Procedure for conducting investigations at Alokai

PROCEDURE FOR CONDUCTING INVESTIGATIONS AT ALOKAI Sp. z o.o.

Report number

Date of Receipt of the Report

Personal details of the Whistleblower (address – if applicable and necessary)

Details of the
person to whom
the report pertains

Object of
the violation of the law

Follow-Up Actions

Date of Case Closure

I. GENERAL REMARKS

1. Reporting information about Violations is an expression of social responsibility and concern for the Company’s well-being, as well as the well-being of its employees and collaborators, demonstrating loyalty towards them.

2. The Company shall provide various channels for making oral and written reports. Some of the available reporting channels allow for anonymous reporting. All reporting channels guarantee confidentiality - the identity of the Whistleblower as well as the person to whom the report concerns, is particularly protected. The Company ensures the protection of the personal data of all persons whose personal data are processed in connection with the recognition of the Report.

3. Detailed rules concerning the submission of reports, including the available reporting channels, are described in the Procedure for Reporting Violations at Alokai sp. z o.o.

4. The scope of this Procedure includes the principles governing the conduct of investigatory proceedings, particularly the rules, rights, and obligations aimed at ensuring the fair and thorough review of a Report.

5. This Procedure, together with the Procedure for Reporting Violations at Alokai sp. z o.o., constitutes the Company’s whistleblowing system. The purpose of this system is to ensure that:

a) Any individual can submit a Report through the method of their choice, which, in their view, is most appropriate for them;

b) The Report is directed to a limited group of individuals who will ensure its confidentiality, as well as the confidentiality of the process of reviewing the Report and conducting the investigatory proceedings;

c) Each Report is reviewed in a fair manner, based on transparent principles;

d) The summary report from the investigatory proceedings enables concrete actions to be taken to remedy the effects of the Violation and to prevent future Violations of the same nature.

II. DEFINITIONS

1. Company – Alokai sp. z o.o. with its registered office at 2 Przeskok Street, 00-032 Warsaw, Poland.

2. Compliance Officer - An impartial internal organizational unit or individual within the Company’s structure authorized to perform the duties of the Compliance Officer.

3. Ethics Committee – A committee established to review the Report, operating based on the principle of confidentiality.

4. Alternative Contact Unit – An impartial internal organizational unit or individual within the Company’s structure authorized to perform the Compliance Officer’s duties under the Procedure in the event that the Report concerns the actions or omissions of the Compliance Officer.

5. Violation – An act or omission by individuals associated with the Company, within the scope of their professional activity or related to the Company, that breaches legal regulations, internal Company regulations, or external regulations to which the Company is committed.

6. Procedure – This Procedure for Conducting Investigations at Alokai sp. z o.o.

7. Whistleblowing Procedures – Procedures regulating the whistleblowing system, namely the Procedure for Conducting Investigations at

Alokai sp. z o.o. and the Procedure for Reporting Violations at Alokai sp. z o.o.

8. Whistleblower – An individual who has made a Report.

9. Report – Information about a Violation or a suspicion of a Violation.

III. RECEIPT OF REPORT

1. The Compliance Officer is responsible for registering the Report and verifying its completeness. If the Report is incomplete, the Compliance Officer will request the Whistleblower to provide the necessary information.

2. The Compliance Officer must confirm receipt of the Report to the Whistleblower within 7 days from the date of its submission.

3. In the case of Reports submitted through a channel managed by the Alternative Contact Unit, that entity will confirm receipt of the Report within 7 days from the date of its submission or promptly forward the Report to the Compliance Officer if it does not concern the actions or

omissions of the Compliance Officer.

4. The confirmation of acceptance of the Application shall be accompanied by an information clause concerning the processing of the Whistleblower’s personal data, a specimen of which is attached as Annex 1 to the Procedure.

5. The information and requests mentioned in sections 1-4 will be sent to the Whistleblower, provided that the Whistleblower has left contact data allowing such information to be sent.

