Logo blanco del Museo del Jamón sobre fondo transparente.

Ethical channel

Access the channel

MUSEO DEL JAMÓN GROUP

Internal Policy on the Whistleblower Channel

Law 2/2023, dated February 20, regulating the protection of persons who report regulatory violations and the fight against corruption (hereinafter, Law 2/2023) transposes into Spanish law Directive 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons reporting on breaches of Union law.

This policy applies to all companies within the Museo del Jamón Group*, and aims to establish an internal channel for reporting potential regulatory violations, breaches of internal and/or ethical policies, and to establish a whistleblower protection regime, in compliance with Law 2/2023 of February 20, regulating the protection of persons reporting regulatory violations and the fight against corruption.

Law 2/2023 explains and clarifies in its preamble, Part III, that its purpose is to protect, against possible retaliation, individuals who, in a work or professional context, detect serious or very serious criminal or administrative violations and report them through the mechanisms regulated in this policy.

This Channel, therefore, is a mechanism that allows company employees and other stakeholders to report any type of conduct that is illegal or contrary to our values and ethical principles, without fear of retaliation, thereby strengthening the culture of transparency, organizational integrity frameworks, and the promotion of a culture of reporting or communication as a mechanism to prevent and detect threats to the public interest. In this way, we seek to promote a culture of transparency, integrity, and accountability within our organization, while protecting those employees who decide to make a report in good faith.

*Companies of the Museo del Jamón Group:

  • Piornalego S.L., with Tax ID B82483033, located at Avda de Córdoba 7, 28026, Madrid. Phone: 915003334.
  • Unifamu S.A., with Tax ID: A78076874, located at Calle Victoria 1, 28012, Madrid. Phone: 915315721.
  • Prohermu S.A., with Tax ID: A80952849, located at Calle Postas 8, 28012 – Madrid. Phone: 915314550 / 915312367.
  • Pilarmayse S.A., Tax ID No.: A82097270, located at Calle General Yagüe 5, 28017 – Madrid. Phone: 915553667 / 915552794.
  • Muñysan S.L., Tax ID: B83085696, located at Plaza Mayor 18, 28012 – Madrid. Phone: 915422632 / 917557666.
  • Francisco Muñoz Heras, Tax ID: 02051692T, located at Paseo del Prado 44, 28014 – Madrid. Phone: 914202414.
  • P. de Muñoz y Sanchez S.L., Tax ID: B09939356, located at Gran Vía 72, 28013 – Madrid. Phone: 915463630.
  • MARCELO MUÑOZ E HIJOS, S.A., Tax ID No. A28236792, located at Avda. de Córdoba No. 7, 28026 – Madrid. Phone: (+34) 91 500 36 26.
  • CUHERUN SL, with Tax ID B82152497, located at Calle Antonio López, 200, 28026, Madrid. Phone: 915210346.

The entity has established a whistleblower channel (hereinafter, the CII) as the preferred means for receiving information regarding acts or omissions that may constitute a criminal offense or a serious or very serious administrative violation, as well as other actions provided for in Article 2 of Law 2/2023.

The channel is administered by the Head of the Internal Channel System (hereinafter, the RSII). Access to this channel shall be limited, within the scope of their powers and duties, to:
a. The Head of the Internal Channel System.
b. The administrator(s) delegated by the Head of the System.
c. The managers designated to handle specific communications according to the relevant scope.

The functions of these bodies, as applicable, shall be:

  • Receiving, recording, and managing reports received through the whistleblower channel.
  • Appointing the individual or team responsible for investigating the reports received.
  • Ensuring the protection of whistleblowers and the confidentiality of the reports received.
  • Assessing the accuracy and credibility of the reports received.
  • Making decisions regarding appropriate measures based on the results of the investigation.
  • Monitoring and periodically reviewing the communications management process and the company’s internal policy.
  • Preparing reports and recommendations for senior management regarding the reports received and the measures taken.

The CII must ensure the confidentiality—or, if necessary, the anonymity—of the whistleblower to protect them from any leaks and subsequent retaliation they may face.

