Whistleblowing policy & privacy Statement

Whistleblowing policy

Introduction

We consider integrity to be one of the cornerstones of our DNA. Therefore, a whistleblowing system has been established that allows both employees and external parties to confidentially report breaches of internal policies and procedures, laws and regulations.
Making a report is not an easy decision. Within the Matexi entities, we are aware that the reporter is concerned about the possible implications and reprisals of a report. We have therefore drawn up a policy to ensure that a framework is defined within which stakeholders can raise their concerns without fear of reprisals.
Apart from its functionality in itself, the presence of a whistleblower channel also has a deterrent effect on misconduct within the organization.
The whistleblowing system is in line with EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of individuals who report breaches of Union law (hereinafter the “Directive”).

Scope

This policy covers the following entities:

  • Abacus Group NV , including its subsidiaries as stated in the financial statements (other than those under Matexi NV or Sibomat NV);
  • Matexi NV , including its subsidiaries as listed in the annual accounts;
  • Sibomat NV, including its subsidiaries as stated in the financial statements.
    The policy covers all stakeholders that have a professional relationship with the above entities, including:
  • Employees ;
  • Temporary workers such as agency workers or job students ;
  • Unpaid volunteers or trainees ;
  • Persons providing services on a self-employed basis, such as consultants ;
  • Shareholders ;
  • Suppliers or subcontractors.

This policy also applies to reporters whose working relationship has ended or is about to begin, if they have obtained information about infringements during or after the termination of the working relationship or during the recruitment process or other pre-contractual negotiations.

What can be reported

The following topics fall within the scope of the whistleblowing procedure:

  • Breaches of policy or internal procedures, including unethical behavior, poor performance, incompetence and professional misconduct.
  • Fraud or theft.
  • Failure to comply with legal obligations (e.g. breaches of environmental legislation, public procurement, money laundering, etc.). ).
  • Protection of privacy and personal data, and security of network and information systems.

Consequently, the policy does not cover complaints about employment or interpersonal grievances between the whistleblower and another colleague. For these complaints, we refer you to the respective HR departments or confidants.

Submission of reports

You are strongly encouraged to report your concerns through the internal channels below if you have knowledge or suspicion of a breach related to any of the above categories.

Reporting channels

We provide the following reporting channels which are accessible to internal and external reporters. Reports can be submitted via:

  • The whistleblowing platform: https://matexi.whistlelink.com
  • A telephone call to +32 56 15 19 67 on Wednesdays between 10 and 11 a.m. CET
  • Written correspondence with “Whistleblowing” in reference to:
  • For Abacus Group NV and Matexi NV:

Matexi NV
for the attention of the Whistleblower Officer
Franklin Rooseveltlaan 180
8790 Waregem

For Sibomat NV
Sibomat NV
for the attention of the whistleblower
Oude Waalstraat 248
9870 Zulte

Anonymous reporting

Matexi makes a platform available that makes it possible for whistleblowers to submit reports anonymously, as required by the European Whistleblower Directive. When making an anonymous report through the platform, it is important that the reporter notes or remembers the case number and the verification code, as this is the only way to access the report afterwards and to communicate with the case manager. As an organization we are obliged to give feedback to the reporter on the status of the report. To be able to give this feedback, it is important that we can contact the reporter via the platform. If a telephone or written report does not contain contact details, we are unable to provide the required feedback to the reporter.

External reporting

Reporters who do not wish to use the internal whistleblower system can opt for an external channel. External reports can be made to the Federal Ombudsman.

Content of the report

In order to process a report in the best possible way, the following information must be provided with each report:

  • Name and relationship with our organization as well as personal contact details (except in the case of an anonymous report).
  • Role or involvement in the named incident.
  • Detailed description of the incident or breach, together with the time, date and location of any specific incidents or breaches:
    • Nature of the incident, what happened?
    • When did this take place (at a time or over a period of time)?
    • Where did this incident take place (at the office, … )?
  • Name and contact details of other persons who witnessed, or have further information on, the incident.
  • Any information about similar previous incidents or infringements involving the person(s) mentioned in the report.
  • Any supporting documents or useful documents relating to the report.

Handling of the report

The report is received and handled by an independent external partner: BDO. Upon receipt of the report, BDO checks whether the report falls within the scope of the Whistleblower Policy. When this is not the case, BDO will inform the reporter and ask him/her to contact the appropriate department within the organization (e.g. HR) or external authorities. Within 7 days after receipt of the report, the reporter will be informed of the acceptance or refusal of the report by BDO, either by telephone, letter or via the platform. To the extent possible, all communication between the reporter and BDO will be done via the secure Whistleblower Platform.

