Global Whistleblowing Policy
1. About this policy
1.1 The Cyncly Group including all affiliates (Group) is committed to the highest possible standards of openness, integrity and accountability and encourages any individual who has genuine concerns about an alleged breach in the organisation (e.g. unethical behaviour, forms of malpractice, illegal acts, failure to comply with regulatory requirements, accounting irregularities, or violations of company policy) to raise those concerns at an early stage through the Group's internal reporting channel.
1.2 A Breach is any event, incident, situation, act, or omission believed to violate Group policy or procedure or applicable law or regulation, related to the areas of concern listed in article 3 of this policy (Breach or Breaches).
1.3 You are encouraged to share any concerns or information regarding Breaches, including reasonable suspicions about actual or potential Breaches, whether occurring within the Group or being committed by an entity or an individual acting on the Group's behalf, as well as any attempts or suspected attempts to conceal a Breach.
1.4 The Group strives to foster a workplace conducive to open communication regarding Group business practices. We are committed to ensuring any individual who reports an actual or potential Breach through the reporting channels set out in this policy is protected from unlawful retaliation and discrimination if they make a report with reasonable grounds to believe the information in the report is true. The Group takes all reports of actual or potential Breaches seriously and is committed to ensuring that reported Breaches are addressed discretely and effectively within the Group to determine the appropriate course of action in accordance with Group policy and all applicable laws, including but not limited to the stipulations of the European Directive of 23 October 2019 on the protection of persons who report breaches of Union law (2019/1937).
1.5 In furtherance of these commitments, this policy:
(a) gives guidance on the receipt, retention, and treatment of verbal or written reports of actual or suspected Breaches received by the Group;
(b) gives guidance on how to report information regarding an actual or suspected Breach in a confidential and, where applicable, anonymous manner; and
(c) makes clear the Group's intention to discipline or terminate the employment of any person determined to have engaged in retaliatory or discriminatory behaviour.
1.6 The Group will ensure that all individuals who fall within its scope are able to view a copy of this policy in a format which they can readily understand, particularly catering for those whose first language is not English and those who have difficulty with reading.
2. Prevailing of Local Laws; Country-specific Annexes
If there is a conflict between this Global Whistleblowing Policy and applicable local laws or regulations, these local laws, regulations as well as any local implementation law (e.g., local policy, works council agreement or collective bargaining agreement), take priority over this Global Whistleblowing Policy. Country specific rules in relation to Italy and Germany are set out in the appendices to this policy.
3. Scope
This policy applies to the following individuals who acquire information on a reportable Breach in a work-related context:
3.1 employees or workers with permanent or limited-term contracts;
3.2 contractors;
3.3 sub-contractors;
3.4 volunteers;
3.5 agency workers where the worker is supplied by a third person to the Group;
3.6 self-employed individuals;
3.7 shareholders;
3.8 members of the company's administrative, management and supervisory bodies (including non-executive members);
3.9 anyone working under the supervision and direction of contractors, subcontractors and suppliers;
3.10 anyone in any of the above categories whose work-based relationship with the company is yet to begin or has ended.
4. Concerns covered by the policy
4.1 This policy is designed to cover the reporting of an actual or suspected Breach involving the following areas:
(a) public procurement;
(b) financial services, products and markets;
(c) prevention of money laundering;
(d) prevention of terrorist financing;
(e) product safety and compliance;
(f) transport safety;
(g) protection of the environment;
(h) radiation protection and nuclear safety;
(i) food and feed safety;
(j) animal health and welfare;
(k) public health;
(l) sexual harassment;
(m) violence in the workplace;
(n) consumer protection;
(o) protection of privacy and personal data;
(p) security of network and information systems;
(q) Breaches affecting the financial interests of the EU;
(r) Breaches relating to the EU internal market including Breaches of:
(i) competition and State aid rules;
(ii) rules on corporate tax including any tax arrangements;
(s) allegations of potential violation of company policy or procedure;
(t) allegations of potential violation (either directly or indirectly) of compliance with internationally recognised human rights and good and fair working conditions (such as, but not limited to, UN international covenants and ILO core conventions);
(u) any misconduct such as violations of local laws or regulations that could potentially give rise to criminal or regulatory liability for the Group or its employees, including but not limited to:
(i) allegations of anti-corruption and sanctions;
(ii) account irregularities;
(iii) fraud;
(iv) conflict of interest;
(v) misappropriation of assets.
