Information on internal reporting

INFORMATION REGARDING THE REPORTING OF BREACHES IN ICGB AD

 

 Reporting registration form

 

 This information is provided pursuant to Art. 12, para. 4 of the Law on protection of reporting persons and persons publicly disclosing information on breaches.

  • Reporting via internal channel

  You can report a breach verbally or in writing through the internal reporting channel established at ICGB AD. The reports can be filed against employees, members of the management and management bodies, customers, suppliers of ICGB AD, as well as against third parties related to ICGB AD.

  The report should contain your data, which will not be shared with other persons except for the purpose of the inspection. The reports are dealt with under the terms and conditions of the Law on protection of reporting persons and persons publicly disclosing information on breaches (for short, the " LPRPPPDIB") and ICGB's "Rules on Internal Reporting and Follow-up". During investigation, appropriate action shall be taken in 3 months from the registration of the report.

The report should be made to the reporting officer (Officer) in one of the following ways:

  • by e-mail: reporting@icgb.eu
  • by telephone on +359 02 4513 544
  • during a personal meeting with the reporting officer.
  • by letter to the official address of the company in city of Sofia, 23 "Georg Washington" St. In the case of submitting the report by letter, please mark the letter as "Confidential", necessarily with the text "Report under the “LPRPPPDIB" and indicate the official as the recipient. An anonymous report will not be considered unless the reporting official determines otherwise on a case-by-case basis.

  The report of breaches should fall under the areas covered by the law. In order for your report to be dealt with under the conditions and within the timeframes set out in the information you have seen; the report must allege breaches in one of the following areas:

  1. infringements of Bulgarian legislation or of the European Union acts referred to in the Annex to the LPRPPPDIB in the field of:

  • public procurement, financial services, products and markets and the prevention of money laundering and terrorist financing, product safety and compliance, environmental protection, consumer protection, protection of privacy and personal data, security of networks and information systems.

  2. infringements affecting the financial interests of the European Union (fraud affecting the financial interests of the Union).

  3. infringements of internal market rules, including competition and State aid rules.

  4. offences relating to cross-border tax schemes the purpose of which is to obtain a tax advantage contrary to the object or purpose of the applicable corporate tax law.

  5. a crime of a general nature of which the reporting person has become aware in connection with the performance of his or her work or during the performance of his or her duties.

  6. breaches of Bulgarian legislation in the field of rules for payment of public state and municipal claims, labour legislation or legislation related to the performance of state service.

  When submitting your report in writing, you can fill in a form provided by the Commission for the Protection of Personal Data (CPPD), available above. If you do not use the form, the report should contain: your three names, address, telephone number and e-mail address, if available; the name of the person against whom the report is made and his or her place of work, if the report is made against a specific person and he or she is known to you; specific details of the breach or of a real risk of such an breach being committed; the place and period of the breach, if any; a description of the breach or the situation and other circumstances, to the extent known to the person making the report; the date of the report, signature, electronic signature or other identification of the reporting person.

  Registration of a report via an internal channel

  Within 7 days of receipt of the report, you will receive confirmation of its registration in the internal report register, together with a unique report identification number issued by the CPPD. Access to the register is restricted.

  No reports are considered when they:

  1. are irregular and the irregularities have not been corrected within the specified period.

  2. contain false or misleading statements of fact and the statements have not been corrected within the specified period.

  3. contain allegations of breaches outside the above-mentioned areas.

  4. relate to breaches committed more than two years ago.

  5. are submitted anonymously unless the person examining them decides to initiate an investigation.

  6. refer to breaches of the rules for awarding public contracts in the field of defense and national security, when they fall within the scope of Art. 346 of the Treaty on the Functioning of the European Union (production or trade in weapons, ammunition, and military materials).

  7. refer to breaches of the protection of classified information within the meaning of Art. 1, para. 3 of the Law on Protection of Classified Information.

  8. have become known to persons exercising a legal profession and for whom there is an obligation by law to protect professional secrecy.

  9. refer to breaches of the confidentiality of health information within the meaning of Art. 27 of the Health Act.

  10. refer to breaches of the secrecy of the judicial conference.

  11. refer to breaches of the rules of criminal proceedings.

  12. relate to breaches in other areas that do not fall within the scope of the Law on protection of reporting persons and persons publicly disclosing information on breaches.

