1. Purpose and Scope
This Policy aims to define the guiding principles relating to KLOG’s whistleblowing channel, namely the procedures for receiving, handling and retaining communications regarding unlawful practices, in compliance with Law No. 93/2021, the general regime for the protection of whistleblowers of infringements.
This channel is specifically intended for individuals who become aware of an infringement arising within the scope of their professional activity, hereinafter referred to as the whistleblower. The channel may therefore be used by:
- Employees or former employees;
- Job applicants;
- Volunteers or trainees;
- Clients;
- Partners, suppliers or service providers;
- Shareholders, management bodies and supervisory bodies.
In all matters not expressly provided for in this Policy, the applicable legislation and regulations shall apply.
2. Scope
The whistleblowing channel must be used to communicate infringements that have already been committed, are likely to be committed, or are occurring, and that are related to the Company.
Infringements are considered to be acts or omissions, whether intentional or negligent, that violate or seriously compromise:
- Compliance with applicable legislation, rules or regulations;
- The Code of Ethics and Conduct and the ethical and deontological principles applicable to the role;
- Good management practices.
Communications may refer to matters such as harassment, fraud, discrimination, information security and privacy, corruption, among others.
Communications submitted that fall outside the scope described above will not be handled through this channel.
3. Guiding Principles
3.1. Good Faith
The decision to report must be made consciously, thoughtfully and honestly, and is assumed to be made in good faith. Communications must be properly substantiated and include the information available and essential to enable an investigation. If the information is insufficient, it may compromise the investigation and the report may be closed without conclusions.
Reports whose sole purpose is to damage the reputation of an employee or third parties, which are false or contain manipulated documents, lack proper substantiation, or represent abusive use of the channel, will not be tolerated and may constitute a disciplinary, civil or criminal offence.
3.2. Confidentiality and Anonymity
The whistleblowing channel implemented by KLOG allows the whistleblower, if they so wish, to report irregularities anonymously, i.e., without providing information about their identity or contact details.
In any event, collected data will be processed exclusively for the purpose of handling the report, with full confidentiality of the whistleblower’s identity guaranteed by all those responsible for the operational management of the mechanisms and for the procedures of receiving, handling and archiving communications. The identity of the whistleblower will only be disclosed when legally required, namely in compliance with a legal obligation or judicial decision.
The whistleblower may also choose to remain anonymous and should indicate this option on the communication form.
3.3. Protection Measures
All communications will be handled independently and confidentially, ensuring the protection of personal data. In all cases, collected data will be processed exclusively for the purpose of handling the report, ensuring anonymity to all individuals involved in following up on the report.
The identity of the whistleblower will only be disclosed if legally required, namely following a legal obligation or judicial decision.
4. Procedures
Reports of infringements must be submitted through a dedicated form available on the company’s website.
Reports are forwarded to designated users according to the category to which they relate. The table below indicates the allocation of categories to the function responsible for handling them:
| Category | Responsible User |
| Physical aggression | People & Communication Manager |
| Harassment | People & Communication Manager |
| Money laundering | CFO |
| Conflict of interest | People & Communication Manager |
| Consumer protection | Quality & Environmental Coordinator |
| Discrimination (race, age, gender, sexual orientation, religion, etc.) | People & Communication Manager |
| Radiation protection and nuclear safety | Quality & Environmental Coordinator |
| Privacy and personal data protection | IT Infrastructure Manager |
| Environmental protection | Quality & Environmental Coordinator |
| Theft, corruption or embezzlement | People & Communication Manager |
| Public health | Quality & Environmental Coordinator |
| Network and information systems security | IT Infrastructure Manager |
| Food safety for human and animal consumption | Quality & Environmental Coordinator |
| Transport safety | Quality & Environmental Coordinator |
| Product safety and compliance | Quality & Environmental Coordinator |
Upon receipt and registration of the communication, the designated user is responsible for carrying out the investigations and enquiries deemed necessary to determine the legitimacy of the grounds for the communication. The investigation may require involving and/or interviewing other relevant persons. The whistleblower may also be contacted for clarification, if they provided contact details. In any case, the whistleblower’s protection is ensured, and their identity remains confidential until disclosure is legally required, namely in compliance with a legal obligation or judicial decision.
Following the assessment, the designated User may:
- Close the case if the report is found to be clearly unfounded or if no infringement exists;
- Close the case if the information is insufficient and it is not possible to obtain the necessary information for clarification;
- Trigger measures to stop the infringement, to be defined based on the specific case. These measures may involve an internal process and/or communication to Competent Authorities.
In all cases described above, a report must be drawn up, explaining the reasons and measures that led to the conclusion of the process.
A record is kept for each case, including the actions taken or justification for the absence of measures.
4.1. Follow-up of the Report
The whistleblower may request information regarding the result of the report’s assessment within 15 days following its conclusion, using the same contact method provided when submitting the report.
The following is guaranteed:
- Information on requirements, competent authorities, and the form and admissibility of external reports (this information is permanently available on the page for each report);
- Confirmation of receipt of the report within a maximum of 7 days;
- Ongoing updates on the status of the investigation;
- Conclusion of the report, indicating whether it was upheld, with justification, and, if upheld, identifying the measures taken.
A whistleblower who provides a contact method may request information regarding the result within 15 days after the conclusion, using the identified contact method and the code assigned for tracking the report.
The designated user is responsible for ensuring the communication to the whistleblower within the defined deadlines.
5. Privacy and Retention
5.1. Personal Data
KLOG undertakes to process personal data collected through this channel in accordance with personal data protection legislation. Data collected will be processed exclusively for the purpose of handling the report, with confidentiality of the whistleblower ensured under the conditions set out in section 3.2.
Identified data subjects are guaranteed the rights of access, rectification, erasure, objection and restriction of processing of their personal data under the GDPR, where feasible, through written request to comite.etica@klog.pt.
However, legal and/or regulatory requirements may prevent KLOG from complying with the data subject’s request. In such cases, the data subject will be informed, within a maximum of one month from the date of receipt of the request, of the reasons why it cannot be fulfilled.
5.2. Retention
Supporting documentation and data collected during the preliminary analysis and investigation are archived confidentially and securely, with security measures adopted to restrict access only to authorised persons.
Reports are retained by KLOG for a period of five years, notwithstanding the immediate deletion of personal data that are manifestly irrelevant to the handling of the report, without prejudice to the archival rules of judicial and administrative courts.
6. Approval and Review of the Policy
The Policy will be reviewed annually, without prejudice to additional reviews, and will be updated whenever necessary, namely following legal or regulatory changes, to ensure it remains current and appropriate to its purpose.
This Policy was approved by the Administration and made available to all interested parties on the company’s website and the internal company portal, in accordance with KLOG’s internal procedures.