The Internal Regulations governing the reporting and the protection of persons reporting information on breaches of Bulgarian legislation or Union law – whistleblowers, within the structure of FANTASTICO GROUP LTD, establish the regulations, procedure and standards of reporting breaches of Union law and of protection of the persons in relation to their report, in accordance with Directive (EU) 2019/1937 of the European Union and of the Council of 23.10.2019 on the protection of persons reporting breaches of Union law, and in accordance with the Act on protection of persons reporting information or publicly disclosing information about breaches (effective, 04.05.2023)
These rules and regulations shall be approved by the employer.
These Internal Regulations cover:
1. Concepts and definition.
2. Material scope of breach of law.
3. Personal scope of whistleblowers.
4. Conditions for protection of whistleblowers.
5. Reporting channel.
6. Procedures for reporting and follow-up.
7. Investigation by the responsible person
8. Duty of confidentiality.
9. Processing of personal data. Technical and organisational measures.
10. Record keeping and storage of the reports.
12. Protection of whistleblowers and of persons concerned.
For the purposes of these Regulations, the following definitions shall apply:
1) “breaches” means acts or omissions that are unlawful and/or contrary to the material scope - Section II, and relate to Bulgarian or European Union legislation in the areas of: public procurement; financial services, products and markets, and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; protection of the environment; radiation protection and nuclear safety; food and feed safety, animal health and welfare; public health; consumer protection; protection of privacy and personal data; security of networks and information systems; breaches affecting the financial interests of the European Union within the meaning of Article 325 of the Treaty on the Functioning of the European Union; breaches relating to the internal market rules, as referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including Union and national competition and state aid rules; breaches relating to cross-border tax schemes designed to obtain a tax advantage contrary to the object or purpose of the applicable corporate tax law; publicly prosecuted offence of which a person referred to in Article 5 has become aware in connection with the performance of his/her work or in the performance of his/her official duties; the rules for payment of outstanding public state and municipal claims; labour legislation; legislation relating to the performance of public service, etc.
2) “information on breaches” means information, including reasonable suspicion, about actual or potential breaches, which occurred or are very likely to occur within the structure of FANTASTICO GROUP LTD in which the whistleblower works or has worked or in another organisation with which the whistleblower is or was in contact through his or her work, and about attempts to conceal such breaches;
3) “report” or “to report” means the oral or written communication of information on breaches, including notification in the proper manner described herein of potential misconduct observed by a person covered by Section III hereof, addressed to the person competent to deal with it;
4) “internal reporting“ means the oral or written communication of information on breaches within FANTASTICO GROUP LTD.
5) “external reporting” means the oral or written communication of information on breaches to the competent authorities;
6) “public disclosure” or “to publicly disclose” means the making of information on breaches available in the public domain;
7) “whistleblower” means a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities;
8) “facilitator” means a natural person who assists a whistleblower in the reporting process in a work-related context, and whose assistance should be confidential;
9) “work-related context’” means current or past work activities in the public or private sector through which, irrespective of the nature of those activities, persons acquire information on breaches and within which those persons could suffer retaliation if they reported such information;
10) “person concerned” means a natural or legal person who is referred to in the report or public disclosure as a person to whom the breach is attributed or with whom that person is associated;
11) “retaliation” means any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting;
12) “follow-up” means any action taken by the recipient of a report or any competent authority, to assess the accuracy of the allegations made in the report and, where relevant, to address the breach reported, including through actions such as an internal enquiry, an investigation, prosecution, an action for recovery of funds, or the closure of the procedure;
13) “feedback” means the provision to the whistleblower of information on the action envisaged or taken as follow-up and on the grounds for such follow-up;
14) “competent authority” means any national authority designated to receive reports in accordance with Chapter III of Directive (EU) 2019/1937 and give feedback to the whistleblower, and/or designated to carry out the duties provided for in the Directive, in particular as regards follow-up.
15) “line manager” means a person hierarchically superior to a staff member in a structural unit.
16) "breach" means any act or omission at work which affects work and which damages, endangers, or is likely to damage the objectives or reputation of FANTASTICO GROUP LTD or their staff member(s), including conduct that is: illegal, dishonest, or unethical; or conduct that violates the law or an internal act of a Company/Companies of FANTASTICO Chain of Stores.
