The Whistleblowing Policy of the Utilitas group (parent company Utilitas OÜ, group companies AS Utilitas Eesti, AS Utilitas Tallinn, OÜ Utilitas Tallinna Elektrijaam, OÜ Utilitas Wind, AS Utilitas Tallinna Soojus) (hereinafter Utilitas group or us) provides for the procedure of filing and processing of whistleblowing reports concerning the Utilitas group and protection of whistleblowers from retaliation.

Honesty is a core value of the Utilitas Group and therefore the Utilitas Group provides a safe environment to report misconduct internally – the procedure sets out a framework and guidelines under which any misconduct in relation to the Utilitas Group can be reported. To promote the integrity and transparency of the Utilitas Group and to protect the concerned parties and the public interest, we protect whistleblowers from retaliation!

2.1 Meaning of the breach. By breach, including potential breach, we mean misconduct where we or our employees, our affiliates or other parties associated with us violate applicable laws or where their conduct, while

2.2 The scope of the Policy. The breach can concern any area, including public procurement, competition law, corruption, accounting, financial and tax law, environmental protection requirements, etc. However, the Whistleblowing Policy is not intended to resolve consumer and labour disputes.

2.3 The personal scope of the Policy. The Policy applies to, and the internal reporting is intended for, all our employees, members of our management and all other persons providing services to us, regardless of their position or status, such as posted worker, trainees and all other persons providing services to us, as well as temporary employees, external consultants and other service providers.

3.1 Reporting channels. If you are aware of a breach relating to us, please report it to us either by email or via the online form:

E-posti aadress:	Veebiteavituse link	Veebiteavituse QR-kood:
vihje.utilitas@triniti.ee	Rikkumisest teavitamise veebivorm

Please note that, in addition to internal reporting, it is also possible to report by other means in accordance with the whistleblowing legislation.

3.2 Reporting anonymously or with personal information. You can report the breach with personal data or anonymously. NB: When reporting anonymously, it is not possible to contact the whistleblower to provide feedback and ask for further information, or to inform about follow-up actions.

3.3 Information to be transmitted. When reporting a breach, please provide at least the following information:

(a) the name of the whistleblower;
(b) the whistleblower ‘s personal identification number or date of birth;
(c) the contact details of the whistleblower (personal e-mail address and phone number, if available);
(d) whistleblower position or cooperation relationship;
(e) if you are reporting on behalf of another person, the name of that person;
(f) the time and place of breach;
(g) description of the breach;
(h) persons involved in the commission of the breach;
(i) who you have informed about the breach and the consequences;
(j) who are aware of the breach;
(k) an indication if acknowledgement of receipt of the breach report and information on the follow-up and outcome are not expected for the published contacts;
(l) a statement that, in the opinion of the whistleblower, the information provided and the statements contained therein are true and that the whistleblower has not knowingly made a false statement or published incorrect information. .

The information referred to in points (a) to (c) does not need to be provided if the whistleblower wishes to report the breach anonymously. NB: If reporting anonymously, it is recommended that the report is submitted via an online form, as the e-mail address may reveal the identity of the whistleblower.

3.4 Prohibition on filing a false report. A whistleblower must act in a good faith and have a good-faith belief that the information provided, and the allegations contained therein are true. Knowingly submitting a false report is prohibited.

4.1 We assure that whistleblowers will be treated with the utmost confidentiality and will be protected as effectively as possible against any retaliation, whether actual or intended.

4.2 Ensuring anonymity and confidentiality. Whistleblowers may remain anonymous. The confidentiality of the whistleblower shall be ensured when receiving the breach report, providing feedback to the whistleblower and implementing follow-up measures. The content of the breach report shall be disclosed and used only for the purpose of identifying the breach and for the follow-up activities. The identity of the whistleblower may be disclosed to a person other than the person competent to receive and deal with the report only with the written consent of the whistleblower. Where criminal or misdemeanour proceedings are initiated on the basis of a report of the breach, the confidentiality of the fact of the notification shall be ensured, subject to the exceptions laid down in the relevant procedural code.

