WHISTLEBLOWING POLICY

I. Applicability and Responsibility

1 This Policy applies to the terms, conditions and procedure for the intake, of Reports of actual or suspected Misconduct regarding breaches of Bulgarian legislation or acts of the European Union that threaten or harm the public interest and the European Union law, as well as the terms and conditions for submitting and handling such reports or publicly disclosed information.

II. Basis and Object

1 Adecco Bulgaria EOOD hereinafter “Adecco” is committed to conducting its business activity according to applicable laws, regulations and its internal policies and procedures. This Policy defines the way by which reports of actual or suspected Misconduct regarding breaches of Bulgarian legislation or acts of the European Union that threaten or harm the public interest and the European Union law, as well as the terms and conditions for submitting and handling such reports or publicly disclosed information will be received, documented, and tracked.

2 The intake of any matter for possible Investigation is an essential part of an integrity and compliance program. The proper receipt and handling of information includes:

  • Clear and distinct means of receiving information;
  • Systematic recording of the information;
  • Consistent review of the information for action;
  • Transparent and verifiable management of the information;
  • Dissemination of the information according to defined principles.

III. Definitions

  • “Business-Conduct Standard” means (i) laws and regulations and other administrative acts, (ii) Adecco’s Code of Conduct, and (iii) Adecco’s written policies, standards, procedures, business practices, and manuals.
  • “Register” means case-management database in which information about Reports of breaches, received by the Appointed person for registration, investigations and reviewing of reports of Adecco and in which information regarding the received Reports of breaches and their Investigation or other resolution is maintained.
  • “Employee” means all colleagues, and associates employed by Adecco, as well as any of its directors and officers. The definition also includes any third-parties authorized by Adecco to act on its behalf.
  • “Appointed person for registration, investigations and reviewing of Reports” means the person appointed by Adecco responsible, among other things, for Adecco’s process for receiving and registration of Reports, investigation of breaches of Bulgarian legislation or acts of the European Union that threaten or harm the public interest and the European Union law, as well as the terms and conditions for submitting and handling such reports or publicly disclosed information and workplace investigation process.
  • “Investigation” means an objective and reliable determination of the facts and circumstances of reported or suspected wrongdoing affecting Adecco’s interests.
  • “Misconduct” means the types of actual, suspected or alleged breaches of Bulgarian legislation or acts of the European Union that threaten or harm the public interest and the European Union law, as well as the terms and conditions for submitting and handling such reports or publicly disclosed information and workplace wrongdoing by Employees or third parties acting on behalf of Adecco that fall within the categories defined in Annex A to this Policy.
  • “Preliminary Assessment” means the process by which a Report is reviewed to determine its appropriate resolution.
  • “Report” means providing substantive information of actual or possible Misconduct to Adecco.
  • “Reporter” means a person who submits a Report. Reporter is a natural person who reports or publicly discloses information on a breach that has become known to him or her in their capacity as:
  1. a worker, an employee, a civil servant or another person who is employed, regardless of the nature of the work, the manner of pay and the source of the funding;
  2. a person who works without an employment contract and/or is a freelance worker and/or a craft worker;
  3. a volunteer or an intern;
  4. a partner, a shareholder, a sole owner of the capital, a member of the management or supervisory body of a commercial company, a member of the audit committee of an enterprise;
  5. a person who works for a natural or legal person, its subcontractors or suppliers;
  6. a candidate for employment who has participated in a competition or another form of recruitment and who has received in that capacity information on a breach;
  7. a worker or an employee, where the information has been obtained in the framework of an employment or service relationship, which has been terminated at the time of the reporting or the public disclosure;
  8. any other reporter, who reports a breach that has become known to him/her in a work-related context.
  • “Subject” means the Employee who is under Investigation for possible Misconduct.

IV. Making a Report

  • Employees and third parties are encouraged to direct an inquiry or Report to the Appointed person for registration, investigations and reviewing of reports

Contact details / reporting channels: Diana Kovacheva/ HR Manager

Address: Business Park Sofia, building 4, 3rd floor

Email: whistleblowing.Bulgaria@adecco.com

Telephone number: +359 885 131 371

  • Reports may also be made as a result of previous Investigations, audits, management and information from third parties.