Individuals who have an employment or professional relationship with the AEPD may use the internal reporting channel and benefit from the protection afforded by Law 2/2023 as whistleblowers to report information regarding the acts or omissions described in Article 2 of Law 2/2023. This employment or professional relationship entails a dependency on the Independent Whistleblower Protection Authority (AAI), which makes special protection against possible retaliation necessary and appropriate.

In any case, for the purposes of Law 2/2023, the following are considered whistleblowers by this AAI:

  • Individuals who are employees or workers employed by others.
    Freelancers.
  • Shareholders, partners, and members of the company’s administrative, management, or supervisory bodies, including non-executive members.
  • Any person working for or under the supervision and direction of contractors, subcontractors, and suppliers.
  • Whistleblowers who publicly report or disclose information regarding violations obtained in the context of an employment or statutory relationship that has already ended, volunteers, interns, and trainees—regardless of whether they receive compensation—as well as those whose employment relationship has not yet begun, in cases where the information regarding violations was obtained during the selection process or pre-contractual negotiations.

It is important to note that reports made through the whistleblower channel must be made in good faith; that is, they must be supported by evidence and concrete facts.

Regarding the subject matter of the report, Law 2/2023 provides that the internal reporting channel may be used to report serious misconduct or alleged corruption that may constitute serious or very serious criminal or administrative offenses related to the entity’s activities, which the whistleblower has observed or about which they have received information in the course of their work or professional relationship.

Law 2/2023 itself and Directive (EU) 2019/1937 list as such the information relating to:

1. Offenses falling within the scope of application of the European Union acts listed in the annex to the aforementioned Directive concerning the following areas:

a. public procurement,
b. financial services, products, and markets, and the prevention of money laundering and terrorist financing,
c. product safety and conformity,
d. transport safety,
e. environmental protection,
f. radiation protection and nuclear safety,
g. food and feed safety, animal health, and animal welfare,
h. public health,
i. consumer protection,
j. protection of privacy and personal data, and security of networks and information systems

2. That affect the financial interests of the European Union as provided for in Article 325 of the Treaty on the Functioning of the European Union (TFEU).

3. That affect the internal market, as referred to in Article 26(2) of the TFEU, including infringements of European Union rules on competition and state aid, as well as infringements relating to the internal market concerning acts that violate corporate tax rules or practices intended to obtain a tax advantage that undermines the object or purpose of the legislation applicable to corporate tax.

4. Acts or omissions that may constitute a serious or very serious criminal or administrative offense. In any case, this shall be understood to include all serious or very serious criminal or administrative offenses that result in financial loss to the Treasury or the Social Security system.

5. Violations of labor law regarding occupational safety and health reported by workers, without prejudice to the provisions of the relevant specific regulations.

The whistleblower must provide, at a minimum, the nature of the violation (subject matter or regulations violated: European Union law; criminal offense; or administrative violation); and a description of the facts being reported (relevant information about what occurred), in as much detail as possible, attaching any documentation they may have, if applicable.

Similarly, they may provide their first and last names and a contact phone number, if they choose not to make this report anonymously.

If they know the identity of the person responsible for the reported irregularity, or if they have already reported these facts to another body or entity through an external channel, they may also provide this information.

Information may be reported to the entity anonymously. Otherwise, the identity of the whistleblower will be kept confidential and will be known only to the RSII, the chief executive officers, or the appointed managers.

These members will perform their duties independently and autonomously from the entity’s other bodies and may not receive instructions of any kind in the performance of their duties, having at their disposal all the necessary personnel and resources to carry them out.

The company undertakes to investigate all reports of potential violations or breaches received through the internal reporting system. All reports will be investigated impartially and confidentially, and appropriate measures will be taken based on the results of the investigation to protect the whistleblower.

Information or reports shall be submitted through the internal reporting system using the specific electronic application provided for this purpose, which is identified and accessible on the website: https://www.museodeljamon.com/

At the whistleblower’s request, the report may also be submitted in person at a meeting to be held within a maximum of seven days. If applicable, the whistleblower will be notified that the meeting will be recorded and will be informed of how their data will be processed in accordance with the provisions of the GDPR and the LOPDPGDD.

When submitting the information, the whistleblower must provide an address, email address, or secure location for the purpose of receiving notifications, unless they expressly waive the right to receive any communication regarding actions taken by the RSII as a result of the information.

