Osborne Clarke España, S.L.P. Ethic Line

Start

Step 1/5 Categorize concern

To facilitate the further handling of your submission, please help us to categorise it as best as possible.

In which category does your submission best fit?

Accounting and Auditing Issues

Customer Relations

Disclosure of confidential information

Discrimination

Falsification of contracts, reports or records

Gifts and Donations

Heist

Illegal or improper payments

Misappropriation

Misconduct or inappropriate behavior

Personal information

Retaliation in the workplace

Security and health at work

Sexual harassment

Unauthorized/fraudulent use of company facilities and equipment

Violations of labor or employment legislation

Violations of the law against money laundering

Workplace Harassment

Others

Do you suspect any of the following people?

Risk & Compliance manager

I am not aware of any involvement of these persons

I have read the Terms of use and agree to them in accordance with the notice.

Information

Step 2/5 Personal information

If you prefer not to give your personal details, you can do so by indicating that you want the report to be anonymous.

What is your relationship with the company being reported?

Do you wish to report anonymously?

Yes

This channel requires the whistleblower's identification data are mandatory.

The selected category requires the identification data to be mandatory

First name

Last name

Following the email validation policy, you must validate this email before filing the report.

Contact telephone number

This channel is confidential. Your personal data will not be shared. If someone from the organisation needs to know your data, they will request it through the channel and they will only be able to see it if you authorise it.

Details

Step 3/5 Detailed information

Describe in as much detail as possible the event you wish to report, giving as much information and attaching evidence, if available.

Indicate which person or persons are the subject of the report

First and last name

Position

Have you discussed this with any member of management?

Yes

I do not remember

Are there any witnesses? Please indicate their names.

First and last name

Position

Tell us what you want to report in detail

Would you like to attach any additional documents?

Image (png, jpg, gif), Audio (wav, mp3), Video (ogg, mp4, mov, avi, wmv, mpg, mpeg) or PDF document up to 20Mb. Attention! If you report anonymously, make sure that the attachments do not include information in the content or metadata that could identify you.

Confirm

Step 4/5 Confirmation

As the last step of the process, you must indicate a secret code that only you will know. This password, together with the identification code that we will give you at the end of the process, will be the only way to follow the progress of your submission

Password

Password confirmation

Email address validation

According to the validation policy of this channel, we must validate the indicated email address. To do so, we will send you an email with a validation email with a code that you must indicate in the following field.

Verification code check received

Finish

Step 5/5 Finalize

You have now entered all the information necessary to start the report management process.

The information is ready to initiate the process of determining accountability. The persons or facts reported will be investigated and the resulting actions will be taken.

The whistleblower undertakes that the information provided in this submission is true. Otherwise, the company reserves the right to take legal action against the whistleblower.

This is the last form in the process. When you click on Send, the investigation will begin and the resolution of your claim will be shown on the platform within a maximum period of 3 months.

I have read the Data Protection and Consent Notice and agree to the processing of my personal data in accordance with the provisions of this notice.

Terms of Use

In compliance with the Law on Services of the Information Society and Electronic Commerce, as well as in compliance with current regulations on data protection, it is reported that the owner of the website ithikios.com and canaldenunciasanonimas.com and all its subdomains ( hereinafter, "the Web") is DIGITAL PRODUCTS DEVELOPMENT SL (hereinafter, ithikios), registered in the Mercantile Registry of Barcelona, with CIF B02767010, and with registered office at c / Mont Blanc 17, Sant Cugat del Valles, Spain.

ithikios is the owner of all rights to the Website. The simple access, navigation and use of the Website attributes the condition of user of the same (hereinafter, the "User") and implies the acceptance of this clause of terms and conditions. The information available through this website is not subject to contract and may be modified without prior notice.

ithikios will not be held responsible for problems arising from the consultation or use of this Website. To this end, access is obliged to comply with this, having to act in accordance with current Law, good faith and public order and, refraining from using the Website in a way that could prevent or impair its proper functioning.

This service can only be used to send complaints or inquiries to companies that have contracted the service with ithikios, guaranteeing confidentiality and anonymity (if the user so chooses), regarding the personal data of the complainant.

