Internal Information System

INTERNAL POLICY OF THE WHISTLEBLOWER CHANNEL

1. INTRODUCTION, PURPOSE AND APPLICATION

Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption (hereinafter, Law 2/2023) transposes into the Spanish legal system Directive 2019/1937 of the European Parliament and of the Council, of 23 October 2019, regarding the protection of persons who report infringements of Union law.

This policy applies to Twin Inversors 2007 S.L. with Tax ID B64645658 and registered office at Riera Dels Frares 8-10, 8907, Hospitalet de Llobregat (Barcelona) and aims to establish an internal channel for reporting possible regulatory infringements, violation of internal and/or ethical policies, and to establish a protection regime for the whistleblower, in compliance with Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

Law 2/2023 explains and clarifies in its preamble, Part III, that its purpose is to protect, against possible reprisals, persons who, in a work or professional context, detect serious or very serious criminal or administrative infringements and communicate them through the mechanisms regulated in this policy.

This Channel, therefore, is a mechanism that allows employees of the company and other interested parties to report any type of illegal conduct or conduct contrary to our values and ethical principles, without fear of reprisals, strengthening the culture of information, the integrity infrastructures of organisations and the promotion of the culture of information or communication as a mechanism to prevent and detect threats to the public interest. In this way, the aim is to promote a culture of transparency, integrity and responsibility in our organisation, while protecting those employees who decide to make a report in good faith.

1. WHISTLEBLOWER CHANNEL

The entity has created a whistleblower channel (hereinafter, the WCI) as a preferred means for receiving information on actions or omissions that may constitute serious or very serious criminal or administrative infringements, and other actions provided for in Article 2 of Law 2/2023.

The channel is administered by the Person Responsible for the Internal System of the Channel (hereinafter, the PRIC). Access to this channel shall be limited, within the scope of their competences and functions, to:

1. The Person Responsible for the Internal System of the Channel.
2. The delegated administrator(s) appointed by the person responsible for the system.
3. The managers designated for the processing of certain reports depending on the corresponding area.

The functions of these bodies, as applicable, shall be:

• Receipt, registration and management of reports received through the whistleblower channel.
• Designation of the person or team responsible for investigating the reports received.
• Ensuring the protection of whistleblowers and the confidentiality of the reports received.
• Assessment of the truthfulness and credibility of the reports received.
• Decision-making on appropriate measures based on the results of the investigation.
• Monitoring and periodic review of the complaints management process and the company’s internal policy.
• Preparation of reports and recommendations for senior management regarding the reports received and the measures adopted.

The WCI must technically ensure the confidentiality or, eventually, the anonymity of the whistleblower, in order to protect them from any leak and subsequent retaliation that they may suffer.

Whistleblowers within the scope of application of the law may submit their reports through the following link:

• Link to the whistleblower channel:

https://compliance.legalsending.com/canal/?C=48601959019017745

• SUBJECTIVE SCOPE – WHISTLEBLOWER SUBJECTS

Persons who have an employment or professional relationship with the AEPD may make use of the internal information channel and benefit from the protection granted by Law 2/2023 as whistleblowers, to communicate information on the actions or omissions described in Article 2 of Law 2/2023. This employment or professional relationship, which entails dependence on the AEPD, is what makes special protection against possible reprisals necessary and appropriate.

In any case, the following shall be considered whistleblowers, for the purposes of this AEPD, under Law 2/2023:

• Persons who qualify as employees or workers employed by another.
• Self-employed collaborators (freelancers).
• Shareholders, participants and persons belonging to the company’s administrative, management or supervisory body, including non-executive members.
• Any person working for or under the supervision and direction of contractors, subcontractors and suppliers.
• Whistleblowers who communicate or publicly disclose information on infringements obtained within the framework of a terminated employment or statutory relationship, volunteers, interns, trainees regardless of whether they receive remuneration or not, as well as those whose employment relationship has not yet commenced, in cases in which the information on infringements was obtained during the selection or pre-contractual negotiation process.

It is important to highlight that reports made through the whistleblower channel must be made in good faith, that is, they must be supported by evidence and concrete facts.

1. OBJECTIVE SCOPE – REPORTABLE FACTS

In terms of the object of the information, Law 2/2023 stipulates that the internal information channel may be used to report serious improper conduct or alleged corruption that may constitute serious or very serious criminal or administrative infringements related to the entity’s activities, which the whistleblower has observed or about which they have received information in the course of their work or professional relationship.

