Greystar Europe Whistleblower Policy
This policy will be subject to an annual review by the EU Risk Management Committee (‘RMC’). In addition, this policy shall be reviewed upon:
(a) Any material change to (or new) applicable regulations or regulatory guidance; and/or
(b) Any internal or external change in events as indicated by the business.
The next review will be before 31 July 2026.
1. Introduction
1.1. In line with Greystar’s Values, outlined in the Greystar Code of Conduct, and applicable law, including Directive (EU) 2019/1937 of the European Parliament and Council, known as the Whistleblower Protection Directive, Greystar’s European Risk Management Committee (“the board”) has approved the Whistleblower Policy (“this Policy”) on behalf of Greystar’s European entities (“Greystar Europe”). This Policy has been approved as part of the board’s commitment to providing a confidential and secure pathway for the reporting of concerns about wrongdoing in the workplace and to protect those who report from retaliation.
1.2. This Policy ensures that whistleblowers can report concerns without fear and that their reports are dealt with in a confidential and secure manner. A formal channel for reporting such concerns has been established. Where local legislation is more stringent than this Policy, local legislation prevails.
1.3. Please read this document carefully before making a report. It is important to understand that whilst Greystar Europe is committed to responding to all reports and complaints diligently and in respect of applicable law, the protections outlined in this Policy do not apply to all reports/complaints that may be made in a work-related context. The protections in this Policy will only apply to reports that meet the criteria for protection identified in this Policy. It is your responsibility to ensure you meet the criteria for protection under this Policy.
1.4. If you have any queries about this Policy, please contact a member of the European Risk & Compliance team. Consider whether you require confidential, independent advice (including legal advice) on the making of a report that will be protected under this Policy and applicable law.
1.5. European Risk & Compliance has overall accountability for the process set out in the Policy and will review this policy periodically at least on an annual basis.
2. Contents and Scope of this Policy
2.1. This Policy sets out:
a) what can be reported under this Policy;
b) how to make a report;
c) what happens when a report is received; and
d) the protections that are available against retaliation for reporting a concern about wrongdoing.
2.2. In this Policy, Greystar Europe undertakes to:
a) Keep the identity of the reporting person and any person named in a report confidential (subject to the exceptions set out in paragraph 11.4 below);
b) Not tolerate any retaliation or threat of retaliation of the reporting person or persons associated with them;
c) Acknowledge all reports within a specified time;
d) Follow up diligently on all reports of relevant wrongdoing;
e) Provide feedback to the reporting person within a specified time following the acknowledgement; and
f) Provide further feedback at regular intervals on written request.
2.3. This Policy applies to all Greystar offices, operations and activity within Europe (EU and UK).
3. Who is responsible for handling reports made under this Policy?
3.1. Greystar has appointed two Whistleblower Officers who will have day-to-day responsibility for the handling of reports. The Whistleblower Officers will have sufficient experience, knowledge, expertise, independence and resources to perform the role as required by the Policy.
3.2. The Whistleblower Officers will be Caroline Griffiths (Managing Director, HR Europe and APAC) and Wilco Verwijs (Senior Director, European Risk and Compliance).
3.3. The identity of the Whistleblower Officers will form part of the review of the Policy described in paragraph 1.6 above. In the event that an appointed Whistleblower Officer leaves the organisation, a replacement will be nominated and the Policy updated to reflect the change as soon as practicable.
4. Who can make a report under this Policy?
4.1. This Policy applies to employees and any individual in a work-related relationship with Greystar Europe who acquires information on relevant wrongdoings in a work-related context, including:
a) an employee (regardless of the duration or legal basis upon which they are employed)
b) a resident (subject to 4.3)
c) an independent contractor, or somebody working under the supervision and direction of an independent contractor
d) an agency worker
e) a trainee or intern
f) equity partner
g) an individual who acquired information on a relevant wrongdoing during a recruitment process; or an individual who acquired information on a relevant wrongdoing during pre-contractual negotiations (other than a recruitment process).
4.2. "Work-related context" means current or past work activities or off-site activities organised or facilitated by Greystar through which a person acquires information concerning a relevant wrongdoing and within which those persons could suffer retaliation if they reported such information. Examples of off-site activities include conferences, seminars and business development events.
