Speak-Up Channel Policy
Table of Contents
1. Introduction
1.1. Introduction
1.2. Aim of the Policy
2. Policy Scope and Coverage
2.1. Stakeholders Covered
2.2. Types of Reportable Concerns
2.3. Subjects of Report
3. Speak-Up Procedure
3.1. Reporting Methods
3.2. Acknowledgment and Initial Review
3.3. Investigation Process
3.4. Rights of Subject of Investigation
3.5. Findings and Decision
3.6. Outcome Communication
3.7. Record Keeping
4. Reporter Protection
4.1. Confidentiality
4.2. Protection from Retaliation and Harassment
4.3. Actions for Individuals Engaging in Victimization
5. Disciplinary Actions for Policy Violations
5.1. Disciplinary Actions for Breaches
5.2. Actions Against Bad Faith Reports
5.3. Company’s Follow-up actions
6. Data Protection and Privacy
7. Contact Information
8. Version History
1. Introduction
1.1. Introduction
Celltrion (hereinafter "Company" or "We") is committed to conducting its operations ethically, honestly, and in full compliance with applicable laws and regulations. This commitment underpins every decision made across our global operations. All stakeholders—including employees, directors, officers, affected communities, contractors, and subcontractors (hereinafter “you”)—are required to uphold high standards of conduct and report any activities that violate these principles.
The Global Speak-Up Channel Policy (“this Policy”) applies to all Company stakeholders, promoting transparency and accountability throughout our supply chain. We are committed to fostering a culture where concerns related to ethics, business integrity, the environment, and human rights and labor practices can be reported without fear of retaliation.
This Policy outlines the roles and responsibilities of all parties involved in the Speak-Up process, detailing the procedures for reporting concerns, conducting investigations, and implementing follow-up actions as necessary.
This Policy must be read in conjunction with the Company’s dedicated Privacy Notice for the Speak Up Channel (as required under Articles 13 and 14 of the GDPR), the Company’s Record of Processing Activities for the whistleblowing scheme (Article 30 GDPR), and the Data Protection Impact Assessment (DPIA/AIPD) carried out for this mandatory high risk processing, as well as the Data Protection Policy and the Data Retention and Erasure Policy.
1.2. Aim of the Policy
To encourage you to trust the Company and confidently raise concerns when wrongdoing has occurred or is suspected;
To provide avenues for you to raise concerns in confidence and receive feedback on any action taken;
To ensure that you receive a response to your concerns;
To reassure you that you will be protected from possible retaliation or victimization if you have a reasonable belief that you have made any report which is in the public interest; and
To ensure that all personal data processed in the context of this Speak-Up Channel is handled in compliance with applicable data protection regulations, in particular GDPR and the CNIL Framework on Professional Whistleblowing Schemes (“DAP” of July 2023).
2. Policy Scope and Coverage
2.1. Stakeholders Covered
The Speak-Up Channel is accessible to all stakeholders, including current, former, or prospective employees (once the process of establishing an employment relationship has begun), trainees, job applicants, volunteers, and contracting parties (e.g., direct and indirect suppliers, contractors, subcontractors, sole traders) at any stage of the relationship—during contracting, throughout the contract, and after termination. In addition, local residents and civil society organizations may also report concerns.
In all events, any of you who raise concerns (“Report”) through the various channels defined under Article 3. of the Speak-Up Procedure shall hereinafter be referred to as “Reporters”.
2.2. Types of Reportable Concerns:
All concerns, whether known or suspected, that fall within the following categories may be reported. Reporters are reminded that the information shared should remain factual and directly linked to the subject of the report, in accordance with data minimisation requirements (GDPR §22).
Ethics and Business Integrity
- Accounting irregularities and financial reporting violations
- Bribery and kickbacks
- Conflicts of interest
- Fraud and dishonest conduct
- Improper disclosure of trade secrets
- Insider trading violations
- Unfair business practices with customers, suppliers, or competitors
- Misuse of company assets
Environment
- Destruction of natural habitats and ecosystems
- Environmental and safety violations
- Greenwashing behavior
- Hazardous waste mishandling
Human Rights and Labor
- Child labor
- Discrimination and harassment
- Drug and alcohol abuse
- Forced labor and human trafficking
- Labor rights and working condition violations
- Threats or violence
This list is not exhaustive and includes any conduct that violates applicable laws, regulations, ethical standards, or the Code of Conduct, regarding ethical business practices, environmental sustainability, and human rights.