4.2 You are encouraged to report any Breach which you reasonably believe is unlawful and is causing you concern.
4.3 Your report can relate to any Breach anywhere in the world; it is not restricted to matters purely arising in the country where you work.
5. Protection against retaliation
5.1 The Group appreciates that the decision to raise a concern can be a difficult one to make, not least because there may be a fear of reprisal from those who may be involved the Breach (e.g. those who may have committed the Breach, etc). The Group will not tolerate retaliation against any person who raises a concern through the reporting channels provided in this policy where they have reasonable grounds to believe that the information in the report is true at the time of reporting, even if it transpires that there is no basis for concluding that any Breach has occurred or is likely to occur. In addition, the Group prohibits discrimination on the grounds of gender, gender reassignment, marital or civil partnership status, race, colour, nationality, ethnic origin, national origin, disability, age, sexual orientation, religion or belief, or any other prohibited grounds, when addressing concerns that have been raised.
5.2 The protections against retaliation and discrimination also apply, where relevant, to:
(a) facilitators;
(b) third persons who are connected with the reporting persons and who could suffer retaliation in a work-related context; such as colleagues or relatives of the reporting persons; and
(c) legal entities that the reporting person owns, works for or are otherwise connected with in a work-related context.
5.3 The Group will take appropriate steps to protect all impacted individuals, including taking necessary action, which may include but is not limited to disciplinary action or dismissal, against anyone who is found to be pursuing any form of retaliation or discrimination, or has threatened to do so.
6. False allegations
Just as the Group will seek to protect those who raise concerns where they have reasonable grounds to believe that the information in the report is true at the time of reporting, it will also protect those who are accused of a Breach in a report which is false. The Group will take necessary action against any individual who knowingly reports false information, which may include but is not limited to disciplinary action or dismissal.
7. Raising a concern
7.1 General principles
(a) The Group encourages individuals to raise a matter when it is just a concern, as long as they have reasonable grounds to believe that the information in the report is true, rather than waiting for proof or investigating the matter themselves. Acting sooner rather than later can avoid any further potential damage. Reports will be treated with confidentiality.
(b) The Group encourages individuals to ask questions and discuss concerns with their supervisor, who can often be an excellent resource. However, the Group recognizes that you may not always feel comfortable raising concerns with a supervisor and, as such, you can report any concern via the internal reporting channels, as detailed in section 7.2.
(c) Reports may be made on an anonymous basis, but individuals are encouraged to submit their name with their report. Concerns expressed anonymously are less powerful and tend to be more difficult to address effectively, but will nonetheless be considered and dealt with by the Group to the fullest extent possible.
7.2 Outsourced reporting
(a) The Group's reporting channel for whistleblowing reports is operated externally by Whistleblower Software which has been designated to carry out this function.
(b) You may make your report orally, in writing or in person:
(i) to make an oral report visit: https://whistleblowersoftware.com/secure/9a45e341-d9c3-414d-846c-cfb727417b67;
(ii) to make a written report visit: https://whistleblowersoftware.com/secure/9a45e341-d9c3-414d-846c-cfb727417b67
(iii) to make a report in person visit: https://whistleblowersoftware.com/secure/9a45e341-d9c3-414d-846ccfb727417b67.
If you choose to make an oral report or report in person, Whistleblower Software shall either record the conversation or draft a complete and accurate transcript of the conversation. You will be given the opportunity to check, correct and ensure the accuracy of the written transcript of the conversation.
(c) All reports of actual or suspected Breaches must be factual and contain as much information as possible. All reported information, including the identity of the reporter, is treated as confidential subject to applicable legal and regulatory requirements.
(d) Whistleblower Software will be responsible only for receipt of and acknowledging receipt of your report within seven days of your report being made.
(e) The Legal Department (legalteam@cyncly.com) has been designated to carry out and will be responsible for:
(i) maintaining communication with you including asking for further information on the report, where necessary;
(ii) diligently following up/investigating your report to assess the accuracy of the allegations made in the report;
(iii) ensuring a decision is made on any action required to address the breach reported or deciding to close the procedure;
(iv) providing feedback to you on your report including information on action envisaged or taken as a follow-up to the report and the grounds for such follow-up. Feedback will be provided within a reasonable timeframe which will not exceed three months from acknowledgement of receipt of your report.
