Legal · Whistleblowing

Whistleblowing Policy

A framework for reporting potential misconduct, legal violations, or unethical conduct within the Samarkand group — in accordance with the EU Whistleblower Protection Directive (EU 2019/1937) and its Estonian transposition.

Last updated: April 2026 Version: 1.0 Directive: EU 2019/1937

1. Purpose and scope

Samarkand OÜ is committed to operating with integrity and transparency. This policy establishes the framework for reporting concerns about potential misconduct, legal violations, or unethical conduct within the Samarkand group, in accordance with the EU Whistleblower Protection Directive (EU 2019/1937) and its Estonian transposition.

This policy applies to:

  • All employees and contractors of Samarkand OÜ and its portfolio companies
  • External parties who have obtained information in a work-related context: suppliers, partners, clients, consultants, and former employees

2. What can be reported

You may use this channel to report concerns about:

  • Violations of EU law, including but not limited to: financial services regulation, data protection (GDPR), competition law, environmental law, consumer protection, and anti-money laundering obligations
  • Breaches of Samarkand’s internal policies, including this policy, our data protection policy, and our code of conduct
  • Financial misconduct: fraud, falsification of records, misappropriation of assets, corrupt practices, improper payments
  • Cybersecurity incidents that have been improperly handled or concealed
  • Harassment, discrimination, or other workplace conduct violations where systemic concealment is suspected
  • Actions or omissions that endanger health, safety, or the natural environment
Not for routine grievances. This channel is not intended for commercial complaints, employment disputes, or performance-related grievances — these should be addressed through appropriate HR or contractual processes.

3. How to report

3.1 Internal reporting channel

Email: whistleblowing@samarkandindustries.com

Reports are received by a designated responsible person independent of line management. You may report anonymously. Anonymous reports will be investigated to the extent practicable, subject to any limitations on our ability to gather additional information.

3.2 External reporting channel

You have the right to report directly to competent external authorities, including:

  • Estonian Financial Supervision Authority (Finantsinspektsioon): for matters relating to financial regulation
  • Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): for matters relating to data protection
  • Estonian Consumer Protection and Technical Regulatory Authority: for consumer protection matters
  • European Anti-Fraud Office (OLAF): for matters involving fraud affecting EU financial interests
  • You may also report directly to the relevant supervisory authority in any EU member state

You are not required to use internal channels before reporting to external authorities.

4. Protections for reporters

4.1 Confidentiality

The identity of the reporter will not be disclosed to anyone beyond those directly responsible for receiving and investigating the report, except:

  • Where disclosure is required by law or judicial process
  • Where the reporter has given explicit written consent

Reports and all related investigation materials will be handled with strict confidentiality.

4.2 Protection from retaliation

Samarkand OÜ prohibits any form of retaliation against anyone who makes a good-faith report under this policy, including:

  • Dismissal or threat of dismissal
  • Demotion, salary reduction, or change of role
  • Harassment, intimidation, or exclusion
  • Negative performance evaluations or references
  • Disciplinary action

Any person found to have retaliated against a reporter will be subject to disciplinary action up to and including termination.

4.3 Good faith requirement

Protection under this policy applies to reports made in good faith — that is, where the reporter reasonably believed the information to be true at the time of reporting, even if the report is ultimately not substantiated. Protection does not extend to knowingly false or malicious reports.

5. Investigation process

Upon receipt of a report:

  1. Acknowledgement: The reporter will receive acknowledgement within 7 days (where contact details have been provided)
  2. Initial assessment: Within 14 days, an initial assessment will be made as to whether the report falls within scope and warrants investigation
  3. Investigation: A proportionate investigation will be conducted by a designated person independent of the subject of the report. Where internal independence cannot be ensured, an external investigator will be appointed.
  4. Outcome: The reporter will be informed of the outcome within 3 months of acknowledgement, subject to confidentiality constraints and the complexity of the investigation
  5. Documentation: All reports and investigation steps are documented and retained for 5 years

6. Confidential treatment of reports

All reports, investigation materials, and outcomes are treated as strictly confidential. Access is limited to:

  • The designated receiving officer
  • The investigator(s)
  • Legal counsel where necessary
  • Senior management where escalation is required

Records are stored securely and are not accessible to individuals who are the subject of a report.

7. Feedback and review

This policy is reviewed annually. Samarkand OÜ will report on the number and nature of reports received, in aggregated and anonymised form, as part of its internal governance review.

8. Contact

Whistleblowing channel:
whistleblowing@samarkandindustries.com

This inbox is monitored by the designated responsible person and is not accessible to general management.

For questions about this policy (not for submitting reports):
legal@samarkandindustries.com

Samarkand OÜ
[Address], Tallinn, Estonia