top of page

Internal Information System

Reporting Channel Policy

1. Internal Information System Policy


Immfly, S.L. ("Immfly" or the "Company") has implemented an Internal Information System (the “IIS”) and a Reporting Channel (the "Reporting Channel") that allows any person with the status of employee of the Company as well as any external person who has a relationship with the Company, whether as a shareholder, subcontractor or supplier, among others, to report (the “User”) (in an identified or anonymous manner) any suspicious event of a conduct, regulatory or law breach of which he/she is aware.

This implementation has been done in accordance with the Spanish Law 2/2023, of 20 February 2023, regulating the protection of persons who report regulatory infringements and the fight against corruption (the "Whistleblower Protection Law"), which transposes into Spanish law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019.

This policy (the “Policy”) intended to regulate the rights, duties, guarantees, terms and conditions of access and use of the Reporting Channel by potential Users. The access and/or use of the Reporting Channel implies full and unreserved acceptance by the User of this Policy and of the conditions of use of the website where the Reporting channel is hosted

2. Scope of the IIS and the Reporting Channel 


This Policy offers the highest level of protection to Users who report:  

  • Actions or omissions that may constitute a serious or very serious criminal or administrative offense. In any case, it shall be understood to include all those criminal or serious or very serious administrative offenses that involve economic losses for the Public Treasury (Hacienda Pública) and Social Security. 

  • Any actions or omissions that may constitute infringements of European Union Law*.

  • Actions or omissions that may constitute a breach of the Company's internal regulations, expressly including the Code of Ethics and Deontology, the Harassment Prevention Protocol, the Anti-Corruption Policy, the Policy for the Prevention of Money Laundering and the principles and values that are assumed as a guide for the conduct of all employees in the framework of any labor context. 

* This Policy shall apply to such acts or omissions provided that: (1st) Fall within the scope of the acts of the European Union listed in the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law, irrespective of their qualification in the internal legal order; (2nd) Affect the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union; or (3rd) Affect the internal market, as referred to in Article 26 (2) of the TFEU, including infringements of the European Union rules on competition and aid granted by the States, as well as infringements relating to the internal market in connection with acts that infringe the corporate tax rules or with practices whose purpose is to obtain a tax advantage that distorts the object or purpose of the legislation applicable to corporate taxation.

Therefore, communications related to strictly individual opinions and/or work performance not involving any rule infringement (such as the ones mentioned above) are excluded from the scope of this Policy. In such cases, the matter will be referred, if appropriate, to the People and Culture Team.

Likewise, this Policy shall be applicable to all informants and/or Users who have obtained information on any of the actions or omissions referred to in the previous section, in an employment or professional context or situation, including:

  • Any person working for or under the supervision and direction of Immfly, its contractors, subcontractors and suppliers;

  • Persons who have in the past been employees or collaborators of Immfly, having already terminated their employment or statutory relationship with the Company;

  • Volunteers and interns, regardless of whether or not they receive remuneration;

  • Persons whose employment relationship has not yet commenced, in cases where information on breaches has been obtained during the selection process or pre-contractual negotiation; and

  • Shareholders and persons belonging to the Company's board of directors, management or supervisory body, including executive and non-executive members.

The protection measures provided for in this Policy shall also apply (i) to natural persons who, within the organization in which the reporting person provides services, assist the reporting person in the process; (ii) to natural persons who are related to the reporting person and who may suffer retaliation, such as co-workers or family members of the reporting person; and (iii) to legal persons for whom the reporting person works or with whom the reporting person has any other type of relationship in an employment context or in which the reporting person has a significant shareholding.

3. Internal Information System (IIS)


The IIS is the preferred course for reporting the actions and omissions set forth in section two (2) above. 

The IIS is mainly composed of (i) the Reporting Channel, a communication channel enabled for the reception of the communications foreseen in the scope of application of this Policy, (ii) an IIS committee composed of different senior management team members and chaired by the CEO/President of the Company, and (iii) a procedure or protocol to be followed for the processing of each of the communications received through the channel.