7.3 The Group would expect that raising concerns internally through the central procedure would be the most appropriate action for you to take. However, if you feel that you cannot raise your concerns in this way and reasonably believe the information you wish to report is true, you may consider using the internal reporting channel of the local entity you have a work-based relationship with (if such separate local reporting channel exist). Details of existing local reporting channels, the procedures and the people or departments responsible for operating them, can be found in the country and legal entity-specific annexes attached to this policy.
7.4 Operating principles for investigating complaints:
(a) An investigation to establish all relevant facts will be conducted as sensitively and speedily as possible.
(b) Investigations will be carried out by an independent investigator who has had no previous involvement in the matter.
(c) In some instances it might be necessary to refer the matter to an external authority for further investigation, such as the Police.
(d) At the end of the investigation, the investigator will analyse all the evidence and make findings of fact, based upon the balance of probabilities, as to whether a Breach has occurred or is likely to occur.
7.5 Keeping and managing records
(a) When an individual makes an internal report, the Group will process any personal data collected in compliance with applicable laws and regulations and in accordance with its Data Protection Policy and Employee Data Privacy Notice. Data collected from the point at which an individual makes the report is held securely and accessed by, and disclosed to, only authorised individuals and only for the purposes of dealing with the report.
(b) Personal data collected by the Group as a consequence of a report under this policy will be incorporated to a database controlled by Consilio Midco Limited, for the purposes of processing the report and conducting any investigation required. The Group may also need to share personal data with other companies/subsidiaries within the Group, external investigative agencies, legal counsel and/or local authorities. Such third parties may be based in territories outside the EU, like the United States of America, which do not offer an equivalent level of protection on data privacy as in EU. Nevertheless, if data transfers outside the EU are needed, the Group will take appropriate measures to protect the data according to local regulations.
(c) Personal data which are not relevant for the handling of a specific report will not be collected or, if accidentally collected, will be deleted without undue delay.
(d) The Group recognises that it is important, and in everyone's interests, to keep written records during the concern raising process. Records will be stored for no longer than is necessary and in a way that is proportionate to comply with the Group's data privacy obligations and record-keeping obligations. Records that will be retained and treated as confidential, include:
(i) the nature of the concern raised;
(ii) a copy of any written notification setting out the nature of the concern;
(iii) key documents/evidence;
(iv) the investigation work papers;
(v) the investigator's report;
(vi) any written response by the Group, including any action taken and the reasons for the action taken; and
(vii) minutes of meetings.
(e) For reports made to the Group's recorded telephone line/recorded voice messaging system, subject to the consent of the reporting individual, the Group will document the oral report either:
(i) by making a recording of the conversation in a durable and retrievable form; or
(ii) by documenting a complete and accurate transcript of the conversation prepared by the Legal Department. The reporting individual will be offered the opportunity to check, rectify and agree on the transcript of the conversation by signing it.
(f) For reports made to the Group's unrecorded telephone line/unrecorded voice messaging system, the Group will document the report in the form of accurate minutes of the conversation written by the staff member responsible for handling the report. The reporting individual will be offered the opportunity to check, rectify and agree the minutes of the conversation by signing them.
(g) Where an individual requests a meeting for reporting purposes, the Group will ensure, subject to the consent of the individual, that complete and accurate records are kept of the meeting which will be either:
(i) by making a recording of the conversation; or
(ii) through accurate minutes of the meeting prepared by the staff member responsible for handling the report. The reporting individual will be offered the opportunity to check, rectify and agree the minutes of the meeting by signing them.
7.6 Duty to cooperate and preserve relevant evidence
From time to time, you may be asked to provide or preserve documents related to an investigation or may receive a request to participate in an investigative interview. All individuals subject to this policy are obliged to cooperate with Group investigations by timeously providing truthful accounts and relevant documents in response to interviews, questions and information requests. The destruction of documents or other evidence related to an investigation is prohibited. Any individual who fails to cooperate, or otherwise obstructs, impedes or improperly influences an investigation, or attempts to do so, will be subject to disciplinary action, or even termination of their employment, in accordance with the Group's applicable policies.
