Pursuant to § 95 and § 159 Austrian Stock Exchange Act (Börsegesetz, BörseG), § 9 Benchmark Enforcement Act (Referenzwerte-Vollzugsgesetz) in conjunction with Art 14 Regulation (EU) 2016/1011 (Benchmark Regulation) as well as § 3 Whistleblower Protection Act (Hinweisgeberschutzgesetz, HSchG), Wiener Börse AG (WBAG) must set up a system for submitting reports on possible breaches of law by WBAG, with the person reporting (whistleblower) being protected from any personal disadvantages as well as measures being taken to prevent unfounded and unjustified allegations. To this end, WBAG has commissioned NWT Consulting & Compliance GmbH to provide a whistleblowing system that meets the legal requirements.
Information on whistleblowing and the use of the whistleblower system is given below. To ensure swift and reliable processing of reports, we ask you to consider the following principles before submitting reports and information.
Who can use the internal whistleblower system of the Vienna Stock Exchange?
The reporting system can be used by any person who has obtained information about potential breaches of the law based on a current or former work-related relationship with Wiener Börse AG. The group of persons covered by § 2 Whistleblower Protection Act includes:
- Interns, volunteers, other trainees
- Independent contractors
- Members of an administrative, management or supervisory body, and
What topics can be reported?
Breaches relating to the topics listed below may be reported under the Whistleblower Protection Act (§ 3 (3) to (5) Whistleblower Protection Act):
- Public procurement
- Financial services, financial products and financial markets, and the prevention of money laundering and terrorism financing
- Product safety and conformity
- Road safety
- Environmental protection, radiation protection and nuclear safety
- Food and animal feed safety, animal health and welfare
- Public health
- Consumer protection
- Protection of privacy and personal data as well as the security of network and information systems
- Criminal offenses pursuant to § 302 to § 309 Criminal Code (Strafgesetzbuch) ("corruption offenses")
- Breaches relating to EU financial aspects (prevention of fraud)
When is a whistleblower considered worthy of protection under the Whistleblower Protection Act?
A whistleblower is protected by the Whistleblower Protection Act if, at the time of making the report, the whistleblower has reasonable grounds to believe based on the factual circumstances and the information available to him or her that the information the whistleblower is submitting is true and falls within the scope of application of the Whistleblower Protection Act. If these circumstances are given, the whistleblower is considered worthy of protection within the meaning of the Whistleblower Protection Act.
What does worthy of protection mean under the Whistleblower Protection Act?
Worthy of protection means the following: the person may use the procedure defined in the Whistleblower Protection Act for making a report; the person is granted access to legal aid; and the person is entitled to the specific protective measures of the Whistleblower Protection Act.
First, the protective measures include protection against reversible retaliatory measures (§ 20 (1) nos 1 to 9 Whistleblower Protection Act), which occur or have occurred in retaliation to a justified report. Such retaliatory measures have no legal effect.
Second, the protective measures include protection against irreversible retaliatory measures (§ 20 (2) nos 1 to 6 Whistleblower Protection Act), which occur or have occurred in retaliation to a justified report. Such retaliatory measures result in the obligation to restore the situation to a lawful condition.
The group of persons deemed worthy of protection includes all natural persons who support whistleblowers in their reporting, natural persons connected to the whistleblower who may be affected by the adverse consequences of the reporting, as well as legal entities that are wholly or partially owned by the whistleblower or for whom the whistleblower works or with whom the whistleblower is otherwise connected in a professional context (persons pursuant to § 2 (3) Whistleblower Protection Act).
How are reports handled that concern topics outside the scope of the Whistleblower Protection Act or that are submitted by persons outside this scope?
The whistleblower system can be used to report information about (potential) breaches of certain legal provisions, regulations and official notices by Wiener Börse AG. Every report sent is reviewed and a plausibility check is carried out. Reports focus mainly, but not exclusively, on breaches of the following laws:
- Whistleblower Protection Act § 3 (3) to (5)
- Provisions of the Stock Exchange Act
- Regulations and official notices issued under the Stock Exchange Act
- Regulation (EU) 596/2014 (Market Abuse Regulation) or a delegated act based on this Regulation
- Regulation (EU) 2016/1011 (Benchmark Regulation) or a delegated act based on this Regulation (manipulation or attempted manipulation of a benchmark value)
- Provisions of the Federal Act on the Prevention of Money Laundering and Terrorism Financing on Financial Markets (Financial Markets Anti-Money Laundering Act, Finanzmarkt-Geldwäschegesetzes – FM-GwG)
As the Vienna Stock Exchange gives high priority to the transparent, open and confidential handling of suggestions, criticism and complaints, we request that you contact the relevant departments or contact persons if your concern relates to any other topic.
We would like to point out that the reporting form and other reporting channels are not permitted to be used for reports that are obviously false. Such reports will always be rejected and may result in claims for damages, legal action or administrative fines.
How are reports submitted?
