ATHENS INTERNATIONAL AIRPORT’S WHISTLEBLOWING POLICY/ EXECUTIVE SUMMARY
1.1 Purpose. The Whistleblowing Policy (the “Policy”) sets the general principles and the operational framework through which Athens International Airport (AIA) (“the Company”) receives, assesses, and investigates reports alleging:
a) breaches of EU Legislation in the areas set out in Law 4990/2022,
b) irregularities, omissions, or offenses of the Company’s “Corporate and Regulatory Compliance System - CRCS”, comprising AIA’s core ethics and business-related Codes and Policies that come to the attention of its Employees, Customers, Suppliers, persons acting on behalf and/or in the name of the Company, or other stakeholders.
The Company endorses the present Policy as demonstration of its commitment to uphold fair business and behavioral values and practices. The Company further ensures its application by providing appropriate guidance and awareness as well as easily accessible channels of confidential reporting.The Policy and any amendments are approved by the Board of Directors of the Company. AIA is committed to maintaining the highest level of ethics and professional behavior, adopting a zero-tolerance approach towards illegal or governance-counter actions which might negatively affect its reputation and credibility.
1.2 Regulatory Framework. The Policy, complies with the requirements of the regulatory framework, as stipulated in the provisions of Law 4990/2022 transposing Directive (EU) 2019/1937 of the European Parliament of 23 October 2019 and of the Council on “the protection of persons who report breaches of Union law”.
1.3 Scope and Obligations. The whistleblowing process is addressed to all Employees of the Company, the Management, and the Members of the Board of Directors, as well as to third parties who have an ongoing relationship with the Company.
Customer complaints pertaining to the quality of services provided for by the Company are managed by the competent Customer Service department and are not under the scope of this Policy.
The Policy constitutes means of ensuring the integrity, ethical governance, and reputation of the Company.
It contributes to the identification of risks and to the adoption of the appropriate corrective measures, including but not limited to, enhancing the Internal Control System, detecting in advance incidents of fraud, harassment, or other serious offenses, applying the appropriate measures to liable parties and, when required, notifying the competent Authorities, as the case may be.
Ensuring an environment of trust and safety for Employees, Customers and Suppliers, the Company encourages reporting in good faith of illegal acts or serious offenses, which come to the attention of persons wishing to report such actual or potential irregularities (“Whistleblowers”).
An inviolable principle of the Policy is to protect anonymity and confidentiality of the personal data of Whistleblowers and, in case of Company Employees, to safeguard that their professional evaluations are and will be performed impartially. The whistleblowing procedure aims at strengthening transparency, which encourages the reporting of incidents that give rise to violations of the Procedures and Policies of the Company as these are provided in the pertinent corporate documents, as well as the reporting of incidents of fraud, corruption, coercion, harassment, abuse of power or other violations.
Reports shall be submitted on condition of sincere and reasonable belief that an offense or misdeed has been or may be committed.The Employees, Customers and Suppliers of the Company, or other Stakeholders are encouraged to report offenses, cases of suspected illegal behavior, mismanagement incidents, or serious omissions with respect to the law, Regulations, Policies and Procedures. Cases that should be reported include:
Reports can be submitted through the following confidential channels:
In all cases, acting in good faith over the legitimacy of a report is a prerequisite.
Whistleblowers are protected against retaliation or reprisal actions, on the following grounds: a) The identity of the Whistleblower, should they have opted not to be anonymous, b) Persons who report or publicly disclose information on breaches anonymously, but who are subsequently identified and suffer retaliation, shall nonetheless qualify for the protection provided, c) Submitted reports are received by the Authorized Reports Receiver and if admissible for further investigation are then communicated only to predefined members of the Whistleblowing Investigation Committee (WIC) and supporting staff all bound to act in due discretion and confidentiality. Respecting the above would also result in protecting the identity of the reported persons, who shall be notified on the existence of a report at a stage which shall not affect the investigation and resolution of the reported case, and in any such case without breaching terms of confidentiality regarding the whistleblower and confidentiality of details included in the report. The Company ensures that the Whistleblower is properly protected against possible negative consequences, such as threats or attempts of retaliation, or discrimination or any other form of unfair treatment.
Depending on the Reported person (i.e. an employee, or a member of Management, or a member of the Investigation Committee, or a Member of the Board of Directors) said reported case will be assessed by an on Purpose established Investigation body not having any conflict of interest with the reported case, i.e the Investigation Committee, or the Company’s CEO, the employees’ Unit Chief Officer, the Board of Directors or any other internal or external to the Company investigation body assigned on purpose.
