ΠΟΛΙΤΙΚΗ ΑΝΑΦΟΡΩΝ EN

Whistleblowing Policy – Law 4990/22

IDIKA S.A. (Electronic Governance of Health and Social Insurance S.A.)

1. Introduction

The Electronic Governance of Health and Social Insurance Single-Member S.A. (IDIKA S.A.) operates in accordance with the principles of professional ethics, integrity, transparency and morality. It also creates and implements policies to comply with the applicable legislative and regulatory framework.

Through this Whistleblowing Policy, the Company complies with Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law, and with National Law 4990/2022. The Policy aims to establish an internal system for reporting breaches of EU law rules, to protect persons who report such breaches, and to organise the procedure for submitting, receiving and monitoring reports.

The Company demonstrates zero tolerance for actions that may disrupt its healthy working environment, harm it or expose its reputation and credibility to risk. It encourages the submission of reports as soon as a concern is identified. All reports are taken seriously and investigated with full objectivity and independence. The Company assures that those who submit reports will be protected from any retaliation, and that the personal data of all parties involved are protected through appropriate technical and organisational security measures.

2. Definitions

«Report»: the oral or written or electronic provision of information regarding violations covered by this Policy.

«Internal report»: the oral or written or electronic provision of information regarding violations to the Report Receipt and Monitoring Officer (RRMO) of a public or private sector legal entity.

«External report»: the oral or written or electronic provision of information regarding violations to the National Transparency Authority (NTA).

«Reported person»: a natural or legal person named in an internal or external report or public disclosure as the person to whom the violation is attributed, or who is associated with such person.

«Reporter»: the natural person who makes an internal or external report or a public disclosure, providing information about violations obtained in the context of their work activities.

«Retaliation»: any direct or indirect act or omission occurring within a work context that causes or may cause unjustified detriment to the reporter, or places them at a disadvantage, in connection with an internal or external report or public disclosure.

«Reasonable grounds»: the justified belief of a person with similar knowledge, training and experience to the reporter that the information they hold is accurate and constitutes a breach of EU law falling within the scope of this Policy.

«Public disclosure»: the direct provision of information to the public regarding violations.

«Facilitator»: a natural person who assists the reporter in the reporting process within a work context, whose assistance must be kept confidential.

«Follow-up actions»: any action taken by the recipient of a report or by any competent authority or body to assess the accuracy of the allegations in the report and to address the reported violation, such as internal investigation, inquiry, prosecution, action for recovery of funds, or closure of proceedings.

«Feedback»: the provision of information to reporters about the measures envisaged or taken as follow-up, and the reasons for such follow-up.

«Work context»: current, past or prospective work activities in the public or private sector, regardless of the nature of those activities, through which persons obtain information about violations and in the context of which they may face retaliation if they report them.

«Violations»: acts or omissions that are unlawful under EU law or that defeat the object or purpose of EU law rules falling within the material scope of this Policy.

«Information on violations»: information, including reasonable suspicions, about violations that have occurred or are very likely to occur in the organisation where the reporter works, has worked or intends to work, or in other entities with which the reporter has had contact through their work, including information about attempts to conceal violations.

«External partners»: third parties contractually linked to the Company and their personnel, including consultants, subcontractors, contractors, suppliers, partners of all kinds, shareholders, etc.

«Report Receipt and Monitoring Officer» (RRMO): the person who receives and monitors the progress of reports.

«Report Management Committee» (RMC): the committee appointed on a case-by-case basis by the Board of Directors to manage and investigate a report.

«Employee»: a person engaged by the Company under a fixed-term or open-ended employment contract, or connected to the Company through another employment relationship, including seasonal staff and interns.

«Reporting channels»: the means through which reports are submitted, including the channels used for submission and the persons to whom reporters may address themselves.

«Malicious report»: a report made by the reporter with knowledge that it is untrue.

«Good faith»: the state that gives the reporter the reasonable belief that the information they provide is accurate.