6. The Compliance Officer shall, immediately upon receipt of the Report, pseudonymize the data of the Whistleblower and assign an identifier (e.g. numerical) to be used during the investigation. Pseudonymization includes any type of information that allows the direct or indirect identification of the Whistleblower, with particular regard to whether the content of the Report itself does not indicate the identity of the Whistleblower. There shall be no pseudonymization of the Whistleblower’s data if the Whistleblower has explicitly and unambiguously consented to his/her data being made public.

7. The Compliance Officer verifies the Report to determine whether it is not clearly unfounded. If the Report is found to be clearly unfounded, the Compliance Officer provides appropriate feedback to the Whistleblower and closes the case concerning the Report.

8. The case concerning the Report will also be closed if the information contained in the Report does not allow for the continuation of the investigatory proceedings, and the Whistleblower has not responded to clarifying questions (within 7 days from the date of receipt of the request for additional explanation) or has not provided contact details.

9. If the analysis conducted by the Compliance Officer does not reveal the obvious unfoundedness of the Report, the Compliance Officer will initiate investigatory proceedings.

IV. INVESTIGATORY PROCEEDINGS

A. Preliminary Analysis of the Report – Determining the Appropriate Entity for Conducting Investigatory Proceedings

1. Based on the preliminary analysis of the Report, the Compliance Officer assesses whether the matter addressed in the Report necessitates the appointment of an Ethics Committee or if it falls under the purview of the Compliance Officer. The Compliance Officer’s decision regarding the appropriate entity to conduct the investigatory proceedings must be based on the analysis of the following elements:

a) whether the Report concerns a Violation;

b) the type of Violation described in the Report;

c) the date of the Violation and its duration;

d) the number of individuals implicated in the Report;

e) the number of individuals affected by the Violation;

f) the number of individuals identified by the Reporter as potential witnesses.

2. In the case of Reports that will not be time-consuming and complex to investigate, the investigatory proceedings may be conducted by the Compliance Officer (or a person authorized by the Company). In other cases, the investigatory proceedings are conducted by the Ethics Committee.

3. If the preliminary assessment leads to the conclusion that the Compliance Officer is appropriate to handle the case, but during the investigatory proceedings it becomes necessary to change this decision, the Compliance Officer shall appoint the Ethics Committee. In such cases, the Ethics Committee shall take into account the actions already taken by the Compliance Officer and shall aim to avoid duplicating those actions, unless it is necessary to do so to ensure the principle of fair and thorough proceedings.

B. Ethics Committee

1. The Ethics Committee is appointed by the Compliance Officer, who serves as its Chair and appoints the remaining members. The Ethics Committee may consist of two to three members. In justified cases, the Ethics Committee may decide to expand its composition.

2. Members of the Ethics Committee may only be individuals whose expertise is pertinent to the examination of the Report.

3. If circumstances arise that cast reasonable doubt on an Ethics Committee member’s impartiality, that member is required to abstain from actions and notify the Chair of the Ethics Committee of these circumstances. The Chair of the Ethics Committee may, on their own initiative, exclude a person from the Ethics Committee if there are reasonable doubts about his/her impartiality.

4. Before undertaking any actions within the investigatory proceedings, members of the Ethics Committee:

a) receive written authorization from the Company to process personal data, and

b) provide a declaration committing to maintain confidentiality in connection with the proceedings, which obligation will remain in effect even after the termination of the legal relationship between the individual and the Company.

C. Investigatory Proceedings

1. The tasks of the Compliance Officer or the Ethics Committee in the investigatory proceedings are:

a) to conduct the investigatory proceedings to verify the content of the Report;

b) to prepare a report on the investigatory proceedings, including recommendations for further actions necessary to eliminate the effects of the Violation and to prevent future occurrences of similar issues.

