Whistleblowing Policy and Procedure

Key Points

The Whistleblowing Procedure sets out the framework for dealing with allegations of illegal and improper conduct Whistleblowing according to the laws mentioned below is “reporting breaches of law (regardless of whether they are categorised as administrative, criminal or other types of breaches) that are harmful to the public interest”. The Whistleblowing Procedure also covers reporting unlawful ill-treatment or harassment, may it be direct or indirect, based on discrimination on base of race or ethnic origin, gender, religion or belief, disability, age or sexual orientation.
The Aryza group is committed to the highest standards of transparency, probity, integrity and accountability.

This procedure is intended to provide a means of making a reportable concern about standards, conduct, financial irregularity or possible unlawful action in a way that will ensure confidentiality and protect those making such allegations in the reasonable belief that it is in the public interest to do so or protects an individual from discrimination from being victimised, discriminated against or disadvantaged.

This procedure does not replace other policies and procedures such as the Complaints Procedure, the Grievance, Harassment and Bullying Policies and other specifically laid down statutory reporting procedures. For those, the whistleblower may choose to use the Whistleblowing procedure as an alternative on top and the specifically laid down reporting procedure shall be used in any case. Dutch employees may choose, if they want to talk to their local “Trusted Persons” or use the Whistleblowing Procedure. The Whistleblowing system will also act as “AGG-Beschwerdestelle” (complaints office under the German Equal Treatment Act) in Germany while employees are free to contact the People Team or any other function they trust instead. You can find the AGG under the following link: https://www.gesetze-im-internet.de/agg/BJNR189710006.html.

This procedure is intended to ensure that Aryza complies with its duty under the EU Whistleblower Protection Directive (2019/1937) (incorporated in the German Hinweisgeberschutzgesetz, the Dutch Wet Bescherming Klokkenluiders and the Irish Protected Disclosure Act 2014 (Amendment 2022)) and the Public Interest Disclosure Act 1998 ((incorporated in the Employment Rights Act 1996 (ERA 1996)).
This policy and procedure complies with the legal requirements under the UK Public Disclosure Act 1998 (PIDA) and Supervisory Authority requirements in the FCA handbook SYSC 18 and the PRA Rulebook CRR firms – general organisational requirements 2A.


The purpose of this policy is to encourage staff and other individuals being in contact with Aryza for business purposes (e.g. customers and sub-contractors) who have any concerns about any breaches of law, codes of practice, regulation, or any other perceived wrongdoing to make known their concerns to Aryza and, where appropriate, the Supervisory Authority as mentioned below.

Aryza encourages the disclosure of any such concerns and is committed to maintaining the highest standards of integrity, honesty and professionalism in the workplace. Aryza urges staff to be alert to the possibility of wrongdoing and to raise concerns through an appropriate channel.

This policy reflects legal and Supervisory Authority requirements but does not form part of any contractual terms of employment and may be amended or replaced at any time at Aryza discretion.

The policy sets out a procedure which Aryza encourages staff to follow if they wish to report any matter. Staff should be aware that raising a concern directly
with the Supervisory Authority is not conditional on a report being made using Aryza internal arrangements.

Aryza reassures all members of staff that any matter raised through a Whistleblowing Channel will be treated with proper consideration. Should any person believe that they have suffered any detriment by invoking the procedure they should inform a Director of Aryza immediately.


This procedure applies to all individuals being in contact with Aryza for business reasons, e.g. employees, associates, contractors and customers.
This procedure applies to, but is not limited to, allegations about any of the

  • Conduct which is an offence or breach of the law, in particular the German AGG
  • Alleged miscarriage of justice.
  • Serious Health and Safety risks.
  • The unauthorised use of public funds.
  • Possible fraud and corruption.
  • Sexual, physical or verbal abuse, or bullying or intimidation of employees, customers or service users.
  • Abuse of authority.
  • Other unethical conduct.

Please not that any discrepancies regarding contractual Agreements are out of scope.


