1.1. The present Whistleblower Notice (“Notice“) is intended to provide you with clear and easily accessible information about the terms and conditions for whistleblowing through an internal channel of Amusnet Interactive Ltd, UIC 203773449, with its registered office and registered address at Garitage Park, Building No. 4, Floor 2, ul. “2, Donka Ushlinova Str. Sofia 1766 (the “Company“), pursuant to the Whistleblower Protection Law (the “Law“).
2. WHAT BREACHES CAN YOU REPORT?
2.1. Under Bulgarian law, you may report breaches relating to violations of Bulgarian law or of European Union legislation in the field of:
- financial services, products and markets; and the prevention of money laundering and terrorist financing;
- protection of privacy and personal data;
- security of networks and information systems;
- breaches affecting the financial interests of the European Union within the meaning of Article 325 of the Treaty on the Functioning of the European Union;
- breaches relating to the internal market, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union;
- breaches relating to cross-border tax schemes;
- an offence of a general nature of which you have become aware in connection with the performance of your work or the performance of your duties;
- the rules on the payment of outstanding public state and municipal debts;
- employment law.
3. WHO CAN SUBMIT A REPORT?
3.1. A natural person may submit reports and/or publicly disclose information about violations known to him/her in his/her capacity as:
- an employee, public servant or other person performing work in exchange for payment, regardless of the nature of the work, the method of payment or the source of funding;
- a person working without an employment relationship and/or in a liberal profession and/or craft;
- volunteer or trainee;
- partner, shareholder, sole proprietor, member of the management or supervisory body of a commercial company, member of the audit committee of an undertaking;
- a person working for a natural or legal person, its subcontractors or suppliers;
- an applicant for employment who has participated in a competition or other form of selection for employment and who has been informed of an infringement in that capacity;
- an employee, where the information was obtained in the course of an employment or service relationship which has terminated at the time of the alert or public disclosure.
3.2. Protection shall be granted to:
- any other whistleblower who reports a violation of which they have knowledge in a work context;
- persons who assist the whistleblower in the reporting process;
- persons who are associated with the whistleblower and who may be subjected to retaliation for whistleblowing;
- legal entities in which the whistleblower has an ownership interest, works for, or is otherwise associated with in a business context.
3.3. In the event that the whistleblowing is credible and justified, the protection under the Law shall be available to you from the time of the whistleblowing or public disclosure of information about a breach.
4. WHAT ARE THE CONDITIONS TO GET PROTECTION?
4.1. You have the right to a defence provided that you:
- had reasonable cause to believe that the information provided about the breach in the alert was correct at the time of submission and that such information falls within the scope of section 2.
- made a whistleblowing report in compliance with the Law.
4.2. You will not be prosecuted or protected in respect of anonymous whistleblowing (unless you have been subsequently identified) and whistleblowing relating to breaches that occurred more than two years ago.
5. HOW AND WHERE CAN I REPORT?
5.1. In the event that you wish to report the breaches referred to in section 2 and if there is reasonable cause to believe that the information is correct, you may do so by one of the following means:
- sending an e-mail to: [email protected]. We will contact you within 7 days for the signature of the required form and to check if there are any irregularities that need to be corrected;
- a meeting, with the Responsible Persons.
5.2. If a verbal report is made, we will record it on a form which you will be asked to sign.
5.3. The report must contain at least: three names, address and telephone number of the sender, e-mail address (if available), names of the person against whom the report is made (where the report is made against specific persons and they are known), specific details of the offence or of a real risk of such an offence being committed, place and period of the offence, if any, description of the offence or the situation and other circumstances as far as such are known to the reporting person, date and signature.
5.4. We will take immediate action to ensure your confidentiality.
5.5. In addition, you also have the right to report to an external channel, namely the Commission for Personal Data Protection https://www.cpdp.bg, and the right to make information public, in accordance with the Law.