4.3. With reference to residents making a report under this Policy (see 4.1(b) above), the report should concern activity involving a building manager or other Greystar employee. Other complaints (for example concerning other residents) should continue to be reported through existing channels.
5. What can be reported under this Policy?
5.1. A report can be made under this Policy if it meets the following conditions:
a) a disclosure of “relevant information”
b) that came to the attention of a reporting person in a work-related context (see para. 4.2 above)
c) and was reported in the manner specified in this Policy
5.2. “Relevant information” is information which the reporting person believes shows relevant wrongdoing. The information should disclose facts about someone or something, rather than a general allegation that is not founded on specific facts.
5.3. The following wrongdoing can be reported under this Policy:
a) Suspicion or knowledge of an offence or a breach of applicable law that has occurred, is occurring or is likely to occur
b) a person has failed, is failing or is likely to fail to comply with any legal obligation (other than one arising under a contract of employment or other contract containing an undertaking to perform personally any work or services)
c) a miscarriage of justice has occurred, is occurring or is likely to occur
d) the health or safety of any individual has been, is being or is likely to be endangered
e) the environment has been, is being or is likely to be damaged
f) an improper use of funds or resources of a public body, or of other public money, has occurred, is occurring or is likely to occur
g) an act or omission by or on behalf of a public body is oppressive, discriminatory or grossly negligent or constitutes gross mismanagement
h) information showing any matter falling within any of the preceding paragraphs (a-g) has been, is being or is likely to be concealed or destroyed or an attempt has been, is being or is likely to be made to conceal or destroy such information, i.e. a wrongdoing may be subject to a cover-up.
5.4. It does not matter where the wrongdoing occurred, occurs or would occur.
5.5. The reporting person’s belief must be based on reasonable grounds, but it is not a requirement that the reporting person is ultimately proven correct. Reporting persons are not expected to prove the truth of an allegation. No disciplinary or other action will be taken against a reporting person who genuinely believes the information they have reported shows a wrongdoing even if the concern raised turns out to be unfounded.
5.6. A report made in the absence of a genuine belief is not a protected under this Policy and may result in disciplinary action. It is potentially a criminal offence to make a report that contains any information the reporting person knows to be false. Where someone deliberately makes a false report a person who suffers damage as a result may have the right to take legal action against the reporting person.
5.7. Reporting persons should not investigate allegations of wrongdoing. The Whistleblower Officers are responsible for the appropriate follow up of all reports.
6. What cannot be reported under this policy?
6.1. Where the discovery of wrongdoing forms part of an individual’s job or function or is a responsibility of their role (e.g. an internal auditor, HR professional, IT security professional etc.) it does not qualify as a relevant wrongdoing unless it involves an act or omission on the part of the employer. Individuals should follow existing protocols to address such issues. For example, if you are employed in IT and you detect computer misuse, you should act in line with the relevant policy requirements to address the issue, rather than make a report under this Policy. However, if your line manager then instructs you to ignore the incident, this action may be sufficient to allow the making of a report that could be considered a protected disclosure under this Policy.
6.2. A personal grievance affecting a reporting person is not a relevant wrongdoing and will not be dealt with under this Policy, unless it is based on some breach of law, e.g. sexual or racial harassment. Such matters are dealt with under applicable grievance policies.
6.3. Day-to-day performance management that addresses poor performance or the failure of an individual to perform their role to the expected standard is not a relevant wrongdoing, unless as part of a wider issue such as the bullying or harassment of that worker.
7. How can you make a report under this policy?
7.1. Reports may be made in writing and/or orally in the following ways:
a) Via an independent reporting tool, called Speak Up, https://app.convercent.com. This is a reporting hotline run by a third party, through which reports can be made anonymously, by phone or in writing (in English and/or any local language of countries where Greystar Europe has operations).
b) Directly to either Whistleblower Officer, via email, telephone, or an in-person meeting upon request.
7.2. Reporting persons can choose whether to report anonymously or not through the independent reporting mechanism described above. Persons who choose to report anonymously and whose report meets the requirements of the Policy as set out at section 4 remain entitled to all the protections of the Policy.
7.3. Anonymous reports will be followed-up to the fullest extent possible. However, it may not be possible to fully assess and follow-up on an anonymous report. In addition, implementing certain elements of the Policy – such as seeking further information, maintaining communication and protecting the reporting person’s identity or protecting them from retaliation – may not be possible.