These Regulations aim to lay down standards for the protection of persons reporting information on breaches in the following areas:
i) public procurement;
ii) financial services, products and markets, and prevention of money laundering and terrorist financing;
iii) product safety and compliance;
iv) transport safety;
v) protection of the environment;
vi) radiation protection and nuclear safety;
vii) food and feed safety, animal health and welfare;
viii) public health;
ix) consumer protection;
x) protection of privacy and personal data, and security of network and information systems;
xi) breaches affecting the financial interests – fraud and any other unlawful activity affecting pecuniary interest;
xii) breaches relating to the internal market of the EU – free movement of goods, people, services and capital, as well as breaches relating to the internal market regarding acts which breach the rules of corporate tax or to arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable tax law.
These Regulations shall not apply to reports of breaches: of the procurement rules involving defence or national security aspects unless they are covered by Article 346 of the Treaty on the Functioning of the European Union; of the protection of classified information within the meaning of Article 1(3) of the Protection of Classified Information Act; breaches which have come to the knowledge of persons practicing legal profession who are under a statutory obligation of professional secrecy; breaches of the confidentiality of health information within the meaning of Article 27 of the Health Act; of the secrecy of judicial deliberations; of the rules of criminal procedure.
1. These Regulations target and concern the following individuals:
a) staff members within the structure of FANTASTICO GROUP LTD;
b) staff members whose work-based relationship with FANTASTICO GROUP LTD is terminated at the reporting date, in cases where they report on breaches that have come to their knowledge within the scope of the work-based relationship before the termination thereof;
c) staff members whose work-based relationship with FANTASTICO GROUP LTD is yet to begin – in cases where information they report has been acquired during the recruitment process or other pre-contractual negotiations;
d) persons having self-employed status, who are engaged in the activities of FANTASTICO GROUP LTD;
e) persons working under the supervision and direction of contractors, subcontractors and suppliers that are in a legal relationship with FANTASTICO GROUP LTD;
f) persons under the Act on protection of persons reporting information or publicly disclosing information about breaches.
2. In addition to the persons under paragraphs (a) to (f) of Section III hereof, the protection measures set out herein shall concern and apply to the following categories of persons:
а) facilitators in the meaning of clause 8 of Section I, Concept and Definitions, hereof;
b) third parties who are connected with the whistleblowers and who could suffer retaliation in a work-related context, such as colleagues or relatives of the whistleblowers;
c) legal entities that the whistleblowers own, work for or are otherwise connected with in a work-related context.
1. Whistleblowers shall qualify for protection under these Regulations provided that:
а) they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting and that such information fell within the material scope;
b) they reported in accordance with the established Regulations and in accordance with the procedures set out therein.
1. Whistleblowers shall report through a channel established by FANTASTICO GROUP LTD which is an internal reporting channel within the meaning of Directive # 2019/1937 and the Act on protection of persons reporting information or publicly disclosing information about breaches (The Act), without prejudice to the possibility to report through any other channel under the Directive and the Act.
2. The competent authority for external reporting shall be the Commission for Personal Data Protection, in accordance with the Act.
3. Reporting can take place through the internal or external reporting channels, or through both, as well as through public disclosure within the meaning of the Act.
1. Any person covered by clause 1 of Section III hereof shall be entitled to report and shall be a whistleblower.
2. The report shall be made by sending a written communication to the following e-mail address: firstname.lastname@example.org, or by sending a written report to the following address: Sofia, Simeonovo District, 14a, Momina Salza St., or by oral report in a physical meeting with the person responsible for handling reports - within a reasonable time frame agreed between the parties, as well as by calling 0894 777 430. The report must contain at least the following information:
а) data of the whistleblower (and/or the facilitator, if any) – full name, address, contact phone, fax, and e-mail of sender, if any;
b) date and time of the breach – if known;
c) date and time of becoming aware of the breach and the related circumstances;
d) person who committed the breach or against whom the report is made and the place of work of such person, if known to the whistleblower;
e) presence of another person – a witness or an accomplice in the breach;
f) a description of what the breach consists of - particulars of the breach or of a real risk of a breach being committed, the place and period of the breach, if any, a description of the act itself or the setting and other circumstances, as far as known to the whistleblower;
g) other data and circumstances which the whistleblower considers important;
h) real risk of a breach;
i) signature and full identity of the reporting person;
2.1. Written reporting:
a) the written report shall be sent by any of the methods specified and shall contain the information specified in the preceding paragraph. The report shall be addressed to the person designated to receive reports and must contain the information specified in clause 2 of this section. The written report should be made using the form available on the following website: www.fantastico.bg, and it may be provided by the person responsible for the handling of reports within the structure of the FANTASTICO GROUP LTD.