Conditions for the user

As a user, you are obliged to make correct and lawful use of the platform.
You will use the platform for the purposes it has been designed for, and in no case will you use it for purposes contrary to the law.
The ithikios channel / canaldenunciasanonimas is not an emergency service. In case of emergency contact local authorities.
You must fill in all the information defined as mandatory in order to be able to send it.
This service is not designed to present information that can be considered secret or strictly confidential.
Reflect and review the information you send to ensure that if you do not want it, you do not reveal your identity.
You will be able to choose between sending the communication indicating your contact details or without indicating them. In both cases, the platform will provide you with a unique identification number and a password. It is important that you write them down in a safe place, only with them will you be able to check the status of the communication. If you lose them, you will not be able to access it again. For security reasons, ithikios will not be able to provide access to lost codes.
If the organization proves that there has been bad faith when making the report, it reserves the right to take legal action if the complainant has been identified.
You will be able to download a certificate issued by ithikios in which you will have all the information that has been sent to the company, as well as the result once the investigation is completed.
The query system has traces to help users identify improper access to their query.
The Complainant expressly understands and agrees that ithikios will not be responsible for any direct or indirect, anticipated or unforeseen damage, interest or loss, including, among others, moral damage resulting from the use or inability to use this service.
The Complainant is responsible for the veracity of the information communicated, assuming the consequences of having acted in bad faith or sent false information or documentation.
You will be liable for any loss or damage of any kind that ithikios may suffer, directly or indirectly, as a result of improper use of the product, a breach of the terms and conditions of use or a breach of the law in force on your part.

Data protection and consent to Osborne Clarke

Below is the basic information about how we process your personal data.

Basic information on privacy and data protection
Data Controller	Osborne Clarke España, S.L.P. with registered office at Avenida Diagonal, nº 477, planta 20, Barcelona, 8036 and with NIF B65697609.
Purpose of the processing	Analyse, process and investigate the facts reported by the informant or third parties.
Basis of lawfulness of processing	The basis of lawfulness of the processing that Osborne Clarke Spain, S.L.P. carries out with the personal data communicated is compliant with the obligations (art. 6.1.c GDPR) set out in Law 2/2023, of 20 February, regulating the protection of persons who report regulatory and anti-corruption infringements (hereinafter, the " Law 2/2023 ").
Recipients of the data	Providers of the services necessary for the operation of the Ethics Channel; other members of Osborne Clarke Verein (as that term is defined herein ); competent authorities involved as a result of the events reported.
Rights of Data Subjects	Access, rectification, deletion, limitation, portability, opposition and to file claims with the AEPD. Please note that the rights of access and opposition may be limited in accordance with the provisions of Law 2/2023.
Data Protection Officer	[email protected]
Additional information	Further information can be found below on the processing of personal data we carry out on personal data communicated through the Ethics Channel:

Data Controller

The person responsible for the processing of personal data of the data provided by the informant through the Ethics Channel or by third parties in the course of the investigations motivated by the information communicated is Osborne Clarke España, S.L.P. (hereinafter, the " Data Controller ") with registered office at Avenida Diagonal, nº 477, planta 20, Barcelona, 8036 and with NIF B65697609.

Purpose of the processing

The Data Controller will process the personal data provided for the purpose of analysing, processing and investigating any information that:

· may constitute an infringement of European Union law, with the particularities defined in Article 2.1.a) of Law 2/2023, of 20 February, regulating the protection of persons who report regulatory and anti-corruption infringements (hereinafter, "Law 2 /2023 ");

· may constitute a serious or very serious criminal or administrative offence, including any serious or very serious criminal or administrative offence that involves economic loss for the Public Treasury and/or Social Security.

Basis of legitimacy

The basis for the lawfulness of the processing carried out by the Data Controller with the personal data communicated is compliant with the obligations (art. 6.1.c GDPR) set out in Law 2/2023.

When the information provided by the reporting party or by third parties contains personal data of special categories whose processing is necessary for the fulfilment of the purposes of the processing – described above – such processing will be carried out on the basis of lawfulness of necessity for reasons of essential public interest (art. 9.2.g GDPR).

Data subject to processing and origin

The Data Controller, in order to fulfil the purposes of the processing, may process the following categories of data:

• Your contact details, if provided (first and last name, e-mail, telephone number).

• Name and title of the persons reported in the complaint.

• Any other personal data contained in the information on the facts reported, as well as in the rest of the documentation generated in the course of the investigation by the Data Controller.

Please note that we will only process personal data that is necessary for the knowledge and investigation of the reported facts and that we will immediately delete any other data. In addition, the Data Controller shall delete any information whose lack of veracity is proven at any stage of the investigation, unless such lack of veracity may constitute a criminal offence. In the latter case, the Data Controller will keep the information for as long as necessary to support the corresponding legal proceedings.

Duration of retention of personal data

The personal data communicated through the Ethics Channel and those processed in the course of the investigations carried out by the Data Controller will only be kept for the period that is necessary and proportionate for the purposes of complying with Law 2/2023, in particular:

· The personal data that is subject to processing will be kept by the Data Controller only for the time necessary to decide on the appropriateness of initiating an investigation into the facts reported.