The Law 2/2023 itself and Directive (EU) 2019/1937 list as such, the information that refers to:

1. Infringements that fall within the scope of the acts of the European Union listed in the annex to the aforementioned Directive relating to the following areas:
2. public procurement,
3. financial services, products and markets, and prevention of money laundering and terrorist financing,
4. product safety and compliance,
5. transport safety,
6. environmental protection,
7. protection against radiation and nuclear safety,
8. food and feed safety, animal health and animal welfare,
9. public health,
10. consumer protection,
11. protection of privacy and personal data, and security of networks and information systems
12. That affect the financial interests of the European Union as contemplated in Article 325 of the Treaty on the Functioning of the European Union (TFEU).
13. That impact the internal market, as contemplated in Article 26(2) of the TFEU, including infringements of European Union rules on competition and State aid, as well as infringements relating to the internal market in relation to acts that infringe company tax rules or practices aimed at obtaining a tax advantage that undermines the object or purpose of the legislation applicable to corporate tax.
14. Actions or omissions that may constitute serious or very serious criminal or administrative infringements. In any case, all those serious or very serious criminal or administrative infringements that entail economic damage to the Public Treasury and Social Security shall be understood to be included.
15. Infringements of labour law regarding occupational health and safety reported by workers, without prejudice to the provisions of their specific regulations.

The whistleblower must provide at least the reference to the subjective scope of the infringement (subject matter or regulation violated: European Union law; criminal infringement; or administrative infringement); and a description of the facts subject to communication (relevant information on what occurred), as detailed as possible, attaching the documentation they may have, if applicable.

Likewise, they may provide their name and surname, and a contact telephone number, if they do not choose to submit this communication anonymously.

If they know the identity of the person responsible for the reported irregularity, or have brought these facts to the attention of another body or entity through an external channel, they may also provide this information.

1. REPORTING PROCEDURE

The information may be communicated to the entity anonymously. Otherwise, the identity of the whistleblower shall be kept confidential and limited to the knowledge of the PRIC, delegated administrators or appointed managers. These members shall carry out their functions independently and autonomously from the rest of the entity’s bodies and may not receive instructions of any kind in their exercise, having all the necessary personal and material resources to carry them out.

The company undertakes to investigate all reports of possible infringements or breaches received through the reporting channel. All reports will be investigated impartially and confidentially, and appropriate measures will be taken based on the results of the investigation aimed at protecting the whistleblower.

The information or report shall be communicated through the internal reporting channel via the specific electronic application for this purpose, identified and accessible from the website: https://www.twin.cat/

At the request of the whistleblower, the report may also be submitted through an in-person meeting that will take place within a maximum period of seven days. In this case, the whistleblower shall be warned that the communication will be recorded and shall be informed of the processing of their data in accordance with the GDPR and the LOPDPGDD. When presenting the information, the whistleblower must indicate an address, email or secure place for receiving notifications, unless they expressly waive receiving any communication regarding actions carried out by the PRIC as a consequence of the information.

Once the information is submitted, it shall be recorded in the information management system by assigning an identification code, which shall be stored in a secure database with restricted access exclusively by PRIC personnel, duly authorised, in which all communications received shall be recorded with the following data:

1. Date of receipt.
2. Identification code.
3. Actions carried out.
4. Measures adopted.
5. Date of closure.

Upon receipt of the information, within no more than 7 calendar days from receipt, acknowledgement of receipt shall be provided to the whistleblower, unless they have expressly waived receiving communications related to the investigation. These reports will be managed within a maximum period of 3 months except in cases of particular complexity that require an extension of this period, in which case it may be extended by up to an additional 3 months.

Once the information has been registered, the PRIC and its team shall proceed to analyse its admissibility in accordance with the material and personal scope provided in Articles 2 and 3 of Law 2/2023.

The company undertakes to inform the whistleblower about the status of the investigation and the measures adopted, whenever possible and without compromising the confidentiality and protection of the whistleblower, and may request additional information regarding the facts communicated through the channel.

Additionally, the company undertakes to monitor all reports received and the measures adopted in order to ensure the effectiveness of this policy and continuously improve the process.

Any information shall be immediately referred to the Public Prosecutor’s Office when the facts may be constitutive of a crime. In the event that the facts affect the financial interests of the European Union, it shall be referred to the European Public Prosecutor’s Office.

1. PROTECTION OF WHISTLEBLOWERS

The company undertakes to protect persons who report infringements or non-compliance, in accordance with Law 2/2023.

1. Acts constituting reprisals.

Acts constituting reprisals, including threats of reprisals and attempts of reprisals, against persons who submit a communication in accordance with the provisions of the law, are expressly prohibited.

Reprisal means any act or omission that is prohibited by law, or that, directly or indirectly, constitutes an unfavourable treatment that places the persons who suffer it at a particular disadvantage compared to another in the work or professional context, solely because of their status as whistleblowers or for having made a public disclosure.

