Notice for reporting of breaches of Bulgarian law or acts of the European Union
- This Whistleblowing Notice (“Notification”) aims to provide you with clear and easily accessible information on the terms and conditions for reporting violations through an internal channel of BHM CASINO BULGARIA Ltd., with UIC 205324876, with headquarters and address of management: Sofia, P.O. Box 1000, Sredets, 29 Slavyanska Str. (“Company”), under the Law on Protection of Persons Who Report or Publicly Disclose Information on Breaches Act (“Act”).
- WHAT VIOLATIONS CAN YOU REPORT?
- According to the Bulgarian legislation, you can report violations related to violations of Bulgarian law or the acts of the European Union defined in the law in the field of:
- financial services, products and markets and the prevention of money laundering and terrorist financing;
- the safety and conformity of products as well as transport;
- environmental protection;
- radiation protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health and consumer protection;
- the protection of privacy and personal data;
- the security of network and information systems;
- infringements affecting the financial interests of the European Union within the meaning of art. Article 325 of the Treaty on the Functioning of the European Union and further specified in the relevant Union measures;
- infringements of internal market rules within the meaning of Article 10. Article 26(2) of the Treaty on the Functioning of the European Union;
- infringements related to cross-border tax schemes;
- a crime of general nature has been committed, of which you have become aware in connection with the performance of your work or in the performance of your duties.
- the rules for payment of public state and municipal receivables;
- labour law;
- legislation relating to the performance of a civil service.
- WHO CAN GIVE SIGNALS?
- Reports may submit and/or publicly disclose information to a natural person about violations that have come to his/her knowledge in his/her capacity of:
- employee, where the information was obtained in the context of an employment or service relationship that was terminated at the time of reporting or public disclosure or a worker within the meaning of Article 45(1) of the Treaty on the Functioning of the European Union, including an employee, civil servant or other person engaged in employment, whatever the nature of the work, the method of remuneration and the source of the funding;
- a person having self-employed status within the meaning of Article 49 of the Treaty on the Functioning of the European Union, including a person who performs work without an employment relationship and/or pursues a liberal profession and/or craftsmanship;
- volunteer, paid or unpaid and trainee;
- partner, shareholder, sole owner of the capital, member of the management or control body of a commercial company, member of the audit committee of an enterprise;
- a person who works for a natural or legal person, contractors, subcontractors or suppliers;
- a person whose employment or service is about to commence in cases where information on infringements was obtained during the selection process or other pre-contractual relationship;
- employee, where the information was obtained in the context of an employment or service relationship that was terminated at the time of reporting or public disclosure.
- Protection is also granted to:
- legal persons in which the reporting person holds a holding, for which he or she works or is otherwise related in a working context.
- persons who assist the reporting person in the reporting process and whose assistance should be confidential;
- persons who are linked through the work or relatives of the reporting person and who may be subject to retaliation due to the reporting;
- legal persons in which the reporting person holds a holding, for which he or she works or is otherwise related in a working context.
- In the event that the report is credible and justified, the protection within the meaning of the law is provided to you from the moment of the submission of the report or the public disclosure of information about a violation.
- WHAT ARE THE CONDITIONS TO GET PROTECTION?
- You have the right to receive protection provided that you have simultaneously fulfilled the following conditions:
- have had reasonable grounds to believe that the information submitted about the breach in the alert was correct at the time of submission and that this information falls within the scope of item 2.
- have reported a violation under the terms of the Act.
- You do not initiate proceedings and you do not receive protection in respect of anonymous signals (unless you have been subsequently identified) and signals relating to violations committed more than two years ago.
- HOW AND WHERE CAN I REPORT IT?
- In the event that you wish to report the breaches referred to in point 2 and if there is good reason to believe that the information is true, you can do so in one of the following ways:
– sending an e-mail email@example.com. We will contact you within 7 days to direct you to sign the required form, which can be found here, as well as in case of need to correct irregularities.
– verbally through a personal meeting with the Chief Accountant in the office of the company in Sofia. Sofia, ul. Slavyanska No 29, every Wednesday between 10:00 am and 11:00 am
- When giving an oral signal, we will record the same in a form that we will ask you to sign.
