Whistleblowing channel (Internal Reporting System)
Last updated: 17 June 2026
Note: in case of any discrepancy between versions, the Spanish version prevails.
<brand/> provides you with an internal reporting channel to report, securely and confidentially, regulatory infringements you become aware of in a work or professional context, in accordance with Spanish Law 2/2023 and Directive (EU) 2019/1937.
1. Legal framework
This internal channel is established and governed in accordance with the following rules:
- Spanish Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.
- Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law.
- Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD) for the processing of the personal data of the reporting person and the persons concerned.
- The rest of the applicable criminal, administrative and labour legislation.
2. Who can report
Any natural person who, in a work or professional context with <brand/>, has become aware of facts that may constitute an infringement. In particular, and without limitation:
- Employees, both current and former.
- Self-employed persons and freelancers who collaborate with <brand/>.
- Shareholders, members and members of the administrative body.
- Persons working for or under the supervision of contractors, subcontractors and suppliers.
- Volunteers and trainees.
- Persons whose employment relationship has not yet begun, where the information on infringements was obtained during the recruitment process or pre-contractual negotiations.
- Relatives and persons close to the above who could suffer retaliation.
3. What can be reported
The following may be reported through this channel:
- Acts or omissions that may constitute a breach of European Union law falling within the material scope of Directive 2019/1937 (sectors such as public procurement, financial services, anti-money laundering, product safety, protection of personal data, public health, consumer protection, security of networks and information systems, etc.).
- Acts or omissions that may constitute a criminal offence defined in the Spanish Criminal Code or in special criminal laws.
- Acts or omissions that may constitute a serious or very serious administrative infringement, in particular those involving financial loss to the Public Treasury or to the Social Security system.
- Breaches of the Code of Ethics, internal policies and operating procedures of <brand/>.
- Any conduct that endangers the security of the personal data processed, the integrity of the systems or compliance with the GDPR.
Mere complaints, opinions, suggestions, commercial claims about the service or interpersonal matters without regulatory content are not admissible through this channel: for those, the appropriate route is the ordinary contact form.
4. Available channels
Any eligible person may report through the following means, all of them secure and confidential:
- Email: <mail/>. Communications addressed to the channel are handled confidentially, with access restricted to the Head of the Internal Reporting System.
- Postal mail: sealed envelope addressed to «Internal Reporting System — My AI Council», registered office of Tarraco App Lab, S.L.U. in Tarragona (the full address may be requested in advance by email if anonymous delivery is required).
- In-person meeting: at the reporting person's request, at a place and time that guarantee confidentiality, within a maximum of 7 days from the request.
- External channel: alternatively, without the need to use the internal channel, the reporting person may turn directly to the Independent Whistleblower Protection Authority (A.I.P.I.) created by Law 2/2023, submitting the report —either identified or fully anonymous— through its electronic office <aipi/>, or to the regional authorities and the Public Prosecutor's Office where appropriate.
5. Anonymity and confidentiality
The reporting person may report in an identified or fully anonymous manner. <brand/> guarantees that:
- The identity of the reporting person will not be disclosed to the persons concerned or to third parties, except by order of the competent judicial authority in the context of a criminal investigation. Where this occurs, the reporting person will be notified in writing in advance, unless prohibited by law.
- Access to the channel and to the files is restricted to a single person with a specific identity and training: the Head of the Internal Reporting System.
- Personal data is processed in accordance with the GDPR, on the legal basis of compliance with the legal obligation under art. 32 of Law 2/2023 and public interest in the prevention, investigation and prosecution of infringements (art. 6.1.c and 6.1.e GDPR).
- The file data will be kept for the time strictly necessary to resolve the investigation and, thereafter, deleted unless subsequent legal retention applies, and in any case for no longer than 10 years.
6. Prohibition of retaliation
Any retaliation, whether direct or indirect, against the reporting person, their relatives, persons close to them and facilitators is expressly prohibited. In particular, the following are prohibited:
- Suspension, dismissal, non-renewal, transfer or any substantial change to working conditions.
- Imposition of a disciplinary measure or penalty.
- Coercion, intimidation, harassment or ostracism.
- Discrimination or unfavourable treatment.
- Unfavourable entries in performance evaluations.
- Early termination of the contract for goods or services.
Any retaliation will be subject to the penalties provided for in Law 2/2023 (fines of up to €1,000,000 for legal persons, and a criminal dimension where applicable). The person harmed by retaliation will be entitled to compensation for damages.
7. Handling procedure
- Acknowledgement of receipt: the Head of the Internal System will send the reporting person (if they have identified themselves or provided a secure anonymous contact channel) an acknowledgement of receipt within a maximum of 7 calendar days of receiving the communication.
- Investigation: the Head will initiate an internal investigation proportionate to the facts. They may request additional information from the reporting person, the person concerned and other witnesses, always with guarantees of confidentiality. If the facts may constitute a criminal offence, the information will be referred to the Public Prosecutor's Office. If they affect the EU's financial interests, it will be referred to the European Public Prosecutor's Office.
- Hearing of the person concerned: before the decision, the person concerned by the report will be given a hearing, with safeguards for their defence, without disclosing the identity of the reporting person.
- Decision: the maximum period to resolve and inform the reporting person of the outcome of the proceedings is 3 months from the acknowledgement of receipt, extendable by a further 3 months due to the complexity of the case, with written justification.
- Corrective measures: if the investigation confirms the infringement, the necessary corrective, disciplinary and, where appropriate, judicial measures will be adopted.
- Closure: if the investigation does not confirm the infringement, the file will be closed with a reasoned decision.
8. Head of the Internal Reporting System
The Head of the Internal Reporting System of <brand/> is the administrative body of <owner/>, owner of <brand/>. In the event of a conflict of interest (a report that may affect the Head themselves or their environment), management will automatically be transferred to the external channel of the Independent Whistleblower Protection Authority (A.I.P.I.), ensuring independence.
9. Processing of the channel's personal data
The personal data collected through this channel is processed on the following terms:
- Controller: <owner/> (company in the process of incorporation), with registered office in <address/>, <mail/>.
- Purpose: management of the Internal Reporting System in accordance with Law 2/2023.
- Legal basis: compliance with the legal obligation under art. 32 of Law 2/2023 (art. 6.1.c GDPR) and public interest in the prevention and prosecution of infringements (art. 6.1.e GDPR).
- Recipients: the Head of the Internal System and, where appropriate, the Public Prosecutor's Office, the European Public Prosecutor's Office, the Labour Inspectorate, the AEPD or another competent authority.
- Retention: the time strictly necessary to resolve the investigation, with a maximum of 10 years. Data that is not necessary will be deleted within 3 months of receiving the communication, unless further evidence is required.
- Rights: access, rectification, erasure, objection and restriction, on the terms of the GDPR. They may be exercised at <mail/>. They may be restricted on an exceptional basis to preserve the ongoing investigation. The AEPD (<aepd/>) is the competent supervisory authority.
10. Changes to this policy
This policy may be updated to reflect regulatory changes or changes in how the channel operates. The current version and the date of revision are published on this page.