«Platform»: the specially designed electronic platform accessible online via computer or mobile device.

3. Scope – Reporters

Reports under this Policy may be submitted by anyone who has obtained, in the context of their work, information about Violations (the «Reporters»), and specifically:

employees, regardless of whether their employment is full-time or part-time, permanent or seasonal, or whether they are seconded from another organisation;
non-salaried persons, self-employed persons, consultants or home workers;
shareholders and persons belonging to the administrative, management or supervisory body of the Company, including any non-executive members, as well as volunteers and paid or unpaid trainees;
any persons working under the supervision and instructions of contractors, subcontractors and suppliers;
persons whose employment relationship has ended, including through retirement, and job applicants.

4. Scope – Types of Violations

Reports under this Policy are accepted when they concern the following types of misconduct or violations. Anyone within the scope of Section 3 who becomes aware of such conduct within the Company must submit a Report immediately.

Public procurement
Money laundering
Terrorist financing
Financial services, products and markets
Product safety and compliance
Transport safety
Environmental protection
Radiation and nuclear safety
Food and feed safety / animal health and welfare
Public health
Consumer protection
Privacy and protection of personal data
Security of networks and information systems
Financial interests of the European Union
Competition and state aid
Breach of corporate tax rules or arrangements
Bribery and trading in influence
Other serious matters

The Whistleblowing Policy does not cover:

Disagreements regarding management policies and decisions
Personal matters and disputes with colleagues or supervisors
Personal employment matters falling within the remit of HR
Rumours

5. Reporting Channels

The Company establishes easily accessible reporting channels, encourages the submission of reports concerning incidents within the scope of this Policy, and guarantees that all reports received are handled with discretion. A report may be submitted with or without identification (anonymously).

Where a named report is submitted, the reporter’s personal details may be disclosed to the reported person upon their request, subject to the conditions of applicable data protection legislation. If the reporter does not wish to submit a named report, they may submit it anonymously.

Reports may be submitted as follows:

A) Via the electronic reporting platform, which meets all requirements regarding the security of information systems, the protection of personal data, and the confidentiality or anonymity of the reporter. The platform also allows the reporter to track the status of their report from submission to completion. Access to the platform is available on the Company’s website, and reporters are encouraged to use it as it is the most comprehensive and secure reporting tool.

B) In writing, with identification, by sending an email to: yppa@idika.gr

C) In writing, with or without identification, by sending a postal letter to the Company’s RRMO at: Lykouργου 10, 10551, Athens, marked «personal and confidential».

D) Orally, by telephone at 213 2168120 or by personal meeting with the RRMO upon request by the reporter.

Regardless of the reporting channel, all reports are received and managed by the RRMO, who is also responsible for communicating with the reporter.

6. Guidelines for Submitting Reports

The Report should be made in good faith and without delay, as soon as the misconduct is identified.
The Report should be clear, specific and contain as much information and detail as possible to facilitate investigation.
The Report should include the name of the person(s) who may have committed the misconduct, the date/period and location of the incident, the type of misconduct, and as detailed a description as possible.
Special category personal data and other sensitive information not related to the incident must not be included in the Report.
The Reporter does not need to be entirely certain of the validity of their Report. They must also not engage in illegal actions that could endanger themselves, the Company or a third party in order to gather further supporting evidence.
The Reporter should be available, either confidentially or anonymously via the reporting platform, to provide further information if requested.

7. Responsibilities of the Report Receipt and Monitoring Officer (RRMO)

The RRMO has the following responsibilities:

