Whistleblowing policy

Last update: 15 December 2023

1. Introduction

Ferryhopper S.A. ( "Ferryhopper", "we", "us" or "our") is continuously striving to achieve a high level of business ethics and transparency. We can only maintain our reputation as a trusted business partner by conducting business with integrity: employees, customers, shareholders, and other stakeholders expect us to maintain the highest standards of ethics and compliance. We value and encourage reports of potential misconduct or wrongdoing regarding Ferryhopper 's business to identify and escalate issues that may not otherwise be uncovered, to prevent damage to Ferryhopper, our employees, and ecosystem.

The goal of this policy (the "Whistleblowing Policy") is to provide very clear guidelines on how we approach and manage such reports. Our primary aim is to proactively receive information, so all misconduct described below is addressed early and appropriately in a timely manner. Ferryhopper wants all whistleblowers to know they can provide information on any concerns they have, understand where they can report their concerns, know what happens after they make a report, and ensure they feel safe in providing a report. Ferryhopper ensures that whistleblowers will not suffer retaliation or other abuse as a result of reporting.

This Whistleblowing Policy complies with the requirements of the regulatory framework, as stipulated in the provisions of Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law as well as Greek Law 4990/2022.

2. What should be reported?

Ferryhopper 's whistleblowing scheme can be used to alert us about breaches of European or national laws concerning the following areas:

  • Public procurement;

  • Financial services, products and markets, and prevention of money laundering and terrorist financing;

  • Product safety and compliance;

  • Transport safety;

  • Protection of the environment;

  • Public health;

  • Consumer protection;

  • Protection of privacy and personal data, and security of network and information systems;

  • Breaches of European Union competition, State Aid rules and corporate tax rules.

This is not an exhaustive list but it is intended to indicatively illustrate the sort of issues that are raised under this Whistleblowing Policy. A whistleblower does not need to have a high level of certainty or evidence; expressing an honest suspicion will be sufficient if they had reasonable grounds to believe that the information on breaches reported was true at the time of reporting. However, please note that deliberate reporting of false or malicious information is forbidden. Abuse of the whistleblowing scheme may result in action against the perpetrator of the abuse but also to criminal sanctions, in accordance with Law 4990/2022.

3. Who can be a potential whistleblower?

Persons who acquired information on breaches in a work-related context could be potential whistleblowers, including, at least, the following:

  • Employees of Ferryhopper, regardless of whether their employment is full-time or part-time, permanent or seasonal, or whether they are seconded from another entity;

  • Former employees of Ferryhopper or persons whose employment relationship with Ferryhopper has not yet started, in cases where information about breaches has been obtained during the recruitment process or other pre-contractual negotiations;

  • Persons having self-employed status or consultants providing their services to Ferryhopper;

  • Shareholders and persons belonging to the administrative, management or supervisory body of Ferryhopper, including non-executive members;

  • Trainees or volunteers in Ferryhopper; or

  • Any persons working under the supervision and direction of contractors, subcontractors or suppliers of Ferryhopper.

4. How can I report a concern to Ferryhopper?

A report may be submitted to Ferryhopper through the following reporting channels:

  • Electronically by sending an email to [email protected];

  • By post to Ferryhopper 's address, namely Ferryhopper S.A., 47 Thessalonikis Street, 183 46, Moschato, Athens, Greece. The letter shall include the indication "For the attention of the Whistleblowing Officer'' and be marked as "Confidential";

  • Upon request of the whistleblower at [email protected], the report may also be submitted by means of a physical meeting with the Whistleblower Officer.

We recommend using the above-mentioned Ferryhopper reporting channels, as they enable confidential and efficient handling of reported concerns within Ferryhopper.

The report can be made both in Greek and in English.

5. Named or anonymous report?

Ferryhopper guarantees that all reports will be handled confidentially. If a whistleblower decides to disclose their identity, Ferryhopper commits to maintain it confidential throughout the whole process unless (i) the whistleblower has provided their consent for the disclosure of their identity; or (ii) such disclosure is required by European or national law, in the context of investigations by competent authorities or in the context of judicial proceedings, and it is necessary for the purposes of this Whistleblowing Policy or to safeguard the rights of the defense of the person accused in the whistleblower 's report. In cases where the whistleblower 's identity and/or other confidential information needs to be disclosed to judicial authorities during judicial proceedings, the whistleblower will be informed in writing in advance about the disclosure unless such notification would undermine investigations or judicial proceedings. Ferryhopper will also take all steps necessary to ensure you do not suffer any retaliation.

