Whistleblowing Channel

Link: https://canaldenuncia.com/@GLOBALDAIRYVENTURES/informar


Internal Information System Privacy Policy

The Internal Information System of GLOBAL DAIRY VENTURES (hereinafter GDV) is the means by which employees, suppliers, customers and third parties with a legitimate interest can report irregular conduct, violations of the Code of Ethics or corrupt conduct in this company, which may constitute a crime under Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

GDV, with registered office at Av. Diagonal, 561, Pl. 4, 08029 Barcelona, is responsible for processing the personal data provided through this channel and expressly states that such data may be communicated to other third parties acting as data processors for the proper management of the report submitted. All complaints submitted will be treated with the utmost confidentiality and for the purpose of investigating, processing and resolving the complaints submitted, anticipating and, where appropriate, correcting irregular behaviour and/or behaviour contrary to the Code of Ethics. Under no circumstances may it be used as a complaints or suggestions box or as a customer service channel. 

Personal data will be kept for as long as is necessary to decide whether to initiate an investigation into the reported events.
However, if legal proceedings are initiated following the investigation process, the data may be kept for the additional time necessary until a final court decision is obtained. 
Complaints may be submitted anonymously or with identification. In the case of identified complaints, the protective measures against possible reprisals provided for in current regulations will be taken. Complaints may preferably be submitted electronically by clicking on the link provided at the end of this Policy, after accepting it. The person responsible for the internal information system is the Secretary of the GDV Compliance Body, who will receive the complaints and, if appropriate, forward them to the Investigation Body, which will follow the established internal investigation procedure. 

Only the following persons may access the complaints:

a)    The person responsible for the system and those who manage it directly.
b)    The head of HR or the Investigation Body, only when disciplinary measures against an employee may be warranted.
c)    The Data Protection Officer.
d)    The data processors or sub-processors who may be appointed.

Any complaint or communication with criminal implications will necessarily entail the initiation of proceedings by the Investigating Body and, where appropriate, notification of the State Security Forces and Corps, Administrations and Authorities and/or Courts and Tribunals. 

In order to be accepted and properly processed, communications or complaints must contain the following information:

•    Identification of the complainant, except in the case of anonymous complaints
•    A brief statement of the facts or arguments supporting the communication/complaint and the provision of any documents or testimonies deemed appropriate.
•    Person or department against whom the communication/complaint is directed 
•    Place or address where the events took place.

KBV will take all necessary technical and organisational security measures to prevent the alteration, loss and unauthorised processing or access to such data and thus guarantee its security.
Whistleblowers may exercise their rights of access, rectification, opposition, erasure, restriction of processing and portability by sending an email to: rgpd@globaldairyventures.com 

In the case of anonymous reports, the complainant may not exercise the rights indicated herein. 

 

 

INTERNAL INFORMATION SYSTEM OR WHISTLEBLOWER CHANNEL PROCEDURE


1.- THE INTERNAL INFORMATION SYSTEM OR WHISTLEBLOWING CHANNEL.

1.1.- Concept and nature.

Article 31 bis of the Criminal Code warns of the obligation of legal persons to establish systems or means within their organisation for communicating possible risks or legal breaches.

Likewise, Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption, has also introduced a series of requirements that legal persons must comply with for the establishment and management of these "internal information systems" or "whistleblowing channels".

By virtue thereof, this Entity, as part of its culture of ethical compliance, has implemented this INTERNAL INFORMATION SYSTEM OR REPORTING CHANNEL, through which it will be possible to report events relating to materialised risks, suspected criminal offences and any other conduct that constitutes a breach of legal regulations or the Company's Internal Policies. 

It may be used by all employees, members of the administrative body or any other interested third party included in Article 3 of the aforementioned Law 2/2023 of 20 February, confidentially or anonymously, without fear of reprisals, in accordance with the provisions of the aforementioned law.
This channel applies to the Entity and, where applicable, to any other company in the same Group in Spain.

By submitting their complaint and expressing their concerns, the complainant is helping our organisation to be recognised as a responsible organisation in all aspects of its activity. 


1.2.- Basic guiding principles of the System 

Accessibility: there are various options for submitting complaints, although we mainly recommend using the online system available on the company's website in the section "Internal Information System or Complaints Channel".
Confidentiality: the identity and contact details of the person making the report, as well as the facts and documents communicated regarding the possible irregularity through this channel, will always be considered confidential information and, therefore, will not be disclosed without their consent to the accused and/or third parties, except when required by administrative or judicial authorities, in accordance with the provisions of Article 31.1 of Law 2/2023. 

Anonymity: anonymous reports are accepted.
System manager: the entity has delegated the management of reports to a system manager, duly identified and in accordance with Law 2/2023.
Objectivity and impartiality: all reports will be handled objectively and impartially, guaranteeing the right to privacy, defence and the presumption of innocence of the persons involved. 

