DATA4 Whistleblowing Policy

1.    Introduction

In accordance with European legislation (EU Directive 2019/1937) and the relevant nationalsapin  legislation in the countries of operation of the Group[1], DATA4 ensures the protection of all persons who wantcomos to report an offence, violation or irregularity that they became aware of in the context of their employment or working relationships.

DATA4 is committed to ensuring corporate integrity through transparent and responsible management. An integral part of this is encouraging its employees, and all DATA4 People, to disclose any information related to suspected negligence, unethical conduct or illegal practices in the workplace.

Hereinafter, the term “Whistleblowing” will be used to refer to the guidelines and procedures that make it possible to report illegal, unethical or irregular conduct in the workplace, guaranteeing that the report will be kept in the strictest confidence and that protection will be provided to the person who filed the report.

The term “Whistleblower” will be used to refer to the person who reports the illegal, unethical or irregular conduct or information, of which they have become aware in the course of their work, by using the reporting system made available by DATA4.

2.    Purpose of the Policy

In the light of the applicable European and country-specific legislation, DATA4 has established an internal reporting system. This Whistleblowing Policy outlines the purpose and application of the internal reporting system, as well as the extent and exact nature of violations, misconduct and/or irregularities that could be reported; what to include in such a report; how and to whom submit the report; the Group’s methods for processing and responding to reported violations; the potential consequences and sanctions for verified cases of misconduct; and the rights, protections (and limitations of these protections) provided to those who disclose this information.

The aim of this Policy is to support all DATA4 People and encourage them to report violations, misconduct or anomalies of which they are aware; it also serves to inform them of the procedures laid out by DATA4 for disclosure reports, as well as the rights of Whistleblowers including, first and foremost, the right to anonymity.

3.    Policy Application

The Whistleblowing Policy applies to all DATA4 People. This includes shareholders, management, members of the Board of Administration and supervisory bodies; employees in all countries in which DATA4 operates; temporary workers, consultants, contractors, volunteers, casual workers and trainees; and any persons working under the supervision and direction of DATA4’s contractors, subcontractors and suppliers, as well as external parties entering in business relations with DATA4.

DATA4 People are:

  • Staff members, persons whose employment relationship has ended where the information was obtained in the course of that relationship, and people who have applied for employment with the relevant entity, where the information was obtained in the course of that application;
  • Shareholders, partners and holders of voting rights in the general meeting of the companies of DATA4 Group;
  • Members of the administrative, management or supervisory body;
  • External and occasional collaborators;
  • DATA4’s co-contractors, their subcontractors or, in the case of legal entities, members of the administrative, management or supervisory bodies of such co-contractors and subcontractors, as well as members of their staff.

This Policy also applies to and protects persons who disclose violations they became aware of whilst employed by DATA4, even if the employment relationship has since been terminated. In equal measure, the Policy applies to those who have not yet commenced employment with DATA4 but became aware of a potential violation during the selection process or in pre-contractual negotiations.

In line with European regulations, measures to protect Whistleblowers (see Section 9) also apply to facilitators and third parties connected to the Whistleblower, who could, as a result of such a relationship, suffer retaliation at work. This includes colleagues and relatives of the Whistleblower, as well as any legal entities that the Whistleblower owns, works for, or is otherwise connected to in a work-related context.

4.    What Concerns Could be Reported?

It is important to note that any misuse of the alert system or any abusive alert, even if made outside the system, is prohibited and will be punished.

Reports may relate to all Violations, as defined in Paragraph 3. Reports may also relate to any anomaly or misalignment regarding conduct of company personnel that does not comply with the Compliance Program, of DATA4’s Group Code of Business Conduct or any other internal regulation.

Reported misconduct must relate to situations of which the person has become aware by reason of the employment relationship and includes news acquired on the occasion of and/or because of the performance of work duties, even in a casual manner.

Where there is a likelihood that such a breach may have occurred within DATA4, a report or disclosure should, ideally, be made, as set out below, by the relevant persons. Nonetheless, this is, under French law, never mandatory to anyone to make any such report or disclosure, this is only an option given to DATA4’s employees and external persons, who may or may not use its reporting system. No one could be sanctioned for not having used DATA4’s implemented reporting system or for having chosen not to report a breach/violation it would have been the witness of[2].

The following are examples of illegal acts, violations or unethical conducts which could be reported through DATA4’s Whistleblowers system or any other more informal way :

  •       miscarriages of justice;
  •       health and safety risks, including risks to the public as well as other employees;
  •       damage to the environment;
  •       the unauthorised and unlawful use of public or company funds;
  •       fraud, corruption or any other offence of/breach of probity/integrity;
  •       insider trading;
  •       sexual or physical abuse;
  •       harassment;
  •       any other illegal or unethical conduct.

Illegal conduct includes a violation of civil and/or criminal law in any country in which DATA4 operates.

