In order to comply with the requirements of Organic Law 1/2015, as well as Law 2/2023, the H&A group introduces, among other measures, Whistleblowing Channels integrated in the Internal Reporting System.

The main function of this Whistleblowing Channel or Channels is that any person may report any activity or conduct they observe or become aware of that may be detrimental to the Company, or that may constitute a criminal offence or infringement.

The aim is also that these reports or denunciations can be carried out quickly and easily, and without consequences of any kind for the informant.

In the Internal System, which includes all the Channels provided by the Company, all the reports that are filed are recorded, with high security and always maintaining confidentiality, as well as the anonymity of the informant, provided that he/she so requests.

Complaints made through any of the Company's Internal Channels will be dealt with only by the person or persons designated by the whistleblower, from among the members of the Compliance Committee and the Human Resources team.



The complaint must meet the following requirements to be admissible:

1. Expose or refer to facts or conduct that may be detrimental to the Company, or that fall within the scope of article 2 of Law 2/2023. In short, the conduct reported must be:

1. Infringement of European Union law.

2. Constitute a serious or very serious criminal or administrative offence.

2. Provide an adequate or sufficient description to enable the recipient of the complaint to assess whether the conduct or action reported falls within the scope of Article 2/2023.

3. To the extent possible, an identification of the person or persons who have carried out the infringing or unlawful conduct.

4. The addressee(s) to whom you want the report to be addressed, i.e. the person(s) you want to have access to the report.

5. In case the complaint is not anonymous, an e-mail address where the complainant can be contacted.

6. Of course, the facts or conduct reported must be in accordance with the criteria of truthfulness, objectivity and good faith, since misuse of the reporting channel may give rise to offences of libel and/or slander, as well as civil liability for the infringement of the right to honour.

By way of example, complaints may relate to:

  • Prevention of money laundering
  • Environmental protection
  • Personal data protection and privacy
  • Network and information systems security
  • Sexual harassment
  • Harassment at work



In relation to whistleblowing, the whistleblower shall have the following safeguards:

1. Decide whether you wish to make the report anonymously or non-anonymously. In the case of being anonymous, the IP of the whistleblower will be deleted as the report is made. If not anonymous, the identity of the informant will be kept confidential and will not be disclosed to third parties not involved in the report.

2. Choose whether to communicate verbally or in writing.

The written complaint will be made, in general, physically, through the mailboxes provided by the Company, which will be located in the coffee corner, or through the Channel enabled on the Factorial platform.

The whistleblower may also choose to make the report by means of a face-to-face meeting with the Head of the System, the Compliance Committee or any of its members, which shall be recorded in a secure, durable and accessible format that guarantees the confidentiality and anonymity of the informant, and provided that the informant has previously given his or her express consent. The recording may be replaced by a complete and accurate transcript of the conversation, which the informant may review and modify before proceeding with its processing and storage.

3. Choose the member(s) of the Compliance Committee and/or the Human Resources team to whom you want to address the complaint. Members who are not designated by the whistleblower will not have access to the complaint.

4. Exercise the rights conferred by personal data protection legislation.

5. Know the status of the processing of your complaint at all times and the results of the investigation.



Communications can be made either through the internal channels provided by the Company or through external channels provided by the competent authorities, or through both simultaneously.

Within the internal channels, the complaint may be made orally, by means of a face-to-face meeting; or in writing, physically in the mailboxes located in the coffee corner, or online, in the channel provided by the Company through the link https://hyaip.factorialhr.es/complaints, which redirects the user to the FACTORIAL platform where they will find a form that they can fill in with their preferences when making the complaint.



In the first place, the complaint received through the established internal channels will be reviewed by the Compliance Committee or, failing that, by the person from the Committee or Human Resources to whom the whistleblower has referred the complaint.

The recipient of the information shall acknowledge receipt of the information to the reporter within a maximum of seven days, and shall assess whether more information than that provided is necessary to enable the complaint to be followed up.

On the other hand, it is also possible that, after receipt of the complaint and its corresponding assessment, the situation cannot be easily resolved or should not be resolved through these channels, and there are several situations that arise:

a) The complaint is inadmissible. The Committee shall issue a report and send a communication to the complainant explaining the grounds and reasons why the complaint has been considered inadmissible.

b) The complaint is admissible, but further action is required. The Committee will so inform the complainant, informing him/her of the action to be taken. The Committee, at its discretion, may either initiate a process of investigation into the matter, gathering as much information as possible through the means at its disposal, or refer the case to the Courts or other competent authorities.

