WHISTLEBLOWER CHANNEL OF CINTAS ADHESIVAS UBIS, S.A.

In accordance with the provisions of Act 2/2023, of 20 February 23, governing the protection of those reporting regulatory violations and on combating corruption, all companies with more than 50 workers are obliged to have an internal information channel in place for the communication of any acts which could constitute a serious criminal or administrative violation, or otherwise a violation of EU law.

Meanwhile, the regulations establish the obligation to provide interested parties with information as to the use of the entire internal information channel, as well as its essential procedural principles.

To ensure compliance with these requirements, we provide you with access to the following:

• 1. General Internal Information System Policy. PDF - 114Kb
• 2. Internal Information Channel User Manual. PDF - 71Kb

CINTAS ADHESIVAS UBIS, S.A., declares:

WHISTLEBLOWING CHANNEL

This whistleblowing channel guarantees fulfilment of the terms of the aforementioned regulations, as established in Articles 7 and 9 of the Act.

ANONYMOUS COMMUNICATIONS AND PERSONAL DATA

Communications may be anonymous, with no mandatory requirement to identify the whistleblower, and a reply will be given via the same channel as used to receive the report. The tracking code assigned to the message when the complaint is received must be stored for this purpose.

Anonymity will be lifted only with the explicit consent of the whistleblower or where this is a necessary and proportionate obligation imposed by EU or national law within the context of an investigation conducted by the national authorities or in the framework of court proceedings, in particular to safeguard the right of defence of the person affected.

Compliance with the data protection legislation in force will thus be guaranteed throughout the process. (Spanish Data Protection Act and GDPR).

USE OF THE WHISTLEBLOWING CHANNEL

If you plan to file a complaint, you will see that this is sent to an online tool outside the domain of Cintas Adhesivas UBIS, S.A., with the message being sent to the tool operated by an external service provider so as to ensure complete objectivity and transparency in the process of handling the complaint.

The external service provider will in all cases comply with the instructions established by CINTAS ADHESIVAS UBIS, S.A., and abide by the data protection legislation in force at all times, ensuring compliance with the obligations established in Article 28 of the GDPR.

This tool may therefore be used by any employee of CINTAS ADHESIVAS UBIS, S.A., or otherwise any other third party that may learn of unethical, fraudulent or unlawful conduct committed within our organisation.

This whistleblowing channel is not the appropriate channel for matters concerning your employment conditions or disciplinary issues. In this case you will need to follow the policies established at your organisation.

Click here to access the whistleblowing channel

BASIC PERSONAL DATA PROTECTION INFORMATION

The data controller is CINTAS ADHESIVAS UBIS, S.A., which will process the information gathered via the channel in fulfilment of a legal obligation established in Act 2/2023, of 21 February 2023, governing the protection of those reporting regulatory violations and on combating corruption, in order to administer any complaints received via the channel, guaranteeing the confidentiality of the complainant's data, which will remain anonymous and not be communicated to third parties unless they must be identified as a necessary and proportionate obligation imposed by EU or national law within the context of an investigation conducted by national authorities or in the framework of court proceedings, in which case they must be communicated to the authorities responsible for the matter.

Your data will be stored for a maximum period of 3 months from when the data are entered in the channel, but may remain blocked where necessary to provide evidence of the criminal offence prevention model, or may be demanded by the competent authority to begin the corresponding investigation of the events.

For further information as to the processing of your data or how to exercise your rights, you may consult our Privacy Policy.

WHISTLEBLOWER CHANNEL PRIVACY POLICY

In fulfilment of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Article 11 of Spain's Act 3/2018, of 5 December 2018, on the Protection of Personal Data and guarantee of digital rights, and Article 31 of Act 2/2023, of 20 February 23, governing the protection of those reporting regulatory breaches and on combating corruption, we detail below the personal data protection information concerning the processing of data within the Internal Information System:

1. DATA CONTROLLER

The Data Controller is CINTAS ADHESIVAS UBIS, S.A., holder of Tax Identification Number A20034567, of registered office at the address Polígono Lastaola - Apartado 39 - 20120 Hernani, and telephone number (+34) 943 335 077.