Data protection: In accordance with Article 24 of Organic Law 3/2018 of 5 December on the protection of personal data and the guarantee of digital rights (amended by the Seventh Additional Provision of the aforementioned Law 2/2023), "The processing of personal data necessary to ensure the protection of persons reporting regulatory infringements shall be lawful.
Such processing shall be governed by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Organic Law 3/2018 of 5 December on Data Protection and Guarantees of Digital Rights, and the Law regulating the protection of persons who report regulatory violations and the fight against corruption."

The data shall be kept in the reporting system only for the time necessary to decide whether or not to initiate an investigation into the reported facts. In any case, three months after the data has been entered (or six months if the deadline has been extended due to the complexity of the report), it must be deleted from the system, unless the purpose of keeping it is to leave evidence of the functioning of the model for the prevention of crimes committed by the legal entity.
If the facts are proven or there is sufficient evidence, the data shall be retained for as long as necessary for the entity to exercise its rights before the courts of justice. 

Complaints that have been made anonymously shall be identified by an internal reference so that they can be incorporated into the complaints system.

Only the following persons shall have access to the reports in the first instance:
•    The person responsible for the system and those who manage it directly.
•    The competent internal body duly designated within the Entity, when disciplinary measures against an employee may be appropriate.
•    The person responsible for the organisation's legal services, if legal measures are to be taken in relation to the reported events.
•    The data processors or sub-processors who may be appointed.
•    The Data Protection Officer and the Compliance Officer.


1.3.- Rights and Obligations


Rights and Guarantees of Whistleblowers 

Whistleblowers shall be guaranteed the effective exercise of the following rights, without prejudice to any others recognised by the Constitution and the law: 
•    to submit information anonymously and to have their anonymity maintained throughout the procedure. 
•    to make the report verbally or in writing. In the case of a verbal report, the whistleblower shall be given the opportunity to check, rectify and accept the transcript of the message by signing it. 
•    to indicate an address, email or secure location where communications from the System Manager can be received. 
•    to appear before the System Manager or the delegated manager on their own initiative. 
•    to waive the right to communicate with the System Manager or the delegated manager conducting the procedure and, where appropriate, to revoke such waiver at any time.
•    to the preservation of their identity. The identity of the whistleblower may not be disclosed without their express consent to any person who is not competent to receive and handle complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by the authorities or in the course of legal proceedings.
•    to the protection of their personal data.
•    to know the identity of the delegated manager conducting the proceedings.
•    to the confidentiality of communications.
•    to protection and support measures under the terms of Law 2/2023.
•    to lodge a complaint with the Independent Whistleblower Protection Authority.
•    not to be subject to reprisals, even if the results of the investigations verify that there has been no breach of the applicable regulations or the Entity's Code of Ethics, provided that they have not acted in bad faith.


1.4.- Obligations of Whistleblowers 

Whistleblowers, with regard to the submission of their communications through the internal reporting channel, shall be subject to the following obligations: 
•    Have reasonable or sufficient evidence regarding the accuracy of the information they report, and may not make generic reports, reports made in bad faith or reports that constitute an abuse of rights, in which case they may incur civil, criminal or administrative liability. 
•    Describe the facts or conduct they report in as much detail as possible, providing all available documentation on the situation described or objective evidence to obtain proof. 
•    Refrain from communicating for purposes other than those intended by the System, or in a manner that violates the fundamental rights to honour, image, and personal and family privacy of third parties, or that is contrary to human dignity.  
 
1.5.- Rights of Third Parties 
Persons considered as third parties in the proceedings shall be granted the rights recognised by the Constitution and the laws, without prejudice to the possibility of extending to them, as far as possible, the measures of support and protection for whistleblowers provided for in Law 2/2023; specifically the following:
•    to be informed, as soon as possible, of the information that affects them.
•    to access the proceedings against them, without prejudice to any time limitations that may be adopted to guarantee the outcome of the proceedings.
•    to know the identity of the manager conducting the proceedings.
•    to honour and privacy, as well as to the preservation of their identity. The identity of the third party may not be disclosed without their express consent to any person who is not competent to receive and handle complaints, with the exceptions established by European Union law or Spanish regulations in the context of investigations carried out by the authorities or in the course of legal proceedings.
•    to the presumption of innocence and to use all legally valid means for their defence.
•    to indicate an address, email or secure location where communications made to the System Manager can be received.
•    to appear before the System Manager or the delegated manager on their own initiative.
•    to the protection of their personal data.
•    to the confidentiality of communications.
•    not to be subject to reprisals.
 

