Whistleblowing policy - Luxinnovation

The Policy applies within the legal entity LUXINNOVATION GIE (hereinafter referred to as “Luxinnovation” or as the “Legal Entity”), registered under number C16 in the Luxembourg Trade Register. Its head office is located at 5, Avenue des Hauts-Fourneaux L-4362 ESCH-sur-ALZETTE.

Its purpose is to provide information and to indicate the procedures for collecting, processing and following up internal and external reports made in good faith by the reporting person.

The present Policy is applicable as of 01/12/2023. The Employer reserves the right to modify and amend the content of this Policy at any time.

This policy is available for Luxinnovation employees on the intranet and, for Luxinnovation contacts, on the website (www.luxinnovation.lu).

1. Definitions

Term	Definition
Authorized persons	Persons mandated by Luxinnovation to receive and process the violations reported. Their identity will be communicated to staff by email upon each new appointment.
Breach(es)	Acts or omissions that are unlawful or contrary to the object or purpose of national law or directly applicable provisions of EU law.
External report	The oral or written communication of information about breaches to the competent authority.
Facilitator	A natural person who assists a reporting person in the reporting process in a work-related context, and whose assistance should be confidential.
Information on Breaches	Information, including reasonable suspicions, about actual or potential breaches, which occurred or are very likely to occur in the organisation in which the reporting person works or has worked or in another organisation with which the reporting person is or was in contact through his or her work, and about attempts to conceal such breaches.
Internal report	The oral or written communication of information about breaches within the Legal Entity.
Person concerned	Natural or legal person who is referred to in the report or public disclosure as the person to whom the breach is attributed or with whom that person is associated.
Public disclosure or disclose publicly	The making of information about breaches available in the public domain.
Report or reporting	The oral or written communication of information about breaches.
Reporting person	Any natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities.
Retaliations	Any direct or indirect act or omission, which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person.
Work-related context	Current or past work activities in the public or private sector through which, irrespective of the nature of those activities, persons acquire information on breaches and within which those persons could suffer retaliation if they reported such information.

2. General provisions - Principles

A Reporting Person could be a present or former employees, but also candidates, trainees (paid or unpaid), volunteers, self-employed persons, directors or managers, as well as any person working for contractors, subcontractors and suppliers.

The Reporting person must report breaches in good faith, meaning he must have “reasonable grounds to believe that the information on breaches reported was true at the time of reporting” (article 4 of the Law). All national law is covered.

The information reported must have been collected lawfully, in compliance with existing legal provisions.

Information on breaches must be reported and will be processed in accordance with article 4 of this Policy.

Reporting persons wishing to report breaches are encouraged to give priority to internal reporting within the Legal Entity before any external reporting to a competent authority.

Individual issues involving staff members are not dealt with under this Policy and are handled separately by the Human Resources department (please contact the relevant staff).

Please note that Luxinnovation has a separate policy regarding moral and sexual harassment. Any person who believes they have been a victim or witness of acts of moral or sexual harassment within Luxinnovation is encouraged to report, within the framework of this separate policy, to the Human Resources department or the Personnel Delegation.

3. Duty of guarantee and confidentiality

3.1. The internal reporting channels provided for in article 4 of the Policy are designed, established and managed in a secure manner that guarantees the strict confidentiality of the identity of the Reporting person, of any third party mentioned in the report and of all information and data contained in the report.

The entire procedure described in article 4 of this Policy will be conducted confidentially, objectively and impartially.

The persons involved in this procedure scrupulously undertake to respect the confidentiality of the information and data brought to their attention. Failure to do so may result in disciplinary action.

3.2. The identity of the author of the report, including any information from which the identity of the latter may be directly or indirectly deduced, may not be disclosed without the express consent of the latter to persons other than the authorised and competent members of staff provided for in article 4 of the Policy.