- The report must contain at least: full name, address and telephone number of the sender, e-mail address (if any), capacity of the reporting person, names of the person against whom the report is filed and his/her place of work (when it is filed against specific persons and they are known), specific data of a violation or a real danger of such being committed, place and period of committing the violation, if this has been done, a description of the act or situation and other circumstances, to the extent known to the reporting person, date of reporting, signature, electronic signature or other identification of the sender.
- We will take immediate action to ensure your privacy.
- In addition, you have the right to report to an external channel, namely the Commission for Personal Data Protection https://www.cpdp.bg/, as well as the right to publicly disclose information under the terms of the Act.
- WHAT CAN I EXPECT AFTER I REPORT?
- Once you submit a report, we will check that it is credible and, if so, take the necessary follow-up action to uncover the objective truth and gather all the necessary evidence, incl. by the affected parties and by the person against whom the alert has been filed, subject to confidentiality as well as confidentiality of your personal data.
- If necessary, we can contact for further information and documentation.
- In the event that there is a reasonable assumption that there is a risk of retaliatory discriminatory actions and that effective measures will not be taken to check the signal, the signal may be submitted through an external filing channel, namely to the Commission for Personal Data Protection.
- After we prepare a report and before 3 months have elapsed since the alert, we will contact you to give you feedback on your report.
- When the violation is unimportant and does not require further follow-up actions and in case of a repeated signal that does not contain new information essential to the violation, the file on your report may be terminated.
- The Company considers all firstname.lastname@example.org reports of violations in compliance with the principles of confidentiality, impartiality, fairness, independence and lack of conflict of interest.
- The Company shall protect reporting persons from retaliatory acts having the character of repression and placing them at a disadvantage and shall not allow such actions to be carried out within its organisation.
- YOUR RESPONSIBILITY
- For the submission of signals or public disclosure of false information, administrative penal responsibility under Art. 45.
- In case of obviously false or misleading statements of facts, your signal will be returned with an instruction to correct the allegations and a warning about the liability you bear, namely up to a fine of up to BGN 7,000.
- MODIFICATION OF THIS NOTICE
- This notice is available on our website, namely: montecasino.com (“Website”) as well as in a prominent place in our offices.
- More information regarding your rights and the processing of your signals and personal data can be found on our website.
- PERSONAL DATA
- The Company will process your personal data for the purpose of handling a signal.
- The information related to a reported breach, as well as the identity of the Reporting Person and the affected person and the other persons identified in the report or made aware of the report, are protected. Access to your personal data will be granted only to persons responsible for handling reports, as well as state and supervisory authorities, in cases specified by law.
- UPDATING THE NOTICE
- This notice may be subject to amendment, most recently in force on 15.12.2023. Any future changes or additions to the processing of personal data described in this notice that affect you will be communicated to you through an appropriate channel, depending on the usual way of communication.
WHISTLEBLOWING PRIVACY NOTICE
This privacy notice aims to inform individuals about how we process the personal data of whistleblowers or persons other than the reporting person who are protected and of persons against whom the report has been filed (“you”).
INFORMATION ABOUT US
The personal data controller is BHM CASINO BULGARIA Ltd., with UIC 205324876, with headquarters and address of management: Sofia, P.O. Box 1000, Sredets, 29 Slavyanska Str. (,,Company”, “We”)
The contacts of our Data Protection Officer are:
Data Protection Officer: Atty. Desislava Dimitrova-Cholakova
Email: email@example.com BHM CASINO BULGARIA Ltd.
The Company may process some or all of the following categories of personal data of persons who report or publicly disclose information about breaches (whistleblowers), of persons other than the reporting person who are protected and of persons against whom the report has been filed, namely:
Data to identify you with
Names, PIN or date of birth capacity in which you submit the report
Your contact details
Current or permanent address; email; telephone
Other information included at your discretion in your report
Other data you have included at your report
Other information provided on the basis of your explicit consent
We could also process special categories of data, subject to your explicit consent.
Information relating to the persons to whom protection is provided as well as to the persons concerned
Names, position, capacity of the person, telephone number, correspondence address and/or e-mail address, as well as other data that may be provided in connection with the submitted report
GROUNDS FOR DATA PROCESSING
The legal ground for the processing of personal data described above is for the purpose of fulfilling a statutory obligation under the Protection of Persons Who Report or Publicly Disclose Information on Breaches Act (Act), namely: for the purpose of providing an internal channel for reporting breaches.
