Whistleblowing Rules

Rules for internal reporting and follow-up of them in proceeding under the Protection of Persons Reporting or Publicly Disclosing Information on Violations Act

(This document was adopted by a Decision of the Board of Directors of Tenen Payments AD, adopted at a meeting held on 04.05.2023.) Tenen Payments AD (“Electronic Money Institution”, “DEP”) is an obliged person within the  meaning of Art. 12, para. 1, item 3 of the Law on the Protection of Whistleblowers or Public Disclosure of Violations (the “Act”). These rules are prepared in connection with the application of the law, and the scope of the violations includes fraud, money laundering, bribery,  corruption, unfair practices, insider dealing and other unlawful acts, immoral or unethical behaviour. DEFINITIONS

1. “Violations” are actions or omissions that are:
2. a) unlawful and are related to the Bulgarian legislation or the acts of the European Union in the areas referred to in art. 3 of the Law on the Protection of Whistleblowers or Publicly Disclosing Information on Violations, or

(b) conflict with the object or purpose of the rules in the acts of the European Union and the areas referred to in Article 10; 3 of the Law on the Protection of Persons Reporting or Publicly Disclosing Information on Violations.

2. 2. “Employer” is any natural person, legal entity or its division, as well as any other organizational and economically distinct entity that independently employs workers or employees under an employment relationship, including for carrying out homework and remote work and for sending for performance of work in a user enterprise.

‘  information about a breach‘ means information, including reasonable suspicions, of actual or potential breaches that have occurred or are very likely to occur in the organisation where the reporting person works or has worked or in another organisation with which the reporting person is or has been in contact during their work, and about attempts to cover up breaches; ‘  work context’ means current or past work activities in the public or private sector through which, irrespective of their nature, persons are informed of breaches and within which such persons may be subjected to retaliatory action if they submit such information;

5. ‘person concerned’ means a natural or legal person who is identified when reporting or publicly disclosing information as the person to whom the infringement is attributed or to whom that person is associated;

‘ retaliation’ means any direct or indirect act or omission which occurs in a working context, is caused by internal or external reporting or public disclosure, and which causes, or may cause, adverse effects detrimental to the reporting person; ‘ follow-up’ means any action taken by the person receiving the report or by a competent authority to assess the accuracy of the allegations made in the report and, where appropriate, to address the reported breach, including through actions such as an internal inquiry, investigation, prosecution, freezing action or the conclusion of the procedure; ‘sufficient data  ‘ means data from which a reasonable presumption can be made of an infringement which falls within the scope of this Act. ‘ internal reporting’ means the oral or written communication of information on infringements within a legal entity in the private or public sector; ” External reporting” is an oral or written communication of information about violations to the competent authorities. ” Durable medium” shall be any carrier of information enabling the obliged entities under Art. 12, para. 1 of the Law on the Protection of Persons Reporting or Publicly Disclosing Information on Violations or the Commission for Personal Data Protection to store information that allows its easy use in the future for a period corresponding to the purposes for which the information is intended,  and which allows the unchanged reproduction of the information stored.   GENERAL Art. ( 1) These Rules shall apply to a natural person reporting an infringement that has become known to him in his capacity of:

1. “employee”, “worker” or other person who performs hired work for the IED;
2. a person who works without an employment relationship and/or exercises a liberal profession;
3. volunteer and trainee with the Employer;
4. partner, member of the management or supervisory body of the IED ;
5. all persons counterparties of the IED, including service providers;
6. persons where information about violations has been acquired in a working relationship that has ended, or persons who are about to conclude a contract with the IED, when the information is obtained during the recruitment process or in other pre-contractual relations.

