Whistleblower policy

Intro

It is important to iO to create an atmosphere in which everyone feels at ease and empowered to safely share their concerns.

This policy describes the procedures to file a report on an effective and safe manner with respect to (suspected) wrongdoings or irregularities within iO's organization under the socalled "Whistleblower Legislation".
Below is described who can make a report, how (internally/externally) this can be done and what a ‘Whistleblower’ can expect with respect to communication, protection, and treatment of the report.

iO may amend or supplement this Policy as deemed necessary. If significant changes are made this will be indicated and brought to the attention.

This Policy was updated on 02/02/2024.

Why this policy?

With this Whistleblower Policy, iO aims to keep the threshold for reporting work related malpractices and irregularities within the organization as low as possible and to provide a transparent and safe way to do so.

When filing a report, a person is not expected to be able to prove a malpractice/irregularity. However, the claim made must be plausible and that there are facts or circumstances that indicate a reasonable suspicion of a malpractice/ irregularity.

As an organisation, iO ensures that a report is handled carefully, in all confidentiality and is dealt with without retaliation for the reporter.

Who can make a report?

Any person who, in a work-related context, obtains information about illegal, unfair or abusive behaviour and/or observes other violations (of laws) can file a report. It is irrelevant whether the work relationship has ended, is ongoing or has yet to begin.

Consequently, it applies - but is not limited to - the following persons with a working relationship with iO, being:

  • Employees

  • Interns

  • Freelancers

  • Consultants

  • Shareholders

  • Suppliers

  • Clients

The protected persons also include family members and colleagues of the reporter, if they have a working relationship with the person against whom the report is made and persons who assist the reporter, such as a counsellor.

Outside of a work-related context, reports can only be related to prevention of money laundering and terrorist financing.

A person who makes a report according to, in accordance with this policy is considered a "Whistleblower" and is protected in that sense as also described in this policy.

What can be reported?

Within the Whistleblower Policy, all (suspected) malpractices/ irregularities can be reported with respect to:

  • A legal requirement or internal rules involving a specific obligation and established by an employer pursuant to a legal requirement;

  • A danger to public health;

  • A danger to the safety of persons;

  • A danger to the degradation of the environment;

  • A danger to the proper functioning of the organization due to improper conduct or negligence.

  • Public procurement

  • Financial services, products and markets, and prevention of money laundering - and terrorist financing

  • Product safety and compliance

  • Transport safety

  • Protection of the environment

  • Radiation protection and nuclear safety

  • food and feed safety, animal health and welfare

  • public health,

  • consumer protection

  • protection of privacy and personal data, and security of network and information systems.

  • Tax fraud

  • Social fraud

Any report on a malpractice/irregularity with respect to the above must be based on information obtained from the work environment. To be considered a violation, it must involve an act or omission that is (presumably) unlawful, or that violates any regulation.

The Whistleblower's report must be integral and done in good faith and must be based on reasonable and demonstrable grounds. An integral report is a report that is motivated by a higher interest than that of the Whistleblower itself. In the case of an integral report, it cannot reasonably be expected that the Whistleblower should have raised the report in another way within the organization (for example, through the incident procedure or through regular discussions with teams, supervisors, etc.).

Not all types of misconduct can be reported under this Whistleblower policy, e.g.:

  • If an iO employee encounters wrongdoing at another organisation through their work, it should be reported to the relevant organisation or externally.

  • Personal complaints (e.g., about the workplace, the relationship with colleagues or manager) do not fall under the Whistleblower policy nor do reports made purely in the reporter's own interest (reports not made in good faith). Such irregularities should first be discussed with the immediate manager, HR director or other regular designated person in the normal way.

Protection of the Whistleblower

Any form of retaliation against Whistleblowers, including threats and attempts of retaliation, are prohibited. Thus, the Whistleblower is protected from, among other things, negative evaluations, change of position, other sanctions (financial or otherwise) or dismissal. The Whistleblower is protected indefinitely in time.

The protection however ends if the Whistleblower knowingly reports false and/or misleading information. Gets access to information in order to commit an offence himself. Also, the Whistleblower may still be subject to measures completely unrelated to the report.

Confidentiality of a report

Confidentiality of the identity of the Whistleblower is established by law. Without explicit consent of the Whistleblower, his/her identity will not be disclosed to persons who are not authorized to receive or follow up on reports. This also applies to any other information from which the identity can be (in)directly deduced.

Only if there is a necessary and proportionate obligation, imposed by EU or national legislation, in the context of investigations by the authorities or judicial proceedings, may the identity of the Whistleblower be disclosed.

How can a report be filed?

Reports can be made in writing or orally. A Whistleblower can also use the online report to request a meeting with their local confidential advisor or with the HR department to make a verbal report.

Internal reports

How?

Reports can be made in writing or orally. A Whistleblower can also use the online report to request an interview that allows for an oral report to be made with their local confidential advisor or HR.

Our internal reporting procedures are organized to ensure maximum security and protect the confidentiality and discretion of the identity of the reporter itself, the report and any third parties.

Reports can be made both confidentially and anonymously.

  • In the case of a confidential report, you can state your name and contact information, so that your report can be handled in the most effective way.

  • In the case of an anonymous report, the identity of the person making the report will not be sought or otherwise identified. An anonymous report may lead to the fact that an adequate investigation is not possible. iO will always act to the best of its ability.