Your personal data will be processed in the strictest confidentiality, only by personnel authorised for this purpose.

2. DATA SOURCE

If you have opted to identify yourself, your personal data were obtained by means of the form that you completed via the whistleblowing channel established by CINTAS ADHESIVAS UBIS.

3. PURPOSE OF PROCESSING

The personal data that you provided via the form, and the contents of the documentation sent in support of your report, will be processed for the sole purpose of handling any complaints received via the channel, and processing investigations of the alleged acts reported, or as the case may be, in response to the query raised, and also, where applicable, to adopt measures for protection and/or prevention of retaliation, all the foregoing in fulfilment of the provisions of the Internal Information System Policy and the Protocol for the administration of the whistleblowing channel.

4. LEGITIMATE BASIS FOR PROCESSING

The legal basis for the processing of your personal data in the administration of the Internal Information System will be as established in Article 6(1)(c) of the GDPR, insofar as the processing is required to fulfil a legal obligation applicable to the data processor under the provisions of Act 2/2023, of 20 February 23, governing the protection of those reporting regulatory violations and on combating corruption.

5. STORAGE PERIODS

The data processed may be stored in the information system only for the essential time required to decide whether or not an investigation should be initiated as to the acts reported.

If it is demonstrated that all or any of the information provided is untrue, it must be immediately deleted from the point at which this circumstance is confirmed, unless the untruth could constitute a criminal offence, in which case the information will be stored for as long as necessary to conduct the court proceedings.

In any event, three months after the report is received, if no investigative actions have begun, the information must then be deleted, unless the purpose of storage is to retain evidence of the functioning of the system. Those reports that have not been investigated may only be recorded in anonymised form, without application of the obligation to block access, as provided in Article 32 of Act 3/2018, of 5 December 2018.

Under no circumstances will personal data be processed other than as necessary to examine and investigate those actions or omissions subject to Act 2/2023, of 20 February 2023, governing the protection of those reporting regulatory violations and on combating corruption, and must, as applicable, be immediately deleted. Any personal data that may have been reported and that refer to conduct not covered by the scope of application of the aforementioned Act will likewise be deleted.

If the information received contains personal data included within special categories of data, they will be immediately deleted, without being registered and processed.

Personal data regarding the information received and internal investigations contained in the register book will be stored only for as long as necessary and proportionate in order to comply with the aforementioned Act. Under no circumstances may data be stored for more than 10 years.

6. RECIPIENTS OF THE DATA

We hereby inform you that your identity, if you provide this or you are identifiable, will in all cases remain secret, and will not be communicated to the persons to whom the acts recounted refer, nor to third parties not involved in the administration and processing of the communication, except as necessary to adopt corrective measures at the organisation or to conduct any disciplinary or criminal proceedings that may apply, in which case they must be communicated to the authorities responsible for this matter.

The personal data processed in the Internal Information System may be communicated to the court authorities, the State Prosecution Service, State Law Enforcement Agencies or the competent administrative authority within the context of any investigation conducted or within the framework of court proceedings. They may likewise be communicated to the competent national or regional whistleblower protection authorities.

If administration of the Internal Information System is outsourced, the information provided via the channel established online may be processed by the external third party, as data processor, in accordance with the provisions of Article 6 of Act 2/2023, of 20 February 2023, governing the protection of persons reporting regulatory violations and on combating corruption.

No provision is made for international transfers of data by assignment or processing engagement.

7. RIGHTS OF DATA SUBJECTS

Whistleblowers are entitled to access the personal data and to obtain the rectification of any inaccurate or incomplete personal data, to request the erasure of their personal data and call for the restriction of processing, by writing to the postal address given above or the email address info@ubis.es, at any time and free of charge. They will also be entitled to file a grievance with the Spanish Data Protection Agency (www.aepd.es), if they believe that a violation of data protection legislation has been committed with regard to the processing of their personal data.