Internal Information System and Defense of the Informant
In accordance with Law 2/2023, of 20 February, regulating the protection of persons who report regulatory and anti-corruption infringements, Nuvolar Works (hereinafter referred to as “Nuvolar”) has established a unified Internal Information System.
This system ensures confidentiality, independence, and protection for all informants who, in good faith, report potential irregularities, breaches of law, or unethical behavior. It reflects Nuvolar’s commitment to transparency, integrity, and compliance with national and European legal standards.
This procedure describes the internal reporting channel, the rights of whistleblowers, and the protocols that guarantee a secure, fair, and supportive environment for all individuals who report concerns.
Responsible for the Internal Information System
The person Responsible for the Internal Information System (RSII) for Nuvolar is:
Marketa Bartova
HR Manager at Nuvolar
Email: ethics@nuvolar.com
In the event of conflict of interest, absence, or vacancy, the functions of the RSII will be temporarily assumed by the General Management through the appointed CEO, provided that no conflict of interest exists, acting with full independence and confidentiality in accordance with Article 8.3 of Law 2/2023.
Purpose of the Whistleblower Channel
The Whistleblower Channel serves as a secure and confidential mechanism for employees, collaborators, suppliers, and other stakeholders to report any behaviors, actions, or irregularities that may constitute:
- Non-compliance with internal policies or ethical standards.
- Breaches of applicable local, national, or international laws.
- Violations of anti-corruption or transparency obligations.
- Actions against the interests of the company, its employees, or stakeholders.
The objectives of this system are to:
- Promote a culture of transparency, responsibility, and ethical conduct within the organization.
- Detect and address potential irregularities swiftly to mitigate risks or damages.
- Ensure the protection of the informant and the confidentiality of all reports.
- Guarantee compliance with the General Data Protection Regulation (GDPR) and Law 2/2023.
By providing a clear and reliable avenue for reporting, Nuvolar fosters a positive, safe, and integrity-driven working environment.
Reportable Behaviors and Irregularities
The Internal Information System may be used to report any of the following situations, among others:
- Fraud and Corruption: Acts of fraud, embezzlement, bribery, or corruption.
- Violation of Laws and Regulations: Breaches of legal or regulatory obligations, including labor, environmental, financial, or data protection regulations.
- Workplace Misconduct: Harassment, discrimination, bullying, or other inappropriate conduct.
- Health and Safety Violations: Behavior endangering the health, safety, or well-being of employees or others.
- Environmental Violations: Activities harming the environment or violating environmental law.
- Financial Misconduct: Misappropriation of funds, falsified accounting, or incorrect financial reporting.
- Conflicts of Interest: Situations where personal interests conflict with professional responsibilities.
- Confidentiality Breaches: Unauthorized access to or disclosure of confidential information.
- Ethical or Integrity Violations: Conduct contrary to the company’s values, policies, or code of ethics.
These examples are not exhaustive. Any conduct that threatens the principles of legality, fairness, or transparency within Nuvolar may be reported through this channel.
Rights of the Informant
Nuvolar guarantees all whistleblowers the following rights under Law 2/2023 and the GDPR:
Right to Anonymity
Informants may remain anonymous. No identifying data is required unless voluntarily provided. Anonymous reports will receive the same consideration and protection as identified ones.
Right to Confidentiality
All communications, identities, and documents are treated with strict confidentiality. Only authorized personnel may access the data necessary for the investigation. Disclosure is limited to cases required by law.
Protection Against Retaliation
Any form of retaliation — dismissal, demotion, harassment, or negative professional treatment — is strictly prohibited. This protection applies even when the investigation finds no wrongdoing, provided the report was made in good faith.
Right to Information
- Acknowledgment of receipt will be provided within 7 calendar days of submission.
- A decision or update will be communicated within 3 months, extendable to 6 months for complex cases.
Right to Limited Disclosure
Only the information essential to the investigation will be collected and processed. If sharing with third parties (e.g., legal advisors) is necessary, the informant will be notified unless prohibited by law.
Right to Data Protection
All data are handled under the General Data Protection Regulation (EU) 2016/679 and the Spanish data protection law (LO 3/2018). Informants may exercise their rights of access, rectification, erasure, restriction, and objection.
Right to Deletion
Personal data will be deleted three months after the closure of the investigation unless required to preserve evidence or pursue legal proceedings.
Right to Fair Treatment
Informants will be treated respectfully, impartially, and without discrimination throughout the process.
Whistleblower Channel Investigation Procedure
Initial Phase
Submission:
Reports are submitted individually via the Whistleblowing channel, accessible to all employees and collaborators.
Form Details:
- Email (optional for anonymity)
- Identification of the reported party (optional)
- Description of the facts and supporting documents
Acknowledgment:
Receipt will be confirmed within 7 calendar days unless it endangers confidentiality.
Additional Clarifications:
The RSII may request further details such as location, timing, or evidence related to the incident.
If no acknowledgment is received within 30 days, the report will be considered closed unless the case is critical or ongoing.
Investigation Phase
- Risk Assessment:
The RSII will assign a risk level (LOW, MEDIUM, HIGH, or CRITICAL). - Evidence Gathering:
Documentation, interviews, and factual verification will be conducted confidentially. - Report Preparation:
The RSII will prepare a summary report describing findings, measures, and recommendations. - Duration:
The investigation must conclude within 3 months, extendable to 6 months in complex cases.
Resolution Phase
- Decision and Communication:
The resolution and any corrective measures will be communicated to the informant (if identified) and the reported party. - Possible Outcomes:
- Verification of Facts: Adoption of corrective or disciplinary actions.
- No Verification: Closure of the case with written justification.
- Referral to Authorities: If the facts indicate criminal conduct, the case may be referred to competent authorities, with the informant’s consent if identity disclosure is necessary.
This structured process guarantees confidentiality, fairness, and due diligence throughout the entire investigation.
External Reporting Channel (AIPI)
In accordance with Article 16 of Law 2/2023, informants may also submit reports through the external channel managed by the Autoridad Independiente de Protección del Informante (AIPI), the national authority responsible for external whistleblower reports.
The AIPI ensures the same guarantees of confidentiality, independence, and protection as internal systems, under the legal framework established by Law 2/2023.
Reports to the AIPI may be submitted directly, particularly in cases where:
- The internal channel is not considered safe or effective.
- The informant fears retaliation.
- The reported facts involve senior management or the person Responsible for the Internal Information System (RSII).
The official website of the AIPI is https://www.proteccioninformante.gob.es.
The online reporting platform (external channel) can be found here: https://www.proteccioninformante.gob.es/presentacion-de-informaciones-sobre-infracciones
Data Protection and Privacy
All personal data processed under this system is handled in compliance with:
- Regulation (EU) 2016/679 (GDPR)
- Law 2/2023, of 20 February
- Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights
The data controller is Nuvolar. Personal data collected through this channel is processed exclusively for the purpose of managing reports, investigating potential breaches, and ensuring legal compliance under Law 2/2023 and the General Data Protection Regulation (EU) 2016/679 (GDPR).
The system is operated through Bizneo HR, which acts as a data processor on behalf of Nuvolar, ensuring secure processing and confidentiality.
Data are retained securely for the legally required period (normally up to 3 months after the closure of an investigation, extendable to 6 months in complex cases) and then deleted or anonymized in accordance with the law.
For any questions or to exercise your data protection rights (access, rectification, deletion, limitation, or opposition), please contact ethics@nuvolar.com.
For full details on data protection and informant rights, please refer to:
https://nuvolar.com/privacy-policy/
Misuse of Reporting Channels and False Allegations
Improper or malicious use of the reporting channel — including knowingly false allegations — will be investigated in accordance with internal disciplinary policies and applicable legal standards.
Such conduct may lead to disciplinary or legal action, depending on the severity and intent of the misuse.
However, good-faith reports, even if unsubstantiated, will never result in retaliation or adverse treatment.
Nuvolar’s Commitment
By implementing this Internal Information System and Defense of the Informant, Nuvolar reinforces its ongoing commitment to:
- Ethical business conduct and legal compliance.
- The protection of employees, clients, and partners.
- A transparent, fair, and accountable corporate culture.
All members of Nuvolar are encouraged to uphold these values and to use the reporting channel responsibly to ensure the organization’s integrity and trustworthiness.