2. The Compliance Officer or the Ethics Committee conducts the investigatory proceedings based on the following principles:

a) striving to establish the actual state of affairs;

b) gathering and evaluating evidence exhaustively—both evidence supporting and refuting the validity of the Report;

c) evidence cannot be disregarded simply because it may show a fact contrary to previous findings;

d) any doubts that cannot be resolved must be resolved in favor of the person to whom the Report pertains;

e) ensuring the confidentiality of personal data—actions are carried out in a manner that guarantees confidentiality; if necessary, personal data is anonymized or deleted;

f) respecting the rights of participants in the investigatory proceedings, especially the rights of the Whistleblower and the person to whom the Report pertains;

g) conducting the investigatory proceedings in a manner that ensures they are concluded within a reasonable time.

3. The Whistleblower’s data should remain confidential and may not be disclosed in the course of the proceedings to parties and participants in these proceedings without the express and unequivocal consent of the whistleblower. A template of the Whistleblower’s consent to disclosure of his/her identity is attached as Annex 2 to the Procedure.

4. Immediately after receiving express and unambiguous consent from the Whistleblower to the disclosure of his or her personal data making it possible to establish his or her identity, the Compliance Officer or the Ethics Committee shall provide the Whistleblower with the information

clause on the processing of his or her personal data set out in Annex 3 to the Procedure.

5. The Ethics Committee and Compliance Officer may seek support from external or internal experts.

6. The Compliance Officer or the Ethics Committee shall inform the person to whom the Report relates of the initiation of investigatory proceedings, this information is provided in a timely manner, taking into account the need for the unimpeded collection of evidence, preventing the destruction or concealment of evidence, and taking into account the interests of the Whistleblower, the victim, and the witnesses. An information clause on the processing of personal Report relates, a model of which is attached as Annex 4 to the Procedure, shall be attached to the information on the initiation of the investigatory proceedings. The information of the person to whom the Report relates about the initiation of an investigatory proceedings may be abandoned if the content of the Report proves to be manifestly unfounded or unconfirmed.

7. In the course of an investigatory proceedings, the Compliance Officer or the Ethics Committee is entitled to question witnesses and request the production of documents or information. Any person working or collaborating with the Company is obliged to comply with the requests of the Compliance Officer or the Ethics Committee. The Compliance Officer or the Ethics Committee is required to provide witnesses and other third parties indicated in the Report with an information clause on the processing of their personal data, a model of which is attached as Annex 5 to the Procedure. The information clause shall be provided - in a form that makes it possible to demonstrate that the Company has complied with its information obligation - in a timely manner, taking into account the need for the uninterrupted collection of evidence, to prevent the destruction or concealment of evidence, and taking into account the interests of the Whistleblower and the provisions of Art. 13 or 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU. L. 2016 No. 119, p. 1 as amended - the so-called GDPR).

8. The Compliance Officer or the Ethics Committee, in the course of fulfilling the information obligation concerning the processing of the personal data of the person to whom the Report relates or of other persons identified in the Report or the fulfillment of their request for access to their personal data, shall not be allowed to disclose the source of their personal data unless the Whistleblower does not meet the conditions indicated in Article 6 of the Law on the Protection of Whistleblowers or has previously given his/her express consent to the disclosure of his/her identity.

9. The parties to the proceedings (the Whistleblower and the person to whom the Report pertains) and individuals acting as witnesses must commit in writing to maintaining the confidentiality of everything learned in connection with the proceedings. This commitment does not apply if the disclosure of information is required by applicable law.

10. The statements referred to in section B, paragraph 4(b), and paragraph 9 above, are kept in the case files.

11. Witness’s interviews are recorded. Access to the witness’s interview record is restricted to individuals who participated in the interview. Access to the record is granted only immediately after the interview and does not permit copying of its contents.

12. The parties to the proceedings may be accompanied by one representative during the interview. The representative may be a family member, lawyer, legal advisor, or psychologist. The cost of the representative’s remuneration is borne by the party who appointed them.

13. The parties to the proceedings have the right to submit evidence requests to demonstrate the validity or invalidity of the allegations of the Violation. The entity conducting the investigatory proceedings is not bound by the evidence request and may decide not to proceed with it. The decision not to conduct the evidence must be justified.

