INTERNAL WHISTLEBLOWER DEFENCE AND INFRINGEMENT INFORMATION SYSTEM POLICY

1. Purpose

The purpose of this policy ("Policy") is to set out the general principles underlying the internal reporting system ("IIS") implemented by SMC España, S.A.U. (the "Company"), in accordance with the provisions of Law 2/2023, of 20 February, regulating the protection of persons who report regulatory violations and the fight against corruption ("Law 2/2023" or "Whistleblower Protection Law").

In line with the Company's business ethics, the SII has a twofold objective: on the one hand, to protect people who report breaches within its scope of application, and, on the other, to strengthen and promote the culture of information and communication as a mechanism to prevent, detect and react to irregular conduct.

2. Outreach

For the purposes of this Policy, the actions or omissions listed in article 2 of the Whistleblower Protection Act, as well as the non-compliance with any other measures implemented for the prevention of any action contrary to the law, are considered breaches.

Therefore, in relation to the matters to be reported, this scope affects any non-compliance of a general nature related to the Company. In any case, communications or information outside the material scope of application established in article 2 of the Whistleblower Protection Act and their senders shall remain outside the specific scope of protection provided by said Act.

The aforementioned breaches may also be reported when they may have been committed by third parties outside the company, provided that they are involved in the exercise of the company's activities and on its behalf.

This Policy applies to whistleblowers, i.e. any natural person who makes a report of possible acts or omissions as referred to in Article 2 of the Whistleblower Protection Act in an employment or professional context under the terms of Article 3(1) and (2) of the Act.

3. The SII

The SII is mainly composed of the internal channels set up for the reception of reports of non-compliance, the SII Manager and the procedure to be followed for the processing of such reports, known as the "Procedure for the management of information received in the Internal Information System" ("SII Procedure").

3.1 General principles and guarantees

All actions carried out within the framework of the SII will be carried out in a secure manner, in accordance with criteria of proportionality and objectivity, with the utmost respect for the law in force and recognising the rights of all parties involved.

In any case, the confidentiality and the rights to privacy, privacy, honour, defence and the presumption of innocence of the persons involved in the investigation process initiated as a result of the receipt of a communication made through the Company's SII shall be guaranteed.

Communications may be made in writing or verbally at the relevant meeting and may be anonymous.

The identity of the informant, if known, may only be communicated, in addition to the third parties indicated in the privacy policy, to the Judicial Authority, the Public Prosecutor's Office or the competent Administrative Authority within the framework of a criminal, disciplinary or sanctioning investigation, after informing the informant, provided that this circumstance does not compromise the investigation or the judicial proceedings in progress.

The actions aimed at verifying and clarifying the facts contained in the communications received must be carried out in compliance with all the guarantees expressly provided for in the SII Procedure for the persons involved.

In the case of the person concerned by the communication, his or her right to be informed of the facts attributed to him or her and to be heard at any time is recognised.

Investigation actions must be carried out as diligently, swiftly and effectively as possible, taking into account the complexity of the facts, in any case in accordance with the deadlines established in the SII Procedure. In any case, with regard to possible labour offences committed by workers, the statutory and/or contractual limitation period shall not begin until there is full and complete knowledge of what happened, and the investigative actions carried out shall interrupt any limitation period that may have begun.

3.2 Information channels

The SII is a complex system that includes, among its components, the internal channels for reporting possible non-compliance.

The SII should be used as the preferred channel for reporting breaches through the internal channel set up for this purpose, the Ethics Channel, given that diligent and effective action by the Company could limit the damage caused by the actions under investigation.

This internal channel is securely designed to guarantee the confidentiality of the identity of the informant, the person concerned, and any third party mentioned in the communication, as well as the protection of personal data, preventing access by unauthorised personnel.

Without prejudice to the preferential channel of this internal channel, for the communication of possible breaches of the Whistleblower Protection Act, whistleblowers may also access the channels established by the Public Administrations for this purpose ("external channels"), either directly or after notifying through the aforementioned internal channel.

The external channels for reporting non-compliance will be included in this Policy and duly communicated to potential informants once they are enabled, the following being currently in provisional operation:

• For non-compliance in relation to conduct prohibited by Law 15/2007 of 3 July 2007 on the Protection of Competition (LDC) and/or by Articles 101 and 102 of the Treaty on the Functioning of the European Union: https://sede.cnmc.gob.es/tramites/competencia/denuncia-de-conducta-prohibida•

3.3 Responsible for SII

The Board of Directors of the Company is responsible for the implementation of the SII and appoints Mr. Gorka Landa Ruiz de Arcaute ("SII Manager") as the person responsible for its management.

The designation of the IIS Officer shall be notified to the Independent Whistleblower Protection Authority.

In the event that the communication of potential non-compliance involves the IIS Officer, steps shall be taken to maintain sufficient independence by removing the IIS Officer from any function related to the communication in question.

The IBS Manager shall diligently assume, and in the absence of conflict of interest, the management of the information received through of the established channel, ensuring the proper application of the IBS Procedure, without prejudice to the possible outsourcing of the reception of information.

The Head of the IIS shall also keep a register of the information and communications received and of the investigation files ("Investigation Files") to which they give rise, guaranteeing the confidentiality of such information and compliance with data protection regulations.

The IBS Manager has the material and human resources necessary for the proper performance of his or her duties, which he or she carries out autonomously and independently from the rest of the Company's bodies, and his or her actions must be governed by the general principles set out in this Policy.

3.4 Procedure

The SII Procedure regulates the management and processing of communications received through the Company's SII.