2.2. Oral reporting:
a) the oral report shall be made by calling 0894 777 430. Whistleblowers calling the number specified in the preceding sentence shall state that they are aware that their telephone call and conversation may be recorded and logged and that agree with that fact. In addition to calling the above telephone number, the whistleblower may also report in a physical meeting with the person(s) responsible for handling reports, in which case the conversation, the actions performed, the evidence provided, etc., shall be recorded in special minutes to be signed by the parties. Whatever the method of oral reporting, the persons who take the action to initiate such a report shall be obliged to identify themselves and to provide their contact details for feedback.
b) the person responsible for receiving reports shall draw up minutes that accurately and specifically records the information required under clause (2) of this section and the minutes shall be provided to the whistleblower for signature. If corrections and/or additions to the minutes are necessary, they shall be recorded by the responsible person receiving the report and shall be signed by the parties.
c) the whistleblower shall appear to be handed in and sign the minutes within 7 days from the date on which the report is made.
d) the whistleblower may request a physical meeting with the person responsible for receiving reports. The meeting shall be held within 7 (seven) days from the reporting date.
2.3 Where the whistleblower is unwilling to disclose their identity and remains anonymous, no proceedings shall be initiated on the report. Any whistleblower who has made a report anonymously and is subsequently identified or their identity is disclosed shall enjoy all rights in accordance with the Act.
2.4. Where the whistleblower fails to provide a feedback channel or means for receiving acknowledgment of receipt of the report made and/or for receiving feedback on the ongoing investigation of the breach described by the whistleblower and on the follow-up and the results thereof, such whistleblower thereby agrees not to be notified and not to receive subsequent feedback regarding the information described above.
2.5. Where the report does not comply with the requirements under clause 2 of Section VI, same shall be sent back to the whistleblower for correction of the irregularities within 7 (seven) days from receipt of the communication. Where the irregularities are not corrected within 7 (seven) days from receipt of the communication under the preceding sentence, the report shall be returned to the whistleblower.
3. The reports received at the above e-mail address shall be handled in a secure manner that guarantees the confidentiality of the identity of the whistleblower and of any other person named in the report and shall only be accessible to the persons responsible for handling reports in FANTASTICO GROUP LTD. The report and any information related thereto shall be strictly confidential.
4. Whitin not more than 7 (seven) days from the date on which the report is received at the above e-mail address, the whistleblower shall receive a written acknowledgement of the fact of receipt.
5. In connection with the reporting and follow-up procedure, an impartial person shall be designated as the person responsible for handling the report, who shall be entitled to request additional information from the whistleblower and from whom the whistleblower shall be entitled to receive feedback.
6. The responsible person within the meaning of the preceding clause hereof shall, in a timely manner, give due follow-up to the report received in order to clarify and address the report and, if necessary, to inform a competent authority about the existence of such report.
7. Within not more than 3 (three) months from the report receipt acknowledgement date, the whistleblower shall be given feedback on the ongoing investigation of the breach described by the whistleblower, and on the action taken.
7.1. Upon completion of the investigation, the report shall be made available to the person concerned for written opinion within 7 days from being so invited.
8. The investigation on the report shall be terminated by a written opinion which shall be sent to the whistleblower and the person concerned within seven days from being issued, in compliance with the obligations for protection of the whistleblower.
8.1. Where the report is against the employer, the person responsible for handling reports shall refer the whistleblower to an external reporting channel.
1. The person making the investigation shall:
1.1. maintain contact with the whistleblower where such person has data on whitleblower’s identity;
1.2. request, at their discretion, additional information on the report from the whistleblower;
1.3. refer the whistleblower to the competent authorities where whistleblower’s rights are affected;
1.4. take specific action to stop or prevent the breach where such is established or there is real risk of it being committed;
1.5. forward the report to the Commission for Personal Data Protection or to another authority having competence;
1.6. terminate the investigation on the report by taking the actions referred to in clauses 4 and 5 of Section VI hereof, or on account of lack of sufficient evidence of a breach or of a real risk of a breach.
2. Persons within employer’s structure, other than the responsible persons for the reports, may be designated for the follow-up.
3. No proceedings shall be initiated where:
3.1. The report made is anonymous;
3.2. The reported breach was made more than 2 (two) years before the date on which the report is made.
1. The identity of the whistleblower shall not be disclosed to anyone beyond the persons responsible for handling reports who are competent to receive or follow up on reports, without the explicit consent of the whistleblower. This shall also apply to any other information from which the identity of the whistleblower may be directly or indirectly deduced.
2. By the express will of the whistleblower, their identity and any other information referred to in clause 1 of Section VII hereof may be disclosed only where this is a necessary and proportionate obligation imposed by Union or national law in the context of investigations by national authorities or judicial proceedings, including with a view to safeguarding the rights of defence of the person concerned.