· In any case, if three months have elapsed since the receipt of the informant's communication without any investigation actions having been initiated, the Data Controller will delete the personal data communicated, unless the purpose of the storage is to provide evidence of the operation of the Ethics Channel.

Communications that have not been followed up by the Data Controller will be anonymised, so that any personal data communicated will no longer identify the informant or the person whom such data would identify or make identifiable.

Recipients of the data

The Data Controller may not communicate the identity of the reporting person to any third party, except to the judicial authority, the Public Prosecutor's Office or the competent administrative authority in the context of a criminal, disciplinary or punitive investigation. In such a case, the informant shall be notified, provided that such communication does not jeopardise the investigation or judicial proceedings.

Notwithstanding the above, in order to allow the operation of the Ethics Channel, the personal data communicated by the informant must be communicated to the person in charge of the Ethics Channel, the entity Digital Products Development S.L. This entity has the appropriate technical and organisational measures in place to ensure the protection of the personal data communicated. These measures extend to the agreements entered into with its sub-processors, who provide you with storage, emailing, password storage, and firewall backup services. Below we detail the most relevant information regarding the identity and type of service offered by the sub-processors of Digital Products Development S.L. to allow the operation of the Ethics Channel:

Use	Service	Supplier
Hosting	It provides the application and database servers, where the reported facts are collected. The systems are managed by Digital Products Development S.L. The provider that supports customers in the European Union has outsourced the service to: Interxion HeadQuarters B.V.Scorpius 30,2132 LR Hoofddorp,The Netherlands P.O. Box 75812 The data from the Ethics Channel is stored in a data centre in Frankfurt. https://www.interxion.com/locations/europe/frankfurt	DIGITAL OCEAN, 101 Avenue of the Americas, 10th Floor, New York, NY 10013 VAT ID: EU528002224
Sending Emails	Sending warning and alert emails to the users of the platform. It does not process information contained in the information provided by the informant, it only manages email addresses. Digital Products Development S.L. has signed a DPA with standard clauses: https://postmarkapp.com/dpa	POSTMARK: ActiveCampaign, LLC, 1 North Dearborn St, 5th Floor, Chicago, IL 60602
Key Storage & Backups	Encryption keys are stored in Amazon's KMS system.	AMAZON KMS, AMAZON WEB SERVICES EMEA SARL, SUCURSAL EN ESPAÑA, CALLE RAMIREZ DE PRADO, 5, 28045 MADRID, SPAIN• CIF ES W0185696B
Web Application Firewall	Firewall that protects the platform from potential third-party attacks. The provider does not store any personal information on its systems.	Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107 USA

In addition to the person in charge of the Ethics Channel and its sub-processors, the personal data contained in the Ethics Channel may only be accessed, to the extent of their competences and functions, by:

1. The Ethics Channel Manager or the Compliance Manager Back Up in case of conflict with the former.

2. In the event of disciplinary action being taken against an employee. the duly designated competent body.

3. In the event that legal measures are to be adopted in relation to the facts reported in the communication, the head of the Office designated for the relevant legal area with respect to the facts reported.

4. The Firm's Data Protection Officer.

In addition, during the course of an investigation it may be necessary for us to share the facts you report – including necessary personal data – with another member of Osborne Clarke Verein (more information here ) or other third parties, where this is necessary to take corrective action on the part of the Controller.

Rights of Data Subjects

The informant or any natural person whose personal data is provided (hereinafter, the " Data Subject ") may exercise their rights of access, rectification, deletion, limitation, portability, opposition. You can consult the following link where the AEPD offers detailed information on each right and the conditions for exercising it: https://www.aepd.es/derechos-y-deberes/conoce-tus-derechos .

To exercise their rights, the Data Subjects may contact the address [email protected]

In any case, Data Subjects should be aware that the right to object may be limited within the framework of Law 2/2023. In this regard, article 31.4 of said Law establishes that, once the right to object has been exercised, the Data Controller may continue the processing of the data based on the existence of compelling legitimate reasons, unless proven otherwise. In addition, the right of access may also be limited, including in those cases where the interested party requests to know the transfers that the Data Controller has made to public authorities.

The Data Subject has the right to submit the claims he/she deems pertinent to the AEPD, for which the following addresses are provided:

· https://sedeagpd.gob.es/sede-electronica-web/vistas/infoSede/tramitesCiudadano.jsf

· https://www.aepd.es/la-agencia/donde-encontrarnos

DPO

You can contact the data protection officer by email: [email protected]