Complaints channel procedure

1. COMPLAINTS PROCEDURE

The company’s management approves and documents in writing this procedure that regulates the complaints channel, detailing the operation of the system in all the points listed below.

2. OBJECT

a) Scope of application

The whistle-blowing channel shall apply to the entity’s employees and to all personnel who maintain a contractual relationship with the company, such as collaborators, suppliers, subcontracted companies, etc.

b) Mandatory nature

It is essential that the company’s management establishes the mandatory nature of the whistleblower channel, and it is also necessary that the workers’ representatives have been previously informed, as established in Article 64 of the Workers’ Statute.

c) Disclosure

The whistle-blowing channel shall be disclosed to all employees and persons who are linked to the company. Information about its existence must be included in all contracts entered into by the company (employees, suppliers, customers, external collaborators, etc.) as well as on the company’s website.

Both the complainants and the accused must be informed in advance of the existence of the complaints channel and the processing of the data involved in filing a complaint, as well as the consequences that such a complaint may have for the accused.

3. CHARACTERISTICS

a) Consent

In order to implement the internal reporting system, it is not necessary to have the consent of the company’s employees. Nor is it necessary to have the consent of these employees for the communication to third parties of the data of the complaint, in order for them to investigate the reported facts.

Thus, the implementation of a whistle-blowing channel does not require the consent of the interested parties as long as there is a contractual relationship with them and they are informed of the existence of such a system, and this information is incorporated into the established contractual relationship.

b) Filing of complaints

The whistle-blowing channel must be available to any interested party who has a relationship with the company, using a link included in the e-mail sent to the interested party. This link will give access to the complaint form.

It is important to bear in mind that the facts reported must have a direct implication in the relationship that exists between the complainant and the accused. In other words, not just any type of behavior can be the object of the complaint, but those facts that are related to the contractual relationship with the company.

c) Behavior

Criminal behavior or actions can be reported in areas such as: respect for ethical values, respect for people’s dignity, manipulation of information, corruption and bribery, loyalty to the company, political neutrality, relations with customers, contractors and suppliers, etc.

d) Penalties

Both the complainants and the accused must have been previously warned of the consequences that this fact may entail for both, i.e. the sanctions that it entails in accordance with the disciplinary regime of the entity, without prejudice to possible responsibilities of another nature that may correspond according to the judgment of judges, courts and competent bodies.

e) Double investigation

In this sense, the complaint can have a twofold aspect:

1. On the one hand, it must be verified whether the behavior of the accused is really irregular.

2. On the other hand, it must be verified whether the complainant has communicated a false report, and in this case it must be clarified whether it is a simple mistake or whether he acted in bad faith and with the intention of harming the defendant.

f) Confidentiality

It is essential to guarantee the confidentiality of information to the whistleblower during the entire process. In this sense, the term confidentiality refers to all aspects of the complaint, such as data on the complainant, facts, and persons whose conduct or actions may constitute a crime. Such confidentiality may be suspended when knowledge of the facts is required by judges, courts or competent authorities.

g) Anonymous complaints

The Spanish Data Protection Agency “does not allow” companies to accept anonymous complaints, thus guaranteeing the accuracy and integrity of the information required by data protection regulations; otherwise, the “duty of quality” established in Article 4 would be violated.

h) Retaliation

The whistleblower must be clear that in addition to the confidentiality of his identification data, he is also guaranteed that he will not be subject to any type of reprisal for the fact of reporting. In this sense, the whistleblower must be informed that in the case of being related to the reported facts, the report made will have an attenuating character for him/her, as a consequence of the confession prior to the discovery of the crime and by diminishing its effects.

4. COMPLAINTS COMMITTEE

a) Independence

The whistleblowing committee must enforce the whistleblowing procedure and ensure effective management of the system. It must be a fully independent body within the company, composed of the Compliance Officer and the heads of the main areas or departments of the company.