3 Reports may be submitted through the specified above internal reporting channels, though public disclosure of information on breaches and/or to the Central authority for external reporting – The Commission for Personal Data Protection, Sofia, 2 Tsvetan Lazarov Blvd., e-mail: kzld@cpdp.bg. More information on the procedure and manner of submission of Reports to the Commission for Personal Data Protection in connection with the Protection of Persons Who Report or Publicly Disclose Information on Breaches Act /Whistleblowing Act/ may be found on its website https://www.cpdp.bg .

4 No proceedings shall be initiated on:

  1. anonymous Reports;
  2. Reports relating to breaches committed more than two years ago.

5 The Report shall be submitted to the Appointed person for registration, investigations and reviewing of Reports, in writing, including by e-mail, or orally. Oral reporting shall be possible by telephone, through other voice messaging systems and, at the request of the Reporter, through a personal meeting within an appropriate timeframe agreed between the Reporter and the Appointed person for registration, investigations and reviewing of Reports.

6 The Report may be submitted through proxy with explicit written power-of-attorney (no notarization is required) as well. When the Report is submitted through proxy, the original of the power-of-attorney is attached to the Report.

V. Receiving the Report

1 Each of the Reports received by the Appointed person for registration, investigations and reviewing of Reports is registered and entered into the Register.

2 For the registration of reports of breaches, the Appointed person for registration, investigations and reviewing of  Reports shall use forms in accordance with a template approved by the national external reporting authority, which shall contain at least the following data:

  1. the full name, address and telephone number of the sender, as well as an e-mail address, if any;
  2. the names of the person against whom the Report is made and his/her place of work, if the Report is made against specific persons and they are known;
  3. specific data on a breach or a real threat of a breach, the place and duration of the breach, if such a breach has been committed, a description of the act or situation and other circumstances, as far as these are known to the Reporter;
  4. date of submission of the report;
  5. signature, electronic signature or other identification of the sender.

3 The written Report shall be submitted by the sender by completing a form under Item 2. If the Reporter submits a Report in a different than the approved by the CPDP form, the Appointed person for registration, investigations and reviewing of Reports is obligated to the enter the information from the report in the approved form.

4   The oral Report shall be submitted to the Appointed person for registration, investigations and reviewing of Reports, who shall document and register the Report by completing the form under item 2, and shall propose to the Reporter to sign it if he/she so wishes.

5 The Report may be accompanied by any sources of information supporting the statements made therein and/ or references to documents, including the indication of data on persons who could confirm the reported data or provide additional information.

6 If the Report does not comply with the requirements, the Reporter shall be sent a message to remedy the irregularities within 7 days of receipt of the Report. If the irregularities are not rectified within this period, the Report together with the annexes thereto shall be returned to the Reporter.

7 The Appointed person for registration, investigations and reviewing of  Reports shall make initial formal review of whether the Report falls within the scope of the Whistleblowing Act.

8 After that, the Appointed person for registration, investigations and reviewing of  Reports shall take actions to obtain a Unique Identification Number /UIN/ from the website of the CPDP: https://uin.cpdp.bg/ The main purpose of the UIN, which is given by the CPDP, is to get individualization and traceability of each Report. UIN is a requisite of the sample form for registering a report approved by the CPDP. The signal itself and the materials on it, incl. and the form for its registration (according to the model approved by the CPDP), when submitted through the internal channel to the obliged entities, are not provided to the CPDP.

To obtain a UIN, the Appointed person for registration, investigations and reviewing of Reports provides only the following data:

– Name and UIC/BULSTAT of the employer to whom the Report was filed;

– Identification data of the Appointed person for registration, investigations and reviewing of Reports;

– Subject of the Report (the relevant areas provided for in Article 3, Paragraph 1 and Paragraph 2 of the Whistleblowing Act);

– Method of receiving the Report (written or verbal).

This information serves for control, administrative punishment and statistical purposes of the CPDP. The Appointed person for registration, investigations and reviewing of Reports reflects the information about the received UIN in the register it maintains.

The UIN is obtained immediately after receiving a Report received within Adecco’s business hours. For Reports received after Adecco’s business hours, the UIN is received on the first business day following receipt of the Report.

