The information provided below offers guidance and clarification on how to submit reports of alleged breaches by Balkan Services Ltd. If you have additional questions or require assistance, please contact the employees designated to receive and review reports via one of the communication channels listed below in the section “How to submit a report”.

INTERNAL REPORTING

What is internal reporting?

Internal reporting means providing information to the legal entity alleged to have committed a breach, through the publicly announced channels made available by it. The internal channels listed below may be used to submit a report if you believe that our company has committed a breach.

What is a breach?

Breaches are acts or omissions by our company that are:

• Unlawful and related to Bulgarian legislation or acts of the European Union, in one of the areas listed in the section “What can be reported?”
• Contrary to the purpose or objectives of the rules set out in acts of the European Union in one of the areas listed in the section “What can be reported?”

What can be reported and publicly disclosed?

You may submit reports concerning breaches of Bulgarian legislation and acts of the European Union in the following areas:

1. Public procurement;
2. Financial services, products and markets, and the prevention of money laundering and terrorist financing;
3. Product safety and compliance;
4. Transport safety;
5. Environmental protection, radiation protection and nuclear safety;
6. Food and feed safety, animal health and animal welfare; public health; consumer protection;
7. Protection of privacy and personal data;
8. Security of networks and information systems;
9. Competition protection and state aid;
10. Cross-border tax arrangements aimed at obtaining a tax advantage contrary to the object or purpose of the applicable corporate tax legislation;
11. Criminal offences of a general nature, of which you became aware in connection with your work or the performance of your official duties;
12. Breaches of rules regarding the payment of due public state and municipal receivables, labour legislation, and legislation related to the performance of public service.

What is information about a breach?

Information about breaches includes data or reasonable suspicions regarding the existence of data about actual or potential breaches that have occurred or are very likely to occur within our company. This information may also include data obtained while you, as the reporting person, were performing work assigned by another person for us. Information about breaches also includes data concerning attempts to conceal breaches.

Who may submit a report?

Anyone may submit a report. However, protection under the Protection of Persons Reporting or Publicly Disclosing Information on Breaches Act is granted if you have one or more of the following capacities:

1. You are an employee of our company, including former employees, for information learned while you were employed with us;
2. You have provided services to our company as a self-employed person;
3. You have acted as a volunteer or intern with us;
4. You work for another entity that provides services to us;
5. You obtained information about a breach during or prior to the completion of a recruitment process in which you participated, or during other pre-contractual relations.

How can a report be submitted?

Reports may be submitted through one of the following methods:

Orally – through a meeting with the employee designated to receive reports or by calling the following phone numbers:
+359 894 548 747
+359 893 304 434

In writing – by sending the report to the following address:
31 Exarch Joseph Street, Floor 3,
Sofia, Bulgaria

Addressee: Balkan Services Ltd, Report under the Protection of Whistleblowers Act

Electronically – by sending an email to the following address:
signals@balkanservices.com

What must the report contain?

It is mandatory that the report includes your personal details, so that we may assess whether you fall within the scope of the legal protection provided by law. According to the applicable legal regulations, anonymous reports are not subject to review.

Is it necessary to sign the report?

If the report is submitted in writing – yes. For electronic submissions, indicating your full name after the report is considered a signature.

If the report is submitted orally, you may refuse to sign it.

Is it necessary to use a specific reporting form?

No, it is not mandatory. For convenience, if you wish, you may use the form approved by the Commission for Personal Data Protection.

What is the procedure after submitting a report?

After submission, if your report is formally valid (i.e. not anonymous and falling within the areas listed in the section “What can be reported?”), it will be assigned a unique identification number (UIN). The employee responsible for handling the report will provide this number within seven (7) days of submission, using the communication address specified in your report. If no such address has been provided, we will contact you using the method by which the report was submitted, where possible.

What happens if the report contains inaccuracies or omissions?

The employee responsible for reviewing the report will contact you and grant you a seven (7) day period to correct the inaccuracies or omissions. If they are not remedied within the given timeframe, the review of the report will be terminated.

Do I bear liability for submitting a report?

Yes. If you knowingly submit false information, the person against whom the report is directed has the right to compensation for all material and non-material damages suffered. Additionally, you may be subject to a fine ranging from BGN 3,000 to BGN 7,000.

EXTERNAL REPORTING

Which authority receives external reports of breaches?

The central authority for external reporting and for the protection of persons entitled to such protection under the law is the Commission for Personal Data Protection (CPDP).

When can reports be submitted to the external authority?

At any time. Submission of a report through the internal channel is not a mandatory prerequisite for submitting a report to the CPDP.

Additionally, if the review of your report has been terminated on the grounds that the case was considered minor or that the report has already been reviewed, you may also submit the report to the CPDP.

How are reports submitted to the external authority?

By completing the electronic form available at the following address:
https://signal-public.cpdp.bg/