Additionally, any violation/breach of the principles and rules contained within DATA4’s Group Code of Ethics and Business Conduct or in any other compliance procedure adopted by the Group’s companies at a national level, may also be reported.

The Whistleblowing Policy, however, does not cover personal complaints or claims that fall within the scope of the employment relationship, such as interpersonal conflicts between two or more employees, regarding a difference of opinion, or employee dissatisfaction relating to contractual matters.

DATA4 encourages every individual to report any unethical, illegal or improper conduct or information of which they become aware as a result of their employment relationship.

Absolute certainty is not required in order to report a violation: in accordance with the relevant legislation, the Whistleblower must have reasonable grounds to suspect that a violation has taken place or is being committed.

Communications that have already been rejected by an internal DATA4 reporting channel or that are already available to the public or that constitute mere rumors will not benefit from the protection measures and guarantees described in the policy.

5.    What to Include in the Report

Reports of misconduct or a violation should be as detailed as possible. This allows the necessary internal investigations and checks to be conducted in order to verify the validity of the claims or concerns.

Therefore, Whistleblowers are asked to include the following details in their report:

  • details of the person making the report, with an indication of their position or function held within the company of DATA4’s Group;
  • a clear and complete description of the facts being reported. In addition, a Whistleblower is now allowed to report on events/facts that have already occurred or only likely to occur in the future;
  • if known, the circumstances of time and place in which relevant events took place;
  • if known, the personal details of the person(s) involved in the violation or misconduct;
  • an indication of any other person(s) who may have knowledge of the reported facts;
  • an indication of any documents or other evidence that may confirm the validity of such alleged facts;
  • any other information that may provide useful feedback on the existence of the facts reported.

Whenever it is possible, meaning except when the Report is made anonymously and it is not possible to contact the Whistleblower, the Whistleblower is may be also asked to provide, at the same time of its report submission, any documentation or evidence, to justify its standing to act and allow the Addressees (as such term is defined below) to analyze the admissibility of the Report and assess the accuracy of the allegations made, and may finally support the internal investigations to be made.

If the Whistleblower does not provide much substance to the Report, the Addressees will have to go back to the Whistleblower to ask for more details.

The Company also consents to the receipt of anonymous Reports, i.e., without any elements that would allow the identity of the Whistleblower to be identified, although this might make verification and/or ascertainment of the facts that are the subject of the report more difficult. Nevertheless, in this case:

  • anonymous Reports should be substantiated and, where appropriate, supported by appropriate documentation;
  • the internal channel adopted by the Company allows a dialogue with the anonymous Whistleblower;
  • protection measures will still be applied to the anonymous Whistleblower if despite the anonymous Report the identity of the person emerges from the circumstances or the person is later identified.

6.    How to Report a Violation and to Whom

First of all, it is important to specify that it is forbidden to obstruct any whistleblowing-related report[3].

The purpose of this section is to detail the procedures for reporting or disclosure. Indeed, it is possible for the Whistleblower to make an internal report to the Group’s Addressees (as defined below).

But the Whistleblower can also start while making directly an external disclosure to certain authorities, without going through the internal disclosure.

And finally, he/she may make a public disclosure, if he/she falls into one of the four hypotheses provided for by law and detailed under section 6.3 below.

6.1 Internal reporting

DATA4 has set up two alternative reporting channels described below, both of which guarantee the confidentiality of (i) the Whistleblower’s identity, (ii) the identity of any person involved in the report, and/or even only mentioned as a witness, for instance, and (iii) the disclosed facts’ characteristics, notably by having and maintaining a very restricted access to these data, by only specifically skilled and trained persons, the Group HR Director and the Group Legal Director (hereinafter the “Addressees”).

The Addressees have been selected since they have, by virtue of their position or status, the competence, authority and means necessary and sufficient to carry out their missions. Their independence is protected by the absence of any obligation to report, in real time, their knowledge and findings, regarding any report, to the Company management.

The collected information may only be communicated to third parties (i.e. Departments/Functions/Offices of the company involved in the Report or external consultants) if this communication is strictly necessary to process the alert or is legally required.

The first reporting channel, consists of an IT system called “Navex WhistleB” (hereinafter “WhistleB”) available at the following link https://report.whistleb.com/en/data4group.

WhistleB allows the Whistleblower to choose whether to make a written report through a dedicated web page, or to record a voice message through a dedicated phone line.

Our dedicated whistleblowing hotline channel WhistleB: WhistleB, Whistleblowing Centre, is available for Data 4 Group, 24/7/365, in execution of the national laws applicable to the Group – including the EU Whistleblower Protection Directive, the General Data Protection Regulation (“GDPR”) and ISO 27001.