14. All documents created during the work of the Ethics Committee are confidential.

D. Conclusion of Investigatory Proceedings

1. Upon completing the investigatory proceedings, the Compliance Officer or the Ethics Committee prepares a report which may state:

a) the occurrence or non-occurrence of the Violation or determine that, based on available evidence, it is unable to resolve the issue of the Violation; or

b) the occurrence of a Violation not mentioned in the Report.

2. The report should also include recommended actions based on the findings from the investigatory proceedings, particularly if a Violation is confirmed.

3. The report is submitted by the Compliance Officer or the Chairperson of the Ethics Committee to the Company’s Management Board and also to the Compliance Officer (if they are not a member of the Ethics Committee) unless the investigatory proceedings pertain to the Compliance Officer or were initiated based on a Report made by the Compliance Officer. If the Report pertains to the actions or omissions of a Management Board Member, the report is shared with the other Members of the Management Board (if they have been appointed). Disclosure of the report or any part of it to other individuals requires the Management Board’s consent. In cases where the Report involves a Management Board Member, that member does not participate in the decision-making process concerning the matter.

4. After the report is submitted, the Chairperson of the Ethics Committee or the Compliance Officer closes the investigatory proceedings.

5. The individual designated by the Management Board, the Compliance Officer, or the Chairperson of the Ethics Committee provides feedback to the Whistleblower.

6. The feedback must be provided within a period not exceeding 3 months from the confirmation of receipt of the Report (or if no confirmation is sent, within 3 months from the expiry of 7 days after the Report was submitted), unless the Whistleblower has not provided a contact address to which the feedback should be sent. The feedback may include information on the determination or lack of determination of the occurrence of a Violation or on the ongoing investigative actions if the investigation has not been completed.

7. The individual designated by the Management Board, the Compliance Officer, or the Chairperson of the Ethics Committee provides information to the person to whom the Report pertains about the outcome of the investigatory proceedings.

V. SUBSEQUENT ACTIONS TAKEN AS A RESULT OF CONDUCTING INVESTIGATORY PROCEEDINGS

1. The Management Board of the Company is obligated to undertake actions aimed at eliminating the irregularities identified as a result of the investigatory proceedings and to prevent their recurrence. The Management Board designates individuals responsible for implementing these actions.

2. In the event of a Violation committed by an individual who is an employee of the Company, the Management Board decides on disciplinary actions, which may include:

a) disciplinary penalties based on the Labor Code;

b) termination of the employment relationship with the employee (including dismissal without notice for employee fault).

3. For individuals who are engaged with the Company under a form of cooperation other than employment, the Management Board may apply measures provided under relevant legal provisions and agreements, including immediate termination of cooperation.

4. When implementing the actions and measures referred to in paragraphs 2 and 3 above, the Management Board must inform the Compliance Officer of such actions.

5. The Compliance Officer is obligated to verify the status of the implementation of the Ethics Committee’s recommendations six months after submitting the report to the Company’s Management Board. The Compliance Officer presents the Management Board with a report on the status of the implementation of the recommendations. If necessary, further periodic verifications are conducted.

VI. PROTECTION OF THE RIGHTS OF THE PERSON CONCERNED BY THE REPORT

1. Until the conclusion of the investigatory proceedings and the determination of whether a Violation has occurred, the allegations of a Violation are considered unconfirmed.

2. The person who is the subject of the Report has the right to a fair investigatory process, including:

a) the right to be informed of the initiation of the investigatory proceedings in accordance with the provisions of section C, paragraph 6 above;

b) the right to appoint a representative and to submit evidence requests, as per the provisions of section C, paragraphs 12 and 13 above;

c) the right to be informed of the outcome of the investigatory proceedings.

VII. SPECIAL POWERS OF THE COMPLIANCE OFFICER AND THE ETHICS COMMITTEE

1. The Compliance Officer and the Ethics Committee are authorized to request actions aimed at preventing retaliatory actions. Such requests are directed to the Board Member overseeing the segment related to the Report, who makes the final decision based on the content of the request.

2. The Compliance Officer may delegate their responsibilities under the Whistleblowing Procedures to another person. The person authorized by the Compliance Officer must be someone who ensures confidentiality and conducts actions with due diligence.

