(1) The Bank shall establish and maintain effective and reliable mechanisms to enable prompt reporting to it of potential or actual breaches of these Regulations and Regulation (EU) 2019/2033.

(2) The mechanisms referred to in paragraph (1) shall include the following:

(a) specific procedures for the reception, treatment and following up of such reports, including the establishment of secure communication channels;

(b) appropriate protection against retaliation, discrimination or other types of unfair treatment by the investment firm for employees of investment firms who report breaches committed within the investment firm;

(c) protection of personal data concerning both the person who reports the breach and the natural person who is allegedly responsible for that breach, in accordance with the General Data Protection Regulation;

(d) clear rules that ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches committed within the investment firm, unless disclosure is required by the law of the State in the context of further investigations or subsequent administrative or judicial proceedings.

(3) The Bank shall require investment firms to have in place appropriate procedures for their employees to report breaches internally through a specific independent channel.