By way of derogation from the preceding paragraph, the identity of the author of the report and any other information referred to in the preceding paragraph may be disclosed where this is a necessary and proportionate obligation imposed by the amended Law of 8 June 2004 on freedom of expression in the media or by European Union law in the context of investigations carried out by national authorities or in the context of legal proceedings, in particular with a view to safeguarding the rights of defence of the person concerned.

4. Procedure to follow in case of internal report

The internal reporting procedure described hereafter applies to all of Luxinnovation employees as well as, to persons working under the supervision and direction of contractors, sub-contractors and suppliers, to its independent contractors, to its members and to the members of its administrative, management or supervisory body, as well as to former employees, paid or unpaid trainees, volunteers and candidates.

4.1. Rules for the internal report of breaches

1. Reporting channel

The breach must be reported in sufficiently precise terms.

The Reporting person must report in good faith to competent persons in writing, signed and dated:

by email to be sent to the following address whistleblowing@Luxinnovation.lu or
by letter to be sent to the following postal address Luxinnovation GIE – Whistleblowing/lanceur d’alerte 5, Avenue des Hauts-Fourneaux L-4362 Esch-sur-Alzette

2. Content of the report

The report shall include at least the following information:

the identity, the function and the contact details of the Reporting person;
the subject of the report;
the identity of the person(s) to whom the report relates;
a precise and detailed description of the facts (dates, witnesses, etc.);
any information or any document, in whatever form or on whatever support, that may support the report.

3. Anonymous report

The Reporting person may issue an anonymous report, although identified reports are strongly encouraged. Please note that all reports, even if anonymous, must be made in good faith.

Luxinnovation to accept the exceptional circumstances justifying the anonymous reporting and to deal with the report.

If the authorized person receiving the written report considers it sufficiently precise and the exceptional circumstances justified, the anonymous Reporting person must be willing to answer any questions deemed useful in the context of processing the report.

Failing this, the Legal Entity will not be obliged to deal with the anonymous report.

If all requirements for an anonymous report are met and any additional questions are answered, the report will be processed and followed up in the same way as non-anonymous reports.

4. Acknowledgement of receipt of the report

An acknowledgement of receipt of the report will be sent to the Reporting person as soon as possible and at the latest within 7 working days of receipt of the report.

5. Admissibility of the report

To enable the Legal Entity to process and follow up the report, it must be phrased in sufficiently precise terms. Failing this, the report will not enable the Employer to fulfil its obligations and Luxinnovation may decide either to file the report with no further action or to request additional information.

Where the report is sufficiently precise, it will be dealt with in accordance with the following point.

4.2. Processing and follow-up of the report

1. Contemplated follow-up measure(s)

The report is forwarded to [to the authorized persons (designated by the Management Committee and whose names are communicated to Luxinnovation staff at each new appointment) who will decide on the measures to be taken in the light of the information reported by the Reporting person and, where appropriate, any additional information gathered by the authorized persons.

The contemplated measures may include in particular:

the referral of the Reporting person to the appropriate person or department within Luxinnovation in the event of inadmissibility (e.g. HR department, superior, management, etc.);
the closure of the procedure, including when the elements reported do not make it possible to conclude that a breach has occurred, in the event of a manifestly minor breach requiring no further action other than the closure of the procedure, due to insufficient evidence or for other reasons that will be specified to the Reporting person (the procedure will be closed, for example, in the event of repeated reports that contain no significant new information in relation to any previous report);
the opening of an investigation when the reported elements require so (please refer to article 4.2. point 2 of the Policy);
sanctions against the perpetrator(s) of the breach when the reported elements are sufficient in themselves to come to the conclusion that a breach has occurred (please refer to article 6 of the Policy);
the referral to a competent authority for further investigation, insofar as this information would not prejudice the internal investigation or infringe the rights of the person concerned.

Information on the contemplated or taken measures as part of the follow-up and on the reasons for this follow-up must be provided within a reasonable timeframe, and at the latest within 3 months of the acknowledgement of receipt of the report or, in the absence of an acknowledgement of receipt, within 3 months of the expiry of a period of 7 days following the receipt of the report.

