For reports alleging certain breaches of EU law, specific EU whistleblowing rules may apply. IBM screens all raised concerns to identify if these rules should apply to your concern.

IBM will follow its established programs to manage your concern. However, if your concern should relate to the EU and fall into certain areas, its handling will follow a distinct procedure with the variations set out in this Q&A. This includes:

• Public procurement
• Financial services
• Product and transport safety
• Protection of the environment
• Food and feed safety
• Public health
• Consumer protection
• Protection of privacy and personal data
• Tax
• Competition law
• Radiation protection and nuclear safety
• Security of network and information services
• Anti-money laundering and terrorist financing

Note that some EU countries extended the above list and IBM will handle each allegation in line with local requirements transposing the Directive. 

Note that for the directive to apply you must have reasonable grounds for believing that information submitted on suspected breaches of applicable law was correct at the time of the notification. Frivolous, trivial, repetitious, or malicious issues will not be addressed under this process.

• Current and former IBM employees;
• Persons having self-employed status;
• Shareholders and persons belonging to the administrative, management, or supervisory board of IBM, including non-executive members, as well as volunteers, paid or unpaid trainees, and job applicants;
• Any persons working under the supervision of contractors, sub-contractors, and vendors engaged in work at IBM (including staff leasing personnel).

The scope of these rules is not limited to concerns in the IBM workplace. The rules cover any IBM-related business operations.

Use our established IBM channels for raising a concern. A concern may be raised in person, online, by email, by regular mail or by phone.
If you choose to submit your concern anonymously, please consider providing a means for us to contact you (for example an anonymous email account). Otherwise we will not be able to provide you with feedback.

Regardless of which option you choose, you should know that (1) information submitted through Ombudsman is only shared on a "need to know" basis in compliance with Data Privacy regulations and are aimed to ensure confidentiality of the alleger,  (2) IBM prohibits threats or acts of retaliation for reporting in good faith potential wrongdoing or inappropriate behavior.

Certain country legislation may require additional requirements for handling any allegations. In this respect please refer to the specific country procedure available on the https://www.ibm.com website (selecting the relevant country in the “about” section).

The handling of your concern will depend on its nature and may vary across different countries.  In any case for all concerns, IBM ensures that designated impartial persons and/or departments will be entrusted with handling your concern.

The person or department ultimately investigating your concern may not be based in your country.
At all times, IBM will ensure independence, confidentiality, data protection and secrecy relating to your concern.

You will generally be contacted within 48 hours of submitting your concern (unless lodged anonymously).
You will in any case receive a confirmation of receipt within seven days of submitting your concern.

Unless differently stated in local legislation, IBM will provide feedback to you within a reasonable timeframe. Such timeframe should not exceed three months, but, unless otherwise provided for by mandatory law, it could be extended, where necessary, due to the specific circumstances of the case.

IBM prohibits threats or acts of retaliation in any form, including for reporting a concern based on reasonable grounds that lead you to believe that the information on any violation reported was true at the time of reporting.
This protection will not be limited to you, but also to any facilitators, third persons such as colleagues or relatives and businesses that you own, work for or are otherwise connected with.

When something matters to you, it matters to IBM, and we expect you to report any potential concerns at first through IBM’s Communication Channels. The EU Whistleblowing Directive encourages reporting through internal reporting channels before reporting through external reporting channels, where the breach can be addressed effectively internally and where the reporting person considers that there is no risk of retaliation.

Some EU Member States require that the list of external bodies be inserted into the internal reporting channel too. The specific country procedure available on the https://www.ibm.com website (selecting the relevant country in the “about” section) lists such external bodies per each country.

The complaints procedure is open for every person who wants to report human rights and environment-related risks as well as violations of human rights-related or environment-related obligations that have arisen as a result of the economic actions of the IBM enterprise the Act on Corporate Due Diligence Obligations in Supply Chains applies to in its own business area or of any of its direct or indirect suppliers.

Any human rights and environment-related concern according to the scope of the Act on Corporate Due Diligence Obligations in Supply Chains (Germany) may be reported to the IBM Procurement Ombudsman office.
A concern may be raised in person, by email, by regular mail, or by phone.

If you choose to submit your concern anonymously, please consider providing a means for us to contact you (for example an anonymous email account). Otherwise, we will not be able to provide you with feedback.

You can raise your concern through these routes:

• Email: IBM.Ombudsman@ibm.com
    (The email box has limited access for the Procurement Ombudsman office only.)
• Phone: +36-20-823-5681
• Regular mail address: IBM Hungary ISSC Kft , Szigony utca 26-32, 1083 Budapest , Hungary
• Any of the listed Ombudsman 

For all concerns brought to the Ombudsman office, designated impartial persons bound to confidentiality will be entrusted with handling the concern.

The IBM Ombudsman office has been established in 1994 being the safeguard of the ethics and integrity of IBM’s supply chain. The experts of Ombudsman office have decades of investigative experience and concern management practice.

The IBM Procurement Ombudsman office is an independent team within the Global Supply Chain Organization of IBM having the authority to investigate and resolve matters outside of the normal business channels.

The Ombudsman office is acting as an avenue to bring concerns and allegations to a neutral party. Since its inception the office does not serve as an advocate for any person or organization, but rather an advocate for a fair outcome.

The claimant will generally be contacted within 48 hours of submitting a concern (unless lodged anonymously).

After receipt of a complaint and entry confirmation, the Ombudsman office will promptly start the work in regard to the respective case.

Subject to the respective allegation, within reasonable time.

• facts will be collected, discussed, and reviewed,
• dedicated experts (always subject to confidentiality) will be involved,
• interviews and observations will take place,
• findings will be reviewed and discussed,
• claimant will be informed about the completion of investigations,
• subject to the outcome of the investigations reasonable measures will be taken.

It will be always acted with the intention to reasonably investigate the case and to find a for all parties involved reasonable solution. 

The persons entrusted with the Ombudsman procedure will take care about the confidentiality of claimant’s identity. In addition, IBM prohibits threats or acts of retaliation in any form in context with concerns made under the Ombudsman Procedure, including for reporting a concern based on reasonable grounds that lead the claimant to believe that the information on any violation reported was true at the time of reporting.
This protection will not be limited to the claimant, but also to any facilitators, third persons such as colleagues or relatives and businesses that the claimant owns, works for or is otherwise connected with.

At all times, the Ombudsman office will take care about confidentiality and protection of personal data relating to your concern. 

Case documents are stored in Ombudsman data repository for at least seven years. 

Reviews of the procedure will take place at least once a year and on an ad hoc basis.