In accordance with the provisions of our Code of Ethics and Conduct, Velora (hereinafter, “Velora”, the “Group” or the “Company”) implements a management model centered on excellence, which includes loyal and ethical conduct by every member of the organization, from the members of the Board of Directors and the Management Committee, to each individual employee.
For the Group, the honesty, integrity, and sound judgment of its professionals constitute the cornerstone of the reputation and success of the Company, both in its external relations with clients, institutions, and public authorities, among others, and in internal relations among those of us who make up Velora. This intrinsically implies the knowledge of and respect for current laws and regulations, as well as the internal rules and procedures that Velora has established to carry out its activity.
As a lever to achieve these ethical objectives, it is fundamental for Velora to have mechanisms that allow the organization to be informed of any perceived or known unacceptable conduct, as well as any behavior contrary to current regulations.
In this regard, the individual action of each member of Velora as a reporter of regulatory infringements or unacceptable conduct is fundamental to the Group’s proper functioning. For this reason, a secure environment is guaranteed so that members of the Company can convey and communicate such conduct, as well as receive balanced and effective protection when they choose to make such communications.
Furthermore, having secure whistleblowing mechanisms based on the principles of trust, good faith, and protection—with guarantees of confidentiality, impartiality, and non-retaliation—will allow us as an organization to mitigate our criminal risks, comply with national regulations regarding whistleblower protection, and align ourselves with international standards in this field.
In this context and with these objectives, this Whistleblowing and Consultation Policy (hereinafter also referred to as the “Policy”) is published to regulate the operation of Velora’s internal information system and the Ethical Channel as a mechanism to communicate, identify, investigate, process, and resolve infringements, as well as to receive and address inquiries or doubts regarding the interpretation of the Code of Ethics and Conduct and other internal regulations. Likewise, this Policy establishes the principles and guarantees of Velora’s actions regarding the communication of infringements and, specifically, with the aim of protecting the whistleblower and the affected person.
Throughout this Policy, the following questions will be addressed:
Who can report an infringement
What matters are subject to these communications
The guiding principles of the internal information system and the Ethical Channel, with special attention to protection measures
What steps to take to report an infringement and how Velora will handle these communications.
For the purposes of this Policy, “infringement” is defined as actions or omissions that are unlawful and related to the acts and areas of action falling within the material scope of Section 4 of this Policy (“Operation of the Ethical Channel and the Information System”).
The Board of Directors of Velora Investa, S.L., as the parent company of the Group, is responsible for approving the creation and implementation of the internal information system and the Ethical Channel and, in particular, for approving this Policy, thereby fulfilling its obligation to ensure the application of its principles in all integrated entities, without prejudice to the autonomy and independence of each company, subgroup, or set of integrated companies that may be established by the Group’s respective corporate governance system, and any modifications or adaptations necessary for compliance with applicable regulations in each case.
All persons subject to the Code of Ethics and Conduct —that is, employees, managers, and directors— and, additionally, those others who maintain a relationship with Velora in a work or professional context and who are identified below may use the Ethical Channel to report infringements:
a) Persons whose employment relationship with Velora has not yet begun, when the information on the infringement was obtained during the selection or pre-contractual negotiation process, as well as those persons whose employment relationship with Velora has already ended, when the information on the infringement was obtained during the course of their employment relationship
b) Volunteers and trainees, whether or not they receive remuneration
c) Self-employed persons (freelancers)
d) Any person working under the supervision and direction of contractors, subcontractors, and suppliers of Velora.
Likewise, partners or shareholders of Velora may also use the Ethical Channel to report infringements.
All persons subject to the Code of Ethics and Conduct may use the Ethical Channel to raise doubts or interpretive inquiries regarding the content of the Code of Ethics and Conduct or any internal regulations.
Communications regarding regulatory compliance concerns that Velora clients may submit in the context of their relationship with the Group will also be processed through the Ethical Channel.
Any infringement of the Code of Ethics and Conduct and any internal regulations, as well as any fact or conduct contrary to them, may be reported through the Ethical Channel.
Additionally, any infringement of national or European Union regulations may be reported in relation to the following areas:
a) commission of crimes within the entities that make up the Group
b) public procurement (except for matters relating to national defense or security)
c) financial services, products and markets, and prevention of money laundering and terrorist financing
d) product safety
e) transport safety
f) environmental protection
g) radiation protection and nuclear safety
h) food and feed safety, animal health and welfare
i) public health
j) consumer protection
k) protection of privacy and personal data, and security of network and information systems
l) competition and State aid, as well as
m) corporate tax rules or practices aimed at obtaining a tax advantage.
Additionally, actions or omissions that may constitute a serious or very serious criminal or administrative offense may be reported. In any case, all those serious or very serious criminal or administrative offenses that involve financial loss for the Public Treasury and for Social Security shall be understood to be included.
When reporting infringements, these must be understood in a broad sense. This means that in addition to actual infringements that have occurred, reasonable suspicions and potential infringements that are likely to occur may also be reported.