2.- PROCEDURE FOR REPORTING INCIDENTS 
 
2.1.- Incidents or breaches to be reported  
 
The following cases are considered reportable incidents or breaches:   

•    Any violation of current legislation  
•    Any breach of the CODE OF ETHICS or INTERNAL POLICIES of our entity and/or Group companies or of the values, general principles of conduct or rules of conduct of the employees of any of the Group companies, as set out therein.  
•    Any contingency that may pose a risk to the reputation of our organisation. 

2.2.- Means of communication and minimum content thereof.

Incidents may be reported through: 
 
•    Preferably through this reporting channel enabled on the website. 
•    Alternatively, they may be sent by post or delivered by hand to the Complaints Control and Investigation Body at our offices.

In order to be accepted and properly processed, communications or reports must contain the following information:

•    the complainant's full name (except in the case of anonymous complaints)
•    a brief summary of the facts or arguments supporting the report/complaint
•    the person or department against whom the communication/complaint is directed 

The burden of proof shall always lie with the complainant, who must provide the documents on which the complaint is based, and the party against whom the complaint is made may provide any documents they deem appropriate to counter those of the other party.

If any of the persons affected by the communication/complaint are involved in the investigation of the complaint, they must be replaced by another person who is not directly related to the communication/complaint in question.


3.- PRELIMINARY INVESTIGATION PHASE OF THE PROCEDURE

3.1.- Receipt and acknowledgement of receipt 

Once the communication/complaint has been received, the person responsible for the system will acknowledge receipt to the complainant within a maximum period of 3 days, unless the complainant is anonymous, and will initiate the appropriate verifications and checks necessary; a file will be generated, which will be registered and identified by a reference number.

If necessary, and if the report is not anonymous, the person responsible for the system may request clarification or further information. 

3.2.- Preliminary analysis of the information received 
 
With this initial information, the person responsible for the system will carry out a preliminary analysis to verify the substance, sufficiency and plausibility of the report, the credibility of the complainant and the relevance of the reported facts for these purposes, determining whether they may constitute a legal infringement or a breach of the code of conduct.  
 
Depending on the outcome of this preliminary analysis, the person responsible for the system may take one of the following decisions, drawing up a reasoned report: 

•    Rejection of the notification or complaint and immediate closure of the file when the reported facts do not constitute any of the cases provided for in this channel 
•    Admission of the notification or complaint and immediate closure of the file when the content is manifestly irrelevant, when the information is insufficient to proceed with any further action, when the reported facts are implausible or when the informant lacks credibility. 
•    Admission of the notification or complaint and initiation of the corresponding investigation file in relation to the reported facts. 
 
3.3.- Procedure following analysis

If the complaint is considered inadmissible, the person responsible for the system will inform the communicator or informant of the inadmissibility of the complaint or the closure of the file, as appropriate, as well as of any additional measures that may have been taken. 

If the complaint is admitted, an investigating body will be set up, whose functions are to process the complaint and draft a report for its resolution. 

However, urgent measures may be taken, provided they are justified, for the following purposes:

•    To mitigate the effects of the risk that has materialised or is likely to materialise
•    To implement urgent measures to preserve evidence
•    Urgent communication, where appropriate, of the information to the governing bodies of the legal entity
 
If accepted, the procedure will follow these steps: 

•    Identify the legislation, policies, procedures or internal regulations affected, as well as the reputational, economic, financial or legal risks that may arise from the incident. 
•    Identify all information and documents that may be relevant and whose review is considered useful (emails, websites, audiovisual surveillance and security media of the company, attendance lists, passwords or electronic security devices, accounting media, etc.). 
•    Determine, with the collaboration of the Human Resources Department, the need and, where appropriate, the urgency of adopting precautionary measures with respect to the subjects under investigation.  
•    Depending on the severity, immediately suspend the subjects under investigation. 
 
The investigation shall include all investigative procedures deemed appropriate for clarifying the facts, identifying those responsible and determining any corrective measures to be taken. 

Some of the main procedures that may form part of any investigation are detailed below: 
 
•    In the case of a non-anonymous complaint, an interview with the complainant to obtain more information about the complaint. 
•    Statements from the subjects under investigation.  
•    Conducting confidential questionnaires and interviews with witnesses. 
•    Arrange hearings with the subjects under investigation, their superiors and colleagues, as well as with any other persons deemed necessary. 
•    Gather as much information as possible from company documentation. 
•    If it is essential for clarifying the facts, surveillance measures may be adopted through detectives or computer, telematic or audiovisual means, provided that they meet criteria of reasonableness, suitability and proportionality, ensuring at all times the worker's right to privacy and the right to secrecy of communications. 
•    Seek external assistance from other professionals. 
•    Any other steps that the investigating body deems necessary to clarify the facts. 
 