Alternatively, the whistleblower has the option to make an anonymous report and Ferryhopper will secure their anonymity. It 's the whistleblower 's choice to disclose their identity or not and at no point will they be forced to provide their identity. However, it is worth noting that Ferryhopper will make every endeavor possible to investigate your anonymous report, but in some cases, there are limitations of what can be achieved if the whistleblower decides to remain anonymous.

6. What kind of information should I provide?

We ask you to provide as much information as possible when making a report. Mere rumors are not sufficient; however, actual proof of wrongdoing is not necessarily required. Please include relevant, adequate, and precise factual data. It is important that you provide as much information as possible, such as details of the circumstances relating to the concern, people involved, dates, locations, infringed European or national laws (to the extent known), and ideally any potential evidence (e.g., screenshots, emails, documents etc.).

7. What is the investigation process?

The procedure for handling whistleblowing reports includes the following steps:

  • The report is received by the Whistleblowing Officer. Upon receipt of the report, the Whistleblowing Officer ensures the confidentiality and protection of the personal data of the whistleblower and any third party named in the report by preventing access to it by unauthorized persons.

  • In case the report contains allegations against the Whistleblowing Officer or against a body responsible for investigating reports within Ferryhopper, the report will be forwarded to the National Transparency Authority.

  • The acknowledgement of receipt of the report takes place within seven (7) working days from receipt unless in the absence of necessary contact details of the whistleblower such notification becomes impossible.

  • The Whistleblowing Officer will do an initial assessment to confirm it is a valid report.

  • The Whistleblowing Officer may close the procedure by filing the report if one or more of the following applies:

    • The report is manifestly absurd, vague, incomprehensible, or repeated in an abusive manner, such as in the case of re-submission of the same content without providing new information.

    • The alleged breach does not constitute a reportable breach under this Whistleblowing Policy; however, in case the report contains information on breaches falling within the scope of another Ferryhopper policy, the report will be forwarded to the competent person/department of Ferryhopper.

    • There are no serious indications of breaches falling within the scope of this Whistleblowing Policy.

  • Where new information is provided for a report that has already been filed, the Whistleblowing Officer will retrieve the archived report and re-evaluate the report.

  • In case the report is valid, the Whistleblowing Officer forward the report to be investigated pseudonymised:

    • To the competent persons or departments of Ferryhopper; where needed, individuals who can add expertise, such as external lawyers or accountants, may be included in the investigation process, subject to their written commitment to confidentiality.

    • To the competent bodies, such as the prosecution authorities or other competent authorities, as the case may be.

  • The Whistleblowing Officer may, where needed, submit follow-up questions to the whistleblower.

  • The Whistleblowing Officer will provide feedback to the whistleblower no later than three (3) months from the acknowledgement of receipt of the report or, if no acknowledgement was sent, three (3) months from the expiry of the seven-day period after the report was submitted.

8. What if the whistleblower is not satisfied with the result?

In case, after receiving the summary report of the investigation, the whistleblower is not satisfied with the result, they can submit a report to the National Transparency Authority, which is the competent authority for external reporting in Greece. Especially for breaches of Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) regarding the European rules on free competition, the competent authority for external reporting in Greece is the Hellenic Competition Commission.

9. Does the whistleblower need to worry about consequences?

No. Ferryhopper has a strict non-retaliation policy and does not tolerate any threatened or actual retaliation against anyone who reports suspected misconduct in good faith. It does not matter if the whistleblower is mistaken; they are entitled to protection if, at the time of reporting, they had reasonable grounds to believe that the information about the reported breaches was true.