In the event that a committee member is involved in a complaint, he/she shall refrain from participating in the handling of the complaint and shall immediately inform the committee of this circumstance.

b) Functions

The functions of the complaints committee are as follows:

● Receive the complaint.
● Decide whether the complaint is dismissed or processed.
● Designate for each complaint the person in charge of the investigation.
● Approve and give reasons for exceptions to the procedure.
● Ensure compliance with the obligations established by the Data Protection Law.
● Report to the board of directors.
● Appoint a secretary to keep minutes of the meetings.

c) Person in charge of instruction

The person in charge of instruction must be a department director, and his/her main functions are:

● Designate the instructor who will conduct the investigation of each complaint.
● Set actions, priorities and deadlines for implementation.
● Approve the report issued by the instructor with the result of the investigation.
● Verify compliance with the implementation of the security measures established by the Data Protection Law.

d) Instructor

The instructor shall be appointed from among the personnel forming part of the department whose director is responsible for instruction, and his/her main duties are:

● Document and record complaints received.
● Investigate the facts and gather evidence.
● Document and record all actions taken.
● Prepare the report under the supervision of the person in charge of instruction.
● Comply with the requirements of data protection regulations.

5. CONSERVATION OF DATA

a) Deadlines

● From the beginning of the investigation until its completion the term may not exceed 6 months.
● From the completion of the investigation:
o If the facts are not proven, the term may not exceed 2 months.
o If the facts are proven, the term may not exceed 2 months from the end of the procedure.

b) Blocking

After the aforementioned deadlines, the cancellation of the information implies the blocking of the information, in case subsequent liabilities may arise, which is feasible in this area. It is recommended that the information be blocked for a reasonable period of one year.

The term “Block” means to keep the documentation separately, without any processing and in complete confidentiality. Such information may only be used at the expense of a judicial claim or other public administration with authority in the matter.

6. INFORMATION TO INTERESTED PARTIES

a) Duty to inform the complainant

The reporting channel should provide for the following information to be provided to the whistleblower:

● Company name and address of the data controller performing the processing.
● Purpose of data processing.
● Strict confidentiality of data, except for possible communications to third parties involved (witnesses) in the investigation or judges and courts.
● Consequences of making a false or bad faith report.
● No retaliation by the company.
● Inform about how to exercise ARCO rights.
● Communicate that anonymous complaints will not be processed (Art. 4 of the LOPD).

b) Duty to inform the defendant and third parties involved.

The company must inform within 3 months from the day on which the complaint is received, both the person complained of and the third parties involved (affected parties, witnesses, etc.).

This duty of information does not imply revealing the identity of the whistleblower or data from which his or her identity could be deduced, but rather providing the following information:

● That it has been reported through the whistleblower channel.
● The facts denounced.
● Company name and address of the data controller performing the processing.
● Purpose of data processing.
● Strict confidentiality of data, except for possible communications to third parties involved in the investigation or judges and courts.
● Inform about how to exercise ARCO rights.

An individual meeting must be held with each interested party (reported, affected and witnesses) within a maximum period of 3 months in order to draw up minutes containing the questions on the reported facts and including the information clause, so that it can be approved for compliance with any requirement that may be made by the Spanish Data Protection Agency.

7. ARCO RIGHTS

a) Access

The right of access of the defendant only allows him/her to obtain information about his/her personal data, and never about the identification data of the complainant or other third parties, otherwise we would be dealing with a case of transfer of data without consent.

b) Cancellation

The right of cancellation may not be exercised during the processing of the complaint.

c) Opposition

The respondent cannot exercise the right of opposition, i.e. he/she cannot oppose the processing of his/her data in the complaint system.

d) Obligation to answer

Regardless of any rights requested by the respondent, the company is obliged to reply to the interested party provided that the request has been made in due time and form.

