Whistleblower Policy


SustainCERT is committed to the highest level of ethical practices and honest relationships and to ensuring that its business relations and day-to-day work are conducted with integrity. It is important to us that all our employees and external stakeholders understand, support, and adhere to the values which are outlined in our ethical, social, environmental, and human rights policies. The commitments in these policies are the foundation of responsible business and upholding them is a priority for SustainCERT.

As an important part of our commitment to upholding these values, SustainCERT encourages our employees and external stakeholders to speak up if they see behavior or activity that they believe is illegal. Whilst this can often be done through a direct line management conversation, SustainCERT recognizes that there are instances where the reporting person may need to be assured of their anonymity and have additional support and reassurance to speak up.

It is for this reason that SustainCERT has put in place a formal whistleblowing procedure for our employees and external stakeholders, to ensure that in both instances the report of wrongdoing is managed in a professional and confidential way.



The aims of this Whistleblower Policy are: 

  • To ensure that every employee and external stakeholder knows the procedure for reporting genuine concerns of wrongdoing and that it can be done without fear of retaliation. 

  • To ensure that every report of wrongdoing will be responded to and acted upon in a defined time and the wrongdoing resolved and remedied to prevent reoccurrence. 

  • To ensure that SustainCERT’s management is provided with details of reports made under this Policy, so that it is aware of the potential risks to SustainCERT posed by the issues raised.



This Policy applies to all employees of SustainCERT, as well as external stakeholders. For the purposes of this Policy, “external stakeholders” include paid or unpaid trainees and interns, former and prospective employees, independent contractors, employees of subcontractors or suppliers, shareholders, members of the administrative management or supervisory body, including non-executive members, and clients.

Whilst this is an internal company policy, our commitment to respond to reports of wrongdoing extends equally to our external stakeholders.



This Policy is intended to cover serious concerns that could have a potentially large impact on SustainCERT, and reporting under this Policy is therefore distinct from the normal feedback and grievance channels available to employees and external stakeholders.

More specifically, SustainCERT wants its employees and external stakeholders to report if they have witnessed or know about behavior that includes, but is not limited to, the following:

  • Harassment and/or bullying of any kind. 
  • Actions which breach any of SustainCERT’s policies (including ethical, social, environmental and human rights policies). 
  • Actions which create an unsafe internal and/or external environment. 
  • Discrimination. 
  • Fraudulent acts. 
  • Illegal acts. 
  • Corrupt acts. 
  • Any conduct which is detrimental to SustainCERT and could cause financial or non-financial loss or reputational risk. 

For the avoidance of doubt, this Whistleblower Policy is not the appropriate channel for grievances or complaints. The purpose is to detect, or ideally prevent, crimes, illegal activity and wrongdoing.



SustainCERT shall strictly safeguard the confidentiality of the whistleblower’s identity, except in the event of a necessary and proportionate obligation imposed by directly applicable national or European law during investigations, in particular with a view to safeguarding the rights of defense of the person concerned.

In some cases, an investigation cannot continue without knowing the reporting person’s identity. Whilst remaining anonymous remains the reporting person’s choice, there might be limitations on what the investigation can achieve without knowing their identity.



All reports made under this Policy will be treated in a confidential and sensitive manner. Any person who in good faith reports their concern of wrongdoing in accordance with this Policy will not be penalized. This includes any reprimand, reprisal, change in work duties, damage to career prospects or reputation or threats to do any of these things or deliberate omissions which result in detriment to the reporting person. SustainCERT has in place formal misconduct procedures for any employee or individual engaged by SustainCERT not respecting this fundamental protection of the reporting person.



SustainCERT recognizes that an effective and efficient investigation and case management system is an essential component of any reporting mechanism. Designated persons at SustainCERT receive specific whistleblowing and case management training for the purposes of handling confidential and sensitive reports of corporate wrongdoing.


Internal Reporting Channels:

Depending on the nature of the wrongdoing, employees are first encouraged to discuss their concern with their line manager. If this is not possible, the concern may be raised with an identified member of the relevant support area, e.g. People & Culture, Legal, Compliance, or the Management Team, depending on the nature of the wrongdoing.

SustainCERT has developed internal procedures for the investigation and follow up of a report under this Policy, including the following: 

  • Reports via internal channels can be made in writing, or verbally, or both, in English or in one of the three administrative languages in accordance with the Amended Law of 24 February 1984 on the Luxembourg Language Regime (i.e. German, French or Luxembourgish). Verbal reports can be made by telephone or via other voice messaging systems and, at the whistleblower’s request, by means of a face-to-face or video conference meeting, within a reasonable period of time. Reports in writing can be submitted to whistleblowing@sustain-cert.com. 
  • The channels for receiving the reports, in writing or orally, or both, are designed, established, and operated in a secure manner that ensures that access to the report is protected from non-authorized staff members. 
  • The acknowledgement of the receipt of the report to the reporting person occurs within seven days of that receipt. 
  • Legal is designated as the impartial contact competent for following up on the reports and will be responsible for maintaining communication with the reporting person and, where necessary, asking for further information from and providing feedback to that reporting person. 
  • The timeframe that is set to provide feedback to the reporting person does not exceed three months from the acknowledgment of receipt. 
  • The ultimate findings of the investigation and, should corrective action be needed, any actions taken will be communicated to the reporting person in a reasonable timeframe. 
  • In some cases, to be determined on a case-by-case basis, a mediation procedure may be set up to address the concern raised (e.g. for identified cases of discrimination and/or harassment).


External Reporting Channels:

Whistleblowers are free to choose whether to report externally to a competent authority listed in article 18 of the Law of 16 May 2023 transposing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons Who Report Breaches of Union Law.



A whistleblowing office has been set up by authority of the Minister of Justice of Luxembourg, charged with the following tasks: 

  • Informing and assisting anyone wishing to make a report, in particular, by explaining the procedures to be followed. 
  • Raising public awareness of whistleblower protection legislation. 
  • Informing the respective competent authorities of any breaches of obligations to set up internal channels of which the office is aware. 
  • Collecting, in collaboration with the competent authorities and the judicial authorities, the information needed to draw up the annual report.
  • Drawing up recommendations on any matter relating to the application of this law. 
  • Carrying out the tasks assigned to it under the external reporting procedure.



This Policy is reviewed annually in accordance with our governance approach to ensure the Policy remains relevant and operational. This review also ensures that the procedure follows state and international guidance and regulation in this area.



For more information, please contact the People & Culture Team or send an email to people@sustain-cert.com.


This Policy was last reviewed and approved in March 2024 by CEO, CFO, Legal and People & Culture.