Once the information has been submitted, it will be entered into the information management system by assigning an identification code. This information will be stored in a secure database with access restricted exclusively to duly authorized RSII personnel, and all received communications will be recorded with the following details:

a. Date of receipt.
b. Identification code.
c. Actions taken.
d. Measures adopted.
e. Date of closure.

Upon receipt of the information, within a period not exceeding 7 calendar days from such receipt, an acknowledgment of receipt will be sent to the informant, unless the informant has expressly waived the right to receive communications regarding the investigation. These communications will be processed within a maximum period of 3 months, except in cases of particular complexity that require an extension of the deadline, in which case the deadline may be extended for up to an additional 3 months.

Once the information has been recorded, the RSII and its team will proceed to analyze its admissibility in accordance with the material and personal scope set forth in Articles 2 and 3 of Law 2/2023.

The company undertakes to inform the whistleblower of the status of the investigation and the measures taken, whenever possible and without compromising the confidentiality and protection of the whistleblower, and may request additional information regarding the facts reported through the channel.

In addition, the company undertakes to follow up on all reports received and the measures taken to ensure the effectiveness of this policy and to continuously improve the process.

Any information indicating that the facts may constitute a crime will be immediately forwarded to the Public Prosecutor’s Office. If the facts affect the financial interests of the European Union, the matter will be referred to the European Public Prosecutor’s Office.

The company is committed to protecting individuals who report violations or non-compliance, in accordance with Law 2/2023.

A. Acts Constituting Retaliation.

Acts constituting retaliation are expressly prohibited, including threats of retaliation and attempts at retaliation against individuals who file a report in accordance with the provisions of the law.

Retaliation is understood to mean any act or omission that is prohibited by law, or that, directly or indirectly, constitutes unfavorable treatment that places those who suffer it at a particular disadvantage compared to others in the workplace or professional context, solely because of their status as whistleblowers or because they have made a public disclosure.

For the purposes of Law 2/2023, and by way of example, the following are considered acts of retaliation:

a. Suspension of the employment contract, dismissal, or termination of the employment or statutory relationship, including the non-renewal or early termination of a temporary employment contract after the probationary period has been completed, or early termination or cancellation of contracts for goods or services, the imposition of any disciplinary measure, demotion or denial of promotions, and any other substantial modification of working conditions, as well as the failure to convert a temporary employment contract into a permanent one, in the event that the worker had legitimate expectations that they would be offered permanent employment; unless such measures are taken in the regular exercise of managerial authority under labor law or the relevant regulations governing the status of public employees, due to proven circumstances, facts, or violations, and unrelated to the submission of the notice.

b. Damages, including reputational harm, or financial losses, coercion, intimidation, harassment, or ostracism.

c. Negative evaluations or references regarding work or professional performance.

d. Blacklisting or the dissemination of information within a specific sector that hinders or prevents access to employment or the awarding of contracts for works or services.

e. Denial or revocation of a license or permit.

f. Denial of training.

g. Discrimination, or unfavorable or unfair treatment.

Any person whose rights have been infringed upon as a result of a communication or disclosure, once the two-year period has elapsed, may request protection from the competent authority, which, in exceptional and duly justified cases, may extend the period of protection, after hearing the persons or bodies that may be affected. Any refusal to extend the period of protection must be supported by reasons.

Administrative acts intended to prevent or hinder the submission of communications and disclosures, as well as those constituting retaliation or causing discrimination following the submission of such communications and disclosures under this law, shall be null and void and shall give rise, where appropriate, to disciplinary or liability measures, which may include the corresponding compensation for damages to the aggrieved party.

B. Measures to Protect Whistleblowers from Retaliation

Persons who report information regarding the acts or omissions described in Section FOUR, or who make a public disclosure in accordance with Law 2/2023, shall not be deemed to have violated any restriction on the disclosure of information and shall not incur any liability whatsoever in connection with such report or public disclosure, provided they had reasonable grounds to believe that the communication or public disclosure of such information was necessary to reveal an act or omission under said law, all without prejudice to the provisions of the specific protection rules applicable in the workplace. This measure shall not affect criminal liabilities.