Please note that WhisleB ensures total anonymity to the whistleblower and transparency on the process, all data is encrypted, stored and safeguarded in EU-based data centers. We have also subscribed a telephone channel, so that a Whistleblower can choose from self-service secure voice messaging in all the Group’s languages – or speak directly with trained specialists.

Follow the instructions that will appear on WhistleB (see the image below) after having selected the relevant channel between: Italy reporting channel, Spain reporting channel and Other countries reporting channel. In both cases, the Report can be anonymous. In order to preserve anonymity of the Whistleblower that make a Report through the phone line, the voice is anonymized before the file is transmitted into the IT system.

Reports (written or oral) that flow into WhistleB are visible only to the Addressees. How to use WhistleB is described below (see Attachment 1).

The second reporting channel, which is alternative to the first, allows Whistleblowers to submit their report via standard mail, which has to be sent in paper format to the following address: 6, rue de la Trémoille, 75008 Paris (France) and addressed to the Group HR Director or the Group Legal Director. In this case, it is requested that the documentation be placed in a double sealed envelope, without indication of the sender, marked “CONFIDENTIAL TO THE WHISTLEBLOWING ADDRESSEES”.

In the case where the alert is about one of the Addressees, to avoid any conflict of interest, we advise the Whistleblower to report to the non-concerned Addressee through the second reporting channel, by sending it a nominated standard mail to the Group HR Director (Marion Enjolras) or the Group Legal Director (Caterina Crivellaro).

If both Addressees are supposedly involved in the reported facts, it is recommended to use the first reporting channel.

This process guarantees that the Addressees act, in any circumstances, with all the impartiality expected from them.

Guarantee of confidentiality in the case of reports by means outside the internal reporting channels.

In the event that alerts are sent outside the internal reporting channels established by this policy, the persons receiving the report must keep the information received confidential and communicate it immediately to the Addressees.

DATA4 will adopt measures to ensure that all its staff has been trained on the obligation set forth in this paragraph.

How the written Whistleblower’s report will be internally processed

Both reporting channels are managed exclusively by the Addressees, who are the only persons in DATA4 who are permitted to access to the Reports. Access, by any way, to information contained in a report, is forbidden to staff members who are not authorized to know about it and may be sanctioned.

The handling of the Report received through an internal channel follows the following steps:

1. Receipt of the Report – Upon receipt of a Report, whether from an identified or anonymous person, the Addressee sends a confirmation notice of receipt to the Whistleblower within a maximum period of 7 days unless the notification of acknowledgment of receipt could jeopardize the confidentiality of the communication.

2. Preliminary Verification – The management and preliminary verification of the merits of the circumstances represented in the Report are entrusted to the Addressee, which does so in accordance with the principles of impartiality and confidentiality by carrying out any activity deemed appropriate, including the personal hearing of the Whistleblower, where it is identified or can be identified, and of any other persons who may report on the facts reported.

3. Internal Investigations – In the event of a positive outcome of the preliminary assessment of the merits of the Report, the Addressee proceeds to initiate internal audits and investigations to gather further detailed information and verify the merits of the reported facts through direct verification or through help of external consultants or suitably qualified internal structures.

To this end, the Addressee may enlist the support and cooperation of a working group that it identifies from time to time depending on the area in which the reported conduct occurred from among the Company Departments/Functions/Offices involved in the Reporting.

If the alert is particularly complicated in term of facts reported or evidence to collect, or is of a special sensitivity, the “ad hoc committee” (“Comité Ad Hoc”), created under the Group Internal Investigation Procedure may, at the request of the Addressees, decide the opening of an internal investigation, which will be carried out by the “investigation committee” (“Comité d’Enquête”) in accordance with the rules laid down in the said procedure.

In the event of a report concerning persons in charge of deciding possible disciplinary measures or handling complaints, the Addressees shall immediately involve the managing body of the Group, if it is not conflicted, in order to co-ordinate and define the subsequent investigation process.

In such an instance that a report concerns senior management, the Addressees shall immediately inform the Board of Auditors.

4. Internal Reporting – The verification phase is concluded with the writing of an internal report, which formalizes the background of the Report, the verification activities carried out and the related results/observations obtained. The internal report also proposes the actions to be taken in relation to each observation/ finding formulated.

5. Responding to the Whistleblower – regardless of the outcome of the investigation, the Addressee shall inform the Whistleblower about the merits of the facts that are the subject of the Report, as well as any measures taken or planned, within three months of delivery of confirmation notice of receipt of the Report, except in cases of special complexity that require an extension of the term, in which case, this term may be extended up to a maximum of three additional months. In the event that the confirmation notice of receipt has not been delivered to the Whistleblower, the shall run from the seventh day following the receipt of the Reporting. However, where the internal investigation has not yet been completed, the Addressee will not disclose information to the Whistleblower where it may affect ongoing investigations or affect the rights of third parties. In the latter case, the Whistleblower will receive a further and subsequent communication containing the outcome of the investigation once it is completed

6.2 External reporting

External reporting means bringing its alert to the attention of the public authorities, by contacting an institution designated by law, known as an “external authority”.