Provides appropriate information about the possibility of submitting a report within the organisation and posts relevant information in a prominent location.
Receives reports concerning violations falling within the scope of this Policy.
Acknowledges receipt of the report to the reporter within seven (7) working days of receipt.
Takes the necessary steps to refer the report to the Report Management Committee (RMC), or closes the procedure by filing the report if it is unintelligible, submitted abusively, or does not contain facts that constitute a violation of EU law, and notifies the reporter accordingly. If the reporter believes the matter was not effectively addressed, they may resubmit the report to the National Transparency Authority (NTA), which serves as the external reporting channel.
Ensures the confidentiality of the identity of the reporter and any third party named in the report, by preventing access by unauthorised persons.
Monitors reports and maintains communication with the reporter, requesting further information where necessary.
Provides the reporter with an update on the actions taken within a reasonable period not exceeding three (3) months from acknowledgement of receipt, or if no acknowledgement was sent, within three (3) months from the expiry of seven (7) working days after submission.
Provides clear and easily accessible information on the procedures for submitting reports to the NTA and, where applicable, to public bodies or EU institutions and bodies.
Designs and coordinates training activities on ethics and integrity, and participates in the formulation of internal policies to strengthen integrity and transparency.

The RRMO:

Performs their duties with integrity, objectivity, impartiality, transparency and social responsibility.
Respects and observes rules of discretion and confidentiality regarding matters they become aware of in the course of their duties.
Recuses themselves from handling specific cases where a conflict of interest arises.

The Company ensures that where the RRMO performs other duties, those duties do not affect their independence or lead to a conflict of interest.

8. Responsibilities of the Report Management Committee (RMC)

Reports are managed by the members of the RMC, appointed on a case-by-case basis by the Company’s Board of Directors. The RMC consists of at least three members, one of whom is the RRMO.

No person named in the report — whether as the alleged perpetrator, accomplice or witness — may participate in the Committee.

The RMC has the following responsibilities:

Examines the admissibility of reports received through all established reporting channels.
Evaluates reports.
Communicates with the RRMO to exchange necessary information.
Takes all appropriate measures to protect the personal data of data subjects involved in reports and ensures their deletion in accordance with prescribed deadlines.
Supervises the internal investigation procedure for accepted reports.
Maintains a Central Reports Register.

The RMC is empowered to conduct thorough audits to assess the accuracy of allegations. For the purposes of investigation, it may conduct interviews, perform on-site inspections or commission specialist advisers (e.g. legal, financial) to investigate specific aspects.

9. Report Management Procedure

The reporter submits a report through one of the reporting channels.
The RRMO receives the report and acknowledges receipt to the reporter within 7 days.
The RRMO assesses whether the report falls within the scope of the Law and forwards it to the RMC.
If the report does not fall within the scope of the Law, the RRMO informs the RMC; if the RMC concurs, the procedure is closed and the reporter is notified.
If the report falls within the scope of the Law, it is forwarded to the RMC, which takes over the management and investigation.
The RRMO notifies the reporter that their report has been accepted.
The investigation of the report is carried out.
The RMC updates the RRMO at regular intervals on the progress of the investigation; the RRMO must inform the reporter no later than 3 months after receipt of the report, even if the investigation is still ongoing.
Upon completion of the investigation, the RMC informs the RRMO, who in turn informs the reporter of the final results.

10. Rights of the Reporter and the Reported Person

The Reporter has the right to be informed both of the receipt of their Report (no later than within 7 working days) and of the outcome of the investigation (no later than within 3 months).

The Company protects both those who submit a Report and those reported. The investigation is conducted with full discretion and confidentiality at every stage, as far as possible, to avoid stigmatisation of individuals.

Persons named in reports have the right to be promptly informed of the alleged misconduct, of who has access to the data included in the Report or investigation file, and of their right to be given the opportunity to respond. However, where there is a serious risk that such notification could obstruct the investigation or the collection of necessary evidence, notification may be deferred until that risk no longer exists.

The identity of the Reporter remains confidential. Exceptionally, if the Report is found to be malicious and the reported person requests it, they may be informed of the Reporter’s identity in order to exercise their legal rights. Reports that are found to be manifestly malicious will be further investigated by the Company, both as to the motives and the persons involved, in order to restore order by every lawful means.

11. Protection of Reporters

The Company protects reporters who, in good faith, report unlawful or unethical conduct. Any form of negative treatment against anyone who has submitted a Report is strictly prohibited, even if the Report subsequently proves to be unfounded. The RMC and Management ensure that no retaliation occurs against anyone who submits a Report in good faith.

