Whistleblowing policy

CXG Outsourcing EOOD

I. INTRODUCTION

On May 4, 2023, the Act on Protection of Persons, Reporting Information, or Publicly Disclosing Information about Breaches (Whistleblowers Protection Act), came into effect. The Act is the internal transposition of EU Directive 2019/1937 of the European Parliament and of the Council from October 23, 2019, regarding the protection of whistleblowers on violations of Union law. This law is in continuation of the directive and aims to protect whistleblowers who report violations of Union law.

The subject of this Act is to regulate the conditions, procedures, and measures for protection of persons in the public and private sectors, who report information, or publicly disclose information about breaches in the Bulgarian legislation, or acts of the European Union, that endanger or damage the public interest, as well as the terms and conditions for submitting and considering such information or publicly disclosed information.

This Act shall also apply to people related to persons, sending information or publicly disclosing information about breaches.

This Act shall not repeal the rules of the current legal framework, that provides the existence of different authorities with powers to check information in different spheres of the public sector.

The purpose of the Act shall be to ensure the protection of persons in the public and private sectors, who report information or publicly disclose information about breaches of Bulgarian legislation or acts of the European Union, which came to their knowledge during or on the occasion of the performance of their work or official duties, or in another work context.

“CXG Outsourcing” EOOD is an obligatory entity under this law.

Both the Whistleblower Protection Act and the Directive focus on the security of whistleblowers.

For this purpose, "CXG Outsourcing" EOOD developed and implemented the current policy, which creates organizational prerequisites:

  • comprehensive information on employee rights under this law;
  • providing a clear and generally accessible internal channel for submitting reports;
  • direct access to communicate with the person responsible for handling reports in the company.

 

II. DEFINITIONS

"Company" – CXG Outsourcing EOOD, UIC 200756313, headquartered in Sofia, 1324, 25 Prof. Petar Dertliev Blvd.

"APPRIPDIB"/"The Act" - Act on protection of persons, reporting information, or publicly disclosing information about breaches.

"Employee, responsible for handling information reports" – Company’s employee responsible for receiving, registering and reviewing the reports.

"CPDP" – Commission for Personal Data Protection

"External Channel" - The central authority for external whistleblowing and for the protection of persons to whom such protection is provided in the sense of the APPRIPDIB is the Commission for Personal Data Protection.

"Internal Channel" – Company`s internal whistleblowing channel;

"Publicly Disclosing Information" – Publicly disclosed information about breaches of Bulgarian legislation or EU acts annexed to the law.

"A whistleblowing person" - Anyone who within a work context becomes aware of a committed or impending violation and reports it.

III . REPORTS TO WHICH APPRIPDIP APPLIES

This Act shall apply to report information or public disclosure of information regarding:

  1. violations of Bulgarian legislation or the acts of the European Union specified in the annex to the law in the field of:
    a) public procurement;
    b) financial services, products and markets and the prevention of money laundering and terrorist financing;
    c) product safety and compliance;
    d) transport safety;
    e) environmental protection;
    f) radiation protection and nuclear safety;
    g) food and fodder safety, animal health and their humane treatment;
    з) public health;
    h) consumer protection;
    i) privacy of personal life and personal data protection;
    j) networks and information systems security;
  2. violations, that affect the financial interests of the European Union in the sense of Art. 325 of the Treaty on the Functioning of the European Union and further specified in the relevant measures of the Union;
  3. violations of the rules of the internal market within the meaning of Art. 26, Para. 2 of the Treaty on the Functioning of the European Union, including the rules of the European Union and Bulgarian legislation on competition and state aid;
  4. breaches, related to cross-border tax schemes, the purpose of which is to obtain a tax advantage, that is contrary to the subject or purpose of the applicable law in the field of corporate taxation;
  5. committed crime of a general nature, for which a person under Art. 5 becomes aware in the course of their work or in the performance of their official duties.

(2) This Act shall also apply to reports or public disclosure of information about breaches of Bulgarian legislation regarding:

  1. The rules for paying outstanding state and municipal debts;
  2. the labor legislation;
  3. the legislation, related to the performance of civil service.

(3) When sectoral acts of the European Union, as listed in Part II of the Annex, contain specific reporting rules, those rules, whether established in the sectoral acts or in national provisions, will take precedence. This Act applies to matters not explicitly regulated by the relevant sectoral acts and national regulations.

Proceedings are not initiated, and APPRIPDIB reports are not considered in the following cases:

  1. if they are anonymous;
  2. where the violations mentioned in the report occurred over two years ago.

