Internal Information System

INTERNAL WHISTLEBLOWER CHANNEL POLICY

1. INTRODUCTION, PURPOSE AND APPLICATION

Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption (hereinafter Law 2/2023) transposes into Spanish law Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of EU law.

This policy applies to Comercial Arque S.A. with VAT number A08275950 and registered office at Ctra del Mig, 54, 8907, Hospitalet de Llobregat (Barcelona) and aims to establish an internal channel for the reporting of possible breaches of regulations, breaches of internal and/or ethical policies and to establish a whistleblower protection regime, in compliance with Law 2/2023, of 20 February, regulating the protection of persons who report breaches of regulations and the fight against corruption.

Law 2/2023 explains and clarifies in its preamble, Part III, that its purpose is to protect, against possible reprisals, persons who, in an employment or professional context, detect serious or very serious criminal or administrative offences and report them through the mechanisms regulated in this policy.

This Channel, therefore, is a mechanism that allows company employees, and other interested parties, to report any type of illegal conduct or conduct contrary to our values and ethical principles, without fear of reprisals, strengthening the culture of information, the integrity infrastructures of organisations and the promotion of the culture of information or communication as a mechanism to prevent and detect threats to the public interest. In this way, we seek to promote a culture of transparency, integrity and accountability in our organisation, while protecting those employees who choose to report in good faith.

1. WHISTLEBLOWER CHANNEL

A whistleblower channel (hereinafter, the CII) has been created by the entity as the preferred channel for receiving information on actions or omissions that may constitute a serious or very serious criminal or administrative offence, and other actions provided for in article 2 of Law 2/2023.

The channel is managed by the Internal Channel System Manager (hereinafter, the RSII). Access to this channel shall be limited, within the scope of its competences and functions, to:

1. The Internal Channel System Manager.
2. The administrator/s delegated by the system manager.
3. To the managers designated for the processing of certain complaints according to the scope to which they correspond.

The functions of these bodies, as appropriate, shall be:

• Reception, registration and management of the complaints received through the whistleblower channel.
• Designation of the person or team in charge of investigating the complaints received.
• Ensuring the protection of whistleblowers and the confidentiality of the reports received.
• Assessing the veracity and credibility of the reports received.
• Decision-making on appropriate action based on the results of the investigation.
• Monitoring and regular review of the complaint management process and internal company policy.
• Preparation of reports and recommendations to senior management on complaints received and actions taken.

The CII must technically guarantee the confidentiality or, eventually, the anonymity of the whistleblower, to protect him/her against any leaks and subsequent retaliation to which he/she may be subjected.

Whistleblowers within the scope of the law can submit their complaints via the following link:

• Link to whistleblower channel:

https://compliance.legalsending.com/canal/?C=48601969019017836

• SUBJECTIVE SCOPE – REPORTING SUBJECTS

Those persons who have an employment or professional relationship with the AEPD in order to communicate information on the actions or omissions described in article 2 of Law 2/2023 may make use of the internal information channel and benefit from the protection granted by Law 2/2023 as informants. This employment or professional relationship, which entails a dependence on the AEPD, is what makes special protection against possible reprisals necessary and appropriate.

In any case, they are considered informants, for this AEPD, for the purposes of Law 2/2023:

• Persons who have the status of employees or workers employed by others.
• Self-employed collaborators (freelancers).
• Shareholders, participants and persons belonging to the administrative, management or supervisory body of the company, including non-executive members.
• Any person working for or under the supervision and direction of contractors, subcontractors and suppliers.
• Whistleblowers who communicate or publicly disclose information on wrongdoing obtained in the framework of an employment or statutory relationship that has already ended, volunteers, trainees, trainees in training, whether or not they receive remuneration, as well as those whose employment relationship has not yet started, in cases where the information on wrongdoing was obtained during the recruitment process or pre-contractual negotiation.

It is important to note that reports made through the whistleblower channel must be made in good faith, i.e. they must be supported by concrete evidence and facts.

1. OBJECTIVE SCOPE – REPORTABLE FACTS

As regards the purpose of the information, it follows from Law 2/2023 that the internal reporting channel may be used to report serious misconduct or suspected corruption, which may constitute serious or very serious criminal or administrative offences related to the activities of the institution, which the whistleblower has observed or received information about in the course of his work or professional relationship.