6. WHAT CAN I EXPECT AFTER I REPORT A BREACH?
6.1. Once you have reported a breach, we will check whether it is credible and, if so, we will take the necessary follow-up action to uncover the objective truth and gather all necessary evidence, including from the parties concerned and the person against whom the report has been made, while respecting the confidentiality and privacy of your personal data.
6.2. If necessary, we may contact you for further information and documentation.
6.3. In the event that there is a reasonable belief that there is a risk of retaliatory, discriminatory action, and that effective measures will not be taken to verify the reported information, the breach may be communicated through an external submission channel, namely to the Commission for Personal Data Protection.
6.4. Once we have produced a written report and before 3 months have elapsed since the whistleblowing, we will contact you to provide feedback on your whistleblowing.
6.5. Where the breach is minor and does not warrant further follow-up action and in the case of a repeated report that does not contain new information relevant to the breach, the file on your report may be closed.
6.6. The Company shall consider all whistleblowing reports in accordance with the principles of confidentiality, impartiality, fairness, independence and absence of conflict of interest.
6.7. The Company shall ensure that whistleblowers are protected from retaliatory actions that disadvantage them and shall not allow such actions to take place within its organisation.
7. YOUR LIABILITY
7.1. Whistleblowing or public disclosure of false information shall be liable for administrative penalties under Article 45 of the Whistleblower Protection Law.
7.2. In the event of manifestly false or misleading statements of fact, your alert will be returned with instructions to correct the statements and a warning of the liability you bear, namely a fine of up to BGN 7,000.
8. WHISTLEBLOWER NOTICE AVAILABILITY
8.1. This Notice is available on our website, namely https://www.amusnet.com/whistleblowing, and prominently displayed at our offices.
9. PERSONAL DATA
9.1. Amusnet Interactive Ltd will process your personal data for the purposes of handling a report of a breach.
9.2. The information relating to a whistleblowing, as well as the identity of the whistleblower and the person concerned, and other persons named in the whistleblowing report or made known in connection with the whistleblowing report, are protected. Access to your personal data will only be granted to the persons responsible for handling whistleblowing, as well as governmental and supervisory authorities, in cases defined by law.
10. UPDATING THE WHISTLEBLOWER NOTICE
10.1. This notice may be subject to amendment, with the latest effective date being 04.05.2023. Any future changes or additions to information described in this notice that affect you will be communicated to you through an appropriate channel depending on the usual mode of communication.
NOTICE ON THE CONFIDENTIALITY OF PERSONAL DATA PROCESSED IN RELATION TO REPORTS ON BREACHES
The purpose of this notice is to inform individuals about how we process the personal data of whistleblowers or persons who publicly disclose information about breaches, of persons other than the whistleblower who are afforded protection, and of persons against whom a report is made.
WHO WE ARE?
The controller of personal data is Amusnet Interactive Ltd, UIC 203773449, with registered office and management address in Garitage Park, building No. 4, floor 2, ul. “2, Donka Ushlinova Str. Sofia 1766 (“the Company“, “we“).
The contact of our Data Protection Officer is:
Data Protection Officer: atty. Desislava Dimitrova-Cholakova
Email: [email protected] Amusnet Interactive Ltd.
PERSONAL DATA WE PROCESS
- Data identifying you – Name, national ID number or date of birth, details of the capacity in which you are submitting the report
- Contact details – Current or permanent address, email, phone number
- Other information provided on the basis of your explicit consent – We may also process special categories of data, subject to your explicit consent
- Information relating to the persons to whom protection is granted as well as the persons concerned – Names, position, capacity in which the person submits the report, telephone number, correspondence address and/or e-mail address, and other data that may be provided in connection with the report
BASIS FOR PROCESSING
The basis for the processing of the personal data described above is for the purpose of fulfilling a legal obligation under the Whistleblower Protection Law, SG No. 11 of 2 February 2023, effective 4 May 2023 (the “Law“), namely: for the purpose of providing an internal whistleblowing channel.
