EU Whistleblower Policy

This information is provided under Article 12, para 4 of the Act on the Protection of Persons Reporting or Publicly Disclosing Information on Breaches (also known as ЗЗЛПСПОИН in Bulgarian, effective 4 May 2023, referred to as the “Whistleblower Protection Act” or “WPA” for short).

1. Who has the right to report?

The following persons may report a breach of which they have knowledge in their capacity as:

• Current or former employees;
• persons working under a civil contract;
• a partner, shareholder, sole shareholder, member of a management or supervisory body;
• persons with self-employed status, including persons working without an employment contract and persons exercising a profession or a trade;
• volunteers and trainees;
• persons working for contractors, sub-contractors or vendors;
• persons whose employment or service relationships are about to begin, or persons who are about to conclude a contract for the provision of any type of service, in cases where information about the breaches was obtained during the selection or negotiation process; former workers or employees, as well as any other person referred to in the preceding paragraphs, who has received the information in the context of an employment, service or other legal relationship in a work context, which has been terminated at the time of submission of the report or of the public disclosure
• former employees, where the information was obtained in the context of an employment relationship that had been terminated at the time of the alert

Important! Anonymous reports will NOT be considered.

2. What breaches can you report?

For violations of Bulgarian and European legislation in various areas, including:

• public procurement;
• financial services, products and markets, and prevention of money laundering and terrorist financing;
• product safety and compliance;
• public health;
• transport safety;
• consumer protection;
• protection of the environment;
• protection of privacy and personal data;
• security of network and information systems;
• breaches related to cross-border tax fraud schemes;
• a crime of a general nature;
• labour law;
• breaches affecting the financial interests of the European Union;
• breaches of the rules of the internal market of the European Union, including the rules of the European Union and Bulgarian legislation on competition and State aid;
• breaches relating to cross-border tax schemes the purpose of which is to obtain a tax advantage contrary to the object or purpose of the applicable corporate tax law;
• a crime of a general nature of which a person referred to in Article 5 has become aware in connection with the performance of his work or in the performance of his official duties;
• the rules for the payment of outstanding public State and municipal claims.

Important! Reports of breaches that do not fall within the scope of the WPA.

3. How can you report to “Paynetics” AD’s internal reporting channel?

You may submit a written report using a standard form in any of the following ways:

• in person, to our Reporting Officer: Vyara Hristova-Mileva; or, if he or she is likely to be affected by the relevant report, to the Back-Up Reporting Officer: Greta Ivanova
• electronically by sending it to the following e-mail address whistleblowing@paynetics.digital (Vyara Hristova-Mileva) or whistleblowing.alternative@paynetics.digital (Greta Ivanova)

Important! Reports must be signed by the persons submitting them. If submitted electronically, the form must be signed with a qualified electronic signature.

Important! The form is NOT mandatory, it is for your convenience and contains the mandatory information you must complete. If your report does not comply with any of the legal requirements, our Reporting Officer will send you a notice to correct the irregularities within 7 days of receiving the report. If the deficiencies are not corrected within this period, the report and its attachments will be returned to you.

It is a good idea to include any written evidence you have. You may also identify persons who can confirm the information reported or provide additional information.

You may also submit a verbal report:

• in a personal meeting with our Reporting Officer, which you have arranged in advance via the e-mail provided.

In these cases, our Reporting Officer will fill in the information on the form and give you the opportunity to review, correct and approve the text of the written conversation and the contents of the form by signing it. With your explicit consent, the verbal report, you submit, may also be documented by means of its recording on a durable medium allowing its subsequent retrieval.

4. What happens after the report?

• We will acknowledge receipt within 7 days and register it with a unique identification number. If the report does not meet the legal requirements, we will notify you to rectify the irregularity within 7 days.
• The report will be checked by a person who does not have a conflict of interest. The transmission of data and the reference to circumstances may not directly or indirectly reveal the identity of the whistleblower or create a presumption as to his or her identity.
• Within three months of acknowledging receipt of the whistleblowing, we will provide you with feedback on the results of the investigation and the action taken.

5. What are the protections for whistleblowers?

Whistleblowers and persons related to whistleblowers (e.g. colleagues and relatives) are protected against disclosure of their identity and any other information from which their identity may be known, directly or indirectly, except with the express written consent of the whistleblower or where this is a necessary and proportionate obligation imposed by Bulgarian or European Union law in the context of investigations by national authorities or judicial proceedings, including in order to ensure the right to a fair hearing.

Retaliation against protected persons is prohibited, such as (but not limited to):

• Suspension from employment,
• Discharge,
• demotion,
• negative performance evaluations
• Application of financial and disciplinary liability
• Physical and verbal coercion
• threats,
• hostility and violation of their dignity,
• Discrimination.

Any of the aforementioned retaliatory measures taken in connection with the report shall be null and void. You may apply to the competent authority to restore the situation you were in before the retaliatory action was taken.

You are entitled to compensation for the material and non-material damage suffered as a result of retaliatory measures against you.

You are also entitled to the following assistance:

• Comprehensive, independent, free and accessible information and advice, on an individual and confidential basis, on procedures and safeguards provided by the Bulgarian Data Protection Commission;
• Assistance before any authority necessary for your defense against retaliation, including by proper communication of the fact that you are entitled to protection under the WPA – provided by the Bulgarian Data Protection Commission;
• Legal assistance in criminal, civil, administrative and international civil proceedings related to your defense in connection with the report or disclosure under the Legal Aid Act – provided by the National Legal Aid Bureau;
• Out-of-court settlement of cross-border disputes through mediation in accordance with the Mediation Act – provided by a mediator registered in the Single Register of Mediators.

6. What are the conditions for providing protection?

• The person submitting the report must have a reasonable belief that the information about the breach in the report was true at the time of submission and that this information falls within the scope of the WPA.
• The report of a breach must be submitted under the conditions and procedures established by the WPA.

Important! Persons named in the report as violators are entitled to compensation for all material and non-material damages if it is established that the whistleblower knowingly submitted false information in the report.

7. How can you submit a report to the Commission for Personal Data Protection (CPDP)?

The CPDP is the central authority for external whistleblowing. You can submit your report directly to the commission through one of the following methods:

In writing:

• By email: whistleblowing@cpdp.bg
• By mail to the address: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd.
• Via the Secure Electronic Delivery System.

Verbally:

• In person at the CPDP office at the address: Sofia 1592, 2 “Prof. Tsvetan Lazarov” Blvd.

You may use the sample Form for Registering a Report of Breaches published on the CPDP website. The form is not mandatory. However, if you decide to use it, you must complete Sections I–V inclusively and sign it:

• When sending the form by mail – with a handwritten signature.
• When sending it by email – with a qualified electronic signature.

If you use the Secure Electronic Delivery System, a CPDP officer responsible for reviewing the report will contact you to complete the Form for Registering a Report of Violations in accordance with the WPA.