Communications relating to purely labor matters and human capital management that do not involve a serious or very serious criminal or administrative offense must be channeled through the ordinary channels of each entity.
The Ethical Channel of Velora is governed by the following basic principles:
a) Principle of trust and good faith The person reporting infringements has Velora’s commitment that, in accordance with this Policy, the communications received will be processed and investigated and, where appropriate, the necessary measures will be adopted to correct the identified deficiencies. The Ethical Channel is an instrument for improving the Company’s operations and must be understood as such by everyone.
For their part, the person reporting infringements must act in good faith and not make false accusations when stating their concerns. It is understood, therefore, that information will be provided without malice, without considering personal interest or benefit, and considering the information to be reasonably truthful with the means available. Any person who deliberately makes false or misleading statements or acts in bad faith will not enjoy the protection provided by this Policy and may be subject to disciplinary action in accordance with current legislation.
This Policy shall not affect the applicable rules regarding the exercise of workers’ right to consult their representatives or trade unions before reporting an infringement.
b) Principle of Protection
Velora guarantees the confidentiality of the identity of the person making the communication at all stages of the infringement investigation and resolution process; therefore, it will not be disclosed to third parties nor, consequently, to the affected person(s), nor to the managers of the person making the communication or those of the affected person(s). The identity of the person making the communication may only be disclosed when there is a legal obligation requiring communication to a judicial or administrative authority or when it is strictly necessary to share said information with external advisors and other Velora providers for the operation of the Ethical Channel itself, requiring the latter to maintain the same level of confidentiality as that applied internally. The above shall also apply to any other information from which the identity of the informant can be directly or indirectly deduced. For all the above reasons, personal data whose relevance is not manifest for dealing with a specific infringement will not be collected or, if collected by accident, will be deleted without undue delay. In any case, anonymous communications are also permitted and will be processed in the same manner.
Velora will treat all communications with absolute impartiality and without any type of prejudice and will not tolerate retaliation (including the mere threat of retaliation or attempted retaliation) of any kind against those persons who make good faith use of the Ethical Channel.
For the purposes of this Policy, retaliation is understood as any acts or omissions that are prohibited by law, or that, directly or indirectly, involve unfavorable treatment that places the persons suffering them at a particular disadvantage with respect to another in the work or professional context, solely due to their status as informants, or for having made a public disclosure. An exception is made in the event that said action or omission can be objectively justified in view of a legitimate purpose and the means to achieve said purpose are necessary and appropriate.
Specifically, the adoption of any of the following measures is expressly prohibited:
a) Suspension of the employment contract, dismissal or termination of the labor or statutory relationship, including non-renewal or early termination of a temporary employment contract once the probationary period has passed, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotions and any other substantial modification of working conditions and the non-conversion of a temporary employment contract into an indefinite one, in the event that the worker had legitimate expectations that they would be offered indefinite work
b) Damages, including those of a reputational nature, or economic losses, coercion, intimidation, harassment or ostracism
c) Negative evaluation or references regarding work or professional performance
d) Inclusion on blacklists or dissemination of information in a specific sectorial scope, which hinder or prevent access to employment or the contracting of works or services
e) Cancellation of a license or permit
f) Denial of training g) Discrimination, or unfavorable or unfair treatment.
The prohibition of retaliation also extends to those persons who externally communicate information on infringements to the competent authorities or who make public disclosures of information on infringements.
The retaliations contained in section a) above are prohibited unless these measures are carried out within the regular exercise of management power under the corresponding labor legislation, due to proven circumstances, facts or infringements, and unrelated to the filing of the communication.
Likewise, said prohibition of retaliation also applies to any third party linked to the person communicating the infringement (such as, for example, colleagues, relatives or legal entities that said person owns, works for or is linked to in any other way in a work or professional context), as well as to any person who has assisted the informant in the communication process.
If any employee, manager or director of Velora takes any type of retaliation directly or indirectly against any of the persons protected under this Policy, Velora will adopt the necessary measures to ensure that the retaliation or its effects cease as soon as possible and, where appropriate, will adopt the appropriate disciplinary measures against those responsible for the retaliation.
Persons who communicate information on infringements in accordance with this Policy shall not be considered to have breached any restriction on disclosure of information or commitment to confidentiality, and shall not incur liability of any kind in relation to said communication of information, provided that they had reasonable grounds to believe that the communication was necessary to reveal an infringement under this Policy.
Likewise, persons who report infringements shall not incur liability with respect to the acquisition of or access to the information being communicated, provided that such acquisition or access does not in itself constitute a crime. In the event that the acquisition or access in itself constitutes a crime, the criminal liability of the person who made the communication shall be governed by the applicable regulations.
Velora guarantees the confidentiality of the data corresponding to all persons affected by the information provided in the communications received, at all stages of the process of investigation and resolution of the infringement. This confidentiality is extended even in the event that the communication is sent to non-competent personnel. In these cases, the improper recipient of the communication is obliged to forward it immediately to the System Manager.