This Policy covers the Company’s operations, its subsidiaries, business partners throughout the supply chain, and any potential impacts on communities where the Company conducts business.
2.3. Subjects of Report
Reports can concern the Company’s own operations, the operations of its subsidiaries, or the operations of its business partners within the company’s supply chain.
3. Speak-Up Procedure
3.1. Reporting Methods
You can report concerns confidently through the Speak-Up Channel.
The Speak-Up Channel (see Article 7: Contact Information) is accessible 24/7 and offers multilingual support, making it convenient for users worldwide. It also allows for anonymous reporting, where permissible under applicable laws, providing an additional layer of confidentiality for those hesitant to disclose their identity.
The Speak-Up Channel provides a direct and reliable means to communicate concerns to the appropriate department (i.e., Global Compliance Team), ensuring that your Report is reviewed and addressed promptly and thoroughly.
If you are an employee and have concerns to raise, you are encouraged to use the Company’s Speak-Up Channel as the primary reporting mechanism.
3.2. Acknowledgment and Initial Review
Upon receiving a Report, the Company will acknowledge receipt to the Reporters and conduct an initial review. A dedicated investigation team (the “Investigation Team”) will be responsible for conducting the initial review. The Team will include members from the Global Compliance Team, relevant subject matter specialists, or external experts as needed.
During the initial review phase, a plausibility check is conducted to assess the Report’s authenticity and determine whether sufficient evidence exists to indicate a potential or actual breach. Reports with substantiating evidence will proceed to an investigation.
The Company will notify the Reporter (if their identity is known) within 7 days of receipt regarding the result of the plausibility check: whether an investigation will be initiated, the Report will be declined, or the matter will be referred to an appropriate body.
The Reporter shall be informed of the receipt of the report and, during the investigation phase, of the measures envisaged or taken to assess the accuracy of the allegations, as well as the actions decided or implemented to address the subject matter of the report, in accordance with the updated CNIL Framework (July 2023).
Reports may be closed without proceeding to the investigation stage under the following circumstances:
The subject matter falls outside the scope of human rights, labor, social, ethical, or environmental violations (in which case it may be referred to another relevant division);
There is insufficient evidence to establish a factual basis; or
The information provided is overly general or unclear (additional clarification may be requested).
If a report submitted in good faith falls outside the scope of the Speak Up Channel, the Company shall: (i) ensure that the Reporter benefits from the same level of protection against retaliation and the same level of identity confidentiality as under the general whistleblowing framework; and (ii) inform the Reporter that their report cannot be processed under the whistleblowing scheme and will therefore be deleted (or anonymised) from the system in accordance with the applicable data protection rules. This deletion (or anonymisation) obligation forms part of this Policy.
3.3. Investigation Process
When a Report passes the plausibility check during the initial review, the investigation will be initiated based on its content. The Investigation Team will primarily conduct the investigation.
During the investigation, the Reporter may be asked to provide additional supporting information and has the right to complete or correct information in good faith. The Investigation Team may conduct interviews and gather information from witnesses with knowledge of reported events.
The investigation must be completed within 30 days from the date of acknowledgment. If unavoidable circumstances arise, the investigation period may be extended by up to 3 months. In such cases, the Reporter (if applicable) will be informed of the reasons for the extension and the expected completion date.
The CCO holds authority over the investigation process, ensuring impartiality and procedural integrity throughout. The CCO may also engage external experts as needed to support and supplement the investigation.
The Company reserves the right to take protective measures against knowingly false Reports.
Access to personal data processed within the Speak-Up Channel is strictly limited to authorised individuals based on their role and in accordance with the need-to-know principle. Access rights are formally documented, and all access to such personal data is logged to ensure traceability. These operational requirements are referenced in the relevant Policy and/or associated Privacy Notice.