Aryza recognises that the decision to make a reportable concern can be a difficult one to make. However, whistleblowers who make reportable concerns in the reasonable belief that it is in the public or a discriminated individual´s interest to do so have nothing to fear because they are doing their duty either to Aryza and/or to those for whom Aryza are providing a service.
Aryza will take appropriate action to protect a whistleblower who makes a reportable concern in the reasonable belief that it is in the public or a discriminated individual´s interest to do so from any reprisals, harassment or victimisation.

Aryza has set up a Whistleblowing Team consisting out of the functions Legal and Privacy. The Whistleblowing Team will be the only ones within Aryza accessing the Whistleblowing report via the Whistleblowing System. The Whistleblower may use the channels as displayed below to report in a language of his choice (English, Dutch or German).

Where appropriate, a reportable concern may be escalated by a Whistleblower, including to a Supervisory Authority, who is a prescribed person for the purposes of PIDA or a EU Whistleblowing Supervisory Authority. A whistleblower is able to raise a concern directly with a Supervisory Authority, making a report is not conditional on a report first being made using Aryza internal arrangements. It is also possible to use Aryza internal arrangements and to also raise a concern with a Supervisory Authority: the routes may be used simultaneously or consecutively.

The contact details of the FCA’s whistleblowing service are as follows:

Tel: 020 7066 9200
Email: [email protected]
Address: Intelligence Department (Ref PIDA), Financial Conduct Authority, 25 The
North Colonnade, London E14 5HS
The contact details of the PRA’s whistleblowing service are as follows:
Tel: 0203 461 8703
Email: [email protected]
Address: Confidential Reporting (Whistleblowing), PRA CSS, 20 Moorgate, London, EC2R 6DA
The Contacts of the Supervisory authorities within the EU countries, in which an Aryza entity is incorporated, can be found under the following links:

For the Netherlands (Huis voor Klokkenluiders): https://www.huisvoorklokkenluiders.nl/organisatie

For Germany (Meldestelles des Bundes):

For Ireland (Office of the Protected Disclosures Commissioner):

Confidentiality and Protection

All reportable concerns will be treated in confidence and every effort will be made not to reveal a whistleblower’s identity unless the whistleblower otherwise requests. A Whistleblower who requests confidentiality or chooses not to reveal their identity is entitled to remain anonymous save where it is necessary to disclose their identity (for example to a Supervisory Authority).
However, anonymity may hinder an investigation and a Whistleblower is encouraged not to make anonymous reports. Aryza will endeavour to protect confidentiality. Further Information on handling of personal data in the reports is included in the Privacy Policy on the last pages of this Whistleblowing Policy.
More information about the statutory regime can be read here:

https://www.gov.uk/whistleblowing or any other homepage of a Whistleblowing Supervisory Authority as above

Under PIDA a Whistleblower who satisfies the specified criteria under PIDA may be protected from unfair dismissal and from suffering a detriment as a result of making a Protected Disclosure. To ensure protection, a Whistleblower must comply with the specified framework and satisfy the statutory criteria.
. A reportable concern is defined above and includes any disclosure that would fall within PIDA. A Protected Disclosure is a sub-category of a reportable concern, as a reportable concern also covers disclosure under the EU legislation and – for the purposes of this policy – discriminatory cases.
Under EU legislation, the Whistleblower is protected from unfair dismissal or suffering a detriment as a result of making a Protected Disclosure in any case.

Anonymous Allegations

This procedure encourages whistleblowers to put their name to an allegation wherever possible as anonymous allegations may often be difficult to investigate and substantiate/prove. Nevertheless, the Whistleblowing Team will also process anonymous reports.

Untrue Allegations

No disciplinary or other action will be taken against a whistleblower who makes an allegation in the reasonable belief that it is in the public interest to do so or it saves an individual from harm (e.g. in case of discrimination) even if the allegation is not substantiated by an investigation. However, disciplinary action may be taken against a whistleblower who knowingly makes an allegation without reasonable belief that it is in the public interest to do so or saves an individual from harm (e.g. making an allegation frivolously, maliciously or for personal gain).

Procedure for Making an Allegation

The Whistleblowing System is in no way intended to be an exclusive forum. It is preferable for reportable concerns to be made to the Whistleblowing Team via the channels displayed above. Nevertheless, the whistleblower may alternatively make an allegation direct to any of the following: CEO, Board Member, Line Manager, the People Team, Compliance or Trusted Person (NL) or any Supervisory Authority. If there is any more specific reporting procedure in place, the alternative reporting procedure shall be used in any case and the Whistleblowing Process may be used parallelly.