For the purposes provided in Law 2/2023, and by way of example, reprisals shall be considered those adopted in the form of:

1. Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including non-renewal or early termination of a temporary employment contract once the probation period has been passed, or early termination or cancellation of goods or services contracts, imposition of any disciplinary measure, demotion or denial of promotions, and any other substantial modification of working conditions, and the non-conversion of a temporary employment contract into a permanent one where the worker had legitimate expectations of being offered permanent employment; unless these measures were carried out within the regular exercise of managerial powers under applicable labour legislation or regulations governing public employee status, due to circumstances, facts or proven infringements unrelated to the submission of the communication.
2. Damages, including reputational damages, or economic losses, coercion, intimidation, harassment or ostracism.
3. Negative evaluation or references regarding work or professional performance.
4. Blacklisting or dissemination of information in a specific sectoral environment that hinders or prevents access to employment or contracting works or services.
5. Denial or cancellation of a licence or permit.
6. Denial of training.
7. Discrimination, or unfavourable or unfair treatment.

Any person whose rights have been violated because of their communication or disclosure after a period of two years may request protection from the competent authority, which, exceptionally and with justification, may extend the protection period, after hearing the persons or bodies that may be affected. The denial of the extension of the protection period must be duly reasoned.

Administrative acts intended to prevent or hinder the submission of communications and disclosures, as well as those that constitute reprisals or cause discrimination following their submission under this law, shall be null and void and may give rise, where appropriate, to corrective disciplinary or liability measures, which may include compensation for damages suffered by the affected party.

1. Measures for the protection of whistleblowers against reprisals

Whistleblowers who report information on the actions or omissions set out in Section FOUR, or who make a public disclosure in accordance with Law 2/2023, shall not be considered to have breached any restriction on disclosure of information and shall not incur any liability in relation to such communication or public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure of such information was necessary to reveal an action or omission under the law, all without prejudice to the specific protection rules applicable in the labour field. This measure shall not affect criminal liability.

The provisions of the previous paragraph shall extend to communications made by worker representatives, even if they are subject to legal obligations of confidentiality or to not disclose reserved information. All this without prejudice, likewise, to the specific protection rules applicable in the labour field.

Whistleblower protection measures shall also apply, where appropriate, to:

1. a) natural persons who assist the whistleblower in the process;
2. b) natural persons who are related to the whistleblower and who may suffer reprisals, such as co-workers or relatives of the whistleblower;
3. c) legal entities for which they work or with which they maintain any other type of relationship in an employment context or in which they hold a significant participation.

For these purposes, participation in the capital or voting rights corresponding to shares or participations is understood to be significant when, due to its proportion, it allows the person holding it to have the capacity to influence the participated legal entity.

Whistleblowers shall not incur liability regarding the acquisition or access to the information communicated or publicly disclosed, provided such acquisition or access does not constitute a criminal offence.

Any other possible liability of whistleblowers derived from acts or omissions not related to the communication or public disclosure, or that are not necessary to reveal an infringement under Law 2/2023, shall be enforceable in accordance with the applicable regulations.

In proceedings before a judicial body or other authority, relating to the harm suffered by whistleblowers, once the whistleblower has reasonably demonstrated that they have communicated or made a public disclosure in accordance with Law 2/2023 and that they have suffered harm, it shall be presumed that the harm occurred as retaliation for reporting or making a public disclosure. In such cases, the burden of proof shall fall on the person who took the harmful measure to demonstrate that the measure was based on duly justified reasons unrelated to the communication or public disclosure.

In judicial proceedings, including those relating to defamation, copyright infringement, breach of secrecy, infringement of data protection regulations, disclosure of trade secrets, or requests for compensation based on labour or statutory law, whistleblowers shall not incur any liability as a consequence of communications or public disclosures protected by Law 2/2023. Such persons shall have the right to allege, in their defense and within such judicial proceedings, that they communicated or made a public disclosure, provided they had reasonable grounds to believe that the communication or public disclosure was necessary to demonstrate an infringement under Law 2/2023.

Expressly excluded from the protection provided by the law are persons who communicate or disclose:

1. Information contained in communications that have been inadmissible by an internal information channel or for any of the reasons provided by the law.
2. Information related to claims about interpersonal conflicts or that affect only the whistleblower and the persons referred to in the communication or disclosure.
3. Information already fully available to the public or that constitutes mere rumours.
4. Information referring to actions or omissions not covered by the law.
5. Measures for the protection of the affected persons

During the processing of the file, the persons affected by the communication shall have the right to the presumption of innocence, the right to defence, and the right of access to the file under the terms provided in Law 2/2023, as well as the same protection established for whistleblowers, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.

The Independent Authority for Whistleblower Protection, I.A.I., may, within the framework of the sanctioning procedures it conducts, adopt provisional measures under the terms established in Article 56 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.

