Reporting of signals

Internal reporting of signals in accordance with the act on protection of persons reporting information or publicly disclosing information about breaches

Procedure for reporting signals through internal channel

The signal shall be submitted to the employee responsible for reviewing signals, in writing, including by email, or orally. Oral reporting of a signal can be done by phone, through other voice messaging systems, and upon request of the reporting person – in a personal meeting within an agreed-upon period (Section V, Article 3, Paragraph 1 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

For the registration of signals, sample forms approved by the national authority for external reporting of signals shall be used, containing at least the following data (Section V, Article 3, Paragraph 2 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches):

1. Full name, address, and phone number of the submitter, as well as an email address, if available;
2. Names of the person against whom the signal is filed and their work place, if the signal is filed against specific individuals who are known;
3. Specific data on the breach or the real danger of its commission, the place and period of the breach, if committed, a description of the act or situation, and other circumstances known to the reporting person;
4. Date of submission of the signal;
5. Signature, electronic signature, or other identification of the submitter.

The written signal shall be submitted by the reporting person by filling in a sample form, which is kept and provided by the employee responsible for reviewing signals. The oral signal shall be documented by filling in a form by the employee responsible for reviewing signals, who offers the submitter to sign it, if desired (Section V, Article 3, Paragraph 3 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

Any type of information sources supporting the claims made in it and/or references to documents, including providing data on individuals who could confirm the reported information or provide additional information, may be attached to the signal (Section V, Article 3, Paragraph 4 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

If the signal does not meet the requirements of Paragraph 1, the reporting person shall receive a message to rectify the identified irregularities within a 7-day period from receiving the signal. If the irregularities are not rectified within this period, the signal, together with its attachments, shall be returned to the reporting person. (Section V, Article 3, Paragraph 5 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

Each signal shall be verified regarding its accuracy. Signals which do not fall within the scope of the law and whose content does not provide grounds to be considered credible, shall not be considered. Signals containing obviously false or misleading factual claims shall be returned with instructions to the submitter to correct the claims and the responsibility they bear for false reporting. (Section V, Article 3, Paragraph 6 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

A sample form for registering a signal for providing information about breaches according to the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches can be found upon request from the employee responsible for receiving signals, as well as on the website of the Commission for Personal Data Protection https://www.cpdp.bg/ (Section V, Article 3, Paragraph 7 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

HANDLING OF SIGNALS AND INTERNAL REVIEW

Employees responsible for reviewing signals are required to (Section V, Article 4, Paragraph 1 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches):

Employees responsible for reviewing signals are required to:

1. receive the signals and confirm their receipt within 7 days of receiving them;
2. ensure that the identity of the reporting person and any other person mentioned in the signal will be duly protected, and take necessary measures to limit access to the signal by unauthorized persons;
3. maintain communication with the reporting person, requesting additional information from them and third parties, if necessary;
4. provide feedback to the reporting person on the actions taken within a period not exceeding three months from confirming the receipt of the signal or, if no confirmation has been sent to the signal submitter, within three months from the expiration of the period under item 1;
5. provide clear and easily accessible information on procedures for external reporting of signals to the competent central authority and, when appropriate, to institutions, authorities, services, and agencies of the European Union, to individuals wishing to submit a signal;
6. document oral signals;
7. maintain a register of submitted signals;
8. hear the person against whom the signal is filed or accept their written explanations and gather and evaluate the evidence provided by them;
9. provide the affected person with all collected evidence and allow them to object to them within a 7-day period while respecting the privacy of the reporting person;
10. give the affected person the opportunity to present and indicate new evidence to be collected during the investigation;
11. in case the facts presented in the signal are confirmed:

a/ handle the taking of follow-up actions in connection with the signal, for which they may require the assistance of other individuals or units within the structure of the respective obligated subject;

b/ propose to the management of the enterprise/employer the taking of specific measures to cease or prevent the breach in cases where it is identified or there is a real danger of its occurrence;

c/ direct the reporting person to the competent authorities when their rights are affected;

d/ forward the signal to the external reporting authority when action is necessary on their part, with prior notification to the reporting person; in the event that the signal is filed against the employer of the reporting person, the employee responsible for reviewing the signal directs the person to simultaneously report to the external reporting authority.

In the case of a submitted signal, the employee responsible for reviewing signals must obtain a Unique Identification Code (UIC), which should be used by them to register the submitted signals with the obligated subjects (Section V, Article 4, Paragraph 2 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

To obtain the UIC, the employee responsible for reviewing the signal must provide the following information (Section V, Article 4, Paragraph 3 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches):

1. Name and Unified Identification Code (EIK/BULSTAT) of the employer to whom the signal was submitted;
2. Identification data of the employee responsible for reviewing the signal;
3. Subject of the signal/the relevant areas specified in Article 3, Paragraph 1 and Paragraph 2 of the law;
4. Method of receipt/written or oral.

FOLLOW-UP ACTIONS

The employer (Section V, Article 5, Paragraph 1 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches):

The employer:

1. on the grounds of the received signal and the proposals of the employee responsible for reviewing the signal, shall take actions within its competence to stop the breach or prevent it, if it has not started;
2. shall prioritize, according to predetermined criteria and rules, the review of the received signals for more serious breaches;

3. shall terminate the investigation:

   a/ when the breach for which the signal is submitted is a minor case and does not require taking additional follow-up actions; the termination does not affect other obligations or applicable procedures related to the breach for which the signal was submitted, nor the protection under the law regarding internal or external reporting of signals;

b/ for a repetitive signal that does not contain new information of substantial importance for a breach for which an investigation has already concluded, unless new legal or factual circumstances provide a basis for taking follow-up actions.

c/ when data indicating a committed crime is established; the signal and the materials related to it shall be immediately sent to the prosecutor's office;

4. shall prepare an individual report briefly describing the information from the signal, the actions taken, the final results of the investigation into the signal, which, together with the reasons, is communicated to the employee or official who submitted the signal and to the affected person while respecting their obligation for privacy protection.

In cases where the investigation is terminated based on point 3, letters "a" and "b," the reporting person may submit a signal to the central authority for external reporting of signals (Section V, Article 5, Paragraph 2 of the Internal Rules of "KARACHI" JSC for internal reporting of signals in accordance with the Act on Protection of Persons Reporting Information or Publicly Disclosing Information about Breaches).

CONTACT DATA OF THE EMPLOYEE RESPONSIBLE FOR RECEIVING SIGNALS UNDER THE ACT ON PROTECTION OF PERSONS REPORTING INFORMATION OR PUBLICLY DISCLOSING INFORMATION ABOUT BREACHES:

Rozalina Dimitrova Koseva

Phone: +359884/857-627

Address: Varna, Sts. Constantine and Helena resort, Astor Garden Hotel

Email address for submitting signals: signals@astorgardenhotel.com