In accordance with the Whistleblower Protection Law, the IIS complies with the following principles:


  • Access: It allows all persons referred to in paragraph 2 above, either identified or anonymously, to communicate information on infringements mentioned in the “Scope of the IIS and the Reporting Channel” paragraph.

  • Confidentiality and Safety: It is designed, established and managed in a secure manner, guaranteeing the confidentiality of the identity of the User and of any third party mentioned in the communication, and of the actions carried out in the management and processing of the same, and prevents access by unauthorized personnel.

  • The identity of the User (if known) as well as third parties mentioned in the communication, may only be communicated to the judicial authority, the Public Prosecutor's Office or the Administrative Authority, as appropriate in the context of a criminal, disciplinary or sanctioning investigation, prior notification to the informant and/or User or the third party concerned, provided that such circumstance does not compromise the investigation or the judicial proceeding in progress.

  • Integration: The Reporting Channel is fully integrated and easily accessible through the Company's official webpage at the following link:

  • Proportional and objective: The actions carried out within the scope of the IIS and the Reporting Channel shall be developed in accordance with the standards of proportionality and objectivity, with the utmost respect for the law in force, recognizing the rights of all the parties involved and observing all the guarantees expressly provided for in the IIS information management protocol for the persons involved, and any act constituting retaliation against informants is expressly forbidden.

  • Good faith: It is a requirement for the protection of the informant/User that he/she acts in good faith and with honest awareness that serious harmful facts have occurred or may occur. This principle is opposed to actions such as the forwarding of false or misrepresented information, as well as information that has been obtained illegally. 

3.1. Reporting Channel


Immfly has set up an Reporting channel, which complies with all the requirements of the applicable regulations on the protection of informants and data protection, which is correctly integrated into Immfly's corporate website. 

Additionally, the User may ask the IIS committee, or any of its members if he/she feels more comfortable (also in cases of conflicts of interest), for a face-to-face meeting directed to present the communication verbally. In this case, the meeting must be duly documented in one of the following ways, subject to the prior consent of the reporting person:


  • Through a recording of the conversation in a secure, durable and accessible format; or

  • Through a complete and accurate transcription of the conversation made by the person in charge of handling it. 

Without prejudice to his or her rights under data protection regulations, the informant will be given the opportunity to verify, rectify and agree to the transcription of the conversation by signing it. 

The communications should contain, to the extent possible: 

  • Address, e-mail or safe place to receive notifications, being by default the safe place the Internal Information Channel itself.

  • Name and surname(s) of the person(s) to whom the facts or conduct that are the object of the communication are attributed. 

  • Date on which the reported facts took place and maximum information available about them. 

  • Any documents or other means of evidence available to it that may prove the reality of the facts or conduct that are the subject of the communication. 

All appropriate measures will be taken to ensure the confidentiality of communications sent through non-established channels or to staff members who are not part of the IIS committee (who should immediately forward any communication received to the IIS committee). 

3.2. IIS Committee


The Board of Directors has appointed an IIS Committee composed of different senior management team members and chaired by the CEO/President of the Company.

The Board of Directors has assessed and selected this IIS Committee so that it can offer adequate guarantees of independence, confidentiality, data protection and secrecy of communications, as well as guarantee alternatives to avoid any conflict of interest. 

The Chairman of the Internal IIS Committee has been notified to the Independent Authority for the Protection of the Informant or, as the case may be, to the competent authorities or bodies of the Autonomous Communities, within the scope of their respective competences. 

The IIS Committee as a whole will diligently assume the resolution of the procedures initiated as a result of the communications received through the Reporting Channel, independently and autonomously with respect to the rest of the Immfly bodies, ensuring the proper application of the information management procedure detailed in the following section. 