  In the case of initiated inspections, the reporting officer has the right to request additional information from you and third parties, to listen to the affected person, who in turn has the right to object and to present evidence in defence of his claims.

  If it is necessary to take action with the assistance of a state body, the report can be forwarded to the CPPD after notifying you in advance.

  Security and privacy

  The report and the materials collected during the inspection are stored for a period of 5 years, unless a law or other regulatory act requires a different storage period. Technical and organizational measures have been taken to protect their confidentiality. Your identity is protected, and the forwarding of your report is carried out only in the cases provided for by law, and in most of them after notifying you in advance of the upcoming forwarding.

  Defence to be asserted.

  The reporting of breaches, if filed in accordance with the law, cannot be used against you for purposes unfavourable to you. You are protected under the LPRPPPDIB from the time of reporting through an internal or external channel, if the report is of a breach falling within the scope of these rules, was made within the terms and conditions of the LPRPPPDIB, and you had reasonable cause to believe that information in the report about the breach was correct at the time of the reporting. In this case, your relatives and colleagues who helped you to file the report, as well as the legal entities in which you own a stake, work for or are connected in any other way in a work context, also enjoy protection.

  In case of public disclosure of information about a breach, you will benefit from legal protection if the above conditions are present, but also if any of the additional conditions are present, namely:

  1. you have submitted a report through an internal channel under the terms of these rules or through an external channel to the CPPD or a European institution, but the report has not been acted upon within 3 months from the confirmation of a received report or up to 6 months if the report is filed through an external channel and the deadline is extended, or

  2. you had reason to believe that:

  a) the breach may represent an immediate or clear danger to the public interest or there is a risk of damage that cannot be remedied.

  b) in the event of an external report, there is a risk of retaliatory actions against you, legal entities in which you have a stake, or against your relatives, or there is a possibility that the breach will not be effectively dealt with, due to the risk of concealment or destruction of evidence, suspected existence of collusion between the competent authority and the perpetrator of the breach, or of the authority's complicity in the breach, as well as due to other specific concrete circumstances of the case. If you have reported anonymously, you have the protection of the law if you are subsequently identified and subjected to reprisals.

  If you meet the conditions set forth above, against you is prohibited from any form of employment, personal, discriminatory, commercial retaliation, threats or attempts of such actions, where such actions are repression and put or may put you at a disadvantage,

 You have the right to free and accessible information and advice from the CPPD regarding the procedures and protection measures under the law, and the Commission can also provide assistance to any authority necessary for your protection against repressive retaliatory actions, including by duly communicating the fact that you have the right to protection. You also have access to legal assistance provided by the National Legal Aid Bureau in criminal, civil, administrative, and international civil disputes related to your defence in connection with your reporting, as well as out-of-court resolution of cross-border disputes through mediation, in accordance with the Law on Mediation, with the assistance of a mediator entered in the Unified Register of Mediators.

  If criminal, civil, or administrative proceedings are instituted against you, in connection with a report or publicly disclosed information, you have the right to request the termination of those proceedings if you prove that you had reasonable cause to believe that the filing of the report or public disclosure of the information were necessary to detect an infringement.

  Liability

  You will not be liable if you obtained the information disclosed in the report through any means other than a crime, even if there is a contractual or statutory duty of confidentiality, including where the report discloses a trade secret. In case of a lawsuit initiated by or against you in connection with the report, you must prove that the actions taken against you are a reaction specifically in connection with the report. You have the right to compensation for pecuniary and non-pecuniary damages incurred in connection with the reported breach or publicly disclosed information.

  You are responsible if you acquired the information disclosed in the report as a result of a crime, as well as for any action you take that is not related to the report or is not necessary to detect the breach. You are responsible for knowingly filing a false report. The person affected by the report also enjoys rights such as the right to defence, to be heard and to access the data of the report while preserving your identity, the right to a fair trial and to compensation for reports containing false information.

  • Reporting via an external channel

  You can report a breach orally or in writing and through an external reporting channel managed by the "External Reporting Channel" Directorate at the CPPD, as well as to any other state or European body, if you believe that the report could create a risk for you and your loved ones in a work or personal context, including the risk of retaliatory, discriminatory actions, as well as if the report is filed against your employer or you are sceptical about filing a report through the internal channel. CPPD verifies the regularity and validity of the report in accordance with the terms and conditions of Section II of the Law.