If the Whistleblower has any concern about any matter concerning whistleblowing, they may wish to speak with Protect, an independent whistleblowing charity. Protect can be contacted on tel.: 020 3117 2520 and details are available at: www.pcaw.co.uk. They may also choose to contact a competent Whistleblowing Supervisory Authority (contacts above).

Making a Reportable Concern

Whether a written or oral report is made it is preferred that relevant information is provided as it facilitates examination. This relevant information includes:

  • The name of the person making the allegation and a contact point.
  • The background and history of the allegation (giving relevant dates and names and positions of those who may be able to provide information as part of the investigation).
  • The specific reason for the allegation. Although someone making an allegation will not be expected to prove the truth of any allegations, they will need to provide information to the person they have reported to, to establish that that there are reasonable grounds for the reportable concern.

For the avoidance of doubt, the Whistleblowing team will investigate each report, even if reported anonymously. If information, which is necessary for investigation, is missing, the Whistleblowing Team will request further information, if it there is contact data in the report.
Someone making an allegation may be accompanied by another person of their choosing during any meetings or interviews in connection with the reportable concern. However, if the matter is subsequently dealt with through another procedure the right to be accompanied will at that stage be in accordance with the relevant procedure.

Action on receipt of an Allegation

The Whistleblowing Team will send an acknowledgement of receipt as appropriate for the reporting channel within 7 days upon receipt of the report. The report will be added to the Whistleblowing Register.

The investigator will ask the whistleblower for his/her preferred means of communication and contact details and use these for all communications with the whistleblower in order to preserve confidentiality.
If the reportable concern relates to fraud, potential fraud or other financial irregularity The CFO will be informed within 5 working days of receipt of the allegation. The CFO will determine whether the reportable concern should be investigated and the method of investigation.

If the reportable concern discloses evidence of a criminal offence it will immediately be reported to the Board and a decision will be made as to whether to inform law enforcement. If the reportable concern is regarding suspected harm to children, the appropriate authorities will be informed immediately.


An acknowledgement of the reportable concern will be sent in writing within 7 (seven) working days. The Whistleblowing Team will then add the report to the Whistleblowing register and investigate the issue and will send content-related feedback no later than 3 (three) months upon receipt of the report. Personal data will be retained as described in the Privacy Policy on the last pages of this Whistleblowing Policy.

Where the reportable concern has been made anonymously, Aryza will be unable to communicate what action has been taken.


Aryza guarantees that the Whistleblower will not face any negative consequences from Aryza due to them raising a report in good faith.
Furthermore, Aryza will take steps to minimise any difficulties which may be experienced as a result of making a reportable concern. For instance, if a whistle-blower is required to give evidence in criminal or disciplinary proceedings Aryza will arrange for them to receive advice about the procedure and advise on the support mechanisms that are available.

Aryza accepts that whistleblowers need to be assured that the matter has been properly addressed. Thus, subject to legal constraints, we will inform those making allegations of the outcome of any investigation.

Responsibility for the Procedure

The CEO and Board have overall responsibility for the operation of this Procedure as they are generally responsible for the Business. Nevertheless, the Whistleblowing Reports will be exclusively accessed by the Whistleblowing Team. If it is necessary to reveal personal data in a report to any other individual within Aryza for investigation, the Whistleblowing Team will only do so with the relevant individual´s approval. If the individual chooses not to approve of revealing his personal data necessary for further investigation, the Whistleblowing Team will stop investigating.


A Register will record the following details:

  • The name and status (e.g. employee) of the whistle-blower
  • The date on which the reportable concern was received
  • The nature of the reportable concern
  • Details of the person who received the reportable concern
  • Whether the reportable concern is to be investigated and, if yes, by whom
  • The outcome of the investigation
  • Any other relevant details

The Register will be exclusively accessed by the Whistleblowing Team and only available for inspection by competent authorities.