The set of actions carried out to verify and clarify the facts referred to in the communications received through the internal channels set up by the Company within the framework of the SII will make up the Investigation File, the phases of which are regulated in the SII Procedure.

In the event that the facts that are the subject of the information could be indicative of a criminal offence, the Public Prosecutor's Office or the European Public Prosecutor's Office, as appropriate, must be informed, applying in all cases the provisions of the Company's "Special Protocol for internal investigations relating to possible offences of the legal person".

4. Whistleblower protection

4.1 Conditions for protection

Whistleblowers shall act in good faith. Communications shall be made in accordance with the criteria of truthfulness and proportionality and shall only refer to facts that have a bearing on the Company. Manipulated or false communications or information or that respond to motivations that cannot be protected by law may give rise to the application of the disciplinary regime in force, as well as the adoption of the corresponding legal actions for the claim of damages and losses that may have been generated.
In addition to the informants referred to in paragraphs 1 and 2 of Article 3 of the Whistleblower Protection Act, the protection measures provided for in Title VII of the said Act and this Policy shall also extend to natural and legal persons related to the informant under the terms and scope provided for in paragraphs 3 and 4 of the aforementioned Article 3.
All of them shall be entitled to the protection provided for in this paragraph, provided that the following circumstances are met:

• • They have reasonable grounds to believe that the information provided for in this section is true at the time of communication or disclosure, even if they do not provide conclusive evidence, and that the information falls within the scope of the Whistleblower Protection Act.
• • The communication or disclosure has been made in accordance with the requirements of the Whistleblower Protection Act.

Expressly excluded from the protection provided for in this section are persons communicating or disclosing information that is inadmissible under the IIS Procedure, information relating to claims concerning interpersonal conflicts or affecting only the informant and the persons to whom the communication or disclosure relates, information that is completely available to the public or mere rumours, and information relating to actions or omissions outside the material scope of application set out in Article 2 of the Whistleblower Protection Act.

4.2 Prohibition of reprisals

The Company will not adopt (and will ensure that its professionals do not adopt) any form of retaliation, direct or indirect, including threats or attempts of retaliation, against any person who has reported in good faith, through the SII or by any other means, in accordance with the provisions of this Policy and the applicable regulations, a breach.
For the purposes of this Policy, retaliation means any act or omission that is prohibited by law, or that directly or indirectly results in unfavourable treatment that places the person who suffers it at a particular disadvantage compared to another person in the employment or professional context, solely because of his or her status as a whistleblower, or because he or she has made a public disclosure.

4.3 Support and protection measures

The Whistleblower Protection Act also provides for a series of support and protection measures for whistleblowers who report the actions or omissions listed in Article 2. These measures, which, where appropriate, would be provided by the Independent Whistleblower Protection Authority or other competent authority or body, are as follows:

• • Support measures:
• • Full, independent and free information and advice on the procedures and remedies available, protection against reprisals and the rights of the person concerned.
• • Effective assistance by competent authorities to any relevant authority involved in their protection from retaliation, including certification that they are eligible for protection under the Whistleblower Protection Act.
• • Legal assistance in criminal proceedings and cross-border civil proceedings in accordance with Community law.
• • Financial and psychological support, on an exceptional basis, if so decided by the Independent Authority for Whistleblower Protection following an assessment of the circumstances arising from the submission of the report.
• • Protective measures:
• • The whistleblower shall not be deemed to have breached any disclosure restrictions, and shall not incur any liability of any kind in connection with such communication or public disclosure, provided that the whistleblower had reasonable grounds to believe that the communication was necessary to disclose a breach, as defined in the Whistleblower Protection Act. This measure shall not affect criminal liability.
• • The reporter shall not be liable for acquiring or accessing the reported information, provided that such acquisition or access does not constitute a criminal offence.
• • In proceedings before a court or other authority concerning harm suffered by the reporting person, once he or she has reasonably established that he or she has made a communication and suffered harm, it shall be presumed that the harm was caused in retaliation for reporting. In such cases, it shall be for the person who has taken the injurious action to prove that such action was based on duly justified grounds unrelated to the disclosure.
• • In legal proceedings, including those relating to defamation, copyright infringement, breach of secrecy, infringement of data protection regulations, disclosure of business secrets, or claims for damages based on labour or statutory law, the informant and those persons to whom the protection of the informant is legally extended shall not incur any liability whatsoever. The whistleblower and those persons to whom whistleblower protection is lawfully extended shall be entitled to plead in their defence and in the context of such legal proceedings that they have disclosed, provided that they had reasonable grounds to believe that the disclosure was necessary to bring to light an infringement under the Whistleblower Protection Act.

5. Advertising

The IIS Officer shall ensure that the necessary and appropriate information is provided in a clear and easily accessible manner so that informants can make use of the corresponding internal channel of the Company.
All information on the use of the SII and the corresponding internal channel established by the Company, as well as on the essential principles of the SII can be consulted on the Company's website at the following address https://www.smc.eu/es-es and https://www.smctraining.com/es/.

6. Protection of personal data

According to the interpretation of the Spanish Data Protection Agency in its Legal Report of 13 June 2023 (ref. 0054/2023) regarding article 5.1 of the Informant Protection Act, the data controller for the processing of personal data collected through the SII is the Company.
The processing of personal data carried out within the framework of the SII shall be conducted in full compliance with the general principles and obligations laid down in the personal data protection regulations and in the Whistleblower Protection Act.
The data collected in the SII will be processed by the Company acting as data controller. The corresponding data processor agreements will be signed with third parties, where applicable, in accordance with the provisions of the data protection regulations.

7. Entry into force

This Policy will enter into force on 29 October 2024.