect any deficiencies, and guarantee its compliance with current regulations and best governance standards.
11. RESPONSIBLE USE OF THE SYSTEM
The Internal Information System must be used responsibly, ethically, and in accordance with its purpose, which is none other than the communication of relevant facts related to possible regulatory non-compliance or irregular conduct.
In this regard, the use of the system for making false, unfounded, or malicious communications, as well as its use for purposes other than those set forth in this Policy, is expressly prohibited. Misuse of the system may give rise to liability under applicable law.
12. APPROVAL AND REVIEW
This Policy has been approved by the entity’s governing body and forms an integral part of its regulatory compliance and good governance system.
The entity undertakes to periodically review its content, as well as to update it when necessary, in order to ensure its compliance with current regulations, in particular Law 2/2023 and Regulation (EU) 2016/679, as well as with best practices in compliance, integrity and sustainability.