The Whistleblower may submit either directly or by prior communication through any of DATA4’s internal channels Communication to any relevant external authority or body[4], a judicial authority (a public prosecutor, for example: in the case of a felony or misdemeanor), or European Union institution, body or agency competent to collect information on violations falling within the scope of Directive (EU) 2019/1937, as well as to any of the external reporting channels set out in Annex I regarding the commission of the infringements defined in section 3.

DATA4 shall provide clear and accessible information on the external reporting channels to the competent authorities and to the European Union institutions, bodies or agencies that are legally required.

6.3 Public disclosure

Public disclosure means bringing the alert to the attention of the public, for example through the media or by sharing the information on social networks.

The Whistleblower may proceed with a Public Disclosure in the following cases:

  • The Whistleblower has already submitted an Internal and External Report or directly an External Report, without appropriate action having been taken in this regard within the legally established timeframe ;and in accordance with the requirements established by the applicable regulations;
  • The Whistleblower has good reason to believe that either the Violation may constitute an imminent or manifest danger to the public interest, in particular where there is an emergency situation, or there is a risk of irreversible damage, including a danger to the physical integrity of a person;
  • The Whistleblower has good reason to believe that the External Report may result in risk of retaliation or no Follow-up. The Whistleblower has good reason to believe that the External Report may result to a risk of retaliation or there is little likelihood that the information will be dealt with effectively due to the particular circumstances of the case, such as concealment or destruction of evidence, collusion of an authority with the perpetrator, or involvement of the authority in the Violation.

Violations, as defined in Section 3, may be reported through External Reporting channel.

For some countries, there may be specific requirements, please refer to the relevant country’s application of the Whistleblowing Policy[5].

6.4 The particularity of anonymous reporting

Even if the Group does not encourage anonymous reportings, which make alerts handling much more complicated, it does not prohibit them. Consequently, as far as practically possible, all anonymous reportings will be processed the same way as identified ones.

And, in all cases, if the Whistleblower reports or discloses anonymously, subject to compliance with the conditions set out above, it will benefit from the protection afforded by this status.

7.    Whistleblower’s Protection

First of all, it is forbidden to force or encourage a potential whistleblower to renounce its protected status. The protections afforded to whistleblowers cannot be limited (for example, by clauses in an employment contract). It is also forbidden to renounce in advance the benefit of the protective status. Any action taken in disregard of these rules is considered null and void. It cannot be invoked against a potential whistleblower.

Also, the protection described under the present section is nowadays granted, the same way, to other specific individuals, who are (i) the facilitators[6], (ii) the individuals in contact with a Whistleblower[7] and (iii) the legal entities controlled by a Whistleblower[8].

7.1. Duty of Confidentiality 

The alert procedures must enable alerts to be collected and processed in a way that ensures strict confidentiality. Indeed, the identity of the authors of the alert, the persons targeted by the latter, the third parties mentioned, as well as all the information mentioned within it, must be confidential. It is important to underline that Article 9 of the Sapin II Law establishes an offence of breach of confidentiality, punishable by two years of imprisonment and a fine of 30,000 Euros for individuals and 150,000 Euros for legal entities. This obligation of confidentiality is therefore imposed on the Whistleblower himself, the company, the managers and executives as well as on third parties and investigators, who may be informed of the content of the alert, strictly for the purposes of processing it, even though the Group will do everything in its power to limit the number of such persons. Thus, the Addressee who receives the report will be obligated to maintain confidentiality, except in the event that confidentiality is shared with persons[9] who are essential to the processing of the alert.

Whistleblower confidentiality

Both European and national local legislation provide for legal protection for Whistleblowers.

The identity of the Whistleblower is protected throughout this process: not only whilst the report and investigations are ongoing, but also after investigations have been concluded. The Whistleblower has the right to remain anonymous or can place restrictions on who can be informed of their identity and the confidential information included in their disclosure.

On one hand, any information that could identify the Whistleblower may only be disclosed with his or her express consent[10].

On the other hand, these elements can be communicated to the judicial authority in the event that a procedure is opened. In the latter case, the Whistleblower will be informed, unless this would compromise the legal proceedings. This information must be transmitted in writing with explanations.

DATA4 is committed to sanctioning those who violate the right to anonymity provided by law. The Group will take disciplinary action, if necessary, or report the violation to the relevant authorities if national laws provide for appropriate civil or criminal sanctions.

In summary, DATA4 undertakes to not disclose the identity of the Whistleblower – or any information that may lead to the identification of the Whistleblower – except in the following circumstances:

  • the existence of the Whistleblower’s express consent;
  • an obligation for the Group to communicate such information to the relevant authorities (i.e. to judicial authorities in the context of legal proceedings);
  • a necessity to investigate serious allegations (i.e. to prevent a serious threat to a person’s health or safety).