1. Report registration and handling;
2. Providing protection to the whistleblower, the individuals related to the whistleblower, as well as the person concerned;
3. To fulfil an obligation imposed by Bulgarian or European Union law in the context of investigations by national authorities or judicial proceedings, including with a view to guaranteeing the right of defense of the person concerned;
4. To hold the whistleblower accountable and to protect the legitimate interests of the Company in the cases defined by law.
CONFIDENTIALITY OF INFORMATION
We protect information related to whistleblowing, including but not limited to the identities of whistleblowers and persons concerns, and take necessary measures to protect that information.
Access to information relating to whistleblowing, including the identity of whistleblowers and persons concerned, shall be provided, subject to the Law, only to employees and other persons within the Company and to the person responsible and designated for registering the reports (including where such person is outside the Company).
Within the Company, access to the information shall be limited to the employees responsible for handling reports. A person against whom a report has been made shall not have access to the information relating to that report, except where the provision of the information is required by law. Access may also be granted to other people depending on the specifics of a particular case.
Disclosure of the identity of the whistleblower and/or other information concerning the report shall be authorized only with the express consent of the whistleblower.
Notwithstanding the foregoing, the identity of the whistleblower, and any other information from which the identity of the whistleblower may be revealed, directly or indirectly, may be disclosed where this is necessary and is a proportionate obligation imposed by Bulgarian or European Union law in the context of investigations by national authorities or legal proceedings, including with a view to ensuring the right of defence of the person concerned.
The Company shall provide to persons reporting or publicly disclosing information about breaches, to persons other than the whistleblowers who are afforded protection, and to persons against whom a report has been made, all the rights set out in national and European legislation, including the right:
1. on request, to receive all necessary information relating to the processing of the data provided by you, including, if possible, a copy;
2. to request from the Company access to, rectification, erasure/deletion of personal data or restriction of the processing of personal data, if the prerequisites for this are present;
3. to object to the processing, as well as to lodge a complaint with the supervisory authority – the Commission for Personal Data Protection (CPDP) (Sofia 1592, 2 Tsvetan Lazarov Blvd. or www.cpdp.bg) in case of unlawful processing of data;
4. to withdraw your consent at any time, without negative consequences for you, when the basis for processing is consent;
5. to exercise your right to portability.
In certain cases, informing the whistleblower at an early stage may be detrimental to internal reports examination. Where, at the Company’s discretion, it is considered that there is a high risk that providing access will impede the procedure or undermine the rights and freedoms of others, the Company may impose a restriction on the provision of specific information or a delay in its provision.
All requests related to personal data such as: information, access, deletion, withdrawal of consent, etc. described above, shall be made in writing, signed by you and transmitted to the Company for processing at the e-mail address: [email protected] or at the Company’s management address. The request must contain three names and, in the event that it relates to specific personal data – these should be specified, together with the precise right being exercised.
DATA PRIVACY MEASURES
The Company has put in place technical and organizational measures to protect information relating to whistleblowing, including the identity of whistleblowers and affected individuals, against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other types of unlawful processing. Special attention shall be paid to sensitive data. Some of the measures taken are: encryption, pseudonymization, redundancy, access control, strict confidentiality, periodic training, etc.
DATA TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA
Your personal data is not transferred outside the EU/EEA. Should such processing be necessary, appropriate safeguards will be used to ensure that such transfer is carried out in accordance with applicable data protection rules, including legal grounds.
- data and materials relating to a specific report shall be kept for a period of 5 (five) years;
- in the event of disciplinary, administrative, criminal and/or civil proceedings, the data shall be kept until the final conclusion of such proceedings and for a period of 5 (five) years thereafter, for the purpose of establishing, exercising and defending against legal claims, actions, administrative and other acts, unless a shorter or longer retention period is specified by law or other regulatory act;
- data which are found to be manifestly irrelevant to a report shall be kept for up to 2 (two) months after their irrelevance has been established.
Updating the privacy notice
This notice may be subject to change and was last updated on 04.05.2023. Any future changes or additions to the processing of personal data described in this notice will be communicated through an appropriate channel.