The Reporting person will be kept informed on a regular basis, and at their reasonable request, of the progress of the processing of the report. The Reporting person may also be asked to provide any additional information deemed necessary to process the report.

2. Investigation

a) If the reported elements require so and on the decision of the Management, an investigation will be carried out by the authorized persons as soon as possible, depending on the availability of all parties and the complexity of the case.

In this respect, depending on the situation, the Management will appoint the members of the Ethic Committee , constituted of Luxinnovation employees, or an external service provider if necessary.

As part of the investigation, individual interviews may be conducted with the following people:

the Reporting person;
the alleged perpetrator(s) of the breach;
if necessary, any person mentioned in the report or any person who can provide clarification on the reported facts (work colleagues, superior, etc.).

A report of each interview will be signed and dated by the person interviewed and the persons who conducted the interview.

These exchanges are intended to supplement any documents and information gathered to enable a decision to be taken on the reported breach.

b) On the basis of the reports and other elements gathered, the Ethic Committee will draw up its final investigation report in order to determine whether or not the reported breach has been established. This report will be sent to relevant external final advice (legal, accounting, etc.), before submission to the Management Committee for final decision.

The conclusions of the investigation, i.e. whether or not a breach has been established, will be communicated to the Reporting person and to the perpetrator(s).

The reports of the interviews and any documents and information gathered remain strictly confidential. They may, if necessary, be forwarded to the competent authority at its request or to the courts in the event of a dispute.

c) If the breach is established, appropriate sanctions will be taken against the perpetrator(s) in accordance with article 6 of the Policy.

If the breach is not established, the procedure is closed.

5. External report to a competent authority

The Reporting person may lodge an external report to the competent authority and in accordance with the reporting channels and procedures set up by the competent authority:

either after having made an internal report in accordance with this Policy;
or directly if it is impossible to effectively remedy the breach internally or if there is a risk of retaliation against the Reporting person.

Under the Law, the Reporting person is encouraged to privilege internal reporting channels before reporting externally.

6. Sanctions against the perpetrator(s) of the breach

When a breach is established, appropriate sanctions will be taken against the perpetrator(s) of the breach.

The perpetrator of the breach is informed that, depending on the nature and the extent of the breach, legal, criminal and/or administrative proceedings may be taken against him/her.

7. Protection of the Reporting person

1. The Reporting person who makes a report in good faith in accordance with this Policy and the legal provisions in force shall not be subject to retaliations for the reported facts.

2. However, any report which is not made in good faith, which contains misleading information or which is made in particular with the intention of harming Luxinnovation or of harming a specific person may be subject to disciplinary sanctions up to a dismissal with immediate effect.

In addition, pursuant to article 27(5) of the Law, a Reporting person who has knowingly reported or publicly disclosed false information may be subject to a sentence of imprisonment of 8 days up to 3 months and a fine of between EUR 1,500 and EUR 50,000.

The author of a false report may also be held civilly liable (including in the case of a report made when its author was aware of the falseness of the information reported) and the Employer may claim damages for the loss suffered in front of the competent court.

Finally, it should be remembered that the person targeted by false accusations benefits from a personal action for defamation or slanderous denunciation against the reporting employee.

3. The protection measures provided for in point 1 also apply to facilitators and third parties who are related to the Reporting person and who are at risk of retaliations in a work-related context (e.g. colleagues, relatives of the Reporting person).

8. Processing of personal data

1. Any processing of personal data under this Policy and the Law shall be carried out in accordance with:

the Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation, hereinafter referred to as "GDPR");
the Law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security;
the GDPR Policy implemented within Luxinnovation’ privacy notice.

2. Personal data that is clearly not relevant to the processing of a specific report shall not be collected or, if collected accidentally, shall be deleted immediately.

3. In accordance with the Law of 16 May 2023 and the GDPR, the storage period for documents in connection with a report of a breach will be determined on a case-by-case basis depending on the nature of the reported breach or misconduct.

Last modification: December 2023