It should be noted that in disciplinary proceedings the identity of the Whistleblower may only be disclosed to the disciplinary authority and to the accused persons when there is either the express consent of the Whistleblower, or when knowledge of the Whistleblower’s identity is absolutely essential in order for the accused to defend themselves. If the accused are able to defend themselves without knowing the identity of the Whistleblower, the identity of the Whistleblower should not be disclosed. If the Whistleblower’s consent is not forthcoming and it is necessary to know the identity of the Whistleblower in order to defend the accused, DATA4 will waive the disciplinary sanction for breach of confidentiality.

Finally, if, for example, the Whistleblower has to be heard as a witness in criminal proceedings, their identity will be known because superior interests take precedence.

Confidentiality of the persons referred to in the report

Concerning the elements allowing the identification of the person(s) implicated or of witnesses mentioned into the report, they can only be disclosed once it has been established that the alert is well founded. This condition does not apply if this information is to be disclosed to the judicial authority.

7.2. Prohibition of retaliation linked to the alert

The law forbids anyone to take unfavorable decisions/retaliatory measures, directly or indirectly, against a Whistleblower, either an employee or a public servant, in connection with their alert.

What can be considered a reprisal/retaliatory measure

According to article 10.1 of the Sapin II Law, the following are some examples of prohibited reprisals in the exercise of a Whistleblower’s professional duties:

  • Suspension, layoff, dismissal or equivalent measures;
  • Demotion or denial of promotion;
  • Transfer of duties, change of work location, reduction in salary, change in work schedule;
  • Suspension of training;
  • Negative performance evaluation or negative proof of work;
  • Disciplinary action imposed or administered, reprimand or other sanction, including a financial penalty;
  • Coercion, intimidation, harassment or ostracism;
  • Discrimination, disadvantageous or unfair treatment;
  • Non-conversion of a fixed-term or temporary employment contract into a permanent contract, where the worker had a legitimate expectation of being offered permanent employment;
  • Non-renewal or early termination of a fixed-term or temporary employment contract[11];
  • Damage, including damage to the person’s reputation, in particular on an online public communication service, or financial loss, including loss of business and loss of income;
  • Blacklisting on the basis of a formal or informal industry-wide or sectoral agreement, which may imply that the person will not find employment in the future in the industry or sector;
  • Early termination or cancellation of a contract for goods or services;
  • Cancellation of a license or permit;
  • Improper referral for psychiatric or medical treatment.

Any act or decision taken in disregard of the above paragraphs is void as of right.

What to do if a Whistleblower feels he/she has been the victim of retaliatory measures following their alert

The Whistleblower who believes that he/she has suffered discrimination because he/she has made a Report of wrongdoing must give detailed notice of the discrimination that has occurred to the Addressee, which, having assessed the existence of the elements, will report the hypothesis of discrimination to the hierarchical superior of the employee who is the author of the alleged discrimination and to the Country Director to promptly assess the advisability/need to adopt acts or measures aimed at restoring the situation and/or aimed at remedying the negative effects of discrimination administratively, and the existence of the grounds for initiating disciplinary proceedings against the discriminating employee.

The adoption of discriminatory measures against Whistleblowers may be the subject of complaint to request the annulment of such measures before the competent authority[12]. In such case the Whistleblower will only have to provide evidence to suggest that it made its alert in compliance with the applicable regulations.

DATA 4 Group takes all reasonable measures to protect Whistleblowers from such retaliatory measures as a result of a disclosure. Any individual found to have retaliated against a Whistleblower will be subject to disciplinary action. The individual may also be subject to criminal or civil liability under applicable national laws.

An employee who believes that he/she has been discriminated against, as a result of a report they submitted, should give detailed notice of said discrimination to the Addressee as well as to senior management.

The Group guarantees that any alleged retaliation or discrimination will be duly and carefully investigated. This includes assessing any grounds for initiating disciplinary proceedings against the employee responsible for the discrimination. If the Whistleblower was subject to retaliatory or discriminatory measures, such as suspension or a change of function, such measures will be immediately overturned by the Group.

In addition, discriminatory measures enacted against a Whistleblower may be reported to the relevant judicial authorities in accordance with the applicable law.

8.    PROCESSING OF PERSONAL DATA

All personal data of the Group’s employees and external parties collected and processed as part of the implementation of its whistleblowing system are collected and processed in strict compliance with the European Union Regulation on the protection of individuals with regard to the processing of personal data[13] transposed by local EU laws in 2018[14].

According to Article 6 of the GDPR, processing is only lawful if it is based on one of the legal bases listed in this text, i.e. the management of alerts in response to a specific text or the management of ethical alerts that the organization proposes to set up on its own initiative.