With the UIN, all Reports are registered, including:

  • anonymous reports (Art. 9, item 1 of the Whistleblowing Act);
  • reports relating to violations committed more than two years ago (Article 9, Item 2 of the Whistleblowing Act);
  • reports that do not fall under the scope of the Whistleblowing Act;
  • reports of violations, the content of which does not give grounds to be considered credible (Art. 15, Para. 6, Art. 2 of the Whistleblowing Act); reports containing obviously false or misleading statements of fact (Art. 15, Para. 6, Art. 3 of the Whistleblowing Act);
  • reports of violations subject to reporting under special regulations;
  • reports of violations that have already been detected by an internal unit of the entity’s obligations (eg internal audit or inspectorate), regardless of whether actions have been taken to eliminate them.

The specified above information serves for control and statistical purposes of CPDP. The Appointed person for registration, investigations and reviewing of Reports reflects the information about the received UIN in the register it maintains.

The assessment of whether the Report falls within the scope of the Whistleblowing Act and whether it meets the conditions and procedures for its examination under Whistleblowing Act is made after receiving the UIN and after registering the Report in the Register. The analysis of the regularity and admissibility of the Report (the assessment of whether the Report falls within the scope of the Whistleblowing Act and whether the conditions for its examination are present) is made afterwards.

VI. Register and Data Retention

  • Each Report receives a unique case file in the Database. The case file includes: the Report, all signed protocols and proposals, related to the investigation and review of the Report other supporting documents, if needed.
  • The case file shall be registered and documented by the Appointed person for registration, investigations and reviewing of
  • The Appointed person for registration, investigations and reviewing of Reports shall maintain records of Reports and Investigations according to Adecco policy and applicable laws and regulations.

VII. Acknowledgment of Report

  • When a Report is received, the Appointed person for registration, investigations and reviewing of Reports will send the Reporter within 2 business days a written acknowledgment that the Report has been received.
  • The acknowledgment is simply a notification that the Appointed person for registration, investigations and reviewing of Reports has received the Report and/or an Investigation may be opened. The Report may be referred to another internal department, or no action will be taken if the Report does not meet the criteria, outlined in the present policy, for taking action.

VIII. Review of Reports

1 Each Report shall be verified for its authenticity. Reports which do not fall within the scope of this Act and the content of which does not give grounds to be considered truthful shall not be handled. Reports that contain manifestly false or misleading statements of facts shall be returned the Reporter with instructions to the sender to rectify the statements and that he/she bears liability for false accusation.

IX. Preliminary Assessment and Investigation Proposal

  • A Preliminary Assessment is conducted by the Appointed person for registration, investigations and reviewing of Reports within 2 business days for all Reports to determine the totality of issues which underlay the Report. The inquiries in a Preliminary Assessment are limited to discreet discussions, communications with the Reporter, online research, and reviews of company documents and databases.
  • The Appointed person for registration, investigations and reviewing of Reports drafts within 2 business days an Investigation Proposal, which shall be reviewed and approved by the managers of Adecco within 2 business days Unless special situations apply, the Preliminary Assessment should be completed within 7 business days.
  • The Investigation Proposal details the substance of the proposed Investigation of the Report. The Investigation Proposal specifies: (i) the subject matter of the investigation; (ii) time range of the Misconduct to be investigated; (iii) individuals involved in the investigation (Subjects, witnesses, further individuals); (iv) whether a review of electronic files with potentially personal information is needed; and (v) whether other intrusive investigation measures are needed to conduct the Investigation.
  • The following types of Reports are not appropriate for Investigation:
  • Reports that are frivolous, made fraudulently or in bad faith.
  • Reports that do not relate to Misconduct or that pertain to the private interests of an Employee without a reasonable connection to Adecco.
  • Reports by a Reporter who has already raised the same issues, unless new information is available or there has been a change in circumstances.

X. Investigation

  • After the investigation proposal is approved, where applicable, and in all other cases after receipt of the Report by the Appointed person for registration, investigations and reviewing of Reports, the Report is investigated and reviewed by the Appointed person for registration, investigations and reviewing of Reports within 45 business days.
  • The Appointed person for registration, investigations and reviewing of Reports specifies the appropriate scope and extent of the Investigation, as well as time frame for completing the Investigation.
  • After completion of the Investigation, the Appointed person for registration, investigations and reviewing of Reports sends a confirmation to the managers of Adecco within 3 business days containing a short summary of its outcome and the corrective action that has been executed.
  • The Appointed person for registration, investigations and reviewing of Reports shall confirm to the managers of Adecco the execution of the corrective action.