7.4. Details of information that is recommended to be included in a report can be found in Appendix A. It may not be possible to fully assess and investigate a report that does not contain sufficient information.
8. What is the process following receipt of a report?
8.1. All reports made by an individual in a European jurisdiction through the independent reporting mechanism, Speak Up, will be first received by Managing Director HR, Europe and APAC for a prima facie assessment of whether the report is in scope of this Policy. Where the report appears to be in scope of this Policy, Senior Director, European Risk and Compliance, will be notified (unless it would breach principles of natural justice to do so).
8.2. The remaining report handling process can be found at Appendix C of this Policy.
9. Reporting to authorities
9.1. The aim of this Policy is to provide a means by which individuals can safely and securely raise concerns about relevant wrongdoing and to give individuals confidence that all such concerns will be dealt with appropriately. Greystar Europe is confident that issues can be dealt with internally and strongly encourages all employees and others within the scope of this Policy to report such concerns internally in accordance with this Policy.
9.2. There may, however, be circumstances where an individual may not wish to raise their concern internally or where they have grounds to believe that an internal report they have made has not been followed-up properly.
9.3. External reports can be made to third parties such as law enforcement, regulators, and some EU agencies. A list of such organisations can be found in Appendix D.
9.4. It is important to note, however, that if an individual is considering making a disclosure using these external channels, different and potentially more onerous conditions may apply. Individuals should consider seeking legal advice before reporting externally.
10. Protection from retaliation
10.1. Greystar Europe is committed to protecting reporting persons from retaliation or a threat of retaliation because they made a report under this Policy. Retaliation will not be tolerated and appropriate action, which may include disciplinary action, will be taken against anyone found to have committed an act of retaliation against the following:
a) The reporting person
b) A facilitator (a person who assists the reporting person in the reporting process)
c) A person connected to the reporting person, such as a colleague or a relative
d) An entity the reporting person owns, works for or is otherwise connected with in a work-related context.
10.2. If a reporting person is subject to retaliation or the threat of retaliation, this can be reported to either Whistleblower Officer, who will investigate the circumstances of the allegation.
10.3. Retaliation is any direct or indirect act or omission that occurs in a work-related context, which is prompted by the making of report under this Policy and causes or may cause unjustified detriment to an individual. Retaliation can take a variety of forms. Some examples are listed in Appendix B.
10.4. The normal performance management of someone who has made a report under this Policy is not retaliation. However, if there is a change in how the reporting person’s performance is managed, and this change is a result of them having made a report, this may qualify as retaliation.
10.5. If a report under this Policy is made during an investigation or disciplinary process to which the reporting person is subject, it will not automatically follow that the making of the report will affect the investigation or disciplinary process. Separate processes unconnected with the report will ordinarily continue to proceed.
10.6. The reporting of an alleged wrongdoing does not confer any protection or immunity on a reporting person in relation to any involvement they may have had in that alleged wrongdoing.
11. Confidentiality and protection of identity
11.1. Greystar Europe is committed to confidentiality and protecting the identity of both reporting persons who raise a concern under this Policy and any party mentioned in a report, and to treating the information disclosed in confidence.
11.2. The measures required to maintain confidentiality will vary, but the options under consideration will include, but not be limited to, the following:
a) Application of the “need to know” principle; that is, only releasing sufficient information required to ensure a task can be completed effectively
b) Secure storage of any physical evidence
c) Secure storage of electronic evidence, including access controls and password protection
d) Anonymising individual’s identity in any reports or briefings
e) Use of independent external investigators
11.3. Subject to the exceptions below, the identity of the reporting person and any party mentioned in a report or any information from which their identity may be deduced will not be shared with anyone other than persons authorised to receive reports made under this Policy without the explicit consent of the reporting person. It may not be possible to fully assess and follow-up on a report in cases where a reporting person withholds consent to share their identity (e.g. with a member of the IT team in the case where evidence may be stored digitally).
11.4. The Policy provides for certain exceptions where the identity or information that could identify the reporting person or a party mentioned in a report can be disclosed without their consent. These are:
a) Where the person to whom the report was made or shared shows they took all reasonable steps to avoid disclosing the identity of the reporting person or any information that could identify the reporting person or party named in the report;
b) Where the person to whom the report was made or shared reasonably believes disclosing the identity or information that could identify the reporting person or person named in the report is necessary for the prevention of serious risk to national security, public health, public safety or the environment; and
c) Where the disclosure is otherwise required by law.