8.1  The personal data in question

Principle of relevance and minimization of data collection and processing

To comply with article 5 (1)(c) of the GDPR, the Group remind the Whistleblowers that the information communicated within the framework of a whistleblowing system must remain factual and have a direct link with the subject of the alert.

During the investigation stage, which begins with the company’s receipt of the report and ends with the decision on the follow-up, the Group will conduct an investigation into the reported incident. During this period, in which the alert system can be used to document the steps the Group has taken (legal and technical analysis of the facts, collection of evidence, exchanges with various stakeholders, hearing of witnesses, performance of expert testimony, etc.), it will ensure that only relevant and necessary information with regard to the purposes of the processing is collected and/or kept in the alert system (for example, the identity, functions and contact details of the Whistleblower, of the persons who are the subject of the alert, of the persons involved in the collection or processing of the alert; the facts reported; the reports of the verification operations; the follow-up given to the alert).

Processing the identity of the author of an alert

The Group’s alert system offers the author of an alert to identify himself or herself or to remain anonymous. If the author of the alert must identify himself, his identity is treated confidentially by the people in charge of managing the alerts, the Addressees.

An alert from a person who wishes to remain anonymous should be handled under the following conditions:

  • The seriousness of the facts mentioned must be established and the factual elements given in support of the alert must be sufficiently detailed;
  • The treatment of this alert must be surrounded by particular precautions, such as a prior examination, by the first Addressee, of the appropriateness of its diffusion within the framework of the whistleblowing system.

8.2 Recipients of the information

The personal data must only be made accessible to those persons who are entitled to know about it in view of their attributions. These persons have been mentioned above as the Addressees.

Within the framework of the data processing, the data may be communicated within the Group, but only if this communication is necessary for the sole purpose of verifying or processing the alert. On the other hand, information that could identify the sender of the alert may only be disclosed, except to the judicial authority, with the express consent of the individual. Likewise, information identifying the person who is the subject of the alert may only be disclosed, except to the judicial authority, once the validity of the alert has been established.

8.3 Duration of data retention

Personal data must be kept in a form that allows the identification of individuals only for as long as is strictly necessary to achieve the purposes for which they are collected[15]. It is therefore with regard to the purpose that the retention period will be determined. The length of time the data is kept or the criteria used to determine it are part of the information that must be communicated to the persons concerned.

Data retention periods

Data relating to an alert that does not fall within the scope of the system must be destroyed without delay or anonymized.

When no action is taken on an alert (which falls within the scope of the system), the data relating to this alert is destroyed or anonymized by the organization in charge of alert management, within two months of the end of the verification operations.

When disciplinary or litigation proceedings are initiated against a respondent or the author of an abusive alert, the data relating to the alert may be kept by the organization in charge of alert management until the end of the proceedings or the limitation period for appeals against the decision.

Retention of anonymized data

These retention period regulations for the protection of personal data do not apply to anonymized data. In other words, data that can no longer be linked to an identified or identifiable natural person or persons. Therefore, the Addressees will be able to retain anonymized data without time limitation. The Group must, however, ensure that the data is permanently deidentified.

8.4 Information to the individuals

The Addressees must ensure that the principles of transparency and fairness are respected with regard to the persons whose data may be processed. The respect of this obligation implies informing the persons concerned individually and collectively.

Identification of data subjects

The individuals concerned by an alert system are all those whose personal data is actually processed within the framework of the system (for example, the authors of the alerts, the persons targeted, the persons heard in the framework of the investigation, etc.).

Content of the information to be provided

The information communicated to the data subjects must be done in accordance with the conditions set out in articles 12, 13 and 14 of the GDPR. The information must mention:

  • The existence of the processing, its characteristics (the purposes pursued, the types of data, the types of persons likely to issue the alert or to be the subject of it, the main stages of the procedure triggered by the alert, the data retention periods…); AND
  • The rights of the persons concerned.

8.5 Rights of the persons

The individuals concerned by the data collection and processing have the following rights:

Right of access

Any person whose personal data are or have been processed in the context of an alert (Whistleblower, alleged victims of the facts, persons targeted by the warning/alert, witnesses and persons heard during the investigation, etc.), has the right to have access to them in accordance with the provisions of articl 15 of the GDPR. The exercise of this right must not allow the person exercising it to access personal data relating to other natural persons.

Right to object

Principle

According to article 21 of the GDPR, anyone has the right to object, at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her.

Exception

Based on the same article, the right to object cannot be exercised for processing necessary to comply with a legal obligation to which the controller is subject and which could demonstrate compelling legitimate grounds for the processing which override the interests and rights and freedoms of the data subject. And, under Sapin II Law, any submitted company has the legal obligation to process any and all alerts received, regardless of its reception channel.

The Group will ensure that this right is duly respected.