For the purposes of this Policy, affected persons shall be considered all those natural or legal persons referred to in the communication as the person to whom the infringement is attributed or with whom the infringement is associated in any way.
persons fully enjoy the maximum respect for their right to honor, the presumption of innocence and the right of defense, including the right to be heard and the right to access their file.
The person wishing to report an infringement must direct their communication to the email address enabled for this purpose by Velora on the corporate website (www.velorainvesta.com) for the receipt of infringement communications. The person making the communication will complete the form in accordance with the instructions provided on the corporate website.
At the informant’s request, the communication may also be presented through a face-to-face meeting within a maximum period of seven days from the date the written communication was made.
The person making the communication must provide the information requested and may submit any documentation they deem necessary to prove the veracity of the infringement being reported. In any case, at least the following information will be requested:
Identity of the person making the communication and contact details.
Relationship with Velora of the person making the communication.
Country, legal entity, and department in which the infringement occurred.
Description of the infringement.
Estimated date of the infringement.
Date and manner of discovery of the infringement.
Identification, where applicable, of the infringer and their relationship with Velora.
In the event that the communicator requests to remain anonymous, the above data that would allow their identification may be omitted. All communications received will be processed by the Compliance Officer of Velora and managed through a computer system that ensures the confidentiality, traceability, and security of the information contained therein.
Within a maximum period of 7 days following its receipt, an acknowledgment of receipt and registration of the communication will be issued. At that time, an individualized case file will be opened and assigned to the team responsible for it.
The person or team in charge of the case file will proceed to initiate the analysis of the information received in order to correctly categorize, identify, and verify the infringement, deciding whether the communication is credible and therefore subject to further investigation, and whether it constitutes a breach of the Code of Ethics and Conduct or any internal or external regulations.
The investigation will be conducted with respect for the rights of all affected parties. During the processing of the file, the person who made the communication may be contacted to raise inquiries or request further information; likewise, a hearing will be granted, where appropriate, to the affected persons. All employees are obliged to collaborate in the investigations carried out, always safeguarding secrecy and confidentiality and, where applicable, anonymity for the successful outcome of the investigation and the protection of the persons involved.
If necessary for the successful outcome of the investigation, the Compliance Officer of Velora may access the computer equipment and tools of the persons involved, always complying with legal and data protection requirements. In cases of special complexity or when the nature or circumstances of the infringement under investigation so advise, the investigation may be outsourced.
At any time during the processing of the case file, the competent person or team, in light of the facts investigated, may communicate the information received and the known facts to the judicial or administrative authorities in accordance with current regulatory obligations. In any case, such communication will be made immediately regarding facts that could prima facie constitute a crime.
The Compliance Officer of Velora, once the investigation is finalized and in the event that the commission of the infringement has been verified, will forward the results to the competent body or bodies so that appropriate measures can be adopted to mitigate the effects of the infringement, including those that may proceed in application of the disciplinary system, and will propose to the Board of Directors, if appropriate, the necessary mechanisms to avoid new infringements in the future. The outcome of the case file will be communicated to the person who reported the infringement within a reasonable period and no later than three months from the receipt of the communication, except in those cases where the complexity of the infringement does not allow for the resolution of the file within said period, in which case, the maximum resolution period for the file may not exceed six months.
The Compliance Officer of Velora shall be responsible for the custody of the information and documentation related to the communications and investigations, which must be kept in the Internal Information System‘s record. Personal data processed within the framework of this Policy will be kept for the period strictly necessary for the purposes of the investigation and, in any case, in accordance with the periods established by the applicable data protection regulations. Personal data that are not necessary for the investigation will be deleted immediately. In any case, and as a general rule, documentation related to the investigations will be deleted after ten years have elapsed since the end of the investigation, unless legal or judicial requirements mandate its preservation for a longer period.
5. Data Protection
Velora Investa, S.L. shall be the data controller for the personal data processed through the Ethical Channel, as the group company where the Compliance Officer in charge of managing said channel is located.
These personal data will be processed with the primary purpose of managing, processing, and investigating the communications submitted through the Ethical Channel, as well as for adopting disciplinary measures or processing any legal proceedings that may apply. The legal basis for this processing is Law 2/2023 of February 20, regulating the protection of persons who report regulatory infringements and the fight against corruption. Personal data may be communicated to the Velora company with which the person making the communication and/or the affected person(s) maintain the corresponding labor, commercial, or professional relationship, should it be necessary to carry out action measures, as well as to Judges and Courts, the Public Prosecutor’s Office, or the competent Public Administrations as a result of the investigation that may be initiated.
The exercise of the rights of access, rectification, erasure, restriction, and objection of data may be carried out by email communication to lopd@cunext.com. In the event that you require additional information regarding data protection, please access the following link (https://velorainvesta.com/en/privacy-policy).
This Policy has been approved by the Board of Directors of Velora Investa, S.L., entering into force on the same day of its approval. Any modification to it shall be approved by said body at the proposal of the Compliance Officer of Velora, following a report from the Audit Committee.
This Policy is available on the Velora corporate website (https://www.velorainvesta.com) from the same day of its approval and, additionally, has been communicated to all employees of the Group through the usual channels.