Reporting Channel

1. OBJECT

This Policy lays down rules governing the reception, registry and treatment of reports by certain whistle-blowers that are related with NCP – FABRICO DE PRODUTOS METÁLICOS, S.A. (“NCP”) of breaches allegedly occurred within the company.

2. SCOPE

2.1. For the purposes of this Policy, breaches are deemed to be the acts and omissions, wilful or negligent, which are provided for and described in article 2, no. 1, of Law no. 93/2021, of 20 December, as well as in article 3 of Decree-Law no. 109-E/2021, of 9 December, particularly in the following areas: 

(a) Public procurement; 

(b) Financial services, products and markets and the prevention of money laundering and terrorist financing; 

(c) Product safety and compliance; 

(d) Transport safety; 

(e) Environmental protection; 

(f) Food and feed safety, animal health and animal welfare; 

(g) Public health; 

(h) Consumer protection; 

(i) Protection of privacy and personal data and security of network and information systems; 

(j) Fraud against the EU’s financial interests; 

(k) Infringement of competition and state aid rules; 

(l) Organised and economic-financial crime; 

(m) Acts of corruption and related offences (e.g. bribery, money laundering, influence peddling, fraud); 

(n) Harassment; 

(o) Discrimination; 

(p) Any other acts which, although not included in the previous paragraphs, may constitute a violation of the rules of conduct of NCP, as well as of any rules provided for in European Union law or in the national law applicable in the countries where NCP operates.

2.2. Breaches that fall within the list in the preceding paragraphs are reportable, for the purposes of this Policy. 

2.3. The report may refer to breaches committed, in the process of being committed or which can be reasonably foreseen, as well as attempts to conceal such breaches.

3. PRECEDENCE OF INTERNAL REPORTING AND PROHIBITION OF PUBLIC DISCLOSURE

3.1. Considering the existence of an Internal Reporting Channel, the Whistleblower may not previously resort to external reporting channels or public disclosure of an Irregularity, except in the cases referred to in article 7(2) and (3) of Law no. 93/2021, of 20 December.

3.2. Without prejudice to the preceding paragraph, this Policy does not exclude or replace the obligation to report in the cases and under the terms determined by criminal law and criminal procedural law.

3.3. The Whistleblower who, outside the cases provided for by law, publicly discloses a breach or makes it known to a media organisation or journalist, does not benefit from the protection conferred by law and by this Policy.

4. REPORTING PERSONS

4.1. For the purposes of this Policy, a reporting persons is considered to be an individual who, in good faith, reports a breach concerning NCP or the companies comprising NCP’s corporate group, based on information obtained in the course of his/her professional activity, regardless of the nature or sector of such activity (even if such information was obtained in the course of a professional relationship terminated in the meantime, or during the recruitment process or during another pre-contractual negotiation phase of an existing or unformed professional relationship). 

4.2. The following, inter alia, may be deemed reporting persons: (i) employees, (ii) collaborators, trainees, services providers, contractors, subcontractors and suppliers, whether remunerated or not, as well as any persons acting under their direction or supervision, and (iii) shareholders, members of the management and supervisory bodies of NCP.

5. ANONYMITY OF THE WHISTLEBLOWER

When the reporting person so requests, he/she will be given the opportunity to report the breach in such a way as to maintain his/her anonymity, which does not prevent the reporting person from being contacted in order to obtain information relevant to ascertaining the facts.

6. INTERNAL DENUNCIATION CHANNELS

6.1. Reports of breaches may be made verbally or in writing, in person or in a meeting, and must be made as soon as possible. 

6.2. Reports of breaches may be transmitted through any of the following internal channels, at the reporting person’s discretion: 

(a) By e-mail to denuncias@ncpmetal.com; 

(b) By letter addressed to NCP – RH – Confidential, sent to the postal address Zona Industrial de Oiã, Rua do Caminho Branco, nº3. Apartado 104 3770-908 Oiã – Aveiro Portugal, with the express indication of “confidential”; 

(c) Verbally or in a meeting with the head of the Human Resources Department of NCP. 

6.3. Reports of breaches must have the following content and characteristics: 

(a) Identification of the reporting persons (full name and contact details, unless you wish to make the report anonymously) and the Whistleblower, if you are aware; 

(b) Description of the facts reportedDescription of the facts reported; 

(c) Justification, elements and level of detail necessary for its assessment; 

(d) Documents on which it is based to report the irregularity, if any, without it being obligatory to present evidence. 