During the investigation phase, the Investigation Team shall collect and retain only personal data that is relevant and necessary for the purposes of the investigation. The categories of data that may typically be retained include:
the reported facts;
the identity, role, and contact details of the Reporter (if identified);
the subject of the investigation;
witnesses and persons consulted;
evidence gathered;
records of verification activities; and
follow-up actions taken.
Any data that is not necessary for the investigation must not be collected or, if collected inadvertently, must be promptly deleted.
3.4. Rights of Subject of Investigation
The subject of the investigation shall be presumed innocent until proven guilty and will be protected by confidentiality measures throughout the process. They are entitled to present their defense, which includes providing their account of events, submitting evidence that proves their innocence, and presenting relevant arguments.
All investigations must be conducted objectively, based solely on facts, and free from presumption of guilt. Information regarding the Report and the subject’s identity will be handled discreetly and shared only with the necessary participants in the investigation.
The subject of the investigation is a data subject whose personal data is being processed. The Company will inform the subject of the existence of a report against them, unless such notification would compromise the investigation. In cases where notification is deferred, the Company will document and justify the reasons for deferral. The subject’s rights under GDPR Articles 15-18 (access, rectification, restriction) are recognized and addressed in the Company’s Privacy Notice, subject to any applicable limitations under whistleblowing law.
The identity of the Reporter will never be disclosed to the subject of the investigation without the Reporter’s explicit consent, except where disclosure is required by judicial authorities in accordance with applicable law.
3.5. Findings and Decision
The investigation is completed once it has been verified whether or not the reported information is true. If at least one reported fact is verified as accurate, the information will be deemed ‘true’; if none are correct, it will be deemed ‘false’. Once the independent and objective investigation of the alleged facts has concluded, not exceeding 30 days, the Investigation Team will formally communicate the proposed resolution or corrective action to the Reporter (if they are not anonymous) and will engage in a discussion with them. The Reporter will be informed of the investigation methodology followed, and all communications will be formally recorded.
3.6. Outcome Communication
Specific Communication
The Reporter will be informed of the Report’s outcome through a written determination notice, sent via an appropriate communication channel, after the investigation procedure is concluded. The Reporter retains the right to request additional follow-up measures if they find the outcome unsatisfactory.
Public Disclosure
Through its official communication channels, the Company may periodically disclose statistical data on received Reports, as well as updates on Reports submitted through the Speak-Up Channel that materially impact the Company’s reputation or present significant financial implications, including their investigation status and relevant outcomes.
The CNIL now recommends that data controllers regularly report on the use of the Speak Up Channel (e.g., number of reports received, number investigated, and outcomes). Any such public reporting must rely exclusively on strictly anonymised and aggregated statistics that cannot, directly or indirectly, identify any Reporter or any individual concerned by a report. Given the size of the organisation, a re-identification risk assessment must be conducted prior to any publication. This anonymisation requirement forms an integral part of this Policy.
3.7. Record Keeping
The Global Compliance Team will document and retain all information received through the Speak-Up Channel and subsequent investigation records for a maximum period of 5 years from the date of closure of the case, unless a longer retention period is required by applicable law or ongoing litigation. Proper documentation and management of reported information ensures that investigation procedures are conducted fairly and consistently. This information will serve as valuable reference material for improving response measures to similar incidents in the future.
The following data will be recorded and managed:
Reporter Information: Name/Contact Details of the Reporter (only where voluntarily provided and to the extent necessary for the investigation)
Date Received: The date when the initial Report was received
Case Details: A description of the issue or concern reported
Actions Taken: Details of the investigation and response measures implemented in relation to the Report
Closure Date: The date when the case was closed
Communication with the Reporter: Confirmation of whether the results were communicated to the Reporter
Once the decision on follow up has been made, only the data strictly necessary for the following purposes may be retained: (i) protecting stakeholders from the risk of retaliation; (ii) defending rights in court; and (iii) conducting internal or external compliance audits. The Company shall ensure that retention arrangements prevent any misuse of stored data.
The flat 5 year retention period must be refined to distinguish between: (a) active case data; (b) post closure archiving; and (c) anonymised statistical records. The starting point for all retention periods shall be the date of case closure, not the date of receipt.