8. SECURITY MEASURES

a) On access security

● Permission to access complaints should be granted to a small group of people who need it.
● There must be an up-to-date list of users with access.
● User IDs and passwords must be changed at least once a year.
● For each access attempt, the system will store the following information for at least 2 years:
o The identification of the accessing user.
o The date and time of the access.
o The file accessed and whether the access was authorized.
● The confidentiality commitment must be signed by the persons in charge of managing the whistleblowing channel and access permission.

b) About information

● The complaints committee should be informed of any anomalies or nonconformities that appear.
● A record should be kept of incoming and outgoing information sent to judges, courts, etc.
● The audit required by the Data Protection Law must be carried out on the internal complaints file at least every 2 years, reporting the result to the company’s management.
● All information regarding internal complaints should be in the information system, including e-mails as well.
● Backups should be performed at least once a week.
● Data cannot be stored on portable devices, USB, and/or flash drives.
● The safety officer, or person delegated by him/her, shall be responsible for reviewing at least once a month the recorded control information and shall prepare a report regarding such reviews and the problems detected.

9. PENALTIES FOR NON-COMPLIANCE

a) Data Protection Law

The implementation of a whistleblower channel without complying with the requirements established by the Data Protection Law may result in the following sanctions:

● Accepting and handling anonymous complaints: This is a serious offense ranging from 40,001€ to 300,000€.
● Failure to remove (block) the data of the complaint in due time: This is a serious offense ranging from 40,001€ to 300,000€.
● Failure to inform the complainant: This is a minor offense ranging from 600€ to 40,000€.
● Failure to inform the defendant or affected third parties: This is a serious offense ranging from 40,001€ to 300,000€.
● Failure to comply with the required security measures: This is a serious infraction ranging from 40,001€ to 300,000€ or very serious ranging from 300,001€ to 600,000€.
● Failure to obtain authorization for TID: This is a very serious infraction ranging from 300,001€ to 600,000€.

b) Internal disciplinary regime

Independently of the above sanctions, the company may apply the sanctions established in the internal disciplinary regime as a consequence of faults committed by employees or collaborators. The amounts established in these sanctions will be applied according to various criteria, such as the continued nature of the infraction, recidivism and degree of intentionality.

10. GROUP OF COMPANIES

a) Location

In the case of a group of companies, the parent company or the company that manages the processing of the complaint channel must take into account whether the transfer of data is carried out with another company of the group, which is located:

● In a country belonging to the European Economic Community.
● In a country whose data protection level is comparable to the European level.

● Or it is a U.S. entity that adheres to the “safe harbor” principles.

b) Authorization

If none of the above cases applies, the transfer constitutes what is called an International Data Transfer (TID), which requires that prior authorization be requested and obtained from the director of the Spanish Data Protection Agency. Note that the procedure to obtain such authorization may take up to a maximum of 3 months from the date of application.

11. EXTERNAL MANAGEMENT

a) Justification

The external management of the whistleblowing channel is justified by the possible weaknesses that may arise from the fact that the company’s personnel may not be confident about the confidentiality of their data and, consequently, may be afraid to report.

On the other hand, there can be no assurance that the company’s management of the whistleblower channel provides objective and independent handling of complaints.

And finally, the company’s personnel who receive the complaints are not experts in detecting crimes and criminal conduct.

b) Image

These circumstances make it advisable in many cases to outsource the internal complaint management service, since poor or inefficient management of this service can be counterproductive for the company’s image.

c) Procedure

You can file a complaint with the Compliance Officer by following the link below: Canaldenuncia@rubicon interacional.com complaints page.

Legal notice Rubicon trademark registration

Please note that M4225240(7) – RUBICON INTERNATIONAL and M4225243(1) – RUBICON SIGNATURE are registered trademarks of RUBICON FINANCE NETWORK, S.L.

Anyone who uses the word “RUBICON” without our consent will be obliged to cease the acts that violate our trademark rights, with the following consequences in particular: compensation for the damages suffered; the adoption of the necessary measures to prevent the continuation of the infringement and, in particular, the removal from the market of the products, packaging, wrappings, advertising material, labels or other documents in which the infringement of the trademark right has materialized; and the publication of the judgment at the expense of the convicted party, by means of announcements and notifications to the persons concerned.

We also warn you that according to article 34.3 e) of the Trademark Law: The registration of a trademark confers to its owner the right to prohibit, in particular, the use of the sign in telematic communication networks and as a domain name.