Terms and procedure
for organizing a channel for submitting reports under the Act on the Protection of Persons Who Report or Publicly Disclose Information about Breaches (APPRPDIB) at EOS MATRIX
Appendix
This document, in accordance with the provisions of Art. 12, para. 4 of the APPRPDIB, regulates the terms and procedure for internal reporting and for follow-up actions on reports at EOS MATRIX EOOD. These terms and procedures are directly and effectively applicable to branches and subsidiaries of EOS MATRIX, including those registered abroad, in compliance with regulatory requirements. The terms and procedure apply to reports of breaches of Bulgarian legislation or acts of the European Union falling within the scope of Art. 3 of the APPRPDIB. These terms and procedures apply to persons who have reported information about a breach that became known to them in their capacity as persons within the meaning of Art. 5, para. 2 of the APPRPDIB.
No proceedings are initiated, and no action is taken under these terms and procedures for anonymous reports, except in cases expressly provided for by law.
Employees responsible for a received report
By an explicit decision of the manager of EOS MATRIX, employee(s) at EOS have been designated to be responsible for handling reports.
The employee(s), together with the Sales and Marketing department, maintain the current information on the website according to Art. 12, para. 4 of the APPRPDIB. The information is placed in a visible location in the offices of EOS MATRIX by the designated employee(s).
Procedure
The procedure for examining reports begins with the receipt of a report at EOS MATRIX under the terms and conditions of the APPRPDIB. Each report is checked for its credibility. Reports that do not fall within the scope of Art. 3 of the APPRPDIB and whose content does not give grounds to be considered plausible will not be reviewed. Each report is checked by the designated employee(s) for its admissibility and credibility. If the check establishes that the report does not fall within the scope of the APPRPDIB and its content does not give grounds to be considered plausible, an opinion is prepared for the manager(s) of EOS MATRIX. Reports containing obviously false or misleading statements of fact are returned to the reporter with an instruction to correct the statements and with information about the liability they bear for making false accusations.
Submitting a Report
An internal channel has been established at EOS MATRIX through which a report can be submitted in writing or orally. Reports are submitted only to the employee(s) designated by the manager of EOS MATRIX.
Written reports are submitted by filling out the 'Form for registering a report for submitting information on breaches', according to the template approved by the CPDP (Commission for Personal Data Protection), available at the following web address: https://www.cpdp.bg/
If the report does not meet the requirements of the law and these terms and procedures, a message is sent to the reporting person to rectify the irregularities within a 7-day period from the receipt of the report. If the irregularities are not rectified within this period, the report, together with its attachments, is returned to the reporting person.
Oral reports are submitted:
Registering a Report
For each report received at EOS MATRIX, actions are taken by the designated person(s) to generate a Unique Identification Number (UIN) and it is entered into a register of reports, in accordance with the requirements of the law and subordinate legal acts.
Within 7 days of receiving the report, the designated employee(s) perform a regularity check and confirm its receipt, providing the reporting person with information about the UIN and the date the report was registered.
If the report does not meet the requirements of Art. 15, para. 2 of the law, a message is sent to the reporting person to rectify the irregularities within a 7-day period from the receipt of the report. If the irregularities in the report are not rectified within the deadline, the designated employee(s) prepare an opinion for the manager, after which the report is returned to the reporting person along with its attachments.
Register of Reports
The manager(s) of EOS organize(s) the creation and maintenance of an internal Register of reports of breaches according to the CPDP template. The register is not public, and access to it is strictly limited in accordance with the requirements of the law. The register is kept by the designated employee(s). Only the designated employee(s) have access to the Register.
The manager(s) of EOS organize the activities for creating and maintaining the register in such a way that the information entered in the register is stored in a manner that guarantees its confidentiality and security. The register is kept and maintained on a durable medium in accordance with §1, item 18 of the additional provisions of the law and in accordance with the requirements of Ordinance No. 1 of July 27, 2023, on keeping the register of reports under Art. 18 of the Act on the Protection of Persons Who Report or Publicly Disclose Information about Breaches. The information from the register is stored in a way that allows its reproduction without data loss.
Work related to receiving and registering documents for reports is carried out in compliance with the EOS MATRIX Privacy Policy and the EOS MATRIX General Information Security and Confidentiality Policy.
Terms and Measures for the Protection of Reporting Persons
In the event that the facts presented in the report are confirmed, the designated employee(s) organize(s) the undertaking of follow-up actions in connection with the report, and for this purpose may require the assistance of other persons or units within the company. The designated employee(s) prepare(s) and provide(s) an opinion with attachments on the case to the manager(s) of EOS, which contains information about the report, the follow-up actions taken, and proposals for taking specific measures to stop or prevent the breach.
The manager(s) of EOS take(s) the necessary measures to prohibit any form of retaliation against a reporting person that has the character of repression and places them at a disadvantage, as well as threats or attempts at such actions, according to the definitions in the law.
The manager(s) of EOS take(s) the necessary measures to ensure that persons reporting irregularities at EOS MATRIX are informed of their right to support measures, in particular free and accessible information and advice, assistance before any authority necessary for their protection against retaliatory actions, including by duly communicating the fact that they are entitled to protection under the law, legal aid, and mediation, as well as about the bodies that can provide it to them.