Law 2/2023 itself and Directive (EU) 2019/1937 list as such information relating to:

1. Infringements falling within the scope of the acts of the European Union listed in the Annex to the aforementioned Directive relating to the following areas:
2. public procurement
3. financial services, products and markets, and prevention of money laundering and terrorist financing,
4. product safety and conformity,
5. transport safety,
6. environmental protection,
7. radiation protection and nuclear safety,
8. food and feed safety, animal health and animal welfare,
9. public health,
10. consumer protection,
11. protection of privacy and personal data, and security of networks and information systems.
12. Affecting the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU).
13. which affect the internal market, as referred to in Article 26(2) TFEU, including infringements of EU competition rules and aid granted by States, as well as infringements relating to the internal market in relation to acts in breach of corporate tax rules or practices aimed at obtaining a tax advantage that would defeat the object or purpose of the legislation applicable to corporate taxation.
14. Actions or omissions that may constitute a serious or very serious criminal or administrative offence. In any case, this shall be understood to include all serious or very serious criminal or administrative offences that involve financial loss for the Treasury and for the Social Security.
15. Infringements of labour law in matters of health and safety at work reported by workers, without prejudice to the provisions of their specific regulations.

The reporting person must provide at least the reference to the subjective scope of the infringement (subject matter or regulations infringed: European Union law; criminal infringement; or administrative infringement); and a description of the facts that are the object of the report (relevant information on what happened), as detailed as possible, attaching any documentation that may be available, where appropriate.

You may also provide your name and surname, and a contact telephone number, if you do not choose to make this communication anonymously.

If you know the identity of the person responsible for the reported irregularity, or if you have brought these facts to the attention of another body or entity through an external channel, you may also provide this information.

1. WHISTLEBLOWING PROCEDURE

The information may be communicated to the entity anonymously. Otherwise, the identity of the informant shall be kept confidential and shall be limited to the knowledge of the RSII, delegated administrators or appointed managers. These members shall carry out their functions independently and autonomously from the rest of the bodies of the entity or body and may not receive instructions of any kind in the exercise thereof, and shall have all the personal and material means necessary to carry them out.

The company undertakes to investigate all reports of possible breaches or non-compliance received through the complaints channel. All reports will be investigated impartially and confidentially and appropriate measures will be taken depending on the results of the investigation for the protection of the whistleblower.

The information or complaint shall be communicated through the internal reporting channel by means of the specific electronic application for this purpose, identified and accessible from the website: https://www.arque.com/.

At the whistleblower’s request, the complaint may also be submitted by means of a face-to-face meeting that will take place within a maximum period of seven days. Where appropriate, the informant will be warned that the communication will be recorded and will be informed of the processing of his or her data in accordance with the provisions of the GDPR and the LOPDPGDD. When submitting the information, the informant must indicate an address, e-mail address, or safe place for the purpose of receiving notifications, unless he/she expressly waives the receipt of any communication of actions carried out by the RSII as a result of the information.

Once the information has been submitted, it shall be registered in the information management system, by assigning an identification code, which shall be contained in a secure database with access restricted exclusively to RSII personnel, suitably authorised, in which all communications received shall be registered with the following data:

1. Date of receipt.
2. Identification code.
3. Actions carried out.
4. Measures adopted.
5. Date of closure.

Once the information has been received, within a period of no more than 7 calendar days from said receipt, the informant shall be acknowledged, unless he/she has expressly waived receipt of communications relating to the investigation. These reports will be managed for a maximum period of 3 months, except in cases of particular complexity that require an extension of the period, in which case, this may be extended for a maximum of a further 3 months.

Once the information has been registered, the RSII and his team will proceed to analyse the admissibility in accordance with the material and personal scope provided for in articles 2 and 3 of Law 2/2023.

The company undertakes to inform the whistleblower about the status of the investigation and the measures taken, whenever possible and without compromising the confidentiality and protection of the whistleblower, and may request additional information to the facts communicated through the channel.

In addition, the company undertakes to monitor all reports received and actions taken to ensure the effectiveness of this policy and to continuously improve the process.

Any information will be immediately forwarded to the Public Prosecutor’s Office when the facts could be indicative of a criminal offence. In the event that the facts affect the financial interests of the European Union, it will be referred to the European Public Prosecutor’s Office.

1. PROTECTION OF WHISTLEBLOWERS

The company undertakes to protect persons who report breaches or non-compliance, in accordance with Law 2/2023.

1. Acts constituting retaliation.

Acts constituting retaliation, including threats of retaliation and attempted retaliation against persons who make a report as required by law, are expressly prohibited.

Retaliation means any act or omission that is prohibited by law, or that directly or indirectly results in unfavourable treatment that places the persons subjected to it at a particular disadvantage compared to another in the employment or professional context, solely because of their status as whistleblowers, or because they have made a public disclosure.