Examination of the report

When the report is accepted, an internal case handler is appointed who starts an investigation based on the content of the report. Within three months after acceptance of the report, BDO informs the notifier of the status of the investigation. The notifier has the right to be informed of the status of the investigation. However, the notifier has no right to be informed of the entire contents of the investigation.
The European Whistleblowing Directive requires that the persons named in the report must be given an opportunity to be heard in due time in order to explain their side of the facts, taking into account the anonymity and confidentiality of the report and where this would not be harmful to the investigation.

Termination of the investigation

When the investigation is complete, the reporter is informed of the outcome.
The persons named in the report must be informed in due time of the termination of the investigation, taking into account the anonymity and confidentiality of the report.

Confidentiality of the report

If the reporter raises a concern, the confidentiality of the identity will be ensured in accordance with applicable laws and regulations. The identity will not be disclosed to persons other than those authorized to receive or follow up reports without your express consent. This also applies to all other information from which the identity can be (in)directly derived. The identity may only be disclosed if there is a necessary and proportionate obligation imposed by EU or national legislation in the context of investigations by national authorities or legal proceedings (for example, in order to protect the rights of the defense of the person concerned in a judicial investigation).
If the hearing of a person involved in the report may jeopardize the confidentiality of the report, the person making the report will be contacted in the first instance.

Protection of the whistleblower

No whistleblower, as defined in the scope, who reports an incident can be punished or be the subject of any discriminatory measure because he or she made a report through the whistleblowing system. We do not permit any retaliation against those who report a breach or suspected breach of the rules or guidelines.

Privacy Statement Whistleblowing

Who are we?

Matexi NV, Abacus Group NV and Sibomat NV as data controllers
With this declaration (hereinafter referred to as “Declaration”) we wish to inform you why and how the Matexi entities listed above (hereinafter referred to as “we”) collect and process your personal data within the framework of the whistleblowing system.

As the data controller, we are responsible for the processing of personal data that we retrieve and use for whistleblowing purposes.
In any case, we take measures to ensure that you:

  • keep informed about our processing of your personal data and your rights;
  • continue to monitor the personal data that we process;
  • exercise your rights with respect to your personal data. More information on your rights can be found further in this document.

What data do we collect about you?

Personal data

By “personal data” we mean any information relating to living natural persons. When we receive a report from you, a file is created containing the details of your report. This file contains your identity, contact details and any other information you have given us about the person involved in the complaint. We will treat the information provided as confidential.
You can contact us anonymously if you wish, but the chances of us being able to investigate possible wrongdoing are greater if we can be sure that the person making the report is in a position to make an informed submission. It also means that we are better able to provide feedback on any action we have taken. In any case, we guarantee confidentiality and anonymity, should the person making the report wish to remain anonymous.

We will treat the information you provide as confidential and will not disclose it without legal justification. In the event of a further investigation and contact with other persons within or outside the organization, certain elements relating to the report may need to be disclosed. If certain information in the report may not be disclosed in the context of an investigation, please indicate this explicitly in the report.

Where possible, we will provide you with general feedback on the actions we take as a result of your report and the investigation carried out. We will also publish information in an annual report on all actions taken as a result of disclosures by whistleblowers. This report will only contain generic information in order to protect the identity of whistleblowers.
We only use your personal information to handle your complaint. We collect and publish statistics with information such as the number of complaints we receive, but not in a form that identifies anyone.

Sensitive data

As a controller, we do not intend to collect and process personal data of minors or so-called sensitive data:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
  • genetic or biometric data (e.g. facial images and fingerprints);
  • data relating to health;
  • data relating to sexual behavior or sexual orientation.
    However, should we receive such data in the context of a complaint, we will treat such sensitive data with the highest degree of security and confidentiality.

Why do we need your data?

We need sufficient information from you to investigate your protected disclosure to us, including any evidence you may have to support it.

We need to know the details of your complaint so that we can make a decision on the organization’s compliance with the relevant legislation and fulfil our obligations.

Personal data contained in whistleblower reports on topics related to an incident are processed on the basis of legal obligation, as this information is necessary for compliance with the Directive 2019/1937, i.e. to assess whistleblower reports and conduct possible investigations.

By accessing and using the whistleblowing system in an identified manner, the whistleblower consents to the processing of his/her personal data for the purposes indicated in this Whistleblowing Policy.

With whom do we share your personal data?