11.5. Where a reporting person’s identity or information that could identify a reporting person is to be disclosed under exceptions (a) to (c), above, the reporting person will be notified in writing in advance, unless such notification would jeopardise:
a) The effective investigation of the relevant wrongdoing reported
b) The prevention of serious risk to the national security, public health, public safety or the environment
c) The prevention of crime or the prosecution of a criminal offence.
11.6. A reporting person may request a review of a decision to disclose their identity under the System of Review set out in section 13 of this Policy.
11.7. Circumstances may arise where protection of identity is difficult or impossible, e.g. if the nature of the information disclosed means the reporting person is easily identifiable. If this occurs, the risks and potential actions that could be taken to mitigate against them will be outlined and discussed with the reporting person.
11.8. Other employees must not attempt to identify reporting persons. Attempts to do so may result in disciplinary action.
11.9. A reporting person can make a complaint and a request for a review if the person believes their identity has been disclosed in breach of the conditions set in paragraph 11. The reporting person can submit the complaint and the request for a review to the Head of Global Risk, Jennifer Bjork, who will undertake the review, consider the circumstances subject to review and come to a final decision.
12. Data Protection and record retention
12.1. All personal data will be processed in accordance with applicable data protection law, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
12.2. Where the exercise of a right under GDPR would require the disclosure of information that might identify the reporting person or persons concerned, or prejudice the effective follow up of a report, exercise of that right may be restricted.
12.3. Rights may also be restricted to the extent, and as long as, necessary to prevent and address attempts to hinder reporting or to frustrate particular investigations. Rights under the GDPR may be restricted if they are being used to find out the identity of reporting persons or persons connected to an investigation.
12.4. If a right under GDPR is restricted, the data subject will be given the reasons for the restriction, unless the giving of such reasons would identify the reporting person or persons concerned, or prejudice the effective follow up of a report, or prejudice the achievement of objectives of general public interest.
12.5. A person whose data subject rights are restricted can make a complaint to the Data Protection Authority in their jurisdiction.
13. Right to review
13.1. A review may be sought:
a) By the reporting person into a decision, following assessment, to close the procedure or refer the matter to another process
b) By any affected party in respect of the conduct or outcome of any follow-up actions (including any investigation) taken following the receipt and assessment of a report
c) By any affected party in respect of the conduct or outcome of any investigation into a complaint of penalisation
d) Except in exceptional cases, by any party affected by any decision to disclose the identity of the reporting person to persons other than those authorised under these procedures to handle reports
A reporting person can submit a request for a review to the Head of Global Risk, Jennifer Bjork, who will undertake the review, consider the circumstances subject to review and come to a final decision.
APPENDIX A – WHAT TO INCLUDE IN A REPORT
a) that the report is or maybe a protected disclosure and is being made under the procedures set out in this Policy
b) the reporting person’s name, position in the organisation, place of work and confidential contact details (unless made anonymously)
c) the date of the alleged wrongdoing (if known) or the date the alleged wrongdoing commenced or was identified
d) whether or not the alleged wrongdoing is still ongoing
e) whether the alleged wrongdoing has already been disclosed and if so, to whom, when, and what action was taken
f) information in respect of the alleged wrongdoing (what is occurring / has occurred and how) and any supporting information
g) the name of any person(s) allegedly involved in the alleged wrongdoing (if any name is known and the worker considers that naming an individual is necessary to report the wrongdoing disclosed)
h) any other relevant information.
APPENDIX B – SOME FORMS OF RETALIATION
a) Suspension, layoff or dismissal
b) Demotion, loss of opportunity for promotion or withholding promotion
c) Transfer of duties, change of location of place of work, reduction in wages or change in working hours
d) The imposition or administering of any discipline, reprimand or other penalty (including a financial penalty)
e) Coercion, intimidation, harassment or ostracism
f) Discrimination, disadvantage or unfair treatment
g) Injury, damage or loss
h) Threat of reprisal
i) Withholding of training
j) A negative performance assessment or employment reference
k) Failure to convert a temporary employment contract into a permanent one, where the worker had a legitimate expectation that he or she would be offered permanent employment
l) Failure to renew or early termination of a temporary employment contract
m) Harm, including to the worker’s reputation, particularly in social media, or financial loss, including loss of business and loss of income
n) Blacklisting on the basis of a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry
o) Early termination or cancellation of a contract for goods or services
p) Cancellation of a license or permit
q) Psychiatric or medical referrals.