  At the latest within 3 months from the confirmation of the report, the CPPD shall provide the reporting person with feedback. This period can be extended up to 6 months in duly justified cases requiring a thorough investigation.

  You can send reports to CPPD in writing: by e-mail whistleblowing@cpdp.bg or by mail to the address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2, or orally - on site in the CPPD at the address: Sofia 1592, "Prof. Tsvetan Lazarov" No. 2.

  You can find more information on the implementation of the CPPD on the CPPD`s website: https://www.cpdp.bg

  Protection of personal data when reporting breaches

  1. General information about the personal data controller

  The personal data controller and the obligated person under Art. 12, para. 1, item 2 of LPRPPPDIB is:

  "ICGB" AD, UIC 201383265, with registered office and management address in the city of Sofia, 23 "George Washington" St.

  2. What is the purpose of this information (notice)?

  The purpose of this notice is to inform all natural persons whose personal data is collected through the internal reporting system about the manner and procedure for processing personal data by the data controller when reporting breaches.

  This notice does not replace the Privacy Policy published in accordance with Regulation (EU) 2016/679 and the LPPD but applies only in cases of internal reporting and the need to process personal data in these cases, according to the requirements of the LPRPPPDIB.

  Any processing of personal data carried out pursuant to LPRPPPDIB, including exchange or transmission of personal data by the competent authorities, is carried out in accordance with Regulation (EU) 2016/679, as well as with the Law on the Protection of Personal Data, and when in the transmission institutions, bodies, services or agencies of the European Union are involved - in accordance with Regulation (EU) 2018/1725.

  This notice (policy) applies to:

  - the reporting person within the meaning of Art. 5, para. 2 of LPRPPPDIB.

  - all affected persons within the meaning of § 1, item 5 of AP of LPRPPPDIB.

  3. Where is personal data collected from?

  The data controller collects personal data provided by the reporting person through the internal channel for reporting of breaches. In addition, during the investigation of the report, if necessary, personal data is collected from the other internal systems of the controller, as well as from third parties.

  Personal data concerning data subjects is collected from the data subjects themselves when they have reported using their name. Data about data subjects may also be collected from sources other than the data subjects themselves, for example when a report submitted by a data subject contains personal data about another person.

  During the processing of the reports, the data controller may also learn other data about the data subjects that the reporting persons themselves voluntarily provide or that are obtained from other sources in a manner permitted or required by applicable law.

  4. Purposes and basis for processing

  4.1. Purpose of processing

  We process your personal data for the following purpose: collecting and processing internal reports to comply with the LPRPPPDIB.

  When you provide your personal data in the report, we will collect and store your personal data to research and investigate your report. The information you provide to us will be kept strictly confidential and secure.

  4.2. Grounds for processing

  The processing of personal data is lawful if one of the legal grounds specified in the applicable law is present (Article 6 of the GDPR).

  We process personal data on the following grounds:

  • Legal obligation - we will process your personal data to fulfil our obligations under the LPRPPPDIB. The legal basis we refer to is Article 6, paragraph 1, letter "c" of the GDPR.

  • If the information we receive in connection with the report of breaches contains a special category of data revealing the racial or ethnic origin, political views, religious or philosophical beliefs, data about the state of health, sex life, sexual orientation of the individual, etc. , the legal basis on which we will process these personal data is Article 9, paragraph 2, letter g) of the GDPR, because the processing is necessary for reasons of important public interest based on European Union law and Bulgarian law.

  • Data related to crimes, convictions and security measures may be processed under the conditions specified in Article 10 of the GDPR and the Personal Data Protection Act.

  5. Data Subjects

  In the sense of the GDPR, a data subject in relation to the submitted report can be:

  • the author of the report (also called the reporting person);

  • the person against whom the report is filed, or persons related to him (affected persons);

  • the witness(es) and other persons whose personal data could become known during the inspection.

  6. What personal data do we collect?

  When disclosing information about breaches (i.e. reporting possible wrongdoing), you are asked to provide at least the following personal information:

  • your three names, address, and telephone number, as well as an e-mail address, if any.

  • your status as a reporting person, for a breach that became known to you in a work context - worker, employee, self-employed, etc.