6.4. The register of received reports will be kept permanently updated. 

6.5. Following the report, the appropriate internal acts shall be taken to assess the breach reported. 

6.6. Once the report is received, if a contact is provided, the reporting person will receive an acknowledgement of receipt within seven days from the date of receipt, and will also be informed of the requirements, form and admissibility of the external report, in accordance with the law, as well as the competent authorities to receive it. 

6.7. After being registered, reports shall be subject to preliminary analysis in order to certify the degree of credibility of the report, the irregular and/or illicit nature of the reported behaviour, the feasibility of the investigation and the identification of the persons involved or who have knowledge of relevant facts, and who should therefore be questioned. 

6.8. The preliminary analysis report will conclude by pushing forward or closing the investigation. 

6.9. If the content of the report is considered unfounded, abusive, contains clearly innacurate or misleading information, or was made with the sole intention of harming another person, the report will be closed and a summary of the grounds communicated to the reporting person (unless the reporting person has not identified himself/herself), and, if appropriate, under the terms of the law, the immediate destruction of the personal data involved, statistical processing and information on such closure.

6.10. If it is considered that the content of the report is consistent, plausible and credible and that the facts reported are likely to constitute a breach under the terms of this Policy, an investigation process will be initiated, conducted and supervised by the competent entity according to the subject reported. 

6.11. The reporting person may be requested to provide additional information in the course of the investigation. 

6.12. The body, committee or person responsible for handling reports may, whenever it deems necessary, be assisted by other internal or external persons, namely external auditors or other experts to assist in the investigation, especially when the matters in question so warrant. These persons shall also be bound by the duty of confidentiality provided in this Policy. 

6.13. Whenever it is deemed necessary for the execution of the provisions laid down in this Policy, any persons whose questioning is relevant to the investigation of the complaint may be questioned. 

6.14. Once the investigation phase foreseen in paragraph 6.10. is completed, a report will be drawn up with the analysis of the report, the description of the internal acts performed, the facts found during the investigation, the conclusions and the corresponding duly reasoned decision will be presented. This report shall also indicate any measures adopted (or to be adopted) to mitigate any risks identified and prevent the reoccurrence of the breaches reported. 

6.15. If deemed necessary and appropriate, namely according to the type and nature of the breach, the breach will be reported to the competent authorities, namely those listed in paragraph 1 of article 12 of Law no. 93/2021, of 20 December. 

6.16. Within the context of the internal report, information will be transmitted to the reporting person, to the extent legally admissible, on the follow-up of the report. 

6.17. Without prejudice to the provisions of the following point, the measures planned or adopted to follow up on the report and the respective grounds will be communicated to the reporting person within a maximum period of three months after the dispatch of the acknowledgement of receipt referred to above (this period may be extended to six months, depending on the complexity of the complaint). 

6.18.                The reporting person may request that the result of the analysis of the report be communicated within 15 days of its conclusion. 

7. CONDITIONS OF PROTECTION FOR REPORTING PERSONS AND THIRD PARTIES

The following will benefit from the conditions of protection for reporting persons established in this Policy: 

(a) The reporting person who, in good-faith, and having serious grounds to believe that the information is, at the time of reporting or public disclosure, true, reports or publicly discloses an Irregularity on the terms set out in the Policy; 

(b) The anonymous reporting person who is subsequently identified, provided that he/she satisfies the conditions set out in the preceding paragraph;

(c) The reporting person who makes an external report without observing the legal precedence rules for internal reporting, only benefits from the protection afforded by the Policy if, at the time of making the report, he/she was blamelessly unaware of such rules; 

(d) The natural person who assists the reporting person in the reporting procedure and whose assistance must be confidential, including trade union representatives or employee representatives; 

(e) Third persons who are connected with the reporting persons and who could suffer retaliation in a work related context, such as colleagues or relatives of the reporting persons; and 

(f) Legal persons or similar entities that the reporting person owns or controls, for which the reporting person works or with whom the reporting person is otherwise connected in a work-related context. 

8. CONFIDENTIALITY

8.1. Any reporting of alleged breaches covered by this Policy will be treated as confidential and all those having access to the information contained in the investigation processes of alleged Irregularities are obliged to keep it confidential. 

8.2. The reporting channels established in this Policy particularly guarantee the confidentiality of the identity of the reporting person, as well as of all the information which, directly or indirectly, allows the identity of the reporting person to be deduced, and of the third parties mentioned in the complaint. 