The provisions of the preceding paragraph extend to the communication of information by employee representatives, even if they are subject to legal obligations of confidentiality or non-disclosure of confidential information. All of this is without prejudice, likewise, to the specific protection rules applicable in the labor sphere.

Whistleblower protection measures shall also apply, where appropriate, to:

a. individuals who assist the whistleblower in the process;
b. individuals who are related to the whistleblower and who may be subject to retaliation, such as the whistleblower’s coworkers or family members;
c. legal entities for which the whistleblower works, with which they have any other type of relationship in a work context, or in which they hold a significant stake.

For these purposes, a stake in the capital or in the voting rights corresponding to shares or equity interests is considered significant when, due to its proportion, it allows the person holding it to exert influence over the legal entity in which the stake is held.

Whistleblowers shall not incur liability with respect to the acquisition of or access to information that is publicly communicated or disclosed, provided that such acquisition or access does not constitute a crime.

Any other potential liability of whistleblowers arising from acts or omissions that are not related to the report or public disclosure, or that are not necessary to disclose a violation under Law 2/2023, shall be enforceable in accordance with applicable regulations.

In proceedings before a court or other authority concerning harm suffered by whistleblowers, once the whistleblower has reasonably demonstrated that they have reported or made a public disclosure in accordance with Law 2/2023 and that they have suffered harm, it shall be presumed that the harm occurred as retaliation for reporting or making a public disclosure.

In such cases, the person who took the prejudicial measure shall bear the burden of proving that the measure was based on duly justified grounds unrelated to the report or public disclosure.

In legal proceedings, including those relating to defamation, copyright infringement, breach of confidentiality, violation of data protection regulations, disclosure of trade secrets, or claims for compensation based on labor or statutory law, whistleblowers shall not incur any liability whatsoever as a result of communications or public disclosures protected by Law 2/2023.

Such persons shall have the right to assert in their defense, within the framework of the aforementioned legal proceedings, that they communicated or made a public disclosure, provided they had reasonable grounds to believe that the communication or public disclosure was necessary to bring to light a violation under Law 2/2023.

The following persons are expressly excluded from the protection provided by the law those who communicate or disclose:

1. Information contained in communications that have been rejected by an internal reporting channel or for any of the reasons provided for by law.
2. Information related to complaints about interpersonal conflicts or that affect only the whistleblower and the individuals referred to in the communication or disclosure.
3. Information that is already fully available to the public or that constitutes mere rumors.
4. Information referring to actions or omissions not covered by the scope of the law.

C. Measures for the Protection of Affected Individuals

During the proceedings, individuals affected by the report shall have the right to the presumption of innocence, the right to a defense, and the right to access the case file in accordance with the provisions of Law 2/2023, as well as the same protections established for whistleblowers, including the preservation of their identity and the guarantee of confidentiality regarding the facts and information of the proceedings.

The Independent Whistleblower Protection Authority (A.A.I.) may, within the framework of the disciplinary proceedings it conducts, adopt provisional measures in accordance with the terms established in Article 56 of Law 39/2015 of October 1 on the Common Administrative Procedure of Public Administrations.

D. Circumstances Warranting Exemption from or Mitigation of the Penalty

When a person who participated in the commission of the administrative violation that is the subject of the report is the one who reports its existence by submitting the information, and provided that such information was submitted prior to notification of the initiation of the investigative or disciplinary proceedings, the body competent to resolve the proceedings may, by means of a reasoned decision, exempt that person from the applicable administrative penalty, provided that the following facts are established in the record:

a. To have ceased committing the violation at the time of filing the report or disclosure and, where applicable, to have identified all other persons who participated in or facilitated the violation.
b. To have cooperated fully, continuously, and diligently throughout the entire investigation process.
c. Have provided truthful and relevant information, evidence, or significant data to substantiate the facts under investigation, without destroying or concealing such information or data, nor having disclosed its content to third parties, either directly or indirectly.
d. Have taken steps to remedy the damage caused that is attributable to the party.

When these requirements are not fully met, including partial reparation of the damage, the competent authority may, at its discretion and after assessing the extent to which the individual contributed to the resolution of the case, reduce the penalty that would otherwise have been imposed for the violation committed, provided that the informant or the person who made the disclosure has not previously been penalized for acts of the same nature that gave rise to the initiation of the proceedings.