The Speak Up Channel constitutes a distinct processing activity and must be recorded in the Company’s Record of Processing Activities (ROPA). In accordance with the CNIL Framework (§11), the Data Protection Officer (DPO) must be consulted on any significant changes to this processing activity. The ROPA entry must document the processing purposes, categories of data and data subjects, recipients, data transfers, retention periods, and applicable security measures.
4. Reporter Protection
4.1. Confidentiality
The Company will handle all Reports of suspected misconduct with strict confidentiality and protect the privacy of Reporters. "Confidential" means that a Reporter’s identity will only be shared with authorized personnel who require access to effectively conduct investigations and implement necessary follow-up actions (including disciplinary measures where warranted). Please note that a Reporter may be required to participate as a witness during the investigation process.
When reporting a concern, the Reporter should only provide information directly relevant to the matter at hand and refrain from sharing unrelated personal information. Any personal information disclosed during the reporting process will be handled with strict confidentiality.
While anonymous reporting is permitted and respected, the Company recognizes that it may present challenges in thoroughly investigating the facts and resolving the concern due to difficulty in obtaining specific details and/or answers to follow up questions.
Regardless of how a Report is made, the Company encourages you to share all the information you have concerning the suspected wrongdoing. Providing sufficient details will help the Company in conducting a thorough and effective investigation.
All Reports, whether anonymous or identified, will be handled with strict confidentiality, and appropriate measures will be taken to protect the Reporter from any form of retaliation.
The processing of personal data in the context of the Speak Up Channel is carried out in full compliance with the General Data Protection Regulation (GDPR) and the French Data Protection Act. The applicable legal basis for processing personal data under Article 6 GDPR is:
compliance with a legal obligation (Article 6(1)(c) GDPR), where the whistleblowing scheme (DAP) is mandated by law (e.g., the Sapin 2 Act, EU Directive 2019/1937, or the French Duty of Vigilance Act); or
the legitimate interests pursued by the Company (Article 6(1)(f) GDPR), where the Speak Up Channel is implemented voluntarily.
Where special categories of personal data within the meaning of Article 9 GDPR (such as data relating to health, ethnicity, trade union membership, or sexual orientation) are included in a report — for example in cases of harassment or discrimination — the applicable derogation shall be identified as either Article 9(2)(g) GDPR (processing necessary for reasons of substantial public interest) or Article 9(2)(f) GDPR (processing necessary for the establishment, exercise, or defence of legal claims).
Where criminal offence data is processed in connection with a report, the Company shall ensure compliance with Article 10 GDPR and Article 46 of the French Data Protection Act, including referencing the relevant French statutory authorisation applicable to such processing.
All of the above elements — including the legal basis, applicable derogations, categories of data, purposes, recipients, transfers, and retention periods — are documented in the Company’s dedicated Privacy Notice for the Speak Up Channel.
The Reporter’s identity must be treated confidentially by all persons managing the alerts. The only exception to disclosure of the Reporter's identity is communication to judicial authorities where the persons responsible for processing are legally required to report the facts. This constraint applies even when the report is transferred within a group of companies: the Company may not transfer the alert to another group entity without the Reporter's consent (CNIL Framework §57). The Policy should state this intra-group restriction explicitly.
4.2. Protection from Retaliation and Harassment
While the Company acknowledges that reporting illegal activities requires careful consideration from stakeholders, such prompt reporting serves to protect all stakeholders, including the Company and its business partners, from potential unlawful conduct.
The Company is committed to implementing appropriate protective measures for Reporters who make Reports in good faith and in the public interest.
The retaliation measures against a Reporter may include, but are not limited to, the following:
Suspension, lay-off, dismissal, or equivalent actions
Demotion or withholding of promotions
Discrimination, disadvantageous or unfair treatment
Harm to reputation or financial loss
Blacklisting that affects future employment
The Company maintains a zero-tolerance policy regarding any such form of retaliation, harassment, or disadvantageous treatment (including indirect pressure) against Reporters. The Company will take necessary remedial actions as stated under Article 4.3 in the event that any form of retaliation occurs.