(2) The identity of the reporting person may not be disclosed to anyone outside the responsible officer competent to receive and process reports of violations without the explicit consent of that person. This also applies to any other information from which the identity of the reporting person can be established. (3) Exceptions to the prohibition under para. 2 shall be allowed if this is a necessary and proportionate obligation imposed by a legal act in the context of investigations by national authorities, including with a view to protecting the rights of the person concerned. Art. ( 1) The IED shall appoint by an internal act of the management body an employee responsible for the consideration of signals under these Rules, as well as a responsible member of the managing body. (2) The appointed employee under para. 1 may be replaced, if necessary, in the same order as it is determined. (3) The appointed employee under para. 1 must be independent in its activities from the other employees of the Company in order to avoid situations where conflicts of interest may arise and ensure the confidentiality of the identity of the reporting persons. (4) In the event that a conflict of interest arises in connection with a specific report, the employee responsible for the consideration of signals shall recuse himself and the alert shall be sent for consideration to the responsible member of the management body.   PROCEDURE FOR SUBMISSION AND CONSIDERATION OF INTERNAL SIGNALS FOR VIOLATION Art. 3. Alerts under these Rules may be submitted through the following internal channels:

1. in writing – to the address for correspondence of the DEP: “Tenen Payments” AD: Sofia, Vazrazhdane district, bul. “Todor Alexandrov”, 20 or a specially created internal channel under art. 4 of these Rules;
2. orally – by phone of the officer responsible for handling the signals under these Rules or through other voice messaging systems or in person – at the request of the reporting person through a personal meeting in an agreed between the parties within a suitable time for them.

Art. ( 1) These Rules establish e-mail: compliance@10npay.com as an internal channel for reporting infringements within the IED. (2) All internal channels shall allow storage of information recorded on a durable medium for the needs of the alert check and for further investigations. (3) Internal reporting channels are managed by the reporting officer, who should ensure the confidentiality of the identity of the reporting person and any third party reporting person and restrict access to it by unauthorised staff. Art. 5. (1) Alerts shall be submitted by filling in a form in a standard form, which can be found on the official website of the Commission for Personal Data Protection (CPDP). https://www.cpdp.bg/index.php?p=sub_rubric&aid=282 and shall contain at least the following particulars:

1. the full name, address and telephone number of the sender, as well as an e-mail address, if any;
2. the names of the person against whom the alert is filed and his/her place of work, if the alert is filed against specific persons and they are known;
3. specific data of a breach or of a real danger of such being committed, place and period of the breach, if one has occurred, a description of the act or situation and other circumstances, insofar as such are known to the reporting person;
4. date of submission of the alert;
5. signature, electronic signature or other identification of the sender.

(2) The oral signal shall be documented by filling in the form under para. 1 by the officer responsible for examining reports, who proposes to the whistleblower to sign it if desired by him and notes his consent or refusal in the appropriate place on the form. (3) The alert may be accompanied by any kind of sources of information supporting the allegations made therein and/or reference to documents, including indication of data on persons who could confirm the data communicated or provide additional information. Art. 6.  (1) The employee responsible for handling alerts shall acknowledge receipt of the alert within 7 days of its receipt by sending a written confirmation to the e-mail address or correspondence address specified in the form. (2) If the signal does not meet the requirements of art. 5, para. 1, the reporting person shall be sent a notice for removal of the irregularities within 7 days of receipt of the report. If the irregularities are not remedied within this period, the report together with its attachments shall be returned to the reporting person. Art. 7. (1) The official responsible for handling alerts may terminate the inspection in the event that:

1. finds that the reported violation is a minor case and does not require further follow-up;
2. in the case of repeated reports, no new information is contained in connection with an already terminated infringement investigation, unless new circumstances and facts require follow-up action;
3. when evidence of a crime has been established. In this case, the signal and the materials to it are sent immediately to the prosecutor’s office.

(2) The reporting person shall be notified of the decision for termination and the reasons thereto. (3) In the cases when the inspection is terminated on the grounds of para. 1, letter “a” and “b” the reporting person may report to the national authority for external reporting – CPDP. Art. 8. The official responsible for examining reports shall be obliged to:

1. ensure that the identity of the reporting person and any other person referred to in the report is properly protected and take appropriate measures to restrict access to the report by unauthorised persons;
2. liaise with the reporting person and, if necessary, request additional information from the reporting person and from third parties;
3. provide feedback to the sender of the alert on the actions taken within no longer than three months after the acknowledgement of receipt of the alert;
4. provide persons wishing to report clear and easily accessible information on the procedures for external reporting to the competent national authority the Commission for Personal Data Protection and, where appropriate, to the institutions, bodies, offices and agencies of the European Union;
5. provide an opportunity for the person concerned to present and identify new evidence to be gathered in the course of the inspection.