All reports (confidential and anonymous) will be accepted and handled by the notification manager (the designated HR directors). Continuity with respect to the follow up of notifications is guaranteed. All those involved in the receipt, handling and follow-up of the report will observe the principles of confidentiality, objectivity, and impartiality. Third parties (e.g., those involved in the report) will never receive the identity of the Whistleblower.

Information, advice and support
The Whistleblower may also consult an adviser in confidentiality about suspected wrongdoings. An advisor is defined as a person who has a duty of confidentiality by virtue of their position and who is consulted in confidentiality e by a Whistleblower about suspected wrongdoing.

Procedure
Each report is made through the internal online reporting tool accessible through vibe.iodigital.com where one can choose "Campus" and then "Whistleblower report". The report is anonymous unless the reporter provides his contact details. To ensure anonymity, the tracking code on the application side is disabled, as well as user details such as username or IP addresses will not be stored. iO guarantees not to trace the identity of the reporter in any other way.

The following must be included in the report:

  • A detailed description of what you identify and wish to bring to attention. (e.g. those involved or not, sources, date, place) and how they came to the attention of the Whistleblower;

  • The names of other persons, if any, who can confirm the facts reported

  • The contact details of the Whistleblower if preferred;

  • any other information or elements that may help the investigation team to verify the facts.

Within 7 days, the Whistleblower will receive a confirmation of receipt, unless the notification manager was unable to respond to the report (in case of anonymity). In doing so, the Whistleblower Manager first checks whether the report falls within the scope of the Whistleblower Regulation.

Investigation
Each notification is then carefully investigated by the notification manager. Other departments may or may not be involved on a need-to-know basis (e.g., legal) to help conduct the investigations. If necessary, an outside party may be involved to conduct a thorough, confidential and impartial investigation.

No later than three months after the confirmation of receipt, the Whistleblower will receive feedback on the investigation and follow-up of his/her report (if possible when made anonymously). The Whistleblower maintains centrally a summary of each report describing any actions taken (whether anonymized or not).

Outcome
If a report reveals a breach, iO guarantees that appropriate and corrective yet proportionate action will be taken.

Privacy
When handling a report, iO will comply with any applicable law on the protection of personal data.

External reports

Violations of internal rules, processes, etc., must always first be reported internally according to the procedure described above.

There is also the possibility of reporting a violation externally to the competent authorities. Each of these authorities is competent for a particular domain and is responsible for the investigation and monitoring of reports, as well as possible sanctions. The list of competent authorities for receiving external reports is listed below for both Belgium and the Netherlands.

Belgium:

The Competent authorities for external reporting are listed in the Royal Decree (Koninklijk besluit van 22 januari 2023 tot aanduiding van de bevoegde autoriteiten voor de uitvoering van de wet van 28 november 2022 betreffende de bescherming van melders van inbreuken op het Unie- of nationale recht vastgesteld binnen een juridische entiteit in de private sector):

These are the following authorities, each with jurisdiction over its own domain (in Dutch): de Federale Overheidsdienst Economie, K.M.O., Middenstand en Energie;

  • de Federale Overheidsdienst Financiën;

  • de Federale Overheidsdienst Volksgezondheid, Veiligheid van de voedselketen en Leefmilieu;

  • de Federale Overheidsdienst Mobiliteit en Vervoer;

  • de Federale Overheidsdienst Werkgelegenheid, Arbeid en Sociaal Overleg;

  • de Programmatie Overheidsdienst Maatschappelijke Integratie, Armoedebestrijding, Sociale Economie en Grootstedenbeleid;

  • het Federaal Agentschap voor Nucleaire Controle;

  • het Federaal Agentschap voor Geneesmiddelen en Gezondheidsproducten;

  • het Federaal Agentschap voor de veiligheid van de voedselketen;

  • de Belgische Mededingingsautoriteit;

  • de Gegevensbeschermingsautoriteit;

  • de Autoriteit voor Financiële diensten en Markten;

  • de Nationale Bank van België;

  • het College van toezicht op de bedrijfsrevisoren;

  • de autoriteiten gemeld in artikel 85 van de wet van 18 september 2017 tot voorkoming van het witwassen van geld en de financiering van terrorisme en tot beperking van het gebruik van contanten;

  • het Nationaal Comité voor de beveiliging van de levering en distributie van drinkwater; • het Belgisch Instituut voor postdiensten en telecommunicatie;

  • het Rijksinstituut voor ziekte- en invaliditeitsverzekering;

  • het Rijksinstituut voor de Sociale Verzekeringen der Zelfstandigen;

  • de Rijksdienst voor Arbeidsvoorziening;

  • de Rijksdienst voor Sociale Zekerheid;

  • de Sociale Inlichtingen en Opsporingsdienst;

  • de Autonome dienst Coördinatie Anti-Fraude (CAF);

  • de Scheepvaartcontrole.

The Netherlands

The competent authorities for external reports are, according to the nature of the report and the employer's sector, among other things: Netherlands Authority for Consumers & Markets

  • Dutch Authority for the Financial Markets

  • Dutch Data Protection Authority

  • Dutch Central Bank (De Nederlandsche Bank)

  • Inspectorate for Health and Youth Care

  • Dutch Healthcare Authority

  • Authority for Nuclear Safety and Radiation Protection

If no other specific authority is competent, one can turn to the Dutch Whistleblowing Authority (https://www.huisvoorKlokkenluiders.nl/)