3. Whistleblowers shall be informed before their identity is disclosed under the conditions of clause 2 of Section VII hereof, unless such information would jeopardise the related investigations or judicial proceedings. When informing the whistleblowers, the competent authority shall send them an explanation in writing of the reasons for the disclosure of the confidential data concerned.
4. Where information including trade secrets is received, such information shall not be used for purposes going beyond what is necessary for proper follow-up.
1. Any processing of personal data carried out pursuant to these Regulations, including the exchange or transmission of personal data, shall be carried out in accordance with Regulation (EU) 2016/679 and Directive(EU) 2016/680. Any exchange or transmission of information by Union institutions, bodies, offices or agencies shall be undertaken in accordance with Regulation (EU) 2018/1725.
2. Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without unusual delay.
3. Personal data obtained unlawfully or needlessly shall not be collected.
4. Access to the personal data of the persons related to the report shall only be granted to the persons responsible for handling the reports. Access to personal data by third parties shall only be on a lawful basis, in accordance with the duty of confidentiality under the Act and the Directive.
5. Categories of personal data processed in connection with reporting, and personal data carriers:
5.1. Data of the whistleblower: full name;
5.2. Contact information of the whistleblower: address, phone number, fax, and e-mail;
5.3. Name and place of work of the person against whom the report is made.
5.4. Other data collected and necessary in connection with the investigation of the report.
6. The data processed by the person responsible for receiving reports shall be processed in accordance with Regulation (EU) 2016/679, in accordance with the law.
7. The processed personal data shall be stored in electronic and/or hard copy, depending on how the report was made.
7.1. Hard copies of personal data shall be stored in a separate archive, with access restricted to the staff members responsible for handling reports only, and shall be locked with a key lock with key access restricted to the persons responsible for handling reports only.
7.1.2. A separate file shall be created for each case and shall be placed in a folder which shall be put in the archive referred to in clause 7.1 by the staff member responsible for handling reports.
7.1.3. The staff member responsible for handling reports shall not disseminate or share information which has become known to him/her during and in connection with the handling of reports. Any information relating to reports shall be considered strictly confidential and shall be handled only by the person responsible for handling reports. Information shall only be shared in compliance with the provisions of the Act and the Directive.
7.1.4. The person responsible for handling reports shall not leave documents and data carriers relating to the report unattended at his/her workplace. All data carriers at person's workplace shall be placed in such a way as to ensure that other persons cannot obtain information from the data carriers.
7.1.5. Data on electronic media shall be processed by the staff member responsible for handling reports on his office computer only. The staff member may not use technical means other than the office ones made available to him/her.
7.1.6. The staff member shall create an electronic file in an electronic folder to which only he/she has access. The electronic folder shall be protected by a password created by the staff member. The password is for the staff member’s use only and may not be shared.
7.1.7. The staff member’s office computer shall lock automatically when not in use by the staff member. The computer shall be protected by an individual password which shall be changeable at intervals determined by the staff member. The staff member shall be prohibited to share passwords. The staff member shall be under an obligation to lock his/her computer whenever he/she gets up from his/her workstation.
7.1.8. Employer’s internal electronic system shall use high levels of electronic protection and data encryption.
8. Physical meetings with the whistleblower shall only be held in the presence of the whistleblower and the person responsible for handling reports. Meetings shall be individual and third parties shall not be allowed to attend. This applies to any physical meetings held by the person responsible for handling reports in relation to the reports.
9. The reports and the data processed in connection thereof shall be kept for a period of 5 years from the date of the opinion on the measures taken and/or from the closing date of the administrative proceedings or court proceedings, or for a longer period, where a law or other statutory act of Bulgarian law so requires. Where the report does not meet the requirements introduced by the Act and the irregularities therein are not remedied in due course, and where the report does not contain evidence of breaches, the data shall be deleted immediately after the opinion of the person responsible for receiving reports.
10. After the retention period has expired, the data shall be destroyed by the person responsible for handling reports by deleting them in such a way as to make their retrieval impossible.
11. The organizational and technical data protection measures under clause 7 of this section shall be mandatory for the persons responsible for handling reports.
12. Personal data shall be provided in relation to a request by persons concerned by them and by the report made, without disclosing third party data. Whistleblower’s data shall only be shared with his/her preliminary consent, except in the cases provided for by law.
13. Personal data that are irrelevant to the report made shall not be processed. The person responsible for handling reports, together with the personal data protection officer within the structure of FANTASTICO GROUP LTD, shall assess what information is needed for the report, whereupon the report investigation procedure shall be initiated.
1.[i] Every report received shall be recorded in a register on receipt, pursuant to Section VI.