In the first instance, only BDO has access to the personal data mentioned in the report, together with an internal back-up case manager. These personal data can be shared with designated case handlers in the context of an investigation.
In case of necessity (such as a technical problem), temporary access can be granted to Whistlelink, the external party that makes the whistleblowing platform available and that acts as (sub)processor. Both BDO and Whistlelink have taken technical, organizational and contractual measures to ensure that your personal data are only processed and used for the purposes mentioned in this document.

Only if we are legally obliged to do so may your personal data be disclosed to supervisory authorities, tax authorities and investigative bodies.

Where is your data stored and processed?

Your data will not be stored and processed outside the European Union and we will ensure that minimum legal requirements and security standards are met at all times.
Apart from the above-mentioned cases, your personal data will never be passed on or made available to third parties and will only be used for our purposes.

How long do we keep your personal data?

Personal data obtained in the context of whistleblowing services shall be retained for as long as necessary for the processing of the report, including any consequences thereof, and in line with internal retention periods.

How do we secure your personal data?

We have implemented generally accepted technological and operational security standards to protect personal data from unauthorized loss, misuse, alteration or destruction.

The whistleblowing system has been set up so that only the persons designated to receive, analyze and process reports will be designated as data processors or persons specifically designated in accordance with Article 28 of the General Data Protection Regulation (GDPR), and will guarantee the full confidentiality of the personal data provided in accordance with the most appropriate security measures implemented for that purpose.

What are your rights?

  • Right of access, rectification, erasure, portability of data and objection
  • Right of access to your personal data
    • You have the right to access and inspect your personal data processed by us at any time. In this context, we will provide you with a copy of your personal data free of charge.
  • Right to correct your personal data
    • You have the right to have inaccurate, incomplete, inappropriate or outdated personal data erased or corrected at any time.
  • Right to withdraw your consent
    • If the processing is based on your explicit consent, you have the right to withdraw it at any time.
  • Right to object to certain processing operations
    • You have the right to object to processing activities on the basis of legitimate interests.
  • Right to have your personal data deleted
    • You have the right to have your personal data deleted. On these grounds, you can request that we no longer use your personal data. However, we may retain personal data necessary for evidentiary purposes. Pursuant to this right of deletion, you also have the right to ask us at any time to stop using your personal data processed on the basis of your consent or our legitimate interest. On the basis of legitimate interests, we may nevertheless continue to process your personal data after balancing your interests against ours.
  • Right to transfer personal data
    • You have the right to request that personal data which you have personally provided to us - in a structured, commonly used and digital form - be transferred to you so that you can store it for your personal (re-)use, or to transfer such personal data directly to another controller, insofar as it is technically possible for us to do so. However, the privacy legislation provides some restrictions to this right, meaning that it does not apply to all data.
  • Right to restrict certain processing operations
    • You can request us to restrict the processing of your personal data if you dispute the accuracy of your personal data, you can request a restriction of the processing for a period that allows us to verify the accuracy of your personal data.

How to exercise rights

To exercise the above rights, please refer to the whistleblowing platform and your personal case number and verification code, where you can submit your request.

When exercising your right, please clearly indicate the right you are invoking and the processing(s) to which you object or wish to withdraw consent. Always be as specific as possible when exercising your rights.
This request is free of charge, except when we consider that the request is manifestly unfounded or excessive (as in the case of a repeated request).

For each additional copy requested, we may also charge a reasonable fee based on the administration costs.
The request for a copy of the data shall be handled within one month. This period may be extended by two months, taking into account factors such as the complexity and number of requests. In the event of an extension of the deadline, you will be notified and informed of the reasons for the extension.

If data is adjusted, changed or deleted, we will communicate this with the persons to whom this data has been provided (such as the case managers and case handlers of the whistleblowing report), unless this is not possible or involves a disproportionate effort. When the data is needed to fulfil a legal obligation, this data cannot be deleted.

How to submit questions or complaints?

For questions or complaints about our processing of personal data, about the exercise of your rights or about this Declaration, we also refer you to our whistleblower platform and your personal case number. In this way, we can ensure the confidentiality of communications.

We strive to find a fair solution to any complaint or concern about privacy. However, if you feel that we have not been able to help you with your complaint or concern, you have the right to lodge a complaint with the data protection authority of your country of residence via their website.

Belgian residents can lodge a complaint with the Belgian Data Protection Authority. All information can be found at https://www.dataprotectionauthority.be/ .

Amendments to this declaration

We may amend or supplement this statement as we deem necessary.

If any significant changes are made to this Declaration, the date on which it is amended will be updated.
We also recommend that you review this Statement regularly to understand how we process and protect personal data.