7.7 External reporting route
(a) This policy provides individuals with the opportunity and protection necessary to raise concerns internally through a central reporting procedure and the Group believes that the processes laid out herein are the most effective processes for dealing with reports of a Breach in a manner that serves the best interests of both the Group and any individual making a report. However, if you feel that you cannot raise your concerns in this way and reasonably believe the information you wish to report is true, you may consider reporting the matter to a competent external authority.
(b) You can also report via external reporting channels to competent investigating authorities. External reporting channels are in particular the European Union institutions, bodies, or agencies (where available, external reporting channels of the Commission, the European Anti-Fraud Office (OLAF), the European Maritime Safety Agency (EMSA), the European Aviation Safety Agency (EASA), the European Securities and Markets Authority (ESMA) and the European Medicines Agency (EMA)). External reporting is also possible with local investigating authorities.
(c) Further details on the options for external reporting can be found in the country-specific information attached to this policy.
8. Confidentiality
The Group's internal reporting processes are secure and confidential which means that:
8.1 no unauthorised staff member is allowed access to information held within it;
8.2 the identity of an individual who makes a report, together with any other information from which their identity may be directly or indirectly deduced, will be kept confidential and protected and will not be disclosed, without the individual's consent, to anyone beyond authorised individuals within the Group or their designees who are competent to receive or follow-up on a report;
8.3 by way of an exception, and subject to appropriate safeguards under the applicable European Union and national rules, the identity of a reporting person and any other information from which their identity might be deduced, may be disclosed where this is necessary in the context of an investigation by any national authority or in the context of judicial proceedings;
8.4 where an individual is referred to in a report as a person to whom a Breach is attributed or with whom someone who committed a Breach is associated, the Group will ensure that the individual's identity is kept confidential and protected for so long as investigations triggered by the report are ongoing and will ensure that the individual is treated fairly including being given the presumption of innocence and a right to be heard.
9. Monitoring and review
The Cyncly Group General Counsel and the Legal Department will be responsible for monitoring the effectiveness of this policy and taking remedial action where it is apparent that the policy and procedures may not be achieving the Group's overall aim.
10. Contractual status
This policy does not form part of any employee’s contract with the Group, however, the Group expects that its principles and procedures should be followed by all individuals within its scope. The Group reserves the right to change the content of this policy, as necessary, from time to time.
11. No waiver of rights
The rights of individuals to report concerns under this policy cannot be waived or limited by any agreement, policy, form or condition of employment and the Group will never require any such waiver or limitation of rights by any individual.
12. Periodic review of procedures
The Cyncly Group General Counsel and the Legal Department will review the procedures outlined above and consider changes to such procedures periodically.
Appendix – Country specific rules for Germany
1. Purpose of this Appendix
1.1 The purpose of this Appendix is to include country-specific rules for employees in Germany.
2. Concerns covered by the Policy (Section 3 of the Policy)
2.1 Reporting and disclosures under the Policy shall be limited to information on violations obtained in connection with the professional activity or in the run-up to a professional activity and which are breaches as defined in the German Whistleblower Protection Act, i.e., in particular,
(a) violation subject to criminal law (for example, fraud, bribery, corruption, competition law infringements, blackmailing, insider trading and other securities fraud, money laundering), or
(b) violation subject to a fine, to the extent that the violated regulation serves to protect life, limb or health or to protect the rights of employees or their representative bodies, or
(c) involve violations of national and European Union law in specific areas of law (as defined in the German Whistleblower Protection Act), including, but not limited to
(i) public procurement, prevention of money laundering and terrorist financing;
(ii) product safety and compliance;
(iii) transport safety;
(iv) protection of the environment; and
(v) protection of privacy and personal data and security of network and information systems, or
(vi) that concern public procurements (as defined in the German Whistleblower Protection Act), or
(vii) violations of regulations relating to the European Union internal market including breaches of competition and stat aid rules as well as rules on corporate tax including any tax arrangements (as defined in the German Whistleblower Protection Act).
2.2 For reporting on violations that are not subject to the German Whistleblower Protection Act (e.g. violations of the Code of Business Conduct and Ethics, provided that these do not also constitute violations under the German Whistleblower Protection Act, you (as employee) may contact your Germany-based supervisor or your Germany-based HR contact person.