Wiener Börse AG has appointed an external organization, NWT Consulting & Compliance GmbH, with its registered office in 1190 Vienna, Döblinger Hauptstraße 38, Commercial Court of Vienna registration number FN 198797a (hereinafter "NWTCC") to receive and initially process reports under the whistleblower system ("notification office").
Reports may be submitted to NWTCC in any form deemed appropriate, but primarily using the web-based form provided by NWTCC ("reporting form").
The reports may also be sent to the internal notification office:
- Phone: +43 (0)664 / 9333 2100
- E-Mail: whistleblowing(a)nwt.at
- Letter (anonymously if necessary)
The law provides for the notification to be made mainly through these internal notification channels, as this ensures that the report is processed as quickly and reliably as possible.
In special cases, reports may also be submitted to external notification offices. When the report cannot be processed using internal reporting channels, because it is not appropriate or reasonable or has proven ineffective or futile, the reports may be submitted to external notification offices instead of through internal reporting channels. The external notification office is the Federal Bureau of Anti-Corruption (Bundesamt zur Korruptionsprävention und Korruptionsbekämpfung) which has been established as an institution of the Austrian Federal Ministry of the Interior. In special cases, other external entities pursuant to § 15 (2) of the Whistleblower Protection Act may be the competent bodies.
Are anonymous reports permitted?
Yes. It is also possible to submit a report anonymously (e.g. by submitting an anonymous report via the web form) to the competent third party. However, to be able to resolve questions and uncertainties, we recommend providing contact data (e-mail, phone).
How are reports processed?
Receipt of a written report must be confirmed in writing without delay, but no later than seven calendar days, to the postal address, e-mail or other electronic address specified by the whistleblower, or to an established whistleblower system, unless the whistleblower has specifically stated that he or she does not wish to receive such confirmation or the notification office has reason to believe that confirmation would compromise the protection of the whistleblower's identity.
NWTCC treats all reports received with due care, completely (provided the information is available to NWTCC), impartially and confidentially. Therefore, NWTCC documents and scrutinizes the validity of each report.
At the request of the whistleblower, a meeting of the whistleblower and NWTCC is arranged within 14 calendar days of receipt of the report to discuss it. The meeting may take place in person, by phone or by video conference call. With the consent of the whistleblower, NWTCC will document the report and the content of the meeting by creating a transcript or an audio recording. NWTCC has the right to document a verbal report in the form of detailed interview minutes. When the whistleblower discloses his or her identity to NWTCC, or if feasible in the case of anonymous reports without disclosure of identity, the whistleblower is given an opportunity to review and correct the interview minutes and to confirm these by providing a signature.
NWTCC will not pursue the report further if it reaches the conclusion that
- the report does not contain information that indicates validity
- the report does not report a breach of a law
- the same information has already been forwarded.
If a report proves valid after the first plausibility check by NWTCC, it is forwarded by NWTCC to the competent unit at Wiener Börse AG.
As the notification office (NWTCC) also acts as internal auditor for Wiener Börse AG, in the case of a notification it receives through the whistleblower system concerning internal audits, the notification office will not process the relevant report itself, but will forward the report together with any relevant documents to the Management Board of Wiener Börse AG as well as to the Compliance Officer of Wiener Börse AG or another person or entity designated by Wiener Börse AG.
Forwarded reports are processed by the competent unit of Wiener Börse AG. It is responsible for ensuring that the report and the information reported are investigated in accordance with the principles defined. Reports are investigated comprehensively and, depending on the individual case, as fast as possible.
If necessary, the investigation may be carried out with the support of suitable persons (employees and third parties), whereby care must always be taken to ensure that the information is investigated by as few persons as possible and with the greatest possible confidentiality.
Documents and information are treated confidentially and in accordance with the requirements of the law. Any third parties employed must be contractually bound to secrecy unless this is already ensured by the legal provisions applicable to their profession.
Information rights of the whistleblower
Provided it does not jeopardize the investigation of the breaches reported, whistleblowers are to be informed by Wiener Börse AG of the following as soon as possible:
- The fact that the report will not be investigated by Wiener Börse AG due to lack of substance or relevant content
- Processing of the report
- Initiation of legal action with the state prosecutor or a court of law or administrative proceedings based on the report
- Completion of the in-house investigation of the report
- Completion of processing
The whistleblower must be informed no later than three months after receipt of a report of the consequences and measures taken or planned by the internal notification unit or the reasons why the internal unit will not investigate the report.
Protection of whistleblowers by maintaining confidentiality
To ensure protection of the whistleblower, the person submitting the report as well as persons affected by the report are ensured strictest confidentiality with respect to the information submitted as defined by the Whistleblower Protection Act. The name of the whistleblower as well as the names of the persons affected by the report are only disclosed to the third party, NWTCC, commissioned to act as notification office. Apart from NWTCC forwarding the information to the competent unit of the Wiener Börse AG (see "How are reports submitted?"), the disclosure of the content of the report and the identity of the whistleblower or of the persons affected by the information is prohibited. Upon the explicit request of the whistleblower, the third party commissioned shall not disclose the identity of the reporting employee to Wiener Börse AG.