3. The Compliance Officer has the right to initiate investigatory proceedings based not on a Report from a third party, but on information obtained in the course of their duties.

4. In justified cases, particularly to ensure the proper conduct of the investigatory proceedings, the Compliance Officer may initiate an agreement to relieve the person subject to the investigatory proceedings from work duties. This action should be taken after consulting with the person responsible for employee matters in the Company and the supervisor of the person subject to the investigatory proceedings. For collaborators, the decision to relieve them from service must be consulted with the person responsible for employment in the Company and the person managing the collaboration with the specific collaborator. If an agreement to relieve from work is made, the Compliance Officer is required to promptly inform the HR department serving the Company.

VIII. PROCEDURE IN THE CASE OF A VIOLATION COMMITTED BY THE COMPLIANCE OFFICER

In the event of a Report concerning an action or omission by the Compliance Officer, the responsibilities of the Compliance Officer under this procedure will be carried out by the Alternative Contact Unit. This unit should be notified of the Report’s receipt without involving the Compliance Officer. This provision also applies in cases where the Report is made by the Compliance Officer themselves.

IX. REGISTER OF INTERNAL REPORTS

1. The Compliance Officer is responsible for maintaining the internal reports register.

2. The Company is the data administrator for the information stored in the register.

3. The following information is recorded in the register:

a) Report number;

b) Personal data of the Whistleblower and the person the Report concerns, necessary for their identification;

c) Contact address for the Whistleblower;

d) Date of the report;

e) Subject of the Report;

f) Subsequent actions taken;

g) Date of case closure.

4. The information in the register is confidential and subject to a confidentiality obligation. Access to the register is granted only to individuals with written authorization for personal data processing.

5. The template for the register of reports is provided in Annex 6 to this Procedure.

X. SECURITY MEASURES, RETENTION PERIOD, AND OBLIGATION TO DELETE INFORMATION AND PERSONAL DATA RELATING TO THE IMPLEMENTATION OF THE PROCEDURE

1. The Compliance Officer or the Ethics Committee shall ensure the protection of information and personal data (including documentation) related to the implementation of the Procedure in particular by applying the following measures:

a) information and personal data processed in paper form shall be stored in a locked cabinet to which only persons authorized to process data related to the proceedings shall have access;

b) access to information systems in which information and personal data are processed shall be restricted to authorized users, and each action on the data (access, editing, deletion, etc.) shall be recorded;

c) information and personal data transmitted electronically shall be encrypted and/or pseudonymized beforehand;

d) information and personal data are deleted irretrievably from the IT systems once they are no longer useful, and paper data are destroyed in a shredder.

2. The personal data processed in connection with the acceptance of a Report, the conduct of an investigatory proceedings, or the undertaking of a follow-up action and the documents related to the Report shall be retained by the Company for a period of 3 years after the end of the calendar year in which Report has been transmitted to the public authority competent to undertake the follow-up action or the follow-up action has been completed, or after the proceedings initiated by these actions have been terminated.

3. The Compliance Officer deletes the personal data and destroys the documents related to the Report after the expiry of the retention period. The Act of 14 July 1983 on the national archival resource and archives (Journal of Laws of 2020, item 164) shall not apply.

4. A report in documentary form shall be drawn up on the deletion or destruction of personal data and documents related to the Report.

XI. COMPLIANCE OFFICER’S DUTIES RELATED TO THE IMPLEMENTATION OF THE WHISTLEBLOWING PROCEDURES

1. Compliance Officer:

a) Ensures the currency of the Whistleblowing Procedures;

b) Coordinates the activities of the Company’s organizational units responsible for implementing the Whistleblowing Procedures;

c) Receives Reports;

d) Appoints the Ethics Committee and directs its work;

e) Oversees the process of handling reports and maintaining the register of reports in accordance with the provisions of the Procedure;

f) Recommends and subsequently informs the Company’s Human Resources Department about the conclusion of an agreement regarding exemption from the obligation to perform work;