PURPOSES OF DATA PROCESSING
The purposes of personal data processing are as follows:
- Registration of the report and its review;
- Providing protection to the reporting person, their related persons and the person concerned;
- To comply with an obligation imposed by Bulgarian or European Union law in the context of investigations by national authorities or legal proceedings, including with a view to ensuring the rights of defense of the person concerned;
- To hold the reporting person accountable and protect the legitimate interests of the Company in the cases specified by law.
CONFIDENTIALITY OF INFORMATION
We protect information related to reported breaches, including but not limited to the identity of whistleblowers and persons concerned, and take appropriate measures to protect such information.
Access to the information related to the reported breaches, including the identity of the reporting and concerned persons, shall be ensured, under the terms of the Act, respectively only to employees and other persons within the Company and to the person responsible and designated for the registration of reports (incl. when this person is outside the structure of the Company) to whom these data are necessary for the performance of their official and/or contractual obligations.
Within the Company, only the employees responsible for handling reports have access to the information. A person under the preceding sentence, against whom a report has been submitted, shall not have access to the information related to this signal, except when the provision of the information is required by law. Access may also be granted to other persons depending on the specifics of the case and access is allowed by the Company on a case-by-case basis.
The disclosure of the identity of the whistleblower and/or other information about the report shall be permitted only with the express consent of the reporting person.
Notwithstanding the above, the identity of the reporting person and any other information from which his or her identity can be directly or indirectly known, may be disclosed where this is a necessary and proportionate obligation imposed by Bulgarian or European Union law in the context of investigations by national authorities or legal proceedings, including with a view to ensuring the rights of defense of the person concerned.
To whistleblowers, to persons other than the whistleblower who are protected and to persons against whom the report has been filled, the Company provides all rights provided in local and European legislation, namely:
- upon request, obtain all necessary information relating to the processing of the data you provide, including, if possible, a copy;
- to request access to, correction or deletion/erasure of personal data or restriction of the processing of personal data, if the prerequisites for this exist;
- to object to the processing, as well as to file a complaint with the supervisory authority – CPDP (Sofia 1592, bul. “Prof. Tsvetan Lazarov” No2 or www.cpdp.bg) in case of unlawful data processing;
- withdraw your consent at any time without causing negative consequences for you where the ground for processing is consent;
- to exercise your right of portability.
In certain cases, informing the person against whom a report has been filled at an early stage may be detrimental to the internal handling of reports. When, in the Company’s judgment, it is considered that there is a high risk that the provision of access will impede the procedure or violate the rights and freedoms of others, the Company may impose a restriction on the provision of specific information or a delay in its provision.
All requests related to personal data such as: information, access, deletion, withdrawal of consent, etc. described above shall be filled in writing, signed by you and submitted for processing to the Company to the following e-mail address: firstname.lastname@example.org or to the registered office of the Company. The request must contain information about three names and, if the request is about specific personal data, they should be specified, along with describing exactly which right is exercised.
MEASURES FOR THE PROTECTION OF PERSONAL DATA
The Company has implemented technical and organizational measures to protect information related to reported breaches, including the identity of the whistleblower and concerned persons, against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other types of unlawful processing. Special attention is paid to sensitive data. Some of the measures taken are: encryption, pseudonymization, reservation, access control, strict confidentiality, periodic training, etc.
TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA
Your personal data is not transferred outside the EU/EEA. In the event of a need for such processing, appropriate safeguards will be used to ensure that such transfer takes place in accordance with applicable data protection rules, including legal bases.
– data and materials on a specific signal shall be kept for a period of 5 (five) years.
– in case of disciplinary, administrative-criminal, criminal and/or civil proceedings, the data shall be stored until the final conclusion of these proceedings and for a period of 5 (five) years thereafter, for the purpose of establishing, exercising and defending against legal claims, administrative and other acts, unless a law or other normative act specifies a shorter or longer retention period.
– data which are found to be clearly not related to a report shall be kept for up to 2 months from the establishment of their irrelevance.
Update the Privacy Notice
This notification may be subject to amendment as last updated on 15.12.2023. Any future changes or additions to the processing of personal data described in this notice that affect you will be communicated to you through an appropriate channel, depending on the usual channel of communication.