APPENDIX C – Process for handling reports
1.1. This process shall apply to all reports made in the manner specified in section 5 of this Policy. This process may not apply if a report or other communication is made in a manner other than that specified in section 5.
1.2. All reports shall be acknowledged within seven days of receipt.
Assessment
1.3. The Whistleblower Officer shall assess if there is prima facie evidence that a relevant wrongdoing might have occurred.
1.4. If the decision is that the report contains no prima facie evidence of a relevant wrongdoing, the report may either be closed or referred to another relevant procedure. If this occurs, the Whistleblower Officer will notify the reporting person in writing of this decision and the reasons for it.
1.5. If a decision to close the report or refer it to another process is made, any party affected by this decision may request a review of this decision, via the system of review set out in section 13 of this Policy.
1.6. If the decision is that the report contains prima facie evidence of a relevant wrongdoing, appropriate action will be taken to address the wrongdoing, having regard to the nature and seriousness of the matter. This should include an investigation into the circumstances detailed in the report.
Investigation
1.7. If during the Assessment phase the Whistleblower Officer decides that an investigation is required, they shall also decide how the matter should be investigated.
1.8. Investigations will be undertaken in accordance with the general principles of natural justice and fair procedures and any other relevant procedures of Greystar, as appropriate.
1.9. Responsibility for investigating and addressing allegations of wrongdoing lies with the Whistleblower Officer and not the reporting person. Reporting persons should not attempt to investigate wrongdoing themselves. Depending on the nature of the report, allegations will be investigated internally or by an external, independent investigator appointed by the Whistleblower Officer.
1.10. A review of a decision not to investigate can be requested via the system of review set out in section 13 of this Policy.
Feedback
1.11. Feedback includes information on action taken or envisaged in response to a report, and the reasons for such action.
1.12. Feedback does not include any information that could prejudice the outcome of an investigation or any other action that might follow, nor does it include any information relating to an identified or identifiable third party. Feedback will not include any information on any disciplinary process involving another person.
1.13. Feedback will be provided to the reporting person within a reasonable period of time and no later than three months after the initial acknowledgement of the report.
1.14. A reporting person can request in writing that the Whistleblower Officer provides further feedback at 3-month intervals until the process of follow-up is completed.
1.15. Any feedback is provided in confidence and should not be disclosed by the reporting person other than:
a) as part of the process of seeking legal advice in relation to their report from a lawyer or a trade union official; or
b) if required in order to make a further report through this or another reporting channel provided for under the Policy (see section 10 below).
c) If the investigation determines that no relevant wrongdoing has occurred, the reporting person will be informed of this in writing and the reasons for this decision. A review of this decision may be requested via the system of review set out in section 13 of this Policy.
1.16. The final outcome of the process triggered by the report will be communicated to the reporting person, subject to any legal restrictions concerning confidentiality, legal privilege, privacy and data protection or any other legal obligation.
APPENDIX D – External Reporting Organisations
Spain
Autoridad Independiente de Protección del Informante (AAI)
The legal statute establishing this body has been approved but the AAI has not yet been formally established. We will continue to research and monitor the situation.
Germany
Bundesamt für Justiz (BfJ)
Online: www.bundesjustizamt.de/DE/MeldestelledesBundes/MeldestelledesBundes_node.html
Austria
Bundeswettbewerbsbehörde (Federal Competition Authority)
Online process: www.bwb.gv.at
France
Commissioner for Human Rights (Défenseur des Droits)
By Mail: Free answer 71120, 75342 Paris CEDEX 07
By Phone: +33 (0) 9 69 39 00 00
Online secure form: www.defenseurdesdroits.fr
Ireland
Office of the Protected Disclosures Commissioner
By Mail: 6 Earlsfort Terrace, Dublin 2, D02 W773
General enquiries: info@opdc.ie
To report a wrongdoing: disclosures@opdc.ie
By phone: 01 639 5650
Netherlands
Huis Voor Klokkenluiders (The House for Whistleblowers)
Online: www.huisvoorklokkenluiders.nl
Policy last updated: February 2025