3.4.- Notification to the subjects under investigation 
 
Except in the case of anonymous complaints, the person responsible for the system will contact the parties, identifying themselves as the person in charge of investigating the complaint and briefly informing them of the facts attributed to them and the main milestones that may occur during the investigation. 
 
If the complaint is rejected as inadmissible, the complainant shall be informed of this within a maximum of three days of its submission. 
 
3.5.- Documentation of the investigation procedure 
 
It is essential to include in the file detailed documentation of the entire investigation procedure, such as the documents collected and the minutes of the interviews conducted. 
 
In all interviews conducted by the Investigating Body, the latter shall take written note of the relevant facts and incorporate them into a record, which must be signed by the persons appearing and by the members of the investigating committee. 

Likewise, in all interviews, the parties shall be informed of the requirements of current legislation on data protection. 
 
3.6.- Final report of the investigating body 
 
Once all the investigation proceedings have been completed, the Investigating Body shall draw up a report of its conclusions within 15 days, which shall contain a brief description of the following elements: 

•    Identity of the members of the investigating committee.
•    Nature of the contingency. As far as possible, the parties involved, the nature of the events, the date, place and circumstances in which they allegedly occurred, and the legal provisions or internal regulations infringed or jeopardised shall be identified. 
•    List of relevant facts and findings. The most relevant facts gathered during the investigation procedure shall be reported, distinguishing between those obtained from the company's documentation, the information provided by the complainant, and the interviews conducted with the subjects under investigation and with witnesses.
•    Conclusions and assessment of the facts. The conclusions drawn by the investigating committee shall be specified, as well as its assessment of the facts reported, and two possible actions may be proposed: 
•    Proposal to continue the proceedings, if it is considered that the proceedings have sufficiently proven that the subject under investigation has committed a punishable offence. The proposal must include a final section identifying the sanctions that may be adopted by the company against the persons responsible for the facts, as well as any other additional measures, including possible compensatory actions that may be taken with respect to any person harmed by the facts.
•    Closing of the proceedings, if it is deemed that the act does not constitute an offence, that there is insufficient evidence to justify its perpetration, or that no known perpetrator has been identified.  
     
Once prepared, the final investigation report shall be immediately forwarded to the Decision-Making Body and shall be filed together with the rest of the investigation file. 

 

4.- DECISION-MAKING PHASE 


In view of the report prepared by the investigating body, if the complaint is deemed appropriate, the Decision-Making Body shall be constituted, whose function is to form the will of the legal entity in response to the complaint filed.

In order to form this decision, the Decision-Making Body may request advice from as many external services as necessary, as well as any clarifications required from the Investigating Body itself.

It is a collegiate body, composed of the members of the Investigating Body, to which a representative of the entity's Administrative Body shall be added.

In the event of incompatibility of any of the members of the Decision-Making Body for the processing of a specific matter, said member shall be removed from all proceedings held in relation thereto. 

The Decision-Making Body shall forward the file to the subjects under investigation, who shall be given a period of 5 days to submit any written arguments they deem appropriate for their defence and to provide any documents they consider relevant. Once this period has elapsed, the Decision-Making Body may adopt one of the following decisions: 
 
•    Request additional investigative proceedings   
•    Request the administrative body to impose sanctions and/or additional measures 
•    In the case of possible criminal acts, it shall be obliged to bring them to the attention of the competent authority, whether administrative or judicial.  
•    Take compensatory action against any person or entity that may have been harmed by the events.  
•    Make decisions regarding the communication, training or internal dissemination of the facts, both to any body or unit of the company and to the workforce in general, when this is considered an effective tool for preventing similar incidents in the future (always with the necessary precautions regarding the protection of personal data). 
 
The entity's legal department will be available at all times during the procedure to ensure compliance with current legislation. 


5.- RECORD 

For the purposes of documenting the actions taken, the person responsible shall keep an up-to-date and confidential chronological record of the investigation (both ongoing and closed cases), complaints and disciplinary measures applied in relation to the breach. 

This register shall contain at least:
 
•    Date of the incident 
•    Type of incident
•    Date of complaint 
•    Type of complainant 
•    Persons involved in the situation 
•    Description of incident 
•    Actions taken 
•    Consequences 

The record referred to in the previous paragraph must always be kept up to date and available for review by those responsible for this policy (the person responsible for the system and the entity's Compliance Body), and must always be kept strictly confidential. 

However, once the matter has been resolved, a decision will be made as to what information will be disclosed to other employees and managers about the events, either as a deterrent or as a means of improving procedures and future actions to prevent malpractice. 

Furthermore, the resolution of the procedure will become part of the file (employment, where applicable) of the person reported.

Updated version January 2026