POLICY ON THE SAINT-GOBAIN GROUP’S ALERT SYSTEM
In 2011, Saint-Gobain set up a professional alert system for reporting serious breaches of the law or internal rules and procedures.
Implementing such an alert system was authorized by the French personal data protection authority in a decision issued on October 8, 2009 (n°2009-572). Complementary formalities were added on November 23, 2017 following the amendment, dated June 22, 2017, of the aforementioned authority’s frame of reference, in light of the law n°2016-1691, dated December 9, 2016, on transparency, the fight against bribery and corruption and the modernization of economic life ("Sapin II Act") (compliance commitment n°2123507). Personal data processing is also included in the Compagnie de Saint-Gobain record, in accordance with the requirements of the General Data Protection Regulation (regulation n°2016/679 dated 26 April, 2016) which entered into force on May 25, 2018.
According to the Sapin II Act and its enforcement decree, dated April 19, 2017, it is mandatory to establish a procedure for collecting alerts. Under the law n°2017-399, dated March 27, 2017, relating to the duty of care pertaining to holding and parent companies, human rights and fundamental freedoms have to be covered by the alert system.
This Policy describes the main characteristics of the current alert system. It is intended to be applied by the whole Saint-Gobain Group. However, when national law requirements differ from this Policy, national law should be applied, with all efforts being made to enforce, as broadly as possible, international standards on professional alerts.
This Policy will be published in the Compliance section of the Group’s eWorkplace and will be, where appropriate, communicated by any means, including email, postings or publications.
1. Who can issue an alert?
The Group’s professional alert system is available to all Saint-Gobain Group personnel and to external and occasional employees (employees on open-ended or fixed-term contracts, trainees, apprentices or work-study students, temporary staff working for, or on behalf of, a Group company, seconded employees…)
2. What is the scope of the Policy?
Under the alert system, it is possible to report potential breaches that would constitute:
- a crime or an offense,
- a serious and manifest breach of an international undertaking or obligation,
- a serious and manifest breach of the law or regulation,
- a threat or serious damage to the general interest.
This may include breaches in the following areas:
- Financial, accounting, tax, banking, asset misappropriation,
- Fight against corruption,
- Rules and procedures described in the "Internal Control Reference Framework" (including the Principles of Conduct and Action),
- Competition law,
- Respect for human rights and fundamental freedoms,
- Prohibition for Group entities to participate in any political financing,
- Prohibition of the use of forced labour, child labour; disregard for the principle of trade union freedom,
- Serious risks to the Group’s IT security, disclosure of strictly confidential strategic information, and infringement of the Group’s intellectual property rights.
However, an alert may not be related to elements that are classified or covered by professional secrecy, i.e. the legal privilege applicable to communications between lawyers and clients, or medical confidentiality.
3. How to issue an alert?
Saint-Gobain’s professional alert system is optional: no penalty or sanction may be imposed on a person not using this system even though entitled to do so.
The alert system is a complementary way of reporting misconduct. It does not replace the other channels existing inside a company (hierarchy, Human Resources department, legal teams…).
Any employee wishing to issue an alert must send an email from his/her Saint-Gobain email address to the dedicated email box. The current list of email boxes for France and for each Delegation is available within the Compliance section of the Group’s eWorkplace.
Persons without a Saint-Gobain email address can still issue an alert by sending a letter to the following address:
Secrétariat Général Compagnie de Saint-Gobain Les Miroirs,
18 avenue d'Alsace 92400 Courbevoie, France
The alert will only be considered if it complies with the admissibility requirements defined in paragraph 4 below.
4. What are the admissibility requirements for an alert?
The breach must be serious, and the alert must be issued in good faith, and selflessly.
The alert must describe objectively, and as precisely as possible, the facts that the issuer personally suffered or personally witnessed, including, if possible, the relevant dates, the entity concerned, and the names of the persons involved
The issuer provides information and documents to support the alert, regardless of their format.
5. Who receives and handles the alerts?
Alerts are received by the people designated below who, due to their position, have the competence, authority and sufficient resources to carry out their duties ("the Officers").
The Officers are:
- For France: the Group General Secretary and the Group Director of Internal Audit and Business Control;
- For other countries: the Group General Secretary, the Group Director of Internal Audit and Business Control, the General Delegate and the Compliance correspondent of the Delegation concerned.
The Officers undertake to comply with the principles detailed below.
6. How is confidentiality ensured?
The Saint-Gobain Group’s professional alert system is not anonymous. Nevertheless, the Officers undertake to treat the identity of the issuer, the information and documents received, as well as the identity of the persons targeted by the alert, with the strictest confidentiality.
However, such confidentiality must not impede or jeopardize the verification and handling of the alert. If handling an alert requires disclosing some information to the competent services of the Group or to third parties, only those details which are necessary for assessing the facts and dealing with the alert will be communicated, taking the following precautions:
- any details which may reveal the issuer’s identity will only be disclosed once the issuer’s consent has been given; any details which may reveal the identity of the person targeted by the alert will only be disclosed once the admissibility of the alert has been established.
In any event, confidentiality may not be opposed to judicial authorities or regulators, nor impede possible disciplinary or judicial procedures.
7. How are the alerts handled?
The Officers acknowledge receipt of the alert to the issuer. They inform the issuer of the foreseeable time required to examine the admissibility of the alert.
Then, the Officers review the reported facts described in the alert. If appropriate, they inform the persons targeted by an admissible alert of the facts relating to them. When precautionary measures need to be taken, especially to prevent the destruction of evidence, the persons are informed only after such measures have been implemented.
The Officers conduct the necessary investigations and verifications of the admissible alerts and analyze their nature and severity. On this basis, they decide what actions should be taken and inform the issuer.
Once the alert has been handled, the Officers inform the alert issuer, and if appropriate the persons targeted, of the closure of the alert.
Exchanges with the alert issuer, if any, are made via the dedicated email box and each Officer shall retain information, ensuring the traceability of the alerts issued.
8. What rights do the persons concerned by the alert have with regard to the processing of their personal data?
The persons concerned by the alert may exercise all the rights they have under the applicable data protection regulation, and in particular their right to access, rectify or delete data, to restrict processing related to the person concerned, to oppose for legitimate reasons the treatment of the data, and to lodge a complaint to a supervisory authority.
Under no circumstances may a person targeted by an alert obtain, on the basis of their right to access data, any information regarding the identity of the alert issuer.
9. How are the data saved?
The elements relating to non-admissible alerts are destroyed as soon as possible, or archived after being anonymized.
Regarding admissible alerts:
- When no disciplinary or judicial proceedings have been undertaken, elements of the file relating to the identity of the issuer and the targeted persons are destroyed within two months from the closure of the operations of admissibility and verification.
- When disciplinary or judicial proceedings have been undertaken, elements of the file are retained for a period not exceeding the litigation timeframe.
In any event, for the purposes of traceability and reporting, the name of the entity concerned and the date of the alert, with a short description of the facts, maybe retained, excluding any information relating to the identity of the persons concerned.
10. How is the issuer protected and what penalties or sanctions are applicable if an alert is made in bad faith?
If the facts reported proving to be incorrect, no action will be taken against the alert issuer, as long as the latter acted in good faith. Here, bad faith means knowledge of the falsity of the allegations.
Disciplinary sanctions and, where appropriate, judicial proceedings may be taken against an alert issuer acting in bad faith. This will notably be true in the case of malicious, vexatious or defamatory allegations or a wrongful alert.
If disciplinary proceedings are to be brought against the issuer, and consequently their identity is to be disclosed, they will be informed prior to the initiation of proceedings.