XI. Obligations of the Appointed person for registration, investigations and reviewing of Reports

1 The Appointed person for registration, investigations and reviewing of Reports shall:

  1. ensure that the identity of the Reporter and of any other person mentioned in the report will be duly protected and shall take the necessary measures to limit access to the report of unauthorised persons;
  2. liaise with the Reporter and, if necessary, request additional information from him/her and from third parties;
  3. provide feedback to the Reporter on the actions taken within three months after the acknowledgement of receipt of the Report;
  4. provides the persons wishing to file a Report with clear and easily accessible information on the procedures for external reporting of Reports to the competent national authority and, when appropriate, to the institutions, bodies, services and agencies of the European Union;
  5. hear the Subject or to accept his/her written explanations and shall collect and evaluate the evidence specified by him/her;
  6. provide the Subject with all the evidence collected and provide him/her with the opportunity to object it within 7 days, subject to the protection of the Reporter;
  7. provide an opportunity to the Subject to present and indicate new evidence to be collected in the course of the check;
  8. in case the facts presented in the Report are confirmed:

(a) organize the follow-up of the Report and may require the assistance of other persons or units within the structure of Adecco;

(b) propose to Adecco to take specific measures in order to stop or prevent the breach where such a breach is found or where there is a real danger that it will be committed;

(c) refer the Reporter to the competent authorities when his or her rights are affected;

(d) forward the report to the CDPD where action is required to be taken, as the Reporter shall be notified thereof in advance.

XII. Follow-up actions

1 On the basis of the received Report and the proposals of the Appointed person for registration, investigations and reviewing of  Reports, Adecco shall:

  1. take action within his/her competence to terminate the breach or to prevent it, if it has not started;
  2. prioritize according to predetermined criteria and rules the handling of the multiple Reports received of more serious breaches;
  3. terminate the verification:

(a) where the reported breach is minor and does not require further follow-up; termination shall be without prejudice to other obligations or procedures applicable to the reported breach for which the Report has been submitted or to the protection, which is provided to the Reporter or Subject;

(b) on a repetitive Report which does not contain any new information essential to a breach in respect of which an investigation has already been completed, unless new legal or factual circumstances warrant follow-up;

(c) where there are grounds to believe that a criminal offence has been committed; the Report and the materials related to it shall forthwith be transmitted to the prosecutor office;

  1. draw up an individual report describing briefly the information contained in the Report, the actions taken, the final results of the check on the Report, which, together with the reasons, shall be communicated to the Reporter, and to the Subject, in compliance with the obligation to protect them.

In cases where the verification is terminated on the basis of item 3, points (a) and (b), the Reporter may report to the Commission for Personal Data Protection as the national external reporting authority.

XIII. Closing a Report

  • The Appointed person for registration, investigations and reviewing of Reports will ensure that all aspects of the Report’s resolution are fully, accurately and properly documented. A Report may be closed by the Appointed person for registration, investigations and reviewing of Reports when all Investigation-related activity is complete, even if legal proceedings and similar external activities remain pending.
  • The closing of the procedure for investigation and review of the Report shall be ascertained by signing of protocol.
  • The Reporter shall be informed that the procedure for investigation and review of the Report is closed within 7 business days as of signing of the protocol for close of the procedure regarding the Report.

XIV. Follow Up on Measures Taken

1 Follow up actions, which shall be executed after completion of a procedure regarding a Report shall include appropriate post-investigation measures to be taken by management, as well as additional measures if indicated. These measures include possible disciplinary actions against the Subjects, changes in business processes and improvements in internal controls.

2 The disciplinary measures that shall be imposed on the employees after conducting the necessary disciplinary proceedings, when the violation is proven, depend on the type and degree of the violation.