Specifically, the Company commits that employees who have submitted a Report will not suffer retaliation, harassment, marginalisation, intimidation, threats or unfair treatment as a result of their Report.

Unjustified changes to the employment relationship as a result of a Report are also prohibited (e.g. dismissal, suspension, demotion or denial of promotion, pay reduction, change of workplace, transfer, change of duties, alteration of working hours, etc.). In the case of a malicious Report, this protection does not apply.

The same level of protection applies to third parties connected to reporters who could face work-related retaliation, such as colleagues or relatives of reporters.

Where the Reporter is an external partner, early termination or cancellation of a contract for goods or services as a result of the Report is not permitted.

Any act of retaliation must be reported immediately to the RMC, which will investigate and resolve the matter. If the investigation establishes that retaliation did occur, disciplinary measures will be imposed against the perpetrator. The person accused of retaliation bears the burden of proving that their actions were unrelated to the Report.

Where an employee chooses to report an incident covered by this Policy in which they were previously involved, the fact that they ultimately reported it will be taken into account in their favour in any subsequent proceedings.

Where a named Report leads — following investigation — to the Company protecting vital financial or other interests, the reporter may be rewarded in the most appropriate manner available.

12. Investigation of a Report

The Company is committed to treating every Report, whether named or anonymous, with due diligence. The Investigation Officer and the Investigation Team, where required, conduct an investigation into the matters contained in the Report as promptly as possible. Where deemed necessary and depending on the subject matter of the Report, additional professional support may be obtained from other Company staff and from external specialist advisers.

13. Confidentiality and Anonymity

The Company encourages employees and external partners to raise concerns about potential misconduct through the existing Reporting channels. It commits to making every possible effort and taking all appropriate measures to protect the identity of both the Reporter and any persons named in reports, and to handle the matter with full confidentiality and discretion.

In all cases, during the investigation of an incident, the identity of the Reporter is not disclosed to anyone other than the authorised persons responsible for receiving, monitoring and investigating reports — that is, the members of the RMC, the Investigation Officer, the Investigation Team and any specialist external advisers specifically engaged for the investigation — unless the Reporter has given explicit consent or the Report is found to be malicious.

Anonymity is achieved through appropriate technical and organisational measures, primarily via the reporting platform, which supports both named and anonymous submissions, two-way communication, and high security standards.

14. Personal Data

All processing of personal data under this Policy is carried out in accordance with applicable national and European data protection legislation and the Company’s Privacy Policy. The data of all parties involved are protected and processed solely in connection with the relevant Report and for the sole purpose of establishing its validity and investigating the specific incident.

The Company takes all necessary technical and organisational measures for the protection of personal data, in accordance with its Privacy Policy.

Sensitive personal data and other data not directly related to the Report are disregarded and deleted.

Access to data included in reports is restricted to those involved in the management and investigation of the incident, such as the members of the RMC, the Investigation Officer, the Investigation Team and specialist external advisers.

Personal data and materials generated during the handling of a report are deleted within a reasonable period following completion of the investigation initiated on the basis of the Report.

15. Corrective and Disciplinary Actions

Depending on the results of the investigation, the RMC proposes corrective and/or disciplinary/legal actions. These may include (by way of example and not limitation): (a) additional employee training; (b) establishment of new internal controls; (c) amendments to existing policies and/or procedures; (d) disciplinary sanctions, including permanent removal/dismissal; or (e) legal proceedings.

16. Information and Training

The Company ensures that all employees are informed and trained on the content of this Policy and on any revisions to it.

External partners are required to communicate this Policy to their own personnel, primarily by drawing attention to the Policy itself and additionally by providing any supplementary material supplied by the Company.

Information and awareness-raising activities will be ongoing, both internally and externally, with the aim of establishing a positive corporate culture for reporting that upholds the principles of integrity, honesty and transparency.