The Company ensures that Reported Persons are fully protected against potential negative impact, in such cases where the assessment of the report does not reveal a Policy breach. Even when the investigation decides upon a justified violation and measures have been taken against the Reported Persons, their protection is ensured against involuntary negative effects, irrespective of potential sanctions imposed by the competent bodies.
Revealing the identity of the Whistleblower may be required by a judicial or other legal procedure in the context of investigating the corresponding case. The Whistleblowers shall be informed before their identity is disclosed unless such information would jeopardize the related investigations or judicial proceedings. When informing the Whistleblower, the Company shall provide justification for sharing the confidential data concerned.
The Company takes all necessary technical and organizational measures to protect personal data. Any processing of personal data under this Policy is carried out in accordance with relevant national and European regulations. The Data Protection and Compliance department retains in electronic format, a file per case, with the necessary security specifications.
5.1. Governance. According to the provisions of L.4990/2022, the Company assigns the responsibilities of receipt and follow up of Reports to the Company’s Manager Data Protection and Compliance. The Investigation Committee is responsible for assessing reports and proposing measures it deems necessary.
5.2. Receiving Reports. To facilitate the proper examination and assessment of the submitted reports, the Whistleblowers are encouraged to provide all available information, including the facts giving rise to the suspicion/concern related with the report, indicating the date and nature of the event, the name(s) of the person(s) involved as well as potential witnesses, or other evidence, including documents and locations.
5.3. Handling Reports. When a report is forwarded to the Investigation Committee, the latter shall resolve on whether the report indicates irregularities, omissions, or offenses. In such a case, the Committee shall refer the report to the competent Division(s) of the Company to proceed with any further necessary actions. Subsequently, the Committee resolves on whether to close the case or to inform the Management of the company about the identified violations.
When an Employee has been found violating the Company’s Internal Regulations, Policies and Procedures, the Investigation Committee escalates the case for the purpose of deciding upon the imposition of measures, as follows: i. To the CEO with the support and recommendations of the Committee when the reported person is a member of the middle management or an employee, ii. To the Human Resources Division, in any other case. In case the report engages members of the Company’s Chief Officers, or members of the Investigation Committee, the report is put to the attention of the CEO, who assigns the respective investigating team, excluding and replacing any involved persons, or engages external advisors to this effect.
Any report engaging the CEO, or a Member of the Company’s Board of Directors, is duly forwarded to the Chairman of the Audit Committee of the Boards of Directors, for further evaluation and to set the next steps in the investigation process and provision of information to the Board of Directors.
The Manager Data Protection and Compliance is responsible to receive and follow up on the reports, to communicate with the Whistleblower, and, if deemed necessary, to request further information and update on the progress of their report. In case the report has been submitted on an eponymous basis, the assigned responsible Manager acknowledges receipt of the report within seven (7) business days following its submission. Upon completion of the case, informs the Whistleblowers of the decision taken on their report. A case shall be regarded as complete when a final decision has been resolved by the Company or the Committee when its decision is to close the case, or, in any other case, when actions by the competent Division(s) of the Company have been concluded. Feedback to the Whistleblower shall be provided no later than three (3) months from the acknowledgement of receipt of the report or, if no acknowledgement was sent, three (3) months from the expiry of the seven-business day period after the report was submitted.
Access to whistleblowing data is restricted to the Employees on a “need to know” basis and only for whistleblowing management purposes.
5.4. Adoption, Review and Update. Under the responsibility of the Data Protection and Compliance department, the Policy shall be communicated to Employees and posted on the Company’s website in a separate, easily identifiable, and accessible section. Information shall include the procedures applicable for reporting a case, including the template and the way the Company may request the Whistleblower to clarify elements of the report, or to provide additional information, the timeframe for providing feedback and the type and content of such feedback, as well as the nature of the follow-up over the reports.
The Data Protection and Compliance Division is responsible for the evaluation and annual review of the Policy and, if deemed necessary, proposes amendments to the Audit Committee of the Board of Directors, in order to recognize changes of the respective regulatory framework and continually improve operational efficiency and effectiveness. In such cases, following a recommendation by the Authorized Reports Receiver, in collaboration with the Investigation Committee, the Management proposes to the Audit Committee of the Board of Directors revisions of the Policy, which are then approved by the Board of Directors.
The present document is issued on June 23, 2023 and may be subject to revision, as per applicable regulatory requirements.