Ferryhopper takes precautions to ensure that if you make or plan to make a report through a Ferryhopper official reporting channel, you are not subjected to any detrimental or disciplinary action because of speaking up, in particular in the form of:

  • Suspension, lay-off, dismissal or equivalent measures;

  • Demotion or withholding of promotion;

  • Transfer of duties, change of location of place of work, reduction in wages, change in working hours;

  • Withholding of training;

  • A negative performance assessment or employment reference;

  • Imposition or administering of any disciplinary measure, reprimand or other penalty, including a financial penalty;

  • Coercion, intimidation, harassment or ostracism;

  • Discrimination, disadvantageous or unfair treatment;

  • Failure to convert a temporary employment contract into a permanent one, where the worker had legitimate expectations that they would be offered permanent employment;

  • Failure to renew, or early termination of, a temporary employment contract;

  • Harm, including to the person's reputation, particularly in social media, or financial loss, including loss of business and loss of income;

  • Blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry;

  • Early termination or cancellation of a contract for goods or services;

  • Cancellation of a license or permit;

  • Psychiatric or medical referrals;

  • Refusal or deprivation of reasonable accommodation to persons with disabilities.

The above-mentioned protection also covers:

  • Persons who assist a whistleblower in the reporting process (the so-called "facilitators ");

  • Third persons who are connected with whistleblowers and who could suffer retaliation in a work-related context, such as colleagues or relatives of the whistleblowers; and

  • Legal entities that the whistleblowers own, work for, or are otherwise connected with in a work-related context.

If you believe you have been or are being retaliated against for making a report, please raise your retaliation concern through one of Ferryhopper official reporting channels.

10 .How is the person accused in a whistleblower 's report protected?

The person against whom an allegation has been made is protected in the same manner as the whistleblower and their identity is kept confidential throughout the investigation of the report, in order to avoid any risk of stigmatization. As long as this does not hinder the investigation, the person accused is informed of the report and given a chance to respond to it. Particularly, the provision of information to the individual against whom an allegation has been made may be delayed in case there is a substantial risk that such information would jeopardize the investigation. This will apply on a case-by-case basis by taking into account the wider interests at stake. The identity of the person against whom an allegation has been made will be treated with utmost confidentiality and will not be disclosed except in certain exceptional circumstances, such as where required by European or national law and where this is necessary for the purposes of this Whistleblowing Policy or to safeguard the rights of the defense of the person accused.

In any case, the persons against whom an allegation has been made reserve all remedies, pleas and actions and enjoy the rights to a fair trial and, in particular, the right to an effective remedy before an impartial tribunal, as well as the presumption of innocence and the right of the defense, including the right to be heard and the right of access to their file.

11. Protection of personal data

Throughout the whistleblowing process, Ferryhopper is expected to receive personal data, either from the whistleblowing report or from the follow-up communications with the whistleblower. The processing of personal data under this Whistleblowing Policy is carried out in accordance with the General Data Protection Regulation (EU Regulation 2016/679 – "GDPR "), Law 4624/2019, as in force or as may be replaced and any other applicable Greek and/or European legislation, and Law 4990/2022. Ferryhopper highly encourages the whistleblower not to include excessive and unnecessary personal data in their report. In any case, any unnecessary or exaggerated or excessive personal data or personal data that are obviously not related to the handling of a specific report will not be taken into account and will not be processed by Ferryhopper. The data controller within the meaning of GDPR is Ferryhopper, however the processing is performed solely by the Whistleblowing Officer any other person deemed necessary in accordance with the Whistleblowing Policy.

a. Purpose and legal bases for processing

Any personal data are processed exclusively for the purposes of the whistleblowing scheme, i.e. for proper handling and further investigation of the whistleblowing reports. The legal basis of the processing is the compliance of Ferryhopper with its legal obligation arising out of Law 4990/2022 regarding the obligation to establish a whistleblowing scheme [Article 6 (1) (c) of the GDPR] and the legitimate interest of Ferryhopper relating to the prevention of and fight against any malpractices or irregularities in the performance of its business activities [Article 6 (1) (f)] of the GDPR. In addition, if the information provided contains special category data, such as health, religious or ethnic information, political opinions, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person 's sex life or sexual orientation, we process such data for the purposes of carrying out the obligations of Ferryhopper in the field of employment law [Article 9 (2) (b) of the GDPR] and for the establishment, exercise or defense of legal claims [Article 9 (2) (f) of the GDPR].

b. Potential recipients of personal data

Any personal data and generally the information provided by the whistleblower will not be disclosed to other persons or departments of Ferryhopper. Any reports are forwarded for investigation to the competent persons or departments of Ferryhopper pseudonymised. In addition, the reports are forwarded for investigation to the competent bodies or authorities, as the case may be, also pseudonymised. By way of derogation from the above, the identity of the whistleblower, the person accused or any third parties named in the report as well as any other personal data may be disclosed in the context of investigations by competent authorities or in the context of judicial proceedings only where such disclosure is required by European or national law and where this is necessary for the purposes of this Whistleblowing Policy or to safeguard the rights of the defense of the person accused in the whistleblower 's report. In cases where the whistleblower 's identity and/or other confidential information needs to be disclosed to judicial authorities during judicial proceedings, the whistleblower will be informed in writing in advance about the disclosure unless such notification would undermine investigations or judicial proceedings.