8.3. The information referred to in the previous paragraphs is of restricted access to the persons responsible for receiving and following up the complaints received. 

8.4. The obligation of confidentiality referred to in the preceding paragraphs extends to anyone who, even if unduly, has received information on complaints, even if they are not responsible for receiving and processing it. 

8.5. The identity of the reporting person may only be disclosed in compliance with a legal obligation or judicial decision, preceded by written communication to the reporting person, indicating the reasons for disclosure, unless the provision of this information compromises the related investigations or judicial proceedings. 

9. PROHIBITION OF RETALIATION

9.1. NCP prohibits any act of retaliation against reporting persons due to good faith reports and takes steps to protect reporting persons from any act, prompted by a report, that negatively affects them. 

9.2. Retaliatory acts are considered to be threats, attempts, or actual acts or omissions which, directly or indirectly, occurring in a work-related context and prompted by an internal or external report or public disclosure, cause or may cause the reporting person, in an unjustified manner, to suffer pecuniary or non-pecuniary damage, particularly in the following form:

(a) Changes in working conditions, such as duties, hours, place of work or remuneration, non-promotion or breach of labour duties; 

(b) Suspension of an employment contract; 

(c) Negative performance evaluation or negative reference for employment purposes; 

(d) Failure to convert a fixed-term employment contract into an indefinite-term contract, where the employee had legitimate expectations of such conversion; 

(e) Non-renewal of a fixed-term employment contract; 

(f) Dismissal; 

(g) Blacklisting, on the basis of an industry-wide agreement, which may lead to the reporting person not being able to find employment in the sector or industry in question in the future; 

(h) Termination of a contract for goods or services. 

9.3. Acts of retaliation shall be presumed to have been committed if they occur within 2 years of the internal or external report or public disclosure, unless there is evidence to the contrary. 

9.4. The prohibition of retaliation extends, in addition to the reporting person, to the persons referred to in paragraphs (d), (e) and (f) of Article 7. 

9.5. The practice of retaliatory acts, as well as threats or attempts, constitute a serious breach which may result in the application of the corresponding disciplinary measures, without prejudice to the civil and/or criminal liability which may eventually arise for the author of such practices. 

10. RECORDING AND STORAGE OF DATA

10.1. The personal data collected within this policy shall be processed by NCP, which is the data controller within the meaning of the General Data Protection Regulation. 

10.2. The processing of the information reported under this Policy is aimed at receiving and following up the reports submitted to the Internal Reporting Channel, and the processing is carried out on the following legal grounds: 

(a) Compliance with legal obligations imposed on NCP, namely regarding the mandatory implementation of a reporting channel, laid down in Law no. 93/2021, of 20 December; 

(b) Pursuit of legitimate interests of NCP, namely knowledge and prevention of breaches occurring within it; 

(c) Consent of the reporting person who chooses to identify himself/herself to the reporting channel.

10.3. Reporting persons are assured the right to access, correct (inaccurate, incomplete or equivocal data) and delete data reported by them, unless they are conflicting with prevailing rights, through the means of communication provided in the following article. 

10.4. Reporting persons are also guaranteed the right to access information on reported facts concerning them, unless they contend with prevailing rights. 

10.5. Information relating to reports that is received by NCP shall be recorded and retained, at least for the period of five years and, irrespective of such period, in the following cases: 

(a) during and until the conclusion of judicial or misdemeanour proceedings concerning the report; or 

(b) by virtue of an obligation laid down by law or regulation to the contrary. 

11. LIABILITY OF THE REPORTING PERSON

11.1. The reporting person cannot be held disciplinary, civil, misdemeanour or criminally liable for reporting or publicly disclosing a breach made in accordance with this Policy, nor can he/she be held liable for obtaining or having access to the information that prompted the report or public disclosure, unless obtaining or accessing such information constitutes a crime. 

11.2. Without prejudice to the provisions of the preceding paragraph, the behaviour of those who report evidence of breaches with manifest falsehood or bad faith, as well as the disregard for the duty of confidentiality associated with the report, shall constitute an infraction liable to be subject, as applicable, to a disciplinary sanction or contractual penalty/resolution, appropriate and proportional to the breach, without prejudice to any civil and/or criminal liability that may arise for the perpetrator of such conduct. 

12. ENTRY INTO FORCE

This Policy shall enter into force on the date of its publication.