For the purposes of the provisions of Law 2/2023, and by way of example, reprisals are considered to be reprisals in the form of:

1. Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including non-renewal or early termination of a temporary employment contract once the probationary period has passed, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotion and any other substantial modification of working conditions and failure to convert a temporary employment contract into an indefinite one, in the event that the worker had legitimate expectations that he/she would be offered an indefinite job; unless these measures were carried out in the regular exercise of managerial authority under the relevant labour or public employee statute legislation, due to circumstances, facts or proven breaches, unrelated to the submission of the communication.
2. Damage, including reputational damage or financial loss, coercion, intimidation, harassment or ostracism.
3. Negative evaluation or references regarding job or professional performance.
4. Blacklisting or dissemination of information in a particular sectoral area, which hinders or prevents access to employment or the contracting of works or services.
5. Refusal or cancellation of a licence or permit.
6. Denial of training.
7. Discrimination, unfavourable or unfair treatment.

A person whose rights have been harmed as a result of its communication or disclosure after the expiry of the two-year period may request protection from the competent authority, which may, exceptionally and in a justified manner, extend the period of protection, after hearing the persons or bodies likely to be affected. Reasons shall be given for any refusal to extend the period of protection.

Administrative acts aimed at preventing or hindering the submission of communications and disclosures, as well as those that constitute reprisals or cause discrimination following the submission of such communications and disclosures under this Act, shall be null and void and shall give rise, where appropriate, to corrective disciplinary or liability measures, which may include the corresponding compensation for damages to the injured party.

1. Measures to protect the whistleblower against reprisals

Persons who report information about the acts or omissions set forth in Section FOUR, or who make a public disclosure pursuant to Law 2/2023, shall not be deemed to have violated any disclosure restrictions and shall not incur any liability of any kind in connection with such reporting or public disclosure, provided that they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary to disclose an act or omission under such law, subject to any specific employment-related protections. This measure shall not affect criminal liability.

The provisions of the preceding paragraph shall extend to the communication of information made by the representatives of the employees, even if they are subject to legal obligations of confidentiality or of not disclosing reserved information. All of the above is also without prejudice to the specific rules of protection applicable in the field of employment.

The measures for the protection of the informant shall also apply, where appropriate, to:

1. (a) natural persons assisting the whistleblower in the process;
2. (b) natural persons who are related to the whistleblower and who may suffer retaliation, such as co-workers or relatives of the whistleblower;
3. (c) legal persons, for whom he/she works or with whom he/she has any other relationship in an employment context or in which he/she has a significant shareholding.

For these purposes, an interest in the capital or in the voting rights attaching to shares or participations is deemed to be significant when, by virtue of its proportion, it enables the person who holds it to have the capacity to influence the legal person in which he/she has an interest.

Insiders shall not incur liability in respect of the acquisition of or access to information that is publicly reported or disclosed, provided that such acquisition or access does not constitute a criminal offence.

Any other potential liability of insiders arising from acts or omissions that are unrelated to the communication or public disclosure, or that are not necessary to disclose a breach under Law 2/2023 will be enforceable under applicable law.

In proceedings before a court or other authority, concerning harm suffered by whistleblowers, once the whistleblower has reasonably demonstrated that he or she has communicated or made a public disclosure pursuant to Law 2/2023 and has suffered harm, it shall be presumed that the harm occurred in retaliation for reporting or making a public disclosure. In such cases, it shall be for the person who has taken the injurious action to prove that such action was based on duly justified reasons not linked to the communication or public disclosure.

In legal proceedings, including those relating to defamation, copyright infringement, breach of secrecy, breach of data protection rules, disclosure of trade secrets, or claims for compensation based on employment or statutory law, informants shall not incur liability of any kind as a result of communications or public disclosures protected by Law 2/2023. Such persons shall be entitled to assert in their defence in such legal proceedings that they communicated or made a public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure was necessary to expose a violation under the 2/2023 Act.

Persons who communicate or discloseare expressly excluded from the protection provided by the Act:

1. Information contained in communications that have been inadmissible by any internal information channel or for any of the causes provided for in the law.
2. Information linked to complaints about interpersonal conflicts or affecting only the informant and the persons to whom the communication or disclosure refers.
3. Information which is already fully available to the public or which constitutes mere hearsay.
4. Information which relates to acts or omissions outside the scope of the law.
5. Measures for the protection of the persons concerned

During the processing of the file, the persons affected by the communication shall have the right to the presumption of innocence, the right of defence and the right of access to the file under the terms provided for in Law 2/2023, as well as the same protection established for informants, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

The Independent Authority for Whistleblower Protection, A.A.I. may, within the framework of the sanctioning proceedings it conducts, adopt provisional measures under the terms established in article 56 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.

