Whistler is an application for reporting violations or suspicions on them, which allows whistleblowers to submit signed or anonymous reports in good faith, and also enables them to re-access the application (their account), using their username and password. Users/whistleblowers select their username and password the first time they log in.
The whistleblower’s security and anonymity are guaranteed. If despite the security a whistleblower prefers not to disclose their identity, the application includes an option that conceals their identity even from the investigator with whom the whistleblower will otherwise have unrestricted communication.
Communication between the whistleblower and investigator is essential to the success of the investigation. The investigator needs to obtain the largest amount of the most accurate and most credible information possible. Experience has shown that reports based on anonymous unilateral letters can be unsuccessful, since the whistleblower may inadvertently fail to provide information (e.g. what, when, and where something happened and who the participants were) that could allow the launching of a focused investigation, due to which the investigation could end up following false leads.
Whistler is located on our public website, www.nlb.si, which allows reports to be submitted from outside the bank, e.g. from libraries, cafés, etc.
The application allows the whistleblower to monitor the status of their individual reports and to keep in constant contact with the investigator. In this way, a completely secure communication channel is established between the whistleblower and the investigator. The whistleblower’s security and anonymity are both guaranteed, and at the same time the investigator is able to obtain potentially critical additional information in connection with the individual report. The application allows the whistleblower to receive information about the progress of the investigation and about its conclusion and results.
On their initial login, the whistleblower selects a username and password, regardless of whether they wish to disclose their identity or remain anonymous. Using these two authenticating elements they enter the application, through which they communicate with the investigator and monitor the reporting procedure. They can update their report at any time, add documents or talk with the investigator in a chat window.
It is extremely important that users remember their username and password. The password is not saved and forgotten passwords cannot be reset. A new login is required in order to re-establish contact, and therefore access to the content associated with the previous (forgotten) username and password will not be possible.
However, in the event that you forget your login details you can always register under a new username and password, and in the new (additional) report notify the investigator about the content of the previous report, which will still be visible to the investigator.
The system is designed for bank customers, individuals who are employed by the bank and for other stakeholders who believe that an act has been committed which is damaging to the bank or its employees, and which could have serious consequences with respect to regulatory sanctions, criminal liability or the bank’s reputation.
The system for reporting violations is not intended to deal with general questions about bank operations, customer questions and complaints or the reporting of workplace mobbing.
In accordance with good management practice, at the bank we would like the identification of deviations, irregularities and even violations to be resolved first and foremost inside the organisational units in which they occur. Therefore, the resolving of such issues is first under the responsibility of the direct supervisor in the organisational unit. However, in real life situations can occur in which for various reasons certain matters cannot be resolved within an individual unit (possible involvement of managers or other similar reasons). In such cases, there are several channels available for reporting observed violations to the NLB Compliance and Integrity, one of which is the Whistler application.
According to the Rules on the procedures for investigating harmful conduct, follow-up and whistleblower protection, each employee is already obliged to report (to their direct superior or directly to the Compliance and Integrity) observed harmful conduct that could lead to serious consequences for the bank (damage, criminal offences, regulatory sanctions, harm to reputation). Only in this way, we can react to serious violations quickly and appropriately, and thereby protect the interests and reputation of the bank and those of its employees and stakeholders. It is also important to identify any systemic weaknesses and adopt systemic measures in order to prevent similar cases in the future.
Upon submitting a report and sending information to the NLB Compliance and Integrity, the whistleblower ensures that the harmful conduct is appropriately documented, and then checked or investigated, and that the bank can respond appropriately and quickly. Whistleblowers’ reports are therefore important from the perspective of preventing the occurrence and recurrence of damage, identifying urgently needed corrections/amendments to business processes, and the discharge of individual responsibilities.
It is also very important for investigators that the whistleblower attempts to answer as many as possible of the following questions in the report:
When receiving, processing, investigating and archiving individual reports, the Compliance and Integrity ensures that the information in the report and thus the personal data of the whistleblower are strictly protected. The whistleblower is therefore completely protected both throughout and after the proceedings.
Protection of internal whistleblowers
The Bank uses various measures to assure the complete protection of whistleblowers who are NLB employees against any retributive measures to which they might be subjected to owing to their whistleblowing activities. To this end, on 10 March 2015 the Management Board of NLB d.d. signed and published the Declaration on the prohibition of retributive measures against whistleblowers. We at the Compliance and Integrity are aware that an individual’s decision to submit a report of a violation is usually exceptionally difficult. Therefore we pay a great deal of attention to whistleblowers who act in good faith.
Protection of personal data
If the whistleblower discloses their identity when registering, the bank in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (ZVOP-1) must provide appropriate protection of the personal data of persons submitting reports of harmful conduct. All data on the whistleblower is considered confidential.
The bank does not disclose whistleblowers’ personal data to third parties without their explicit consent.
Upon receipt of a report, in the event that the whistleblower wishes protection, all of the whistleblower’s personal data and other data from which the identity of the whistleblower could be determined is removed from the report and kept separately from the investigation file, and protected from unauthorised access.
An audit trail is created for every instance of accessing the whistleblower’s personal data.
If the report is signed, only the investigator processing the individual report and the head of investigations have access to the whistleblower’s personal data.
The whistleblower’s personal data and the information on the violation are kept for 10 years after the conclusion of the case.
If a supervisory procedure is initiated on the basis of an individual investigation, the data will be kept for a further 5 years after the conclusion of those proceedings or judicial proceedings.
More detailed information about how the Bank handles personal data and rights of individuals are available at https://www.nlb.si/general-information-on-personal-data-protection.pdf and/or in the document General Information on Personal Data Processing.
Whistleblowers are not obliged to disclose their personal data and may submit anonymous reports. The application is designed first and foremost so that whistleblowers can submit anonymous reports in such a way that an investigation can proceed without obstruction (feedback).
When filling out the form for reporting violations and when filling out the enclosures, whistleblowers who wish to remain anonymous should make sure that they do not provide data that could directly or indirectly disclose their identity. Whistleblowers may disclose their identity at any time during their anonymous communication with the investigator, should they so choose. We are aware that this requires a considerable amount of mutual trust.
In order to identify and investigate suspicions of violations, NLB collects and processes data on whistleblowers (if they provide it) and data on other participants in the harmful conduct in accordance with GDPR and ZVOP-1.
In connection with the personal data collected and processed by NLB, every individual has the right to access to and review their personal data in accordance with the provisions of the GDPR and ZVOP-1, as well as the right to rectification and the right to erasure.