g) Provides periodic reports to the Management Board regarding the implementation of the Whistleblowing Procedures;

h) Organizes training and other activities aimed at raising awareness among employees and collaborators regarding the reporting process for irregularities;

i) Ensures that each new employee, collaborator, and member of the statutory body is acquainted with the Whistleblowing Procedures before they are allowed to start work, begin collaboration, or assume their role;

j) Ensures that a job applicant, based on an employment relationship or another legal relationship constituting the basis for performing work or services, is informed about the Whistleblowing Procedure at Alokai sp. z o.o. before the commencement of recruitment or negotiations preceding the conclusion of an agreement;

k) Undertakes activities to ensure that each new employee, collaborator, and member of the statutory body is acquainted with the Whistleblowing Procedures before they are allowed to start work, begin collaboration, or assume their role;

l) Undertakes activities to ensure that a job applicant based on an employment relationship or another legal relationship constituting the basis for performing work or services is informed about the Whistleblowing Procedure at Alokai sp. z o.o. before the commencement of recruitment or negotiations preceding the conclusion of an agreement.

XII. FINAL PROVISIONS

1. The Procedure has undergone the required legal consultation with the employee representatives.

2. The Procedure shall come into effect 7 days after the date of sending the internal notification of the Management Board’s approval of this Procedure.

3. The owner of the Procedure is the Compliance Officer.

Annexes:

1. Model information clause concerning the processing of the Whistleblower’s personal data (general clause);

2. Template of the Whistleblower’s consent to the disclosure of his/her identity;

3. Model information clause relating to the processing of the Whistleblower’s personal data (clause after consent to disclosure of the Whistleblower’s identity);

4. Model information clause concerning the processing of the personal data of the person to whom the Report relates;

5. Model information clause concerning the processing of personal data of a third party identified in the Report;

6. Model register of internal notifications.

Annex 1 - Model information clause concerning the processing of a Whistleblower’s personal data (general clause)

Information clause concerning the processing of a Whistleblower’s personal data

for the purpose of accepting a notification and conducting an investigatory proceeding under the whistleblower protection act

1. The controller of your personal data is ALOKAI Sp. z o.o. with its registered office in Warsaw, ul. Przeskok 2, 00-032 Warsaw, www.alokai.com, e-mail: ethics@alokai.com or acu_ethics@alokai.com (hereinafter: ‘the Controller’).

2. In all matters concerning the processing of personal data, please contact the Data Protection Officer appointed by the Controller, electronically at the following e-mail address: privacy@alokai.com or by postal mail to the Controller’s address marked ‘Data Protection Officer’.

3. Your personal data will be processed for the purpose of accepting a notification and conducting an investigatory proceedings or taking follow-up action on the basis of the legal obligation to which the Controller is subjected under the Act of 14 June 2024 on the protection of whistleblowers. Your personal data may furthermore be processed for the purposes of the Controller’s legitimate interests consisting, in particular, of the Controller’s ability to establish or assert possible claims or defend against such claims in connection with Article 6(1) para. f of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU. L. 2016 No. 119, p. 1 as amended) - hereinafter ‘GDPR’.

4. Protection of the whistleblower’s identity: As a result of the requirement to provide personally identifiable information in the notification, your personal data, shall not be disclosed to unauthorized persons (i.e. persons outside the team responsible for the investigatory proceedings of the notified case), except with your express consent.

5. Specific cases where whistleblower’s data may be disclosed: In connection with investigations carried out by public authorities or pre-trial or judicial proceedings carried out by courts, including for the purpose of guaranteeing your rights of defense, your data may be disclosed when such action is a necessary and proportionate obligation under the law. Before such disclosure is made, the competent public authority or the competent court will notify you by sending you an explanation in paper or electronic form of the reasons for the disclosure of your personal data. The notification will not be provided if it may jeopardize the explanatory, preparatory, or judicial proceedings.

6. The Controller shall ensure the confidentiality of your data, in relation to the notification received. Therefore, the data may be disclosed only to