The internal information system (IIS) is the system implemented by IRIZAR, S.Coop to receive and handle information about possible irregularities and guarantee whistleblowers are protected from retaliation, as long as the information is within the legal framework.

The reference regulation is the Whistleblowing Directive (European Directive 2019/1937) and its transposition to Spanish law is Law 2/2023 regulating the protection of persons who report regulatory infringements and the fight against corruption.

Anyone with a professional or employment relationship with our organisation will be able to notify us through the internal channels about any possible (serious or very serious) criminal, administrative infractions or violations of European Union law or any non-compliance with our code of ethics, with a full guarantee of security and confidentiality and without the possibility of being retaliated against, as long as they have acted in good faith.

The IIS is part of our compliance system, and it is made up of the following elements.

• Policy or fundamental principles of the internal information system
• A system manager, specific and independent, legally designated by the Governing Council and who has named a physical person to be in charge of receiving and processing information
• Some internal channels for receiving notifications, designed and enabled to meet the legal requirements for security and confidentiality
• A procedure for handling notifications, which must be complied with, that guarantees the requirements for the protection, confidentiality, objectivity and effectiveness of the reception, handling and resolution process for the notifications received
• And a digital platform that can be used to report cases and process them internally We will do that in a secure way with access to the data restricted exclusively to people legally authorised to do so with a private website area for bidirectional monitoring and exchanging information and documentation for the case with the whistleblower.

When you enter our internal channel platform, you arrive at a main page with a reminder about the general aspects of the channel and where you can read detailed information about our privacy policies for whistleblowers and affected parties.

From there you can access the form where you can provide details about your information either in writing or a secure audio recording, and you can also attach additional documentation if you wish. We use technical measures to protect your identity that remove metadata from files, distort your voice and always encrypt all exchanges of information.

You can report information anonymously or using your name. Your personal data will be used exclusively for the anticipated purposes, which you can see in the privacy policy, and it will be processed by authorised staff without ever revealing your identity to the person the incidents described in the notification are imputed to or any third parties.

On the form you can request an appointment to present or expand the information in person to the case handler. The appointment will be made within a maximum of 7 days after requesting it through the private monitoring area of the website, which will be explained below.

Verbal communications must be documented, with consent by the whistleblower, by recording them in a secure, durable and accessible format or by a complete and accurate transcription of the communication. Notwithstanding their rights in accordance with data protection regulations, whenever possible, the whistleblower will be given the opportunity to verify, rectify and accept the transcription of the conversation with their signature.

After the form is filled out, we will confirm that it has been received and you will be given an access code for the private monitoring area, where, if you wish, you can see the progress of your case and communicate or exchange information and documentation with the case handler in an easy, secure and confidential way. The access code must be saved appropriately because, for reasons of confidentiality, it cannot be recovered and if it is lost or forgotten the information must be sent again.

While the case is being processed, more information may be requested through the private monitoring area, so you should check it periodically to see the status. If you wish, when you are given the access codes to the private monitoring area, you will be given the chance to provide an email address whose sole purpose is to alert you of developments in your case.

The case handler will analyse the information sent to determine whether it can be processed or not, and they will send the whistleblower a notification about whether their notification will be accepted for processing or not.

If your notification is accepted for processing an internal investigation will be started. And within a maximum period of three months (which may be extended to six months for complicated cases), you will be notified of the orientation of the final resolution.

External Channel of the Independent Whistleblower Protection Authority:

Even though the preferred avenue for informing about possible non-compliance is the internal one, if the irregularity you want to inform about falls under article 2 of Law 2/2023, that is it involves possible serious or very serious criminal or administrative infractions or violations of EU law, it can be reported through the external channel of the competent Independent Whistleblower Protection Authority [link or access info for the channel] , either directly or after having made a report through our internal channel.