GH GambleHub

Whistleblower channel and data protection

1) Purpose and scope

Provide a safe, accessible and trusted way for employees, contractors, affiliates and other stakeholders to report violations (corruption, fraud, AML/sanctions, RG, GDPR/PII, PCI/information security, advertising/affiliates, conflicts of interest, discrimination and harassment, license/law violations). The document regulates channels, anonymity, data processing, investigation procedures and protection from retaliation.

2) Principles

Zero tolerance for retaliation. Any retaliatory action is prohibited.
Data privacy and minimization. Only what is necessary is collected, on a need-to-know basis.
Anonymity at the informant's choice. Reports can be made without revealing identity.
Timeliness and fairness. SLAs for acknowledgement and review; a documented, unbiased methodology.
Independence. Separation of roles: receiving reports, investigation, sanctions.
Transparency of the process. Status tracking, feedback, public statistics without personal data.

3) Roles and RACI

Whistleblowing Officer (WBO) - process owner, triage, investigation coordination, reporting. (A/R)

Compliance/Legal/DPO - legal assessment, data protection, privacy policy. (R/C)

InfoSec/CISO - channel security, encryption, access control, logging. (R)

HR/ER (Employee Relations) - ethics/behavior cases, support measures. (R)

Internal Audit (IA) - independent quality control of investigations and CAPAs. (C)

Security/Trust & Safety - technical/fraud cases, collection of digital artifacts. (R)

Exec Sponsor (CEO/COO) - "tone from the top," resources, S1 escalations. (I/A)

4) Message receiving channels

1. Web form (recommended as the main channel): supports anonymity; secure two-way correspondence via token/PIN.
2. E-mail: a dedicated mailbox with automatic encryption; automatic acknowledgement that does not disclose content.
3. Hotline/phone: recorded into the System with data masking.
4. Chatbot in the corporate messenger: not suitable for anonymous reports (unless a proxy mechanism is used).
5. Mailing address/physical mailbox: for offline reports (scanned and loaded into the System).
6. Direct contact with WBO/IA: in-person meeting at the informant's request.

Channel requirements: end-to-end TLS, encrypted storage, RBAC, immutable access logs, no tracking of IP addresses/devices for anonymous submissions, transparent cookie/log policy.

5) Data protection and legal grounds

Legal basis: performance of legal obligations, legitimate interests of the company, public interest (depending on jurisdiction).
DPIA: privacy impact assessment before launch; risks and mitigation measures are recorded.
Classification of data: personal, sensitive (health, ethnicity, etc.), trade secrets, investigation artifacts.
Minimization: do not collect what is unnecessary; delete documents that are not relevant.
Cross-border transfers: only where there are legal grounds and contractual guarantees.
Rights of data subjects: DSARs are handled by the DPO; exception: the identity of the whistleblower and any data that would jeopardize the investigation or third parties are not disclosed.
Retention: reports and artifacts - usually 5 years or as required by policy/law/license; then secure deletion (crypto-shredding/logical erasure with a log entry).

6) Safety and technical measures

Encryption: at rest (KMS/HSM), in transit (TLS); keys with rotation and separation of duties.
Access: RBAC/ABAC, least privilege, separate domains for anonymous cases.
Logs: immutable (WORM), monitoring of unusual access, alerts.
Segmentation: the reporting system is isolated from production systems; separate backups with restore testing.
Metadata: masking, removal of EXIF from attachments, warning the informant about automatic de-identification.
Confidential communication channels: secure mailbox/web inbox for two-way anonymous correspondence.
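The attachment de-identification step above (and the "deanonymization via metadata" risk in section 14) can be automated at upload time. The following is an added example, not part of this policy or the company's platform: a pure-Python JPEG segment walker that drops the APP1 (Exif/XMP), APP13 (IPTC) and COM segments without decoding pixels. The sample file and its marker names are constructed for the demo; a real pipeline would cover other formats (PDF, Office) as well.

```python
from __future__ import annotations
import struct

# JPEG segments that commonly carry identifying metadata (constructed choice for
# this example): APP1 = Exif/XMP (GPS, device serial), APP13 = IPTC, COM = free text.
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}
SOS, EOI = 0xDA, 0xD9


def strip_jpeg_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Drop metadata segments without decoding the image; return (clean, removed)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:            # entropy-coded pixels follow: copy verbatim
            out += data[pos:]
            return bytes(out), removed
        if marker == EOI:
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in METADATA_MARKERS:
            removed.append(METADATA_MARKERS[marker])
        else:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    out += b"\xff\xd9"
    return bytes(out), removed


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (the length field counts itself, not the marker)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed attachment: JFIF header, fake Exif GPS block, a comment naming the
# informant's workstation, a quantisation-table stub, then SOS + dummy pixel data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00GPSLatitude=50.4501N")
    + _segment(0xFE, b"scanned on workstation WS-0421 by j.doe")
    + _segment(0xDB, bytes(65))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)
```

Running `strip_jpeg_metadata(SAMPLE_JPEG)` returns the image with only the JFIF header, quantisation table and pixel data, plus the list of removed segment names for the case log.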

7) Case classification and priorities

S1 (Critical): corruption/bribery, large fraud, PII/PCI leak, life/security threats, serious license/law violations.
S2 (High): systemic policy violations (AML/RG/GDPR/IS), serious conflicts of interest, discrimination/harassment.
S3 (Medium): local violations of procedures, errors in advertising/affiliates, one-time violations of behavior.
S4 (Low): Suggestions for improvements, low-risk incidents.

SLA:
  • Receipt: S1/S2 - ≤ 24 hours; S3/S4 - ≤ 3 business days
  • Primary evaluation (triage): S1 - ≤ 48 h; S2 - ≤ 5 business days; S3/S4 - ≤ 10 business days
  • Investigation plan: S1 - ≤ 3 business days; S2 - ≤ 10 business days

8) Process from message to closure

Step 1 - Receipt and acknowledgement. Assign an ID, record the channel, preserve evidence "as is."
Step 2 - Triage and independence. Check the assigned persons for conflicts of interest; in case of conflict, reassign.
Step 3 - Risk assessment and plan. Scope, hypotheses, legality of methods, list of artifacts, roadmap.
Step 4 - Evidence gathering. Documents, logs, interviews, sampling of transactions; chain of custody maintained.
Step 5 - Analysis and conclusions. Fact → criterion (policy/law/license) → risk → impact.
Step 6 - Recommendations and CAPAs. Corrective/preventive actions, owners, timing, success metrics.
Step 7 - Communications and feedback. Without revealing the identity of the informant; neutral language (no accusations before the final report).
Step 8 - Closure and retention. Final report, status, storage of artifacts, publication of anonymized statistics.

9) Communications and whistleblower protection

No tipping-off. Do not disclose the fact of a report or investigation to the alleged violators.
Protection from retaliation. Demotion, dismissal, withholding of bonuses, bullying, etc. are prohibited. Retaliation is treated as a separate S1/S2 violation.
Support: if necessary - transfer to another team, leave, HR/legal advice, psychological support.
Two-way anonymous communication: the informant can ask questions and obtain the case status through a web inbox/token.
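The token-based anonymous inbox referred to here and in section 4 can be built so that the System never holds anything that identifies the informant or lets an insider impersonate them. The following is an added example (not the company's platform code): case IDs follow the WB-XXXX pattern from the templates, the secret token is shown to the informant once and stored only as a SHA-256 hash, and lookups use a constant-time comparison. The class and method names are assumed for the demo; the WBO-side RBAC is assumed and not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Case:
    case_id: str
    token_hash: bytes                  # SHA-256 of the token; the token itself is never stored
    status: str = "received"
    thread: list = field(default_factory=list)   # (author, text) pairs, no identities


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class AnonymousInbox:
    def __init__(self) -> None:
        self._cases: dict[str, Case] = {}
        self._next_id = 1

    def open_case(self, message: str) -> tuple[str, str]:
        """Register a report; return (case_id, token). No identity is recorded."""
        case_id = f"WB-{self._next_id:04d}"
        self._next_id += 1
        token = secrets.token_urlsafe(24)
        self._cases[case_id] = Case(case_id, _hash_token(token), thread=[("informant", message)])
        return case_id, token

    def _authorise(self, case_id: str, token: str) -> Case:
        # Hash-compare even for unknown IDs so response timing does not reveal
        # whether a case exists; compare_digest keeps the check constant-time.
        case = self._cases.get(case_id)
        stored = case.token_hash if case else _hash_token("no-such-case")
        if not hmac.compare_digest(stored, _hash_token(token)) or case is None:
            raise PermissionError("unknown case ID or wrong token")
        return case

    def informant_post(self, case_id: str, token: str, text: str) -> None:
        self._authorise(case_id, token).thread.append(("informant", text))

    def informant_read(self, case_id: str, token: str) -> tuple[str, list]:
        case = self._authorise(case_id, token)
        return case.status, list(case.thread)

    def officer_reply(self, case_id: str, text: str, status: str = "") -> None:
        # WBO side; assumed to sit behind the System's RBAC (not modelled here).
        case = self._cases[case_id]
        case.thread.append(("wbo", text))
        if status:
            case.status = status
```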

10) Relationship with other policies

Code of Ethics and Conduct - standards and channels.
Anti-corruption policy - due diligence, gifts, intermediaries.
GDPR/PII - legality of processing, DSAR, retention.
AML/RG/PCI/IS - specialized procedures and triage.
Internal audit - independent quality control of investigations.

11) Checklists

11.1 Before launching the channel

  • DPIA and privacy policy approved by DPO/Legal.
  • Technical architecture: Encryption, RBAC, WORM logs.
  • An anonymous web form and two-way token communication are configured.
  • WBO/triage team training in investigation methodology.
  • Templates have been prepared (receipt, investigation plan, report, closure letter).
  • Communication campaign: "tone from the top," posters, intranet, FAQ.

11.2 Report reception

  • ID assigned, date/channel/S-level recorded.
  • Confirmation sent to informant without disclosing details.
  • A conflict-of-interest check was performed for the assigned staff.
  • All attachments/metadata recorded and de-identified.

11.3 Investigation

  • Plan and hypotheses approved (Legal/DPO/InfoSec - as required).
  • Chain-of-custody is maintained for each artifact.
  • Interviews are logged; privacy notice given.
  • Conclusions based on verifiable facts, peer-review conducted.

11.4 Closing

  • CAPAs are assigned, dates and metrics are defined.
  • The whistleblower (where possible) received anonymized feedback.
  • Retention/classification established; artifacts are archived.
  • Statistics updated on dashboard.

12) Document Templates (Quick Inserts)

A) Receipt to informant

Thank you for your message. Your ID is WB-XXXX. We will review the information and contact you if necessary through this secure channel. You can remain anonymous. Please do not disclose publicly until verification is complete.

B) Investigation plan (one-pager)

Case: WB-XXXX Priority: S1/S2/S3/S4 Owner:... Timeline:...
Hypotheses/criteria:...
Data/Artifacts:...

Interview: List/Schedule

Privacy risks/legal restrictions:...
Communications and control points:...

C) Final Report (Structure)

Summary; Facts; Criteria (policy/law); Analysis; Conclusions; CAPA Recommendations; Appendices (artifacts).

D) Closing Letter

💡 Please be advised that WB-XXXX case review is complete. Compliance measures have been taken. Thank you for your contribution to the ethical and safe operation of the company.

13) Metrics and dashboard

Intake Volume - the number of messages by category and channel.
Time-to-Acknowledge / Time-to-Triage / Time-to-Decision.
SLA compliance by S-levels.
CAPA Progress: completed/in progress/overdue; median time to close.
Retaliation Index: reported retaliation complaints (target 0).
Anonymity Rate: the proportion of anonymous reports and their conversion to confirmed cases.
Repeat Findings: recurrence of topics within 12 months.
Awareness Impact: growth in reports after campaigns; channel trust NPS.

14) Risks and controls

Deanonymization via metadata. → de-identification, EXIF deletion, explicit warnings.
Case access leaks. → RBAC, segmentation, WORM logs, regular access audits.
Fictitious reports/abuse. → initial filtering and fact-checking; sanctions for knowingly false reports (without a chilling effect).
Conflict of interest in the investigation. → rotation of investigators, participation of IA/Legal.
Retaliation. → a separate complaint stream; rapid HR/Compliance response.

15) Training and awareness

Onboarding: module on channel, anonymity and data protection (test ≥ 85%).
Annual recertification for all; additional training for WBO/investigators.
Quarterly campaigns (posters/bot quizzes/videos): how to report, what to expect, examples.

16) 30-day implementation plan

Week 1

1. Assign WBO and workgroup (Compliance/Legal/DPO/InfoSec/HR/IA).
2. Conduct a DPIA, approve a privacy and retention policy.
3. Specify channels (web form/mail/line), requirements for anonymity and logs.

Week 2

4. Implement a technical platform: encryption, RBAC, WORM logs, anonymous web inbox.
5. Prepare templates and SOPs: receipt, plan, report, closing letter, CAPA.
6. Train WBO/triage team; register RACI and SLA.

Week 3

7. Pilot: 1-2 test cases (table-top); verify the chain of custody and retention.
8. Set up dashboard metrics and reporting for management/committee.
9. Communications: CEO letter, intranet page, FAQ, posters.

Week 4

10. Channel launch; SLA/load monitoring; hands-on support.
11. Weekly reviews of S1/S2 cases and CAPA statuses.
12. Retrospective and v1.1 adjustments (policies, forms, training).

17) Related Sections

Code of Ethics and Conduct

Anti-corruption policy

AML and Employee Training/Compliance Awareness

Incident playbooks and scripts

Compliance dashboard and monitoring

Internal Audit and External Audit

Notices of Violations and Reporting Deadlines

Regulatory reports and data formats