2. The register shall be in electronic form and shall not be public. Access to the register shall be password locked and the password shall only be known to the persons responsible for handling reports.
3. The rules under Section IX hereof shall apply to register’s keeping and storage.
4. The person responsible for handling reports shall be responsible for keeping the register.
5. The register shall contain at least the following information:
a) person who received the report;
b) reporting date;
c) identification number, where the report is anonymous;
d) person concerned, if such information is contained in the report;
e) aggregated data on the alleged breach, as well as place and time of breach, description of the act and other circumstances under which it was committed;
f) relationship of the report made with other reports, once such relationship is established in the report handling process;
g) information provided as feedback to the whistleblower, and date of provision;
h) follow-up given;
i) results of the investigation of the report;
j) period of storage of the report.
1. At the end of the investigation, an opinion shall be prepared, which shall be provided to the manager of FANTASTICO GROUP LTD within which the investigation was conducted.
2. The opinion should:
a) summarise the results of the investigation and the evidence;
b) draw a conclusion and indicate the degree of non-compliance of the unlawful conduct with the requirements of the law and the rules of FANTASTICO GROUP LTD;
c) make recommendations and suggestions for action to remedy the unlawful conduct in order to prevent its recurrence in the future;
d) contain information as to whether there are grounds for imposing a disciplinary measure on the person who has engaged in unlawful conduct and what the extent and form of the measure should be – where such measure exists;
1. Where whistleblowers report information on breaches, they shall not be considered to have breached any restriction on disclosure of information and shall not incur liability of any kind in respect of such a report or public disclosure provided that they had reasonable grounds to believe that the reporting or public disclosure was necessary for revealing the breach.
2. Whistleblowers shall not incur liability in respect of the acquisition of or access to the information which is reported, provided that such acquisition or access did not constitute a self-standing criminal offence.
3. Whistleblowers within the meaning of these Regulations shall be protected against unlawful dismissal, disciplinary measures and penalties, wrongful assignment to work outside formal employment; loss of opportunity for education, training or professional development; loss of opportunity for promotion in the workplace, loss of professional title; poor working conditions; early termination of contract, reduction in salary and other forms of remuneration; assignment to additional duties or transfer to other posts; retaliation by staff members.
4. Whistleblowers cannot be discriminated against as a result of a report made in good faith.
5. The person responsible for conducting the investigation shall take all necessary steps and actions to ensure that the investigation is fair and unbiased. In this regard, persons who may be affected by the investigation should be made aware of the allegations and evidence against them and shall have the opportunity to submit a statement on the case.
6. Prohibited shall be any form of retaliation against whistleblowers, including threats and attempts of retaliation including in particular in the form of:
6.1. suspension, dismissal or application of another ground for termination of the employment relationship under which the person is employed;
6.2. demotion or withholding of promotion;
6.3. change of location of place of work or transfer of duties, change in working hours and reduction in wages;
6.4. withholding training to maintain and improve the professional qualifications of staff members;
6.5. negative performance assessment, including in employment reference;
6.6. enforcing pecuniary and/or disciplinary liability, including the imposition of disciplinary penalties;
6.7. rejection, threatening to retaliate, or taking actions, whether physically, verbally or otherwise, that are intended to humiliate the person and create a hostile professional environment;
6.8. direct and indirect discrimination, disadvantageous or unfair treatment;
6.9. failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that he or she would be offered permanent employment;
6.10. early termination of or failure to renew a temporary employment contract where such renewal is legally permissible;
6.11. harm, including to person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income;
6.12. listing on the basis of a sector or industry-wide formal or informal agreement, which may entail that the person will not, in the future, fund employment or be able to supply goods or services in the sector or industry (blacklisting);
6.13. early termination or cancellation of a contract for goods or services;
6.14. cancellation of a license or permit;
7. Any retaliation against whistleblowers shall be prohibited.
8. The persons against whom a report or public disclosure of a breach is made shall fully enjoy the right to an effective remedy and to a fair trial, as well as the presumption of innocence, including the right to be heard and the right of access to the documents relating to them.
9. The person concerned shall be entitled to compensation for all material and non-material damage, where it is established that the reporting person knowingly reported or publicly disclosed false information.
1. These Regulations were approved with an order of the representative of FANTASTICO GROUP LTD.
2. These Regulations shall only be amended and supplemented in writing, by order of approval.
3. These Regulations take effect on 15.03.2023
4. Until a maximum of 3 years from the date of adoption of these Regulations, same should be reviewed based on an analysis of practices and updated, if necessary.
5. Attached to these Regulations are: a model register for the recording of reports and a model report form.