XV. Additional Considerations

1 Documents created under this Policy should be uploaded in the Database.

2 Once submitted, the Report cannot be withdrawn by the Reporter.

3 Adecco shall take appropriate measures to protect the information related to the reported breaches and to protect the identity of the Reporters and/or the Subjects, by providing access to the information only to the employees who need this data to perform their duties obligations.

4 The transmission of data and reference to circumstances cannot directly or indirectly reveal the identity of the Reporters and/or the Subjects, as well as create an assumption about their identity.

5 Disclosure of identity or information is permitted only with the express written consent of the Reporter.

6 The identity of the Reporter and any other information from which his/hers identity can be directly or indirectly revealed can only be disclosed when this is a necessary and proportionate obligation imposed by Bulgarian legislation or by European Union law in the context of investigations by national authorities or of legal proceedings, including with a view to guaranteeing the right of defense of the affected person. In these cases, before disclosing the identity or information, Adecco shall notify the Reporter of the need for their disclosure. The notification shall be in writing and shall be motivated. The Reporter is not notified when the investigation or legal proceedings are jeopardized.

7 Any processing of personal data carried out pursuant to this law, including the exchange or transmission of personal data by the competent authorities, is carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680, and when the transmission involves institutions, bodies, services or agencies of the European Union – in accordance with Regulation (EU) 2018/1725, as well as with the Personal Data Protection Act.

8 No personal data is collected that is clearly not relevant for considering the specific Report, and if it is accidentally collected, it is deleted.

9 Any form of retaliatory actions against the Reporter in the nature of repression and putting them in a disadvantageous position, as well as threats or attempts at such actions, including in the form of:

  1. temporary suspension, dismissal or application of another ground for termination of the legal relationship under which a person is employed;
  2. demotion or delay in promotion;
  3. change in the place or nature of work, the duration of working hours or a reduction in remuneration;
  4. refusal to provide training to maintain and increase the professional qualification of the worker or employee;
  5. negative assessment of work, including in a job recommendation;
  6. application of property and/or disciplinary liability, including imposition of disciplinary penalties;
  7. coercion, rejection, threat to take retaliatory actions or actions, expressed physically, verbally or in any other way, which aim to harm the dignity of the person and create a hostile professional environment;
  8. direct or indirect discrimination, unequal or unfavorable treatment;
  9. taking away the possibility to switch from a fixed-term employment contract to an employment contract for an indefinite period of time, when the worker or employee had the legal right to be offered a permanent job;
  10. premature termination of a fixed-term employment contract or refusal to re-sign it, when such is permissible by law;
  11. damages, including to the person’s reputation, in particular in social networks, or financial losses, including loss of business and loss of income;
  12. inclusion in a list drawn up on the basis of an official or informal agreement, in a sector or in an industry, which may result in the person not being able to start work or not being able to supply goods or services in that sector or industry (black list);
  13. premature termination or cancellation of a contract for the supply of goods or services, when the person is a supplier;
  14. termination of a license or permit;
  15. directing the person to a medical examination.

XVI. Adoption and Approval

This Policy is approved by the managers of Adecco Bulgaria EOOD by Оrder No.355

ANNEX A. Categories of Misconduct

  1. Breaches of the Bulgarian legislation or acts of the European Union referred to in the Annex to the Whistleblowing Act in the areas of:

(a) public procurement;

(b) financial services, products and markets, and prevention of money laundering and terrorist financing;

(c) safety and compliance of products;

(d) transport safety;

(e) protection of the environment;

(f) radiation protection and nuclear safety;

(g) food and feed safety, animal health and welfare;

(h) public health;

(i) consumer protection;

(j) respect for privacy and protection of personal data;

(k) security of network and information systems;

  1. Breaches affecting the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union;

III. Breaches of the rules of the internal market as referred to in Article 26, paragraph 2 of the Treaty on the Functioning of the European Union, including the rules of the European Union and the Bulgarian legislation on competition and state aid;

  1. Breaches relating to cross-border tax arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law;
  2. A committed criminal offence of a general nature, of which a person under Article 5 has become aware in connection with the performance of his or her work or his or her official duties.
  3. breaches of Bulgarian law concerning:
  4. the rules for payment of outstanding public state and municipal receivables;
  5. the labour law;
  6. the legislation related to the performance of public service.