1. Cases of exemption and mitigation of the sanction

When a person who has participated in the commission of the administrative infringement subject to the information is the one who reports its existence by submitting the information, and provided that it was submitted before the initiation of the investigation or sanctioning procedure has been notified, the competent body to resolve the procedure, through a reasoned decision, may exempt them from complying with the administrative sanction that would correspond, provided that the following requirements are proven in the file:

1. a) Having ceased the commission of the infringement at the time of submitting the communication or disclosure and having identified, if applicable, the rest of the persons who participated in or favoured it.
2. b) Having cooperated fully, continuously and diligently throughout the entire investigation procedure.
3. c) Having provided truthful and relevant information, evidence or significant data for the accreditation of the investigated facts, without having destroyed or concealed such information or revealed its content to third parties, directly or indirectly.
4. d) Having proceeded to repair the damage caused that is attributable to them.

When these requirements are not fully met, including the partial repair of the damage, it will be at the discretion of the competent authority, after assessing the degree of contribution to the resolution of the case, to decide whether to mitigate the sanction corresponding to the committed infringement, provided that the whistleblower or author of the disclosure has not previously been sanctioned for acts of the same nature that originated the initiation of the procedure.

Mitigation of the sanction may extend to the rest of the participants in the commission of the infringement, depending on the degree of active collaboration in clarifying the facts, identifying other participants, and repairing or reducing the damage caused, as assessed by the body responsible for the resolution.

Law 2/2023 excludes from the provisions of this section the infringements established in Law 15/2007, of 3 July, on the Defence of Competition.

• CONFIDENTIALITY AND DATA PROTECTION

The processing of personal data shall be carried out ensuring compliance with Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption, with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, with Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights, and with Organic Law 7/2021, of 26 May, on personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and execution of criminal sanctions.

Personal data subject to processing, any submitted documents and any other information provided in the report that contains personal information, will be processed confidentially by those responsible for the channel, as well as by administrators and possible managers, for the purpose of fulfilling the obligation to investigate and manage the submitted report and to comply with the legal obligations established in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.

The internal reporting system must prevent unauthorised access and preserve identity and guarantee the confidentiality of the data corresponding to the persons affected and any third party mentioned in the submitted information, especially the identity of the whistleblower if they have identified themselves. The identity of the whistleblower may only be communicated to the Judicial Authority, the Public Prosecutor’s Office, or the competent administrative authority within the framework of a criminal, disciplinary, or sanctioning investigation, and such cases shall be subject to the safeguards established in the applicable regulations.

If the information received contains special categories of personal data, subject to special protection, it shall be immediately deleted unless processing is necessary for reasons of essential public interest in accordance with Article 9.2(g) of the GDPR, as provided in Article 30.5 of Law 2/2023.

In any case, personal data that is clearly not relevant to processing specific information shall not be collected, or if collected accidentally, it shall be deleted without undue delay.

Communications that have not been processed may only be recorded in anonymised form, without the obligation of blocking provided for in Article 32 of the LOPDPGDD being applicable.

Access to the personal data contained in the internal reporting system shall be limited to:

1. The Person Responsible for the Internal System of the Channel.
2. The delegated administrator(s) appointed by the person responsible for the system.
3. The managers designated for the processing of certain reports according to the corresponding area.
4. Data may be made available to the Legal Department, Lawyers, Judicial Bodies, and State Law Enforcement Authorities if any of the received information could be considered a crime or legal infringement.

Legal basis for processing: The processing of personal data in the case of internal communications shall be considered lawful pursuant to Articles 6.1(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, 8 of Organic Law 3/2018 of 5 December, and 11 of Organic Law 7/2021 of 26 May, when, in accordance with Articles 10 and 13 of the law, it is mandatory to have an internal reporting system. If it is not mandatory, the processing shall be presumed to be covered under Article 6.1(e) of the said regulation. The processing of personal data in cases of external communication channels shall be considered lawful pursuant to Articles 6.1(c) of Regulation (EU) 2016/679, 8 of Organic Law 3/2018, of 5 December, and 11 of Organic Law 7/2021, of 26 May.

Data subject rights: access, rectification, deletion, limitation, portability and opposition, free of charge by email to: protecciondedatos@twin.cat in the legally established cases.

Retention: Data shall be retained for the legally established period for processing the file and for the time necessary to exercise legal actions or if it is necessary to keep evidence of channel management. The data subject also has the right to file a complaint with the AEPD at www.aepd.es to request the protection of their rights.

• COMMUNICATION AND REVIEW OF POLICIES AND PROCEDURES

The company will carry out periodic training and awareness campaigns to foster a culture of integrity and transparency, and to inform employees and other interested parties about the reporting channel. It will also provide information on the rights and protections offered to whistleblowers under Law 2/2023.

The company undertakes to disseminate this policy to all employees and stakeholders and will update and, where appropriate, amend this internal channel policy at least every three years, taking into account the experience gained and the recommendations of the Competent Authority.