 

IV. WISTLEBLOWING PERSON

Protection under this Act shall be provided to a whistleblower from the moment the report is filed or the information about a violation is made public.

A whistleblower within the meaning of the Act shall be a person, who files a report of information or publicly discloses information about a breach, that has come to his knowledge in his role as:

  1. worker in the meaning of Art.45, Para 1 of the Treaty on the Functioning of the European Union, including a worker, employee, civil servant or other person, who is engaged in paid labor, regardless of the nature of the work, the method of payment and the source of financing;
  2. self-employed person in the meaning of Art. 49 of the Treaty on the Functioning of the European Union, including a person who works without an employment relationship and/or practices a free profession and/or craft activity;
  3. a volunteer, paid or unpaid, and intern;
  4. partner, shareholder, sole owner of the capital, member of the management or control body of a commercial company, member of the audit committee of an enterprise;
  5. a person, who works for a person or legal entity, contractors, or its subcontractors or suppliers;
  6. a person whose employment or service relationship is about to start in cases where the information about the violations was received during the selection process or other pre-contractual relations.
  7. worker or employee, when the information was obtained within the framework of an employment or service relationship, that was terminated at the time of the filing of a report, or of the public disclosure.

Protection under this Act shall also be granted to:

  1. persons, who assist the whistleblower in the reporting process and whose assistance should be kept confidential;
  2. persons who are related through the work or relatives of the whistleblower and who may be subject to repressive retaliation, due to the information reporting;
  3. Legal entities in which the whistleblower holds an equity interest, works, or is otherwise associated in a work context.

V . REQUIREMENTS FOR WHISTLEBLOWER PROTECTION

A person reporting violations through an internal or external channel under APPRIPDIB shall be entitled to protection when the following conditions are met simultaneously:

  1. have had a reasonable reason to believe, that the submitted information about the breaches in the report was correct at the time of its submission and that this information falls within the scope of APPRIPDIB;
  2. have reported a breach under the terms and conditions of APPRIPDIB and this Policy where applicable.
    • A person who publicly discloses information about a breach is entitled to protection under this Act if they had a reasonable belief that the information about the breach was true at the time of disclosure and that this information falls within the scope of Art. 3 of APPRIPDIB, provided that any of the following conditions are met:
  1. The person has submitted a report in accordance with the conditions and procedures outlined in this Policy, but no action has been taken on the report within the timeframes specified in Sections I and II of Chapter Two of APPRIPDIB;
  2. The person has reason to believe that:
    • The breach may present an immediate or clear danger to the public interest or there is an emergency situation or risk of irreversible damage;
    • In the event of external reporting, there is a risk of retaliatory actions or a possibility that the breach will not be effectively addressed. This may be due to concerns about the concealment or destruction of evidence, suspicions of collusion between the competent authority and the perpetrator of the breach, or the complicity of the authority in the breach, as well as other specific circumstances related to the case.

Any kind of retaliation against individuals who publicly disclose information about a breach, involving repressive actions or placing them at a disadvantage, as well as threats or attempts at such actions, are strictly prohibited. This includes:

  1. Temporary suspension, dismissal, or the use of other grounds for terminating the employment relationship of the individual.
  2. Demotion or delay in promotion.
  3. A change in the workplace, job description, working hours, or a reduction in remuneration.
  4. Refusal to provide training to maintain and improve the professional qualification of the worker or employee.
  5. Negative evaluation of work, including in a job recommendation.
  6. Imposing property and/or disciplinary liability, which may include disciplinary penalties.
  7. Coercion, rejection, or threats of retaliatory actions, whether expressed physically, verbally, or by any other means, with the intention to harm a person's dignity and create a hostile work environment.
  8. Direct or indirect discrimination, unequal or unfavorable treatment.
  9. Denying the opportunity to transition from a fixed-term employment contract to an indefinite employment contract, when the worker or employee had a legal right to be offered permanent employment.
  10. Early termination of a fixed-term employment contract or refusal to renew it when such action is legally permissible.
  11. Harms, which may include damage to the person's reputation, especially on social networks, as well as financial losses such as business and income loss.
  12. Inclusion in a list, whether formal or informal, within a specific sector or industry that may prevent the person from starting work or providing a product or service in that sector or industry (commonly referred to as a 'blacklist')
  13. Early termination or cancellation of a supply contract when the individual is the supplier;
  14. Termination of a license or permit;
  15. Requiring the individual to undergo a medical examination.