The Directive requires Member States to prohibit all forms of retaliation, including indirect retaliation and retaliation against facilitators and third parties connected to the Reporter. The Policy's list of retaliation measures correctly captures direct retaliation but should be supplemented to include:
protection of facilitators (persons who assist the Reporter);
protection of colleagues or relatives of the Reporter who may be targeted.
These protections are required under French law (Loi Waserman, Art. 2). The DPO recommends adding an explicit statement that facilitators and connected persons benefit from the same protection as Reporters.
4.3. Actions for Individuals Engaging in Victimization
Mistreatment of a Reporter is a disciplinary offense. Individuals who engage in victimization may be subjected to severe consequences which may include:
Formal disciplinary proceedings and written warnings
Required completion of remedial education programs
Temporary removal from position
Employment termination
5. Disciplinary Actions for Policy Violations
5.1. Disciplinary Actions for Breaches
The Company aims to ensure that disciplinary measures are proportionate and fair, taking into account the context and severity of violations related to environmental, human rights, and ethical concerns.
Depending on the severity and nature of breaches, the Company may impose a range of disciplinary actions. These can include but are not limited to:
Verbal or written warnings
Suspension with or without pay
Demotion or withholding of promotion
Termination of employment or contract
Financial penalties or fines
Restriction from specific duties or access to Company resources
Legal actions, if applicable
5.2. Actions Against Bad Faith Reports
All communications must be made in good faith, with reporters required to: believe the disclosure is in the public interest, believe the information to be substantially true, refrain from acting maliciously or making false allegations, and not seek any personal gain.
Making deliberately false or misleading allegations is strictly prohibited. Such actions may result in disciplinary measures, including dismissal of employees. Reports made with malicious intent, for the purpose of defamation, or solely to harm the reported person or related parties will not be protected under Reporter protection provisions. In these cases, the Company reserves the right to pursue administrative, criminal, and civil liabilities in accordance with applicable regulations and may take appropriate disciplinary or legal action to protect its rights and assets, which may include dismissal.
5.3. Company’s Follow-up actions
Follow-up actions will be taken if the violation is confirmed. For any violation, an immediate assessment must be conducted not only to address reported issues but also to identify all actual and potential impacts. Such comprehensive assessment is crucial to detect and remediate any negative issues that may have resulted from the violation, followed by implementing appropriate corrective measures. To prevent recurrence, the Company will strengthen its preventive measures through regular monitoring, auditing, and systematic training, while incorporating lessons learned into internal policies and procedures.
In case violations related to business partners are discovered, appropriate preventive measures shall be taken, and failure to implement these measures will influence decisions regarding contract renewal, pricing negotiations, and task assignments, with the possibility of contract termination in severe cases.
6. Data Protection and Privacy
Personal data processed within the Speak-Up Channel will be managed in strict compliance with applicable privacy laws and regulations, aimed at protecting personal data collected.
The Company has implemented a ‘Data Protection Policy’, a ‘Data Retention & Erasure Policy’ and a dedicated ‘Speak-Up Channel Privacy Notice’ in accordance with the applicable laws and regulations, and any enquiry with respect to your personal data shall be referred to the Data Protection Officer.
7. Contact Information
For reporting concerns, please access the following channel:
Speak-Up Channel:
Available on your local Celltrion Healthcare webpage under Contact Us – Speak Up Channel
The Speak-Up Channel is the primary and preferred method for reporting concerns, as it provides a secure, confidential, and efficient way to communicate directly with the appropriate personnel.
For other inquiries, please contact:
Global Compliance Team: CP@celltrion.com
Global ESG Management Team: Global_ESG@celltrion.com
Data Protection Officer: dpo.cthc@celltrionhc.com (for Data Protection Officer of Celltrion Healthcare France: dpo.cthc.fr@celltrionhc.com)
8. Version History
Version | Date | Author | Description | Approved by | Date Approved | Date Published |
V 1.0 | 2024.12.17. | Global Compliance & ESG Department | Creation of Document | Scottie JongHoon Kim (CCO) | 2024.12.17. | 2024.12.17. |
V 1.1 | 2026.03.05. | Celltrion Fr DPO | DPO review (GDPR / CNIL Framework_July 2023 alignment) | Scottie JongHoon Kim (CCO) | 2026.03.16. | 2026.03.16. |