The various types of Misconduct are organized into the following categories:

  • Accounting Irregularities: An Employee did not follow internal accounting and financial- reporting rules.
  • Bribery and Corruption: An Employee offered or accepted, or requested or promised, something, usually money, to gain an illicit business advantage. Similarly, an Employee abused a position of trust in the company in order to gain an undue advantage.
  • Conflicts of Interest: Someone made a business decision while allowing their personal loyalties to conflict or appear to conflict with Adecco’s interests. This includes hiring or supervising a relative, having a business or personal interest in a company vendor or competitor, or having some outside personal interest that conflicts with Adecco’s interests. This also includes outside employment that creates a conflict of interest.
  • Data Privacy: Someone acted improperly in connection with the ways Adecco gathers, uses, discloses, and manages the data of a client or Employee. The improper action, if true, would impact Adecco’s legal obligations to protect the privacy of a client or Employee.
  • Deception: Someone intentionally deceived Employees or manipulated company processes in order to obtain financial gain or other personal advantage, and this deception resulted in financial harm to the company. This includes, for example, expense-report fraud, time card fraud, falsifying financial records, embezzlement, and mishandling of company funds.
  • Improper Competitive Practices: Improper sales and marketing practices such as unfair competition, unethical marketing practices, and making disparaging comments about competitors. An allegation of “unfair competition” includes discussing prices, strategies or sales terms with competitors. It also includes agreements covering customers or territories. This category also includes obtaining competitor information in some improper way.
  • Discrimination: Someone acted improperly or did not follow established company processes in the recruiting, hiring, evaluation, promotion, training, discipline or compensation of an Employee related to discrimination (race, color, gender, national origin, age, marital status, religion, disability, sexual orientation, veteran status or other protected category under applicable law).
  • Improper Gifts, Gratuities and Entertainment: Someone improperly accepted something of value from another person who is trying to influence an Adecco business decision.
  • Insider Trading: An employee traded company stock to his/her own advantage by having access to confidential information or otherwise in violation of company policy.
  • Improper Workplace Conduct: Someone behaved improperly while on Adecco premises. This includes harassment, threats, theft of property, speech that violates Adecco policies (not using an internal system), improper employee relationships, and physical violence. This includes improper soliciting and distribution of printed material not related to Adecco business.
  • Local Office Financial Violations: A member of a local office staff did not follow established procedures for handling financial processes. This includes, for example, workers- compensation coding, wage/hour issues, handling of delinquent accounts, misstatement of office revenues and expenses, or misstatement of business transactions.
  • Misuse of Internal Company Systems: Someone used Adecco’s telephone systems, voice mail, fax machines, computers, e-mail, teleconferencing services, copiers, internal data systems, or the Internet in violation of Adecco policies. This includes using the systems to send illegal, sexually explicit, abusive, offensive or profane messages. This also includes improperly uploading or downloading information. This also includes using company systems for soliciting funds or distributing information that is unrelated to Adecco business.
  • Money Laundering: Someone used, or attempted to use, Adecco systems or operations in order to “launder” the proceeds of a crime so as to make it appear as a normal business transaction.
  • Regulatory Non-Compliance: Someone did not follow a government rule or regulation or written Company policies or processes. These rules and regulations include employee- verification requirements, visa and immigration rules, labor-law and social security violations.
  • Retaliation of Whistleblowers: Someone who made a Report of possible or actual Misconduct received some negative employment impact for making the Report.
  • Third-Party Violation: Someone with no affiliation to Adecco acted improperly, and this action has an actual or potentially negative impact on Adecco’s interests. This includes phishing or deceiving others by misrepresenting an affiliation with Adecco.
  • Violation of Confidential or Proprietary Information Rules: Someone improperly lost, used, or possessed information which Adecco is required to safeguard. This includes software piracy, improper data copying, and unauthorized use of someone’s copyright or trademark rights. This also includes the improper disclosure of Adecco business plans, pricing data, marketing programs, personnel information, financial reports, and customer-related information.
  • Violation of Health and Safety Rules: Failure of local management to resolve reports re providing of a safe working environment or training required by applicable law, regulation, or by Adecco policies.
  • Violation of Procurement Rules: Someone did not follow established procedures relating to buying supplies or services for company use.