VI . INFORMATION REPORTING CHANNELS

  • External channel – Commission for Personal Data Protection
  • Internal channel - an internal information reporting channel that complies with the following criteria:
  1. It is managed to ensure the completeness, integrity, and confidentiality of the information while preventing unauthorized access to it.
  2. Facilitates the storage of information, recorded on a durable medium, for the purposes of information investigation and subsequent inquiries.
  3. At least once every three years, obligated entities shall review their internal reporting rules, assess the implementation of the Act, and, if required, make necessary updates to the rules.

A report may be submitted in writing, via e-mail, or verbally. A report can be submitted personally or through an Authorized Person.

Submitting a report in writing

A written report should be submitted using a specified form. The Bulgarian form can be downloaded from HERE. The English form can be downloaded from HERE. It can be sent to the Company through one of the following two methods:

  • by email to the Company at the following email address: whistleblowing@cx-g.com. This email address is accessible to both the primary employee, responsible for handling information reports and the backup team member.
  • by post or courier service, using a licensed operator, to the Company's address at 25 Petar Dertliev Blvd., Sofia. Address the shipment to Stanislava Plamenova Ivanova, the designated recipient. The shipment should be delivered directly to the primary employee responsible for handling reports without being opened.

 

You can include any supporting information, references to documents, or data on individuals who can confirm or provide additional information with your report.

Submitting a verbal report
Submitting a verbal report can be done:

  • by phone at the following number +359 87 863 1458
  • on-site at the Company's office located at 25 D-r Petar Dertliev Blvd. in Sofia, specifically at the HR department where video surveillance is not in place.

 

When submitting a report through a personal meeting, the reporting individual should coordinate the meeting time to ensure it falls within the Company's established working hours and is convenient for both parties. The verbal report should be documented by completing the specified form. The reporting individual may have the opportunity to sign the report, but in case of refusal, this should be noted.

  • Public disclosure of information – information that is publicly disclosed concerning violations of Bulgarian legislation or acts of the European Union as attached to the law.

Considering the potential of quickly preventing a violation or removing the consequences of such a violation, the report should be submitted as a priority through an internal reporting channel, unless the whistleblower is at risk of retaliatory, discriminatory actions or no effective measures will be taken to verify the whistleblower to remedy the violation.

The reports can be submitted through internal or external reporting channel or through both channels.

VII. EMPLOYEE, RESPONSIBLE FOR HANDLING INFORMATION REPORTS

By Order No175/05.12.2023, the Company's Manager appoints Stanislava Plamenova Ivanova, holding the position of "Head of Human Resources Department" at "CXG Outsourcing" EOOD, as the designated Official who shall be responsible for handling reports under APPRIPDIB.

Stanislava Plamenova Ivanova is responsible for the functions of receiving, registering, and reviewing the reports.

In the event of a conflict of interest arising during the process of receiving, registering, or considering a specific report, Ralitsa Dimitrova Valova, hired on the position of "Office Manager" at the company, will assume the primary role in these functions and is designated as backup member of the APPRIPDIB team.

If a conflict of interest arises regarding the report involving Stanislava Ivanova and Ralitsa Valova, the Company's Manager will issue an order appointing another individual from the Company, whose actions will not conflict with the specific report.

VIII. RECEIVING, REGISTERING, AND REVIEWING REPORTS

The official responsible for reports under APPRIPDIB follows the current sequence of factual and legal actions when addressing each report:

  1. Receiving the report through the methods specified by the Company, as described in Section V of this policy.
  2. The report is logged with a unique number in the electronic Register of reports, as established and maintained by the Company under Art. 18, para. 2 of APPRIPDIB, following the provided template. This register is stored and managed within a dedicated workspace, known as the 'Whistleblowing SharePoint' at 'CXG Outsourcing' EOOD. The register is not publicly accessible and is limited to the employee responsible for receiving, registering, and reviewing reports.
    Electronic whistleblowing documents are processed and stored in official folders organized in the dedicated Whistleblowing SharePoint workspace.
    Paper documents on signals are stored by the official responsible for reports, organized in separate folders in a metal cabinet and in a way that ensures their confidentiality and security. Only the official has access to the cabinet.
  3. Within 7 days of receiving the signal, the official verifies the completeness and accuracy of the report and acknowledges its receipt. The official also provides the reporting person with information about the UIN (Unique Identification Number) and the date of registration of the report.
  4. If the initial formal review indicates that the report falls within the scope of Art. 3 of APPRIPDIB, a unique identification number (UIN) is generated through the CPDP website.
  5. The UIN is entered into the report registration form falling within the scope of Art. 3 of APPRIPDIB.
  6. Filling in the report registration form with the information available at the time of its submission.
  7. Identifying the missing information to the details of the report registration form.
    If the report does not meet the requirements of Art. 15, para. 2 of the APPRIPDIB, the whistleblower is sent a message to address the admitted inadequacies within 7 days of receiving the report.
    If the irregularities in the report are not corrected within the above-mentioned period, the official returns the report to the reporting person along with its attachments.
    Reports that contain patently false or misleading statements of fact will be returned with instructions to the sender to correct the statements and the sender's responsibility for persuasion.
  8. Communicating with the whistleblower to fill in the missing information on all details of the form.
  9. Investigating the allegations of violations presented in the report, and if necessary, engaging in internal communication with other employees or units responsible for carrying out this investigation.
  10. Maintaining communication with both the reporting person and the affected individual to clarify all matters related to the subject of the report.
  11. Within a maximum of three months after confirming receipt of the report or if no confirmation has been sent to the whistleblower, after the expiration of no more than three months, counted from the expiration of the period under item 3, the official prepares a brief report summarizing the report's information, the actions taken, and the final check results. This information, along with the reasons, is communicated in writing to both the sender and the individual concerned, with their confidentiality and protection obligations maintained.
  12. If the facts stated in the report are confirmed, the employee responsible for reviewing reports will initiate appropriate actions such as:
    • organizes follow-up actions in relation to the report, and for this purpose may require the assistance of other people or units within the Company structure.
    • proposes that the company consider implementing specific measures aimed at halting or preventing violations, particularly in instances where such violations have been substantiated or where there is a credible threat of their immediate occurrence.
    • refers the whistleblower to the competent authorities when their rights are affected.
    • forwards the report to the external whistleblowing authority when necessary, providing prior notification to the whistleblower.
    • in case the report is filed against the whistleblower's employer, the person responsible for reviewing the report directs the submitter to simultaneously report to the external whistleblowing authority.
  13. Actions are taken to store the reports following the provisions of Art. 8 of Ordinance No. 1 dated July 27, 2023, regarding the maintenance of the register of reports as outlined in Art. 18 of the Act on the Protection of Persons Reporting or Publicly Disclosing Information on Violations and forwarding internal reports to the Commission for Personal Data Protection.

    Reports and their associated materials, including subsequent documentation related to their review, shall be retained by the obligated party for a period of five years after the completion of the report's review, except in cases involving criminal, civil, labor law, and/or administrative proceedings connected to the submitted report.
  14. In the case of multiple reports of more serious violations, prioritization is carried out. Priority is given to reports when the committed violation has or could have a significant and long-lasting negative impact on the public interest.

IX. REPORT CHECK TERMINATION

  1. The report check is terminated when: The reported violation is minor and doesn't necessitate further follow-up actions. The termination doesn't impact on other obligations, applicable procedures, or the protections provided by the Act related to internal or external whistleblowing.
  2. On a repeated report that doesn't contain new, essential information regarding a violation for which an investigation has already been concluded, no further actions will be taken unless new legal or factual circumstances justify additional steps.
  3. If evidence of a committed crime is established; the report and its associated materials are promptly forwarded to the prosecutor's office.
  4. In cases where the investigation is terminated in either of the first two scenarios under item 1 above, the whistleblower may submit a report to the central authority for external whistleblowing.
  5. After the investigation is concluded, an individual report is prepared, providing a summary of the information from the report, the actions taken, and the final investigation results. This report, along with the reasons, is communicated to the worker or employee who submitted the report and to the affected person, in compliance with the obligation to protect their identities.

Final Provisions

§ 1. The present rules are issued following Art. 13 of APPRIPDIB.
§ 2. The present rules were approved on 05.12.2023 by the Manager of the Company and entered into force from the day of their approval.
§ 3. Whenever personal data is processed, including the exchange or transmission of personal data by competent authorities, it must comply with Bulgarian and EU legislation and the internal rules of 'CXG Outsourcing' EOOD.
§ 4. The official responsible for the reports is obliged to review and analyze the practice of applying these rules at least once every three years and, if necessary, take follow-up actions to update them.
§ 5. For unresolved points in these rules, the provisions of APPRIPDIB shall apply.

 

© Copyright 2009-2025 CXG. All Rights Reserved. Powered with Drupal by SkadIT.

Scroll to Top