Finally, where needed, individuals who can add expertise, such as external lawyers or accountants, may be included in the investigation process, subject to their written commitment to confidentiality. In this case, the information exchanged will be communicated on a need-to-know basis. In case personal data are transferred outside the European Economic Area (EEA), Ferryhopper ensures that said transfer will be in compliance with the applicable data protection legislation.

c. Retention of personal data

The personal data processed in the context of the investigation scheme are stored for a reasonable and necessary period of time, in order to be retrievable and to comply with the requirements imposed by Law 4990/20222, European or national law, and in any case until the completion of any investigation or judicial proceedings initiated as a consequence of the report against the person accused, the whistleblower or third persons.

d. Data subjects ' rights and potential restrictions

Data subjects have the following rights with regard to the processing of their personal data:

  • The right of access: You have the right to request, at any time, information about the processing of your data or even copies of your personal data that we keep.

  • The right to rectification: You have the right to request, at any time, the rectification of your personal data you consider to be inaccurate. You also have the right to request the completion of the information you consider to be incomplete.

  • The right to erasure: You have the right to request the erasure of your personal data for certain reasons and under the conditions laid down in the applicable data protection legislation. Please note that we may not satisfy any request for erasure of data in certain cases referred to in the applicable provisions, including cases where the processing is necessary for compliance with a legal obligation.

  • The right to restriction of processing: You have the right to request the restriction of the processing of your data in certain cases under the conditions laid down in the applicable data protection legislation.

  • The right to object to processing: You have the right to object to the processing of your personal data. If, however, there are compelling and legitimate reasons for processing which override your rights and interests, we can reject your objection, depending on the reason for processing.

  • The right to withdraw consent: You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal.

To request the exercise of the above-mentioned rights or to request information please contact the Data Protection Officer at the e-mail address [email protected].

However, pursuant to Article 15 of Law 4990/2022 and by way of derogation from the relevant provisions of the applicable data protection legislation, Ferryhopper will not provide information on the processing of personal data to the person accused in a whistleblower 's report and any third parties named in the report or whose personal data have resulted from monitoring measures, and in particular on the source of their data to the extent and as long as necessary for the purpose of preventing and countering attempts: (i) to obstruct reporting; (ii) to obstruct, frustrate or delay monitoring measures, in particular with regard to investigations; (iii) to identity whistleblowers, as well as for the purpose of whistleblowers ' protection against retaliation. In addition, in such cases, Ferryhopper may also not satisfy the right of access, the right to rectification, the right to erasure, the right to restriction of processing, or the right to object to processing when exercised by the person accused in a whistleblower 's report and any third parties named in the report or resulting from monitoring measures. Each case will be judged separately and the reasons for Ferryhopper 's refusal to satisfy a data subject request will be presented in writing. Even in cases where Ferryhopper does not satisfy the aforementioned data subject rights or in cases where these rights are restricted, it takes all necessary technical and organizational measures to protect the rights and freedoms of individuals.

If you consider that we have not sufficiently satisfied your request and the protection of your personal data is affected in any way, you may lodge a complaint before the Hellenic Data Protection Authority.

12. Amendments to the Whistleblowing Policy

The Whistleblowing Policy may be supplemented by additional notices or guidance. In addition, we may modify the Policy periodically to reflect amendments in applicable legislation, in regulatory requirements and/or the whistleblowing scheme, given that Ferryhopper aims to continuously improve this whistleblowing scheme. In such cases, you will be able to check the most updated version of the Whistleblowing Policy, as posted on our website.

13. Contact us

In case you need any clarification with respect to the whistleblowing process, the types of misconduct that may be reported under the whistleblowing scheme or any further request, you may contact the Whistleblowing Officer at [email protected]