The reduction of the penalty may be extended to the other participants in the commission of the violation, depending on the degree of active cooperation in clarifying the facts, identifying other participants, and repairing or mitigating the damage caused, as assessed by the body responsible for the resolution.

Law 2/2023 excludes from the provisions of this section the violations established in Law 15/2007 of July 3 on the Defense of Competition.

The processing of personal data will be carried out in compliance with Law 2/2023 of February 20, regulating the protection of persons reporting regulatory violations and combating corruption, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, Organic Law 3/2018 of December 5 on the Protection of Personal Data and the Guarantee of Digital Rights, and Organic Law 7/2021 of May 26 on the protection of personal data processed for the purposes of preventing, detecting, investigating, and prosecuting criminal offenses and enforcing criminal sanctions.

The personal data being processed, the documents provided, and any other information contained in the communication that includes personal information will be treated confidentially by the channel’s administrators, as well as by its managers and any other personnel involved, for the purpose of fulfilling the obligation to investigate and manage the report submitted, as well as to comply with the legal obligations established in Law 2/2023 of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption. The internal reporting system must prevent unauthorized access, preserve the identity, and ensure the confidentiality of data pertaining to the individuals concerned and any third parties mentioned in the information provided, particularly the identity of the whistleblower if they have been identified. The identity of the whistleblower may only be disclosed to the judicial authority, the Public Prosecutor’s Office, or the competent administrative authority in the context of a criminal, disciplinary, or sanctioning investigation, and such cases shall be subject to the safeguards established in applicable regulations.

If the information received contains special categories of personal data subject to special protection, it will be immediately deleted, unless the processing is necessary for reasons of substantial public interest in accordance with Article 9(2)(g) of the GDPR, as provided for in Article 30(5) of Law 2/2023.

In any case, personal data whose relevance to processing specific information is not evident will not be collected; if collected accidentally, it will be deleted without undue delay.

Communications that have not been acted upon may only be retained in anonymized form, and the blocking obligation provided for in Article 32 of the LOPDPGDD shall not apply.

Access to personal data contained in the internal information system shall be limited to:

a. The Head of the Channel’s Internal System.
b. The administrator(s) designated by the Head of the System.
c. The managers designated to handle specific communications according to the relevant area.
d. The data may be disclosed to the Legal Department, attorneys, judicial bodies, and law enforcement agencies in the event that any of the information received could be considered a crime or legal violation of any kind.

Legal basis for processing: The processing of personal data, in cases of internal communication, shall be deemed lawful pursuant to the provisions of Article 6(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, Article 8 of Organic Law 3/2018 of December 5, and Article 11 of Organic Law 7/2021 of May 26, when, in accordance with the provisions of Articles 10 and 13 of the law, it is mandatory to have an internal information system. If it is not mandatory, the processing shall be presumed to be covered by Article 6(1)(e) of the aforementioned Regulation. The processing of personal data in cases involving external communication channels shall be deemed lawful pursuant to the provisions of Article 6.1.c) of Regulation (EU) 2016/679, Article 8 of Organic Law 3/2018, of December 5, and Article 11 of Organic Law 7/2021 of May 26.

Data subject rights: access, rectification, erasure, restriction, portability, and objection, free of charge, by emailing direccionrrhh@museodeljamon.com in the cases provided for by law.

Retention: The data will be retained for the period established by law for the processing of the case and for as long as necessary to pursue legal action or, if necessary, to provide evidence of the channel’s management. The data subject also has the right to file a complaint with the AEPD at www.aepd.es to request the protection of their rights.

The company will conduct regular training sessions and awareness campaigns to foster a culture of integrity and transparency, and to inform employees and other stakeholders about the internal reporting system.

It will also provide information on the rights and protections afforded to whistleblowers under Law 2/2023.

The company undertakes to communicate this policy to all employees and stakeholders, and will update this internal channel policy at least every three years and, where appropriate, amend it, taking into account the experience gained and the recommendations of the Competent Authority (AAI).

Madrid, April 9, 2026

Logotipo del Museo del Jamón con letras rojas
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.