1. Cases of exemption and mitigation of the penalty

When a person who has participated in the commission of the administrative infringement that is the object of the information is the one who reports its existence by submitting the information and provided that the information was submitted before the notification of the initiation of the investigation or sanctioning procedure, the body competent to resolve the procedure, by means of a reasoned resolution, may exempt him/her from compliance with the administrative sanction that corresponds to him/her, provided that the following points are accredited in the file:

1. a) To have ceased to commit the infringement at the time of submission of the communication or disclosure and to have identified, where appropriate, the other persons who participated in or favoured the infringement.
2. (b) cooperated fully, continuously and diligently throughout the investigation procedure.
3. c) To have provided truthful and relevant information, means of proof or significant data for the accreditation of the facts under investigation, without having proceeded to destroy or conceal them, or having directly or indirectly disclosed their content to third parties.
4. d) To have made reparation for the damage caused that is attributable to him/her.

When these requirements are not met in their entirety, including the partial repair of the damage, it shall be at the discretion of the competent authority, after assessing the degree of contribution to the resolution of the case, the possibility of mitigating the sanction that would have corresponded to the offence committed, provided that the informant or author of the disclosure has not previously been sanctioned for acts of the same nature that gave rise to the initiation of the procedure.

The mitigation of the sanction may be extended to the rest of the participants in the commission of the offence, depending on the degree of active collaboration in the clarification of the facts, identification of other participants and repair or mitigation of the damage caused, as assessed by the body responsible for the decision.

Law 2/2023 excludes from the provisions of this section the infringements established in Law 15/2007, of 3 July, on the Defence of Competition.

• CONFIDENTIALITY AND DATA PROTECTION

The processing of personal data will be carried out in compliance with Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption, Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, Organic Law 3/2018 of 5 December 2018 on the protection of personal data and guarantee of digital rights and Organic Law 7/2021 of 26 May on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties.

The personal data subject to processing, the documents provided and any other information provided in the complaint containing personal information will be treated confidentially by those responsible for the channel, as well as by the administrators and possible managers, in order to comply with the obligation to investigate and manage the complaint submitted and to comply with the legal obligations established in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

The Internal Reporting System must prevent unauthorised access and preserve the identity and guarantee the confidentiality of the data corresponding to the persons concerned and to any third party mentioned in the information provided, especially the identity of the informant in the event that he/she has been identified. The identity of the informant may only be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the context of a criminal, disciplinary or sanctioning investigation, and these cases shall be subject to safeguards laid down in the applicable regulations.

If the information received contains special categories of personal data subject to special protection, it shall be deleted immediately, unless the processing is necessary for reasons of essential public interest as provided for in Article 9.2.g) of the GDPR, as provided for in Article 30.5 of Law 2/2023.

In any case, personal data shall not be collected if they are not manifestly relevant to the processing of specific information or, if they are collected by accident, they shall be deleted without undue delay.

Communications that have not been followed up may only be recorded in anonymised form, without the obligation to block provided for in Article 32 of the LOPDPGDD being applicable.

Access to the personal data contained in the internal information system shall be limited to:

1. The person in charge of the Channel’s internal system.
2. The administrator/s delegated by the system manager.
3. To the managers designated for the processing of certain complaints according to the area to which they correspond.
4. The data may be brought to the attention of the Legal Department, Lawyers, Judicial Bodies and State Security Forces and Corps in the event that any of the information received is likely to be considered a crime or legal infringement of any kind.

Legal basis for processing: The processing of personal data, in cases of internal communication, shall be deemed lawful under the provisions of articles 6.1.c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, 8 of Organic Law 3/2018 of 5 December and 11 of Organic Law 7/2021 of 26 May, when, in accordance with the provisions of articles 10 and 13 of the law, it is mandatory to have an internal information system. If it is not mandatory, the processing shall be presumed to be covered by Article 6.1.e) of the aforementioned regulation. The processing of personal data in the cases of external communication channels shall be deemed lawful by virtue of the provisions of articles 6.1.c) of Regulation (EU) 2016/679, 8 of Organic Law 3/2018, of 5 December, and 11 of Organic Law 7/2021, of 26 May.

Rights of the data subject: access, rectification, deletion, limitation, portability and opposition, free of charge by email to: protecciondedatos@arque.com in the cases provided for by law.

Retention: The data will be kept for the legal period established for the processing of the file and for the time necessary for the exercise of legal actions or if it is necessary to leave evidence of the management of the channel. The interested party has the right to submit a complaint to the AEPD at www.aepd.es to request the protection of their rights.

• COMMUNICATION AND REVIEW OF POLICIES AND PROCEDURES

The company will conduct regular training and awareness-raising campaigns to foster a culture of integrity and transparency, and to inform employees and other stakeholders about the whistleblowing channel. It will also provide information on the rights and protections afforded to whistleblowers under Law 2/2023.

The company commits to disseminate this policy to all employees and stakeholders, and will update, at least every three years and, where appropriate, amend this internal channel policy, taking into account lessons learned and recommendations from the Competent Authority.