Rights of rectification and deletion

The right of rectification, provided for in article 16 of the GDPR, must be assessed with regard to the purpose of the processing.

In particular, it must not allow the retroactive modification of the elements contained in the alert or collected during its investigation. It must not lead to the impossibility of reconstructing the chronology of any modifications of important elements of the investigation. Therefore, this right can only be exercised to rectify factual data, the material accuracy of which can be verified with evidence, and this without deleting or replacing the data, even if erroneous, initially collected.

The right to erasure/deletion shall be exercised in accordance with the conditions set forth in article 17 of the GDPR.

Data security

The organization must take all necessary precautions with regard to the risks presented by its processing to preserve the security of personal data and, in particular, at the time of their collection, during their transmission and storage, to prevent them from being distorted, damaged or accessed by unauthorized parties. For example, it will be necessary to raise awareness among users, authenticate them, manage authorizations, trace access and manage incidents, secure workstations, secure mobile computing, protect the internal computer network, secure servers and websites, back up and provide for business continuity, archive in a secure manner.

9.    The Whistleblower’s Responsibilities

The rules established in this Policy are without prejudice to the Whistleblower’s criminal and disciplinary liability in case of Reporting for bad faith under the relevant Criminal Code and other regulations applicable in the relevant jurisdiction.

Any forms of abuse, such as Reports that are manifestly opportunistic and/or made for the sole purpose of harming the reported person or others, and any other hypothesis of improper use or intentional instrumentalization of the institution that is the subject of this Policy, are also a source of liability in disciplinary and other competent fora.

In contrast, erroneous Reporting made in good faith is not subject to any sanction.

10.                    Training and Information

DATA4 organises training activities on the content of this Group Policy and its local versions for all personnel, to create an appropriate awareness of the purposes and protections recognised by each applicable local law, as well as a culture of integrity and responsibility within the Company.

Finally, the knowledge of the discipline contained in this Policy is guaranteed, for employees, through the sharing of the document in the intranet of the Group and for third parties through its publication on the website.

APPENDIX 1 – competent EXTERNAL authorities for Whistleblowing external alerts AS STATED in the ANNEX of THE FRENCH 2022-1284 Decree

  1. Public Procurement
  • French Anti-Corruption Agency (“AFA”), for breaches of probity;
  • Directorate General for Competition, Consumer Affairs and Fraud Prevention (“DGCCRF”), for anti-competitive practices;
  • Competition Authority (“Autorité de la concurrence”) for anti-competitive practices;
  1. Financial services, products and markets and prevention of money laundering and terrorist financing:
  • Financial Markets Authority (“AMF””), for providers of investment services and market infrastructures;
  • Prudential Control and Resolution Authority (“ACPR”), for credit institutions and insurance.
  1. Product safety and compliance:
  • Directorate General for Competition, Consumer Affairs and Fraud Prevention (“DGCCRF”);
  • Central Service for Arms and Explosives (“SCAE”);
  1. Transport safety:
  • General Directorate of Civil Aviation (“DGAC”), for air transport safety;
  • Bureau for the investigation of land transport accidents (“BEA-TT”), for the safety of land transport (road and rail);
  • Directorate General for Maritime Affairs, Fisheries and Aquaculture (“DGAMPA”), for the safety of maritime transport.
  1. Environmental protection:
  • General Inspectorate for the Environment and Sustainable Development (“IGEDD”);
  1. Radiation protection and nuclear safety:
  • Nuclear Safety Authority (“ASN”);
  1. Food safety :
  • General Council for Food, Agriculture and Rural Areas (“CGAAER”);
  • National agency responsible for food, environmental and occupational health safety (“ANSES”);
  1. Public Health:
  • National Agency responsible for food, environmental and occupational health safety (“ANSES”);
  • National Public Health Agency (Public Health France, “SpF”);
  • High Authority for Health (“HAS”);
  • Biomedicine Agency;
  • French Blood Establishment (“EFS”);
  • Compensation Committee for Victims of Nuclear Tests (“CIVEN”);
  • General Inspectorate of Social Affairs (“IGAS”);
  • National Institute of Health and Medical Research (“INSERM”);
  • National Council of the Order of Doctors, for the practice of the medical profession;
  • National Council of the Order of Masseurs-Physiotherapists, for the practice of the profession of masseur-physiotherapist;
  • National Council of the Order of Midwives, for the practice of the midwifery profession;
  • National Council of the Order of Pharmacists, for the practice of the profession of pharmacist;
  • National Council of the Order of Nurses, for the practice of the nursing profession;
  • National Council of the Order of Dental Surgeons, for the practice of the profession of dental surgeon;
  • National Council of the Order of Chiropodists-Chiropodists, for the practice of the profession of pedicure-podiatrist;
  • National Council of the Order of Veterinarians, for the practice of the veterinary profession;
  1. Consumer protection :
  • Directorate General for Competition, Consumer Affairs and Fraud Prevention (“DGCCRF”);
  1. Protection of privacy and personal data, security of networks and information systems:
  • National Commission for Computing and Liberties (“CNIL”);
  • National Information Systems Security Agency (“ANSSI”).
  1. Violations affecting the financial interests of the European Union:
  • French Anti-Corruption Agency (“AFA”), for breaches of probity;
  • Directorate General of Public Finances (“DGFIP”), for VAT fraud;
  • Directorate General of Customs and Indirect Taxes (“DGDDI”), for fraud in customs duties, anti-dumping duties and similar;
  1. Violations related to the internal market:
  • Directorate General for Competition, Consumer Affairs and Fraud Prevention (“DGCCRF”), for anti-competitive practices;
  • Competition Authority, for anti-competitive practices and state aid;
  • Directorate General of Public Finances (“DGFIP”), for corporate tax fraud;
  1. Activities under the authority of the Ministry of Defense:
  • General Control of the Armies (“CGA”);
  • College of Inspectors General of the Armed Forces;
  1. Official Statistics:
  • Official Statistics Authority (“ASP”);
  1. Agriculture :
  • General Council for Food, Agriculture and Rural Areas (“CGAAER”);
  1. National education and Higher education:
  • National Education and Higher Education Mediator;
  1. Employment and Labor Relations, working conditions:
  • General Directorate of Labor and Employment (“DGT”)
  1. Employment and Vocational Training:
  • General Delegation for Employment and Vocational Training (“DGEFP”);
  1. Culture:
  • National Council of the Order of Architects, for the practice of the profession of architect;
  • Council of auction houses, for public auctions;
  1. Rights and freedoms in the context of relations with State administrations, local authorities, public establishments and bodies vested with a public service mission:
  • Human Rights Defender;
  1. Rights and best interests of children:
  • Human Rights Defender;
  1. Discrimination:
  • Human Rights Defender;
  1. Professional Ethics of Security activities’ Personnel:
  • Human Rights Defender.

