Whistleblowing Policy

1. What is the purpose of this whistleblowing policy?

At Ferryscanner, we are committed to upholding the highest standards of ethical, professional and legal conduct, showing zero tolerance for any unlawful or improper actions that could impact our reputation, credibility, or full compliance with legal and regulatory obligations. To support this commitment, we encourage our employees and partners to report any violations that may threaten these core values, and we provide secure channels for the submission and handling of such reports in accordance with legal requirements.

2. Who and what does this policy concern?

This policy applies to employees, external contractors, shareholders, and suppliers currently or previously associated with Ferryscanner, who report violations of European Union law, national law, or internal company regulations. It covers reports concerning the public interest, particularly in areas such as safety and public health protection, transportation safety, environmental protection, consumer rights, combating corruption, economic and tax crimes, and the protection of personal data. This list is not exhaustive, and we encourage the aforementioned individuals to follow the procedures outlined below, even in cases of suspected misconduct in any of these areas or those specified in the provisions of Law 4990/2020.

3. How to file a report

If you wish to report an incident, action, omission, or behavior that you believe falls within the scope of this policy, we encourage you to follow the confidential process outlined below without hesitation:

You may send an email to whistleblowing@ferryscanner.com,
You may send a sealed letter by postal mail or courier to our office in Athens at: Miltiadou Street No. 7, 10560, 6th Floor, Attention: Whistleblowing Officer.

If you wish, you may submit an anonymous report, provided you include sufficient details so that the Whistleblowing Officer can assess its validity and take appropriate action. The Whistleblowing Officer will investigate every report; however, vague and incomplete reports will not be considered for assessment. Therefore, please attempt to provide as much information as possible.

4. What is your protection as a whistleblower?

Provided you submit a report to Ferryscanner in good faith for any of the above reasons, you are protected from any form of retaliation. Ferryscanner is committed to safeguarding your identity, the confidential information you provide with your report, and all your legal interests, in accordance with Law 5990/2020 and Directive (EU) 2019/1937. This ensures that you will face no adverse consequences regarding your employment, career development, assets, or personal reputation.

Your identity and any confidential information you provide may only be disclosed with your consent or, exceptionally, if required by law as a necessary and proportionate obligation in the context of investigations or judicial proceedings. This is particularly applicable to safeguard the defense rights of the person under report if they become a defendant or are treated as such in criminal proceedings. In such cases, you will receive prior written notification and have the right to submit your written observations.

5. What is the report-handling process?

Following the receipt of a report regarding a violation covered by this policy, the designated Ferryscanner Whistleblowing Officer will ensure the confidentiality of the process and will contact you within seven (7) business days to confirm that your report has been received and is being addressed.

The Whistleblowing Officer will then impartially assess whether the report falls within their remit, whether it is complete or requires clarification, and if it warrants further investigation. If deemed necessary, additional clarification may be requested.

If the report is not evidently unfounded, the Ferryscanner Whistleblowing Officer will conduct an impartial investigation of the alleged complaints and undertake a full, confidential inquiry, employing any necessary legal measures as they see fit.

Should the report be deemed unfounded, it will be archived, and the whistleblower will be informed accordingly.

If the reported issues are valid but fall outside the Whistleblowing Officer’s responsibilities, they will, in accordance with legal requirements, notify both the whistleblower and any relevant authorities, or another department at Ferryscanner, such as Human Resources, legal advisors, etc., in case that the reported issues are substantiated and fall under the purview of another department.

Within three (3) months of receiving the report, the Reporting Officer will reach out to provide an update οn the outcome of the investigation.

If the whistleblower is not satisfied with the handling of the report by the Ferryscanner Whistleblowing Officer, they are entitled to escalate the matter to the National Transparency Authority (https://aead.gr/en/kataggelies/ti-eidos-kataggelias) in accordance with the terms of the law.

6. Training and Awareness

To promote transparency within Ferryscanner, all personnel and general partners are provided with appropriate information on ethics, integrity, and this whistleblowing policy. This policy, along with any updates, will be properly communicated and publicly posted on the Ferryscanner website to ensure all interested parties are informed.

This policy may be periodically reviewed by Ferryscanner to ensure compliance with legal requirements and best practices.

7. Processing of Personal Data

Any processing of personal data under this policy is conducted in compliance with the General Data Protection Regulation (EU Regulation 2016/679-GDPR) and Law 4624/2019, subject to the specific provisions of Law 4990/2022 and any additional regulations regarding data processing by relevant authorities.

The data processing undertaken in this context is meant to establish reporting channels and to implement the necessary monitoring measures. This includes handling any data related to potential violations, such as sharing or forwarding them. The transfer of information contained in reports to relevant oversight and investigative authorities is permitted, and this information may be used as evidence in administrative, civil, and criminal investigations and proceedings.

Ferryscanner, acting as the data controller, implements appropriate technical and organizational measures to collect only the essential personal data needed for the purposes of this policy and in compliance with legal requirements. Any personal data that is irrelevant or excessive is not collected, or if incidentally gathered, it is promptly deleted.

As the data controller, Ferryscanner may limit the application of specific rights under GDPR (Articles 5, 12, 13, 14, and 34) concerning the person named in the report or any third party whose personal data might be processed. This is done when necessary to prevent interference with reporting processes, impede obstruction or delay monitoring efforts, especially investigations, or prevent identification of whistleblowers. Ferryscanner will notify the data subject if doing so does not compromise the purpose of this policy.

Ferryscanner may also limit the rights outlined in Articles 15 to 22 of the GDPR when exercised by persons named in reports or whose data was gathered through monitoring measures. In such cases, Ferryscanner as data controller takes all necessary measures to safeguard the rights and freedoms of the individuals involved. Should a data subject’s rights request be denied without an explanation for the restriction, they may file a complaint with the Hellenic Data Protection Authority, which can investigate whether the restriction criteria are met and inform the data subject if this disclosure does not hinder the policy’s aims.

In the event of a personal data breach, Ferryscanner may refrain from notifying the data subject as per Article 34, paragraph 1 of the GDPR if this could impede the objectives of this policy or the law. Ferryscanner will notify the Hellenic Data Protection Authority, which may investigate and require notification to the data subject if the company’s reasons for omitting notification are not justified.

This Policy may be available in multiple languages; however, in the event of any discrepancies between translations, the English version shall take precedence.