In the event that the Committee carries out the investigation itself and it becomes necessary to rely on witnesses, they must be informed of the situation and must give their approval for their intervention, informing them in all cases that the information will be treated in accordance with the LOPD, and that the rights to privacy, defence, presumption of innocence and any other related rights will also be guaranteed. The maximum duration of the investigation carried out by the Regulatory Committee shall be three (3) months.

If, during the investigation process, it is concluded that preventive measures are necessary to mitigate the damage, or to secure the information available, the Standards Committee shall immediately proceed with their implementation, whichever is more convenient, and always and in any case, in accordance with the legislation in force and good customs.

During the research process, the aim is to distinguish between objective information (dates, names, places, etc.) and subjective information (opinions, rumours, etc.). Furthermore, the aim of the research is to analyse this information in order to be able to issue a subsequent report detailing in particular the following:

  • Data identifying and describing the complaint and the complainant.
  • Data processed and analysed on the basis of the information contained in the complaint.
  • Measures proposed during the investigation phase.
  • Proposals for resolving the conflict situation.
  • Concrete measures of action for the resolution of the conflict situation.
  • Communication to the complainant informing of the initiation and completion of the investigation process, as well as of the measures taken during the process.
  • Data processing certificate in accordance with current legislation (LOPD).
  • Disciplinary measures that have been taken, explaining always and in any case why these measures have been taken and not others.
  • Disciplinary sanctions that have been taken, justifying always and, in any case, why these sanctions have been applied and not others.



This procedure, designed by the Compliance Committee and approved by the Governing Body, establishes a series of provisions necessary for the Internal System and its channels to comply with the regulations, containing minimum information and respecting the following principles:

1. Identification of the internal information channel(s) with which the procedure is associated.

2. Inclusion of clear and accessible information on external reporting channels to the competent authorities and, where appropriate, to the institutions, bodies, offices or agencies of the European Union.

3. An acknowledgement of receipt of the communication shall be sent to the reporter within seven days of receipt, unless this would jeopardise the confidentiality of the report.

4. It determines the maximum time limit for providing a response to the complaint investigation proceedings, which shall never exceed three months from the receipt of the complaint or three months and seven days if the informant has not been acknowledged, except in very complex cases where it may be extended for an additional three months.

5. Possibility to maintain communication with the informant and request additional information, if necessary.

6. Inform the person affected by the complaint of the acts or omissions attributed to him or her, and ensure that he or she can be heard at any time.

7. Ensure confidentiality when communication is made through channels other than those established by the Company or sent to members of staff who are not responsible for its processing.

8. Demanding respect for the honour and the presumption of innocence of the persons concerned.

9. Always respecting the provisions and regulations for the protection of personal data.

10. The complaint shall be referred to the Public Prosecutor's Office if the facts could constitute a criminal offence. If the financial interests of the European Union are affected, it shall be referred to the European Public Prosecutor's Office.

All these principles will also be available on the Factorial platform, and any employee of the Company will be able to access them through their credentials.



The processing of personal data carried out as a result of an information or complaint, whether from the informant or a third party, shall always be in accordance with European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, Organic Law 7/2021 of 26 May on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties, and Law 2/2023 of 20 February on the protection of persons who report regulatory offences and the fight against corruption.

Only personal data necessary to process the information provided by the informant are collected. If irrelevant data is provided, it will be deleted without undue delay.

When obtaining the informant's data, the duty of information is always complied with, especially with regard to the confidentiality of the informant's identity.

Personal data contained in the Company's Internal Information System is accessible only to:

a) The Controller of the system and its management.

b) The Human Resources Manager, only when disciplinary measures against an employee are appropriate.

c) The Data Protection Officer.

d) Where appropriate, the data processors that may be designated.

Data shall only be retained in the System for as long as it is necessary to decide whether to initiate an investigation into the reported facts. If it is established or discovered that certain information is untrue, it shall be deleted immediately.

H&A's Internal System has the appropriate technical and organisational measures in place to preserve the identity and guarantee the confidentiality of the data of the persons affected or mentioned in the information or complaint.