  • the names of the person against whom the report is filed and his workplace, if the report is filed against specific persons and they are known.

  • signature, electronic signature, or other identification of the sender.

  If necessary, we may request additional information so that we can investigate all the grounds for your report, along with any supporting documents or evidence.

  6.1. The categories of personal data that may be affected by the processing of the report.

  We recognize that personal information in a report may relate to the reporting person(s), the person being reported, witnesses to the breach, or other individuals named in the report (data subjects).

  Therefore, in connection with your report, we will also store the following personal information:

  • identity and contact details of the witnesses.  

  • identity, functions, and contact details of the persons involved in the processing of the report.

  • information collected in the context of verifying the reported facts.

  • information in reports prepared during the investigation.

  6.2. Obligation to provide your personal data.

  The processing of the above-mentioned personal data is necessary for the verification of the information indicated in the report of breaches. Failure to provide this data would not allow the processing of the report and the conduct of the related investigation. Pursuant to the Bulgarian Law on protection of reporting persons and persons publicly disclosing information on breaches, proceedings are not initiated based on anonymous reports.

  7. Who has access to the personal data and is the data disclosed to third parties?

  We take appropriate measures to protect information related to reported breaches and to protect the identity of reporting persons, providing access to the information only to employees who need this data to perform their duties. The reporting person's identity is not disclosed to the accused persons. The reporting person's identity is disclosed only if the reporting person consents to it, or if disclosure of the reporting person's identity is required in a criminal proceeding, or if the reporting person has filed a false report with malicious intent. Personal data may be disclosed to third parties, such as public authorities or external inspectors, when this is a necessary and proportionate obligation imposed by Bulgarian law or European Union law in the context of investigations by national authorities or legal proceedings, including with a view to guaranteeing the right of defence of the affected person. In these cases, before disclosing the identity or information related to the reporting persons, we will notify the reporting person of the need for disclosure. The notification shall be in writing and shall be motivated. The reporting person is not notified when the investigation or legal proceedings are jeopardized.

  8. Transfer of personal data outside the European Union/European Economic Area

  Personal data obtained when reporting is not transferred outside the EU or EEA.

  9. Period of storage of personal data

  Personal data will only be processed to fulfil the obligations on which the processing is based – in this case to comply with the requirement to provide a breach reporting channel. Personal data will not be processed for a longer period than is necessary to fulfil this purpose.

  No personal data is collected that is clearly not relevant to the administration of the report. If such data is collected in error, it will be deleted as soon as possible.

  The reports and the materials attached to them, including the subsequent documentation related to their consideration, we are obliged to store for a period of 5 years after the conclusion of the consideration of the report, except in the presence of criminal, civil, labour law and/or administrative proceedings in connection with the given report.

  We apply the following storage periods:

The report does not apply to this procedure The report did not lead to any consequences Where disciplinary or legal proceedings have been initiated
The data is destroyed immediately The data is destroyed within 5 years after the end of the examination of the report The data is destroyed at the end of the procedure or the limitation period for appealing the decision

  
  After the storage period expires, the personal data is destroyed or anonymized. In the latter case, this means that it will be impossible to identify you from this data.

IGB Project

Gas Interconnector Greece-Bulgaria is co-financed by the European Union's
European Energy Programme for Recovery programme.

The sole responsibility of this publication lies with the author.
The European Union is not responsible for any use that may be made of the information contained therein.

Co-financed by the Europen Union, Europen Energy Programme for Recovery  European Regional Development Fund Operational Program Innovation and Competitiveness

Cookies

We use cookies to ensure that the website functions properly. By selecting the "Accept" option, you agree to the use of all cookies in accordance with the Information for the use of cookies on the site.

System Cookies

Enabled

These cookies are mainly used for session management, and security purposes, ensuring that the user's interactions with the web application are secure and consistent.

Notification

Disabled

These cookies is set to show the notification panel on the very first website load, once you accept it the message will be hidden for the next 365 days.

Analytics

Disabled

This cookies are used to monitor app usage and performance. They tracks anonymous IDs to collect data, helping us ensure efficient operation and resolve any performance issues. It contains no personal information, and all stored data is anonymized. The cookie also tracks sessions involving specific pages and features, using a unique browser session value for better performance monitoring.