3. Raising a concern (Keeping and managing records) (Section 7.5 of the Policy)
Reports shall be documented in compliance with the applicable data protection laws and regulations. In the case of telephone reports and reports using another form of voice transmission, an audio recording or a protocol is only made with the consent of the reporting person. In the absence of consent, the report shall be documented by means of a summary of the contents. The reporting individual will be offered the opportunity to check, rectify and agree the transcript of the conversation by signing it. In the case of a face-to-face meeting, the documentation shall be made by means of an audio recording or a protocol with the consent of the reporting person. Consent may be given by agreement (before the interview) or authorisation (after the interview).
4. Raising a concern (External reporting channel) (Section 7.7 of the Policy)
4.1 As indicated in section 6.7 of the Policy, if you feel that you cannot raise your concerns via the internal (local) reporting channel and reasonably believe the information you wish to report is true, you may consider reporting the matter to a competent external authority. In Germany, the following external reporting possibilities exist:
(a) the external reporting office of the federal government, which is to be located at the Federal Office of Justice;
(b) the Federal Financial Supervisory Authority (BaFin); and
(c) the Federal Cartel Office.
The federal states may also establish external reporting channels.
4.2 The Group invites you to make internal reports first so that we can follow up on them without delay and remedy possible grievances promptly. However, this is not mandatory before a report is made via external reporting channels.
Appendix – Country-specific rules for Italy
1. Local legal entity internal reporting channel
1.1 As indicated in article 6.2 of this policy, the Group would expect that raising concerns internally through the central procedure would be the most appropriate action for you to take. However, if you feel that you cannot raise your concerns in this way and reasonably believe the information you wish to report is true, you may consider using the internal reporting channel proper of the local entity you have a work-based relationship.
1.2 In Italy and with regards to DAU S.p.A., any reports can be made through the following local legal entity internal reporting channel:
(a) the Group's local legal entity internal reporting channel for whistleblowing reports is operated internally by the Legal Department who has been designated to carry out this function;
(b) You may make your report orally, in writing or in person:
(i) to make an oral report visit: https://whistleblowersoftware.com/secure/9a45e341-d9c3-414d-846c-cfb727417b67;
(ii) to make a written report visit: https://whistleblowersoftware.com/secure/9a45e341-d9c3-414d-846c-cfb727417b67;
(iii) to make a report in person visit: https://whistleblowersoftware.com/secure/9a45e341-d9c3-414d-846ccfb727417b67.
Where you choose to make an oral report or report in person, the reporting channels above have been designated to carry out this function shall either record the conversation or draft a complete and accurate transcript of the conversation. You will be given the opportunity to check, correct and ensure the accuracy of the written transcript of the conversation;
(c) all reports of actual or suspected Breaches must be factual and contain as much information as possible. All reported information, including about the identity of the reporter, is treated as confidential subject to applicable legal and regulatory requirements;
(d) The Legal Department will be responsible for:
(i) acknowledging receipt of your report within seven days;
(ii) maintaining communication with you including asking for further information on the report, where necessary;
(iii) ensuring your report is diligently followed up/investigated to assess the accuracy of the allegations made in the report;
(iv) ensuring a decision is made on any action required to address the breach reported or deciding to close the procedure;
(v) providing feedback to you on your report including information on action envisaged or taken as a follow-up to the report and the grounds for such follow-up. Feedback will be provided within a reasonable timeframe which will not exceed three months from acknowledgement of receipt of your report.
2. External reporting channel
2.1 As indicated in article 6.7 of this policy, if you feel that you cannot raise your concerns via the internal (local) reporting channel and reasonably believe the information you wish to report is true, you may consider reporting the matter to a competent external authority. With regard to Italy, it is also guaranteed an external reporting channel managed by the Italian Anti-Corruption Authority (ANAC).
2.2 In this respect, you could report externally to ANAC:
(a) if you filed a report locally, but the report did not have any effect.
(b) If you have justified reason to assume that report through the (local) reporting channel will not be effective or will be retaliatory.
(c) In case of imminent or manifest danger to the public interest.
2.3 To submit a report to the ANAC reporting channel, please click on the link below: