WHAT IS A SIGNAL
A SIGNAL or REPORTING – съгласно the Law on the Protection of Persons Reporting or Publicly Disclosing Information on Breachesis an oral or written transmission of information about breaches.
Who can report a breach
Всяко физическо лице, who has reasonable grounds to believe that during or in connection with the performance of his or her employment or official duties, or in any other working context, has acquired information about committed or potential future violations of Bulgarian law or European Union acts, as well as about the concealment of such in, by and with regard to the organization for which he or she works or has worked, or for any other organisation in which he or she is, or has been in contact, in connection with his or her work.
What breaches can we report?
- For violations of Bulgarian legislation or acts of the European Union in the field of:
- public procurements
- financial services, products and markets and the prevention of money laundering and terrorist financing
- the safety and conformity of products
- transport safety
- environmental protection
- radiation protection and nuclear safety
- food and feed safety, animal health and welfare
- public health
- consumers protection
- protection of privacy and personal data
- the security of networks and information systems
- Infringements affecting the EU's financial interests referred to in Art. 325 of the TFEU (Treaty on the Functioning of the European Union) and further specified in the relevant Union measures.
- Infringements relating to the internal market of the European Union as referred to in Article 26(2) of TFEU, including European Union rules on competition and State aid.
- Infringements relating to acts that distort corporate taxation, tax schemes or arrangements the purpose of which is to obtain a tax advantage that is contrary to the object or purpose of the applicable corporate tax law.
- A crime of general nature has been committed, of which the whistleblower has become aware in connection with the performance of his work or in the performance of his duties.
- 6. Violations of the Bulgarian legislation in the area of:
- The rules for payment of public state and municipal dues
- Labour legislation
- Legislation relating to the performance of a civil service
What violations we CANNOT report?
НЕ МОГАТ Breaches related to the following CANNOT be reported:
- the rules for the award of public procurement in the field of defence and national security, where they fall within the scope of Article 346 of TFEU TFEU (Treaty on the Functioning of the European Union)
- protection of classified information within the meaning of Art. 1 paragraph 3 of the Act on Protection of Classified Information;
- information which has become known to persons exercising the legal profession and for whom there is an obligation of professional secrecy under the law
- confidentiality of health information within the meaning of Art. 27 of the The Health Act;
- the secrecy of judicial deliberation
- the rules of criminal procedure
When do we report breaches?
Подаваме сигнал или публично оповестяваме информация, когато при изпълнение или по повод на трудовите си или служебни си задължения, или в друг работен контекст, сме били свидетели или ни е станала достояние информация за незаконни действия или бездействия, водещи до нарушения на Българското законодателство и актове на Европейския съюз в определени области, представляващи непосредствена или явна опасност за обществения интерес или съществува риск от възникване на щети, които не могат да бъдат отстранени.
What types of reports do we submit?
ПИСМЕНИ:
- confidential – contain mandatory requisites (personal data)
- anonymous – there is no possibility to initiate proceedings.
УСТНИ:
- by telephone or other voice messaging systems (the conversation is recorded and a complete and accurate record is prepared).
- through a personal meeting (scheduled within 7 days; based on the shared information, a complete and accurate protocol is prepared).
HOW DO WE REPORT?
After making an informed decision, based on reliable information provided, we report by:
- Internal Reporting Channel
- External Reporting Channel
- Public disclosure
Why choose the Internal reporting channel?
- The report is submitted to persons who can effectively contribute to the early and effective elimination of risks to the public interest.
- Confidentiality related to the identity of the reporting person.
- Protection of personal data – when registering the report and initiating follow-up actions related to its check or investigation, it is ensured that the processing of personal data, including exchange and/or transmission to a competent authority, is carried out in accordance with the regulations in force for their protection(REGULATION (EU) 2016/679 and DIRECTIVE 2016/680).).
- Protection of personal data of third parties related to the reporting person or the reporting of the report.
- The negative consequences for the organization are reduced.
- The reputation of the organization in the public domain is preserved.
- Strengthening the employee-employer relationship based on trust and a sense of inner conviction that the problem can be resolved effectively and efficiently with the highest possible degree of confidentiality.
What is the procedure for reporting?
- Breaches are reported, including documentation (in the form of annexes supporting the claim, if any) by filling in a form. When submitting an oral report, it is documented using the approved form by the officer responsible for receiving and examining the reports, who proposes to the person who submitted the information to sign it.
- A confirmation of the receipt of the report is sent (within 7 days of its receipt).
- The received report is reviewed with regard to its admissibility and is examined by an authorized officer who is entitled to:
- request that the person who reported remedies the irregularities in the received report within 7 days, with instructions for correction in case of omissions related to the mandatory requisites or when the report contains false or misleading statements of facts, explicitly indicating the responsibility that the reporting person bears. In the event that the irregularities are not remedied within the specified period, the report remains without further examination.
- request, if needed, additional information in connection with the received signal, including from third parties.
- The authorized officer has the obligation to:
- provide clear and easily accessible information on the procedures available for external reporting to the competent national authority (Personal Data Protection Commission) and, where appropriate, refer the person to European Union institutions, bodies, offices or agencies.
- keep in touch with the person who submitted the report, safeguard the persons anonymity, as well as the personal data of third parties related to the breach or those related to the reporting person and the submitted report.
- to hear the person against whom the report was submitted or to accept his written explanations and to collect and evaluate the evidence indicated by him.
- provide the person concerned with all evidence collected and give him or her the opportunity to object to it within 7 days, subject to the protection of the reporting person.
- enable the person concerned to present and identify new evidence to be gathered in the course of the examination;
- The examination on the report is carried out within 2 months (due follow-up action is taken on the report).
- Within a reasonable time, feedback is provided – a written statement on the result of the examination of the report (not longer than 3 months after sending an acknowledgement of its receipt).
What can we expect when sending a report on breaches – follow-up actions?
В случай, че изнесените в сигнала факти бъдат потвърдени:
- In the event that the facts stated in the report are confirmed: specific measures are taken to stop/prevent the violation in the event of an act already committed or a real risk of committing an act.
- the person who reported a breach is referred to the competent authority - the Commission for Personal Data Protection when his or her rights are affected (protection of privacy and personal data).
- forwarding the report to the relevant authority for external reporting, where necessary, for action under its competence (within 7 days of its receipt), for which the person who submitted the report is informed in advance.
- upon establishing data that a crime has been committed, the report and all the materials are immediately sent to the prosecutor's office.
- In the event that the report is filed against the reporting person's employer, the reporting officer refers the person to also report to the external reporting authority.
Преписката се прекратява:
- The file is closed in cases of: in the absence of sufficient evidence of a breach or a real danger of a potential one.
- where the breach reported is a minor case and no follow-up action is necessary.
- on a repetitive report which contains no new information essential to the breach in respect of which an examination has already been completed, unless new legal or factual circumstances warrant further action.
*При прекратена проверка, сигнализиращото лице, може да подаде сигнал до централния орган за външно подаване на сигнали (КЗЛД).
RIGHT OF DEFENCE! WHO IS PROTECTED?
What does the internal reporting system guarantee us?
- PROTECTION, preventing access to the report by unauthorized personnel members
- The confidentiality regime PRESERVES the IDENTITY and the shared personal data of both the reporting person and any third party named in the report and/or involved in its submission.
- RIGHT TO PROTECTION of persons who have reported breaches of retaliation against them.
Who has the right to protection against retaliation?
Лицата имат право на защита от момента на подаване на сигнала или публично оповестяване на информация за нарушение.
- Individuals have the right to protection from the moment of reporting or public disclosure of information about a breach.
Protection is granted to an individual who reports or publicly discloses information about a violation (in, about, by the organization) that has become known to him in his capacity of:
- a worker, employee, civil servant or other person performing hired labor, regardless of the nature of the work, the method of payment and the source of funding.
- self-employed person – a person who performs work without an employment relationship and/or exercises a liberal profession and/or craft activity.
- partner, shareholder, sole owner of capital, as well as a person belonging to the administrative, management, control and supervisory bodies of a commercial company, member of the audit committee of an enterprise.
- volunteer or intern.
- a person who works for a natural or legal person, its subcontractors and suppliers.
- a candidate for employment who has participated in a competition or other form of recruitment for employment during which information about an infringement has become known.
- Protection is also granted to employees who have received information about violations in the context of their employment or service relationships, but they have been terminated at the time of filing the report or its public disclosure.
- Protection is also provided to third parties:
- persons assisting the reporting person in the reporting process.
- persons who are related to the reporting person (colleagues, relatives, etc.) and who may be subjected to retaliatory acts (for the purpose of retaliation in a working context) due to the reporting.
- legal persons in which the reporting person holds shares, for which he or she works or is otherwise related in a working context.
What are the mandatory conditions guaranteeing the reporting person his or her rights of defence?
За да се гарантира на лицето сигнализиращо за нарушения правото му на защита от последващи ответни действия срещу него с цел отмъщение, следва да са спазени следните задължителни условия:
- Сигнализиращото лице да е имало основателна причина да счита, че подадената информация за посоченото нарушение в сигнала е била вярна към момента на подаването му, както и че тази информация се отнася до сигнали за нарушения, попадащи в обхвата на посочените области.
„ОСНОВАТЕЛНА ПРИЧИНА“ е налице, когато сигнализиращото лице разполага с информация, съдържаща конкретни данни за твърдяното нарушение, или за реална опасност такова да бъде извършено, както и място и период на извършването му, когато такова е извършено.
- Сигнализиращото лице да е подало сигнал, съгласно изискванията на Закона за защита на лицата подаващи сигнали или публично оповестяващи информация за нарушения, а именно – чрез The confidential reporting system (вътрешен канал), сезирана е Комисията за защита на личните данни (външен канал) или чрез публично оповестяване на информацията.
При спазване на горните две условия, право на защита имат и лицата, които директно подават сигнали за нарушения, попадащи в обхвата на посочените области, до институции, органи, служби или агенции на Европейския съюз.
Право на защита имат и лицата, които публично оповестяват информация за нарушения, при спазване горепосочените две условия, и в случай, че:
- по постъпилия сигнал не са били предприети съответните действия в законоустановените срокове;
- сигнализиращото лице има основания да счита, че нарушението може да представлява непосредствена или явна опасност за обществения интерес или съществува риск от щети, които не могат да бъдат отстранени (т.нар. необратими вреди);
- при външно подаване на сигнал съществува риск от ответни действия или има вероятност нарушението да не бъде ефективно разгледано, поради: опасност от укриване или унищожаване на доказателства; съмнение за наличие на споразумение между компетентния орган и извършителя на нарушението или съучастие на органа в нарушението; други специфични конкретни обстоятелства.
Право на защита имат и лицата, които анонимно са подали сигнал, но впоследствие са идентифицирани и са обект на ответни действия срещу тях, с цел отмъщение, когато са налице горепосочените две условия.
ВАЖНО: По анонимни сигнали не се образуват производства, както и по сигнали, отнасящи се до нарушения, извършени преди повече от две години.
What are the protection measures and procedures that persons who report breaches can use against retaliation?
- Persons reporting breaches who meet and comply with the legal requirements have the right to comprehensive, free and easily accessible information and advice on the procedures and measures available to protect them against further retaliation, as well as on the rights of the person concerned, namely:
- exemption from liability with respect to the acquisition of the information set out in the report, provided that access to it or its acquisition does not constitute an independent crime.
- exemption from liability for breaches of restrictions on disclosure of information provided for by contract, law, regulation or administrative action, as well as for disclosure of a trade secret, provided that there are reasonable grounds to believe that the reporting or public disclosure of the report was necessary for the disclosure of the infringement.
- possibility of termination of judicial proceedings – in the event of proceedings initiated in relation to the reported or publicly disclosed information, the person who reported has the right to request the termination of such proceedings, provided that there are reasonable grounds to believe that the reporting or public disclosure was necessary to disclose the breaches.
- Damages suffered by the reporting person in relation to the report or public information disclosed by him or her shall be deemed to have been intentionally caused by private parties, subject to proof to the contrary.
- Effective assistance in front of any relevant authority related to the protection of individuals against retaliation, including certification of the fact that they have the right to protection under the Law on the Protection of Persons who Report or Publicly Disclose Information on Breaches.
- Legal aid in criminal, civil and administrative cases, as well as in international disputes in civil cases related to the protection of the reporting person, in connection with the report submitted by him or her or publicly disclosed information, in accordance with the Legal Aid Act.
- Out-of-court resolution of cross-border disputes through mediation under the Mediation Act.
- The reporting person is liable under Bulgarian and Union law for an act or omission that is not related to the reporting or is not necessary to disclose the breach.
- In the case of judicial or administrative proceedings in which a person claims to have been the subject of retaliation, it must be demonstrated that these actions are a reaction precisely to a report made by him. It should not be assumed that the retaliatory act was carried out as a reaction to an alert submitted by the person if the assessment of all the circumstances shows that the person imposing it has another legal basis for the application of the measure.
What actions are expressly prohibited from being initiated as retaliatory against persons who report breaches?
Съгласно действащата нормативна уредбаUnder the current legal framework, any form of retaliation against persons reporting breaches who become aware of them in a working context is expressly forbidden, as well as actions that put them at a disadvantage, any threats or attempts to do so, is prohibited, including in the form of:
- temporary suspension, dismissal or application of other grounds for termination of the legal relationship under which the person performs hired work.
- downgrading or delaying promotion.
- a change in the place or nature of the work, the duration of working time or a reduction in remuneration.
- refusal to provide training for maintenance and improvement of the professional qualification of employees.
- application of property and/or disciplinary liability, including the imposition of disciplinary sanctions.
- coercion, rejection, intimidation to take retaliatory acts or actions, expressed physically, verbally or otherwise, aimed at violating the dignity of the person and creating a hostile professional environment.
- direct or indirect discrimination, unequal or disadvantageous treatment.
- withdrawal of the possibility of transition from a fixed-term to a permanent employment contract when the employee had a reasonable legal expectation of being offered a permanent job.
- early termination of a fixed-term employment contract or refusal to re-conclude, where such is permissible by law.
- damages, including with regard to reputation, in particular on social networks, or financial loss, including loss of business and loss of income.
- blacklisting drawn up on the basis of a formal or informal agreement in a sector or industry which may result in the person not being able to enter employment or be unable to supply a good or service in that sector or industry.
- early termination or cancellation of a contract for goods or services, where the person is a supplier.
- termination of a licence or authorisation.
- referral of the person to carry out a medical examination.
В случай на нарушение на горепосочените забрани – сигнализиращото лице има право на обезщетение за претърпени имуществени вреди.
What rights does the person identified as the perpetrator of the breach have?
- The person reported as perpetrator enjoys to the full extent his or her rights of defence and to a fair trial, as well as the presumption of innocence, including to be heard, and the right of access to documents relating to him/her.
- Is entitled to compensation for all pecuniary and non-pecuniary damages when it is established that the person who submitted a report has knowingly reported false information, as well as when, according to the circumstances, he/she was obliged to assume that the information was false.