The IIS Committee shall keep a register of the information received and the investigation files to which they have given rise, guaranteeing the confidentiality of the information at all times. The following information shall be entered in the register: 

  • Date of receipt

  • Identification code

  • Actions taken

  • Measures taken

  • Date of closure

Likewise, they have the material and personal resources necessary for the proper performance of their duties, which will be carried out with full respect for the general principles of the IIS, with neutrality, honesty and objectivity towards all persons involved.

4. Information management procedure


The Company has an Information Management Procedure that regulates the management and processing of communications received through the Reporting Channel. 

5. External information channel


Without prejudice to the fact that the preferred course for communications related to paragraph 2 is the Reporting Channel, Users may also access to the channels established by the Public Administrations for these purposes, either before the Independent Authority for the Protection of Reporting persons or before the corresponding regional authorities or bodies, either directly or after communication through the Reporting Channel.

6. Protection granted to the User


Persons who report or disclose violations within the scope of this Policy shall be entitled to the protective measures set forth in this Policy, provided that the following circumstances are met:

  • Have reasonable grounds to believe that the information referred to is true at the time of communication or disclosure, even if they do not provide conclusive evidence, and that such information is within the scope of application of this Policy. 

  • Have made the communication or disclosure in accordance with the requirements set forth in this Policy. 

This protection extends to any natural person who, within the framework of the organization in which the User provides services, assists him/her in the communication process, or is related to him/her, as a representative of the employees, co-worker or family member, and to any legal person for whom the informant works or with whom he/she maintains another type of relationship within the framework of an employment context or in which he/she holds a participation that allows him/her to have capacity and influence over the same.

The protection measures provided for in this Policy are without prejudice to those established in the specific regulations that may be applicable and shall not exclude the application of the rules relating to criminal proceedings, including the investigative procedures of the criminal courts.

The following information, communications or disclosures will be expressly excluded from the protection under this Policy: 

  • Information contained in communications that have been rejected by any internal information channel or for any of the following reasons:

    • When the facts related lack any verisimilitude. 

    • When the facts reported do not constitute a violation of the legal system included in the scope of application of this Policy. 

    • When the communication is manifestly unfounded or there are, in the opinion of the IIS Committee, reasonable indications that it was obtained through the commission of a crime. In the latter case, in addition to the inadmissibility, a detailed account of the facts deemed to constitute a crime shall be sent to the Public Prosecutor's Office. 

    • When the communication does not contain new and significant information on offenses that are the subject of a previous communication in respect of which the corresponding proceedings have been concluded, unless there are new factual or legal circumstances that justify a different follow-up. 

  • Information related to complaints about interpersonal conflicts or that affect only the reporting person and the persons to whom the communication or disclosure refers. 

  • Information that is already available to the public or that constitutes mere rumors.

  • Information concerning actions or omissions outside the material scope of this Policy.

  • Information affecting classified information, or the obligations resulting from the protection of professional secrecy of legal professionals in the scope of their actions.

  • Information relating to infringements in the processing of contracting procedures that contain classified information or that have been declared secret or reserved, or those whose execution must be accompanied by special security measures in accordance with the legislation in force, or in which the protection of essential interests for the security of the State so requires.

6.1. Prohibition of Retaliation


Acts constituting retaliation, including threats of retaliation and attempts to retaliate against persons making a communication under this Policy are expressly prohibited. 

Retaliation means any acts or omissions that are prohibited by law, or that directly or indirectly involve unfavorable treatment solely because of their status as reporting persons, or because they have made a public disclosure. For illustrative purposes, but in no case limited to, any acts of retaliation that are carried out in the following manner shall be considered acts of retaliation:

  • The suspension of the employment contract, dismissal or termination of the employment or statutory relationship; the imposition of any disciplinary measure; the demotion or denial of promotions and any other substantial modification of working conditions; and the failure to convert a temporary employment contract into an indefinite one, in the event that the person  making the communication had legitimate expectations in this regard.

  • Damages, including those of a reputational nature, or economic losses, coercion, intimidation, harassment or ostracism.

  • Negative evaluation or references with respect to work or professional performance.

  • The inclusion in "black lists" or the dissemination of information in a certain sectorial area, which hinder or prevent the person from accessing employment or contracting works or services.