[1] For France: the Law no. 2016-1691 of December 9, 2016 on transparency, the fight against corruption and the modernization of economic life (hereinafter, “Sapin II Law”), for Spain the Law 2/2023, of February 20, regulating the protection of persons who report regulatory violations and the fight against corruption., have adopted an Internal Information System (hereinafter also “Internal Information System”).

[2] This is never legally mandatory for anyone to disclose a breach of the law, except when the French Criminal Code obliges to it, notably regarding crimes that may still be prevented thanks to the whistleblower’s report. It is to be noticed that, in accordance with French law, revelations or disclosures concerning facts, information or documents that involve national defense secrets, medical secrets, the secrecy of judicial deliberations, the secrecy of judicial investigations or proceedings or the professional secrecy of lawyers are excluded from DATA4’s Whistleblowers system.

[3] Under French law, for instance, any person who obstructs the transmission of an alert can be punished with one year of imprisonment and a fine of 15,000 Euros (Article 13 of the Sapin II Law).

[4] This committee is composed of the Group Legal Director, the Group Human Resources Director and a representative of the Group’s sole shareholder, Brookfield.

[5] This committee is composed of the Group Legal Director, the Director of information systems, an external lawyer and, eventually, the operational director of the Whistleblower’s department/division/entity, once any risk of conflict of interest has been eliminated.

[4] –             For France, the competent authorities designated by the annex of the Decree no. 2022-1284 of October 3, 2022, a non-exhaustive list is attached in Appendix 1 below. It is recommended to the Whistleblower to select the authority whose area of competence best corresponds to the subject of its alert. Also the “Défenseur des droits”may be contacted.

[5] Article 3 of the 2022-401 Law of 21 March 2022 aiming to improve the protection of whistleblowers.

[6] A facilitator is defined as any natural person or non-profit legal entity under private law who assists a Whistleblower in making a report or disclosure in accordance with the conditions set out by the law.

[7] Such individuals being defined as those who risk to suffer one of the retaliatory measures in the context of their professional activities by their employer, their client or the recipient of their services.

[8]Within the meaning of article L. 233-3 of the French Commercial Code or in which a Whistleblower works or with which he or she is linked to in a professional context.

[9] Notably persons of judicial authority when breach of confidentiality is made mandatory by law.

[10] Subject to other countries’ national laws regarding the need to report serious violations.

[11] This and the above measures will be considered as retaliation contrary to the Law and to this policy unless they were carried out within the regular exercise of management power under labor legislation or the corresponding public employee statute, due to circumstances, facts or accredited infractions, and unrelated to the presentation of the communication.

[12]

[13] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

[14] In France, Law n° 2018-493 of June 20, 2018 on the protection of personal data, in Italy the “Legge Provacy”..

[15] Article 5-1-e) of the GDPR.