4.3 Lack of accountability. In the case of whistleblowing, the whistleblower is not liable for the legal consequences of disclosing the information if the whistleblower had reasonable grounds to believe that the disclosure was necessary to disclose the breach (unless such disclosure is punishable as a criminal offence).

4.4 Right to information. The whistleblower has the right to receive acknowledgement of receipt of the report and information on follow-up action.

4.5 Presumption of good faith. We will always presume good faith of the whistleblower until proven otherwise. This is an important safeguard to ensure that protection is not lost if the whistleblower has made an incorrect report in good faith. If a whistleblower later discovers that the information disclosed is untrue, he or she may still benefit from the protection offered to whistleblowers, if he or she has disclosed this new information in a timely manner. At the same time, the absence of good faith means that those who do not act in our best interest and/or who knowingly and intentionally report abusive, false or malicious statements, in particular when based on knowingly false or misleading information, will not be considered whistleblowers for the purposes of this Policy.

4.6 Prohibition of retaliation. The whistleblower will not be subject to retaliation. If a Utilitas Group employee is found to have used pressure, harassment, attempted to use pressure, or threatened to use retaliation against a whistleblower, the case will be investigated and, if necessary, the necessary measures will be taken to eliminate the retaliation. The employees involved in the use of reprisals shall be held accountable for his/her actions in accordance with the law. Whistleblowers who believe that they have been subjected to retaliation or who have reasonable grounds to believe that they are under threat of retaliation should report it immediately.

5.1 The processor of reports. Breach reports are handled by TRINITI Law Office, which is responsible for:

(a) for receiving breach reports;
(b) keeping in touch with the whistleblower and providing feedback and requesting further information where necessary;
(c) informing on the implementation of follow-up measures.

5.2 Independent procedure. To ensure the independent handling of breach reports, reports are transmitted directly to the TRINITI information system, and the law firm guarantees the confidentiality of the whistleblower. In a situation where TRINITI Law Office is unable to process the reports in accordance with the requirements laid down by law, the breach report, together with the relevant annexes, will be forwarded to the person designated by us to process the breach report, and who will ensure compliance with the requirements of the law, including the confidentiality of the whistleblower.

5.3 Receipt of a breach report. Acknowledgement of receipt of the breach report is sent to the whistleblower within 7 days of receipt of the notification. If there is no competence to deal with the breach report, the report would be forwarded to the competent authority without delay, but no later than 5 working days after its receipt, informing the whistleblower at the same time.

5.4 Careful handling of breach reports. Breach reports are dealt with thoroughly and comprehensively. Where necessary, the whistleblower or others are asked for further explanations about the breach.

5.5 Follow-up and feedback. The whistleblower will be given information on the follow-up action taken as soon as possible, but no later than 3 months after receipt of the breach report. The whistleblower shall also be given feedback on the outcome of the procedure.

5.6 Not providing information. Notifications will not be sent to a whistleblower if the report is made anonymously or if the whistleblower has explicitly refused to provide the information or there are reasons to believe that doing so would jeopardise the confidentiality of the whistleblower.

5.7 Co-operation with the prosecutor’s office and the police. If, based on the information provided in the report, there is a suspicion that an offence has been committed or is about to be committed, in addition to other legal measures, a report of the offence may be submitted to the prosecutor’s office and the police.

5.8 Publication of whistleblowing. In the interests of a possible or ongoing investigation, a whistleblower may be under an obligation not to disclose information about the report, the existence or the progress of the investigation.

6.1 Principles of processing personal data. Personal data collected in the framework of the processing of breach reports, including special categories of personal data, are processed in accordance with the Utilitas Group’s rules on the processing of personal data, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Estonian Personal Data Protection Act, taking into account the specificities of the whistleblower protection regulation.

6.2 Retention of the breach report. Breach reports are kept for 3 years from the date of the feedback. Breach reports are kept in accordance with the Regulation of the Government of the Republic.

6.3 Read the privacy policy. Our policy on the processing of personal data is published in the respective Utilitas Group Privacy Policy.

7.1 For further information and clarification on the whistleblowing procedure and whistleblower rights, please contact utilitas@triniti.ee. Confidentiality is guaranteed!