The Whistleblowing Team will report annually to the Board on the operation of the Procedure and on the reportable concerns made during the period covered by the report. The report will be in a form which does not contain personal data.

The Company will make prompt reports to the FCA about each case that it has contested but lost before an employment tribunal where the claimant successfully based all or part of their claim on either detriment suffered as a
result of making a Protected Disclosure under section 47B ERA 1996 or being unfairly dismissed under section 103A ERA 1996.

Privacy Policy

Aryza GmbH (hereinafter referred to as “Aryza”, “we”) is subject to the duty to inform about the processing of your personal data in accordance with the European General Data Protection Regulation (GDPR).

The purpose of the following information is to give you an overview of what data is being processed, to whom it may be transmitted and for what purposes it is necessary to process it.

You will also be informed about the rights you are entitled to in connection with the processing your personal data.

Should you have any further questions, please do not hesitate to contact us.

1.Who is responsible for processing your personal data within the meaning of the GDPR?
Controller within the meaning of the GDPR is Aryza GmbH; Niederkasseler Lohweg 18, 40547 Düsseldorf, Germany

2.Who is the Data Protection Officer at Aryza?
By ordinary mail: Data protection officer of Aryza Germany,
Aryza GmbH, Niederkasseler Lohweg 18, 40547 Düsseldorf
By email: dataprotection@aryza[dot]com

3.For what purposes and on what legal basis will your personal data be processed?
Your personal data will be processed for the purpose of investigating your Report as further defined in this Whistleblowing Policy. The legal basis for the processing of personal data is to fulfil a legal obligation to which Aryza is subject (Art. 6 para. 1 lit. c GDPR).

4.Who will receive your personal data?
Your personal data will not be passed on to anyone outside the Whistleblowing Team and only be used for the fulfilment of the purpose. If a disclosure to anyone else is required to investigate the case, the Whistleblowing Team will only disclose your personal data with your prior approval or, if you do not want to give such approval, stop working on your report.

5.How long will your personal data be stored?
Your personal data will be stored for as long as it is required to fulfil the above-mentioned purposes. It will be deleted as soon as the purpose of storage no longer applies.
At the end of the Whistleblowing process, the data is deleted 3 years after closure of the case.

6. What are your rights with regard to your personal data (data subjects’ rights)?
If you process personal data, you are a data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis Aryza.

You have a right of access pursuant to Art. 15 GDPR about your personal data processed by us. You should specify your request in order to make it easier for us to compile the necessary data.

If the information concerning you is (no longer) accurate, you can request rectification in accordance with Art. 16 GDPR. If your data is incomplete, you may request that it be completed.

You can request the erasure of your personal data under the conditions of Art. 17 GDPR.

Within the scope of the provisions of Art. 18 GDPR, you have the right to demand that processing of your personal data be restricted.

Pursuant to Art. 21 GDPR, you have the right to object to the processing of your data at any time for reasons arising from your particular situation.

Within the framework of data portability pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you which you have provided to us in a structured, common and machine-readable format.

In order to exercise your rights, please contact the above-mentioned person responsible, as they are responsible for implementing your rights.

7.Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State where you reside, at your place of work or at the place where the infringement is alleged, if you consider that the processing of your personal data is in breach of the GDPR or other relevant data protection provisions. Here the contact data of the Supervisory Authorities of the countries, where Aryza is doing business:

State Commissioner for Data Protection and. Freedom of Information North Rhine-Westphalia Kavalleriestr. 2-4, 40213 Düsseldorf for Aryza GmbH

Office of the Information Commissioner, 6 Earlsfort Terrace, Dublin 2, D02 W773. Phone: +353-1-639 5689, Email: [email protected]

Information Commissioner’s Office (UK), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

The Netherlands
Dutch Personal Data Authority (Autoriteit Persoonsgevens), PO Box 93374 2509 AJ The Hague

Data Protection Office , Address: 5th Floor, Sicom Tower, Wall Street, Ebene Email: [email protected] | [email protected] Website: http://dataprotection.govmu.org, Tel: 4600251 Fax: 4897341

Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec, K1A 1H3

Office of the Australian Information Commissioner, GPO Box 5288 Sydney NSW 2001, Phone: 1300 363 992