Notwithstanding the foregoing, the identity of the whistleblower and information that permits a person’s identity to be inferred directly or indirectly may only be disclosed if an administrative authority, a court of law or the public prosecutor's office deems this to be necessary in the context of administrative proceedings, court proceedings or a criminal investigation pursuant to the Code of Criminal Procedure and reasonable regarding the risk to the whistleblower and with respect to the validity and severity of the allegations. In this case, the public authority must inform the whistleblower of its intention, unless informing the whistleblower would jeopardize the administrative or court proceedings or the criminal investigation under the Code of Criminal Procedure. The reasons for the disclosure must be presented in writing by the public authority.
The whistleblower should bear in mind that the disclosure of facts, in particular, the identity of person(s) affected by the report, may trigger investigations by the public prosecutor, a court of law or an administrative authority. This applies particularly to cases of deliberate false reports. Allegations that are proven to be deliberately false may result in legal consequences.
The processing of personal data contained in a whistleblower’s report is permitted for the purposes of the Whistleblower Protection Act, the Stock Exchange Act, the Market Abuse Regulation (MAR), the Benchmark Regulation (EU) and the Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetzes – FM-GwG).
The permission to process personal data pursuant to the Whistleblower Protection Act includes the processing of personal data of the following persons:
- Person(s) affected by the report
- Person(s) assisting whistleblowers in making a report
- Persons close to the whistleblower who, without supporting the whistleblowing, may be affected by the adverse consequences of the report such as by retaliatory measures, and
- Persons affected by the subsequent measures or involved in subsequent measures
The processing of personal data is permitted if it is in the public interest to prevent or sanction breaches of the law, to provide reports and verify validity for these purposes; it is also limited to data required to establish the sanctions for breaches of the law.
The parties authorized to process the data are:
- Whistleblowers regarding the data needed for their report
- The notification offices (NWTCC, Wiener Börse AG) with regard to data received from whistleblowers
- Public authorities for the purpose of processing data they receive as a result of a report submitted, provided the data are required for further investigations or to initiate proceedings.
The persons responsible for data processing (controllers) pursuant to Art 4 no 7 GDPR are the following unless otherwise stipulated by federal law:
- Whistleblowers regarding personal data that they know goes beyond what is necessary to investigate the report
- NWTCC and Wiener Börse AG
- Public authorities that process data transmitted as a result of a report.
The processing of personal data pursuant to Art 9 (1) GDPR ("sensitive data") is permitted if the processing is absolutely necessary to achieve the purposes of the Whistleblower Protection Act (§ 1 and § 8 (2) 1 Whistleblower Protection Act), and there is a substantial public interest in the processing of the data for this purpose, and effective measures are taken to protect the rights and freedoms of the data subjects. Wiener Börse AG protects the whistleblower as well as the persons affected by the report by taking appropriate data protection and confidentiality measures and, in the case of the third party commissioned with the task, NWTCC, by entering into the corresponding contractual agreements. Any collection, processing and use of personal data will be kept to a minimum in compliance with statutory requirements (GDPR, Austrian Data Protection Act, § 8 Whistleblower Protection Act) and in the interest of investigating the reports received.
The rights listed below shall not apply to a natural person or a legal entity affected by a whistleblower’s report as long as and provided this serves the purpose of protecting the identity of a whistleblower, of a person who supports the whistleblower or persons close to the whistleblower who may be affected by the adverse consequences of the report such as by retaliatory measures or measures to hinder the purpose of the Whistleblower Protection Act (e.g. attempts to prevent or delay reports), specifically for the duration of administrative or court proceedings or criminal investigations pursuant to the Code of Criminal Procedure:
- Information rights (§ 43 Data Protection Act, Art 13 and 14 GDPR)
- Right to request information (§ 1 (3) 1 and § 44 Data Protection Act, Art 15 GDPR)
- Right to demand corrections (§ 1 (3) 2 and § 45 Data Protection Act, Art 16 GDPR)
- Right to demand deletion (§ 1 (3) 2 and § 45 Data Protection Act, Art 17 GDPR)
- Right to restrict processing (§ 45 Data Protection Act, Art 18 GDPR)
- Right to file an objection (Art 21 GDPR), and
- Right to be notified of a personal data breach (§ 56 Data Protection Act and Art 34 GDPR)
Personal data that was legitimately collected is deleted five years after its last processing or transmission. Personal data may be stored for a longer period only in cases where, and for as long as, already initiated administrative proceedings, court proceedings or criminal investigations pursuant to the Code of Criminal Procedure are still ongoing. After the obligation to store the data expires, the data shall be deleted unless there is an obligation based on a legal provision to continue to store the personal data.
If a report is not pursued due to lack of substance, personal data must be deleted within six months.
Processing operations actually executed including but not limited to changes, queries and transmissions are logged by the notification office. The log data on these processes are stored by the controller from the time of their last processing or transmission up to three years after the mandatory storage period pursuant to § 8 (11) Whistleblower Protection Act expires.