Art. ( 1) The official responsible for examining alerts shall verify within the scope of his competence his credibility, and if he contains obviously false or misleading statements of facts, he shall return it with an instruction to the sender for correction of the allegations and a warning of the responsibility he bears under Art. 286 of the Criminal Code for defamation. (2) No proceedings shall be instituted for violations that are anonymous committed more than two years ago or do not fall within the scope of the Law on the Protection of Persons Reporting or Publicly Disclosing Information on Violations. Art. ( 1) The reporting officer and third parties may request additional information from the reporting person and third parties to clarify the factual situation of the report. (2) In the course of the inspection, written explanations shall also be heard and/or collected by the person against whom the alert has been filed and additional evidence shall be collected in case he/she wishes to present such. Art.  (1) If the facts presented in the alert are confirmed as a result of the inspection carried out and on the basis of the evidence collected and evaluated, the officer responsible for the examination of alerts:

1. organize the follow-up of the alert, and for this purpose may require the assistance of other persons or departments in the IED;
2. suggests that the IED take specific measures in order to stop or prevent the infringement in cases where such an infringement has been established or there is a real danger of its imminent;
3. refer the reporting person to the competent authorities when his/her rights are affected;
4. forward the report to the authority for external reporting CPDP if it needs to take action on its part, and the reporting person shall be informed in advance of the referral;

(2) In the event that the report is filed against the IED in its capacity of employer, the employee responsible for handling reports shall direct the person to simultaneously report to the authority for external reporting. Art. 12.  As a result of the verification, the reporting officer shall draw up an individual report briefly describing the information from the report, the actions taken, the final results of the verification of the report, which, together with the reasons, he shall communicate to the reporting person and the person concerned, subject to the obligation of confidentiality. Art. ( 1) The submitted alerts shall be entered by the responsible person in a register of alerts for violations, established under these Rules, which shall not be public and shall include the following information:

1. the person who has received the signal;
2. the date of submission of the alert and/or a unique identification number (WIN);
3. the person concerned, if such information is contained in the alert;
4. summarized data on the alleged violation, such as the place and period of the infringement, a description of the act and other circumstances in which it was committed;
5. the connection of the alert with other signals after the establishment and in the process of processing the signal;
6. information provided as feedback to the whistleblower and the date of its submission;
7. the follow-up actions taken;
8. the results of the signal check;
9. the period of storage of the signal.

(2) The information entered in the register shall be stored in a way that ensures its confidentiality and security. (3) The person responsible for receiving and viewing signals in the IED shall register the received signal with the CPDP for the purpose of receiving a WIN.   ADDITIONAL RULES Art. (1) Any processing of personal data carried out  under these Rules, including the exchange or transfer of personal data, shall be carried out in accordance with Regulation (EU) 2016/679 (GDPR) and the national legislation and internal policies of the IED. (2) Personal data that is not necessary to conduct a check on a signal shall not be subject to processing and shall be deleted in a timely manner. Art. 15. The IED shall store the received reports of breaches in accordance with the requirements of the applicable legislation, but not longer than 5 years after the completion of the verification of a report and the sending of the result to the reporting person. Art. 16. These rules do not supersede already established and effective ones for action in case of established violations within the IED with a specialized scope (Rules under the LMLDA, MFIA). Art. Art. 17.  (1) The officer responsible for reviewing signals shall acquaint the employees of the IED with these Rules. (2) The rules shall be published on the official website of the IED. Art. 18. The IEC shall review these Reporting Rules and their practical application at least every three years and, if necessary, update them. Art. 19.  These Rules for Internal Signals have been approved by a decision of the Board of Directors of Tenen Payments AD from 04.05.2023.