  • The denial or cancellation of a license or permit.

  • The denial of training.  

  • Discrimination, or unfavorable or unfair treatment.

The measures listed (specifically, number 1, 2, 3 and 4) will not be considered retaliation when they are carried out within the regular exercise of managerial authority under labor legislation or the corresponding public employee statute, due to circumstances, facts or accredited infractions, and unrelated to the presentation of the communication or the reporting activity.  

Likewise, it is made known that any actions aimed at preventing or hindering the submission of communications and disclosures, as well as those that constitute retaliation or cause discrimination after the submission of such communications and disclosures shall be null and void and shall give rise, where appropriate, to disciplinary or liability corrective measures, which may include the corresponding compensation for damages to the injured party. 

In addition, reporting persons will be able to access, as appropriate, the support measures provided in Spain by the Independent Authority for the Protection of the Informant.

6.2. Support Measures


Individuals who report or disclose breaches within the scope of this Policy through the procedures set forth in this Policy will be eligible for the following support measures:

  • Full, independent and free information and advice on the procedures and remedies available, protection against retaliation and the rights of the person affected.

  • Effective assistance by competent authorities before any relevant authority involved in their protection against retaliation, including certification that they are eligible for protection under the Whistleblower Protection Law.  

  • Legal assistance in criminal proceedings and cross-border civil proceedings in accordance with EU regulations.

  • Financial and psychological support, on an exceptional basis, if so decided by the Independent Authority for the Protection of the Informant, following an assessment of the circumstances arising from the submission of the communication.

6.3. Protective measures against retaliation


As set forth in Whistleblower Protection Law: 

  • The User will not be deemed to have violated any disclosure restrictions and, therefore, will not incur any liability of any kind in connection with such disclosure, provided that the User had reasonable grounds to believe that the disclosure was necessary to disclose a breach as defined in the Whistleblower Protection Law. This measure shall not affect criminal liabilities.

  • The provisions of the preceding paragraph extend to the communication of information made by workers' representatives, even if they are subject to legal obligations of secrecy or not to disclose confidential information. All the above without prejudice to the specific rules of protection applicable in accordance with labor regulations.

  • The User shall not incur liability for acquiring or accessing the information that is reported, provided that such acquisition or access does not constitute a criminal offense. Any other potential User liability arising from acts or omissions that are unrelated to the communication or that are not necessary to disclose a violation under this Policy will be enforceable under applicable law.

  • In proceedings before a court or other authority concerning prejudice suffered by Users, once the User has reasonably demonstrated that he or she has made a communication and suffered prejudice, it shall be presumed that the prejudice occurred in retaliation for reporting. In such cases, it shall be for the person who has taken the injurious action to prove that such action was based on duly justified grounds not connected with the communication. 

  • In legal proceedings, including those relating to defamation, copyright infringement, breach of confidentiality, violation of data protection regulations, disclosure of trade secrets, or claims for damages based on labor or statutory law, the User and those persons to whom the Whistleblower Protection Law is legally extended shall not incur liability of any kind as a result of communications protected by the Whistleblower Protection Law. Such persons shall be entitled to plead in their own defense and in the context of such legal proceedings that they have communicated, provided that they had reasonable grounds to believe that the communication was necessary to bring to light an infringement under the aforementioned Law. 

  • During the processing of the file, the persons affected by the communication shall have the right to the presumption of innocence and the right of defense. Likewise, restricted access to the file shall be allowed, their identity shall be preserved and the confidentiality of the facts and data of the proceedings shall be guaranteed. 

7. Data Protection


The processing of personal data carried out within the framework of the IIS will be carried out in full compliance with the general principles and obligations established in the Data Protection Law and in the Whistleblower Protection Law.  
The data collected in the IIS will be processed by Immfly, S.L., with registered office at Calle Albert Einstein, 1-3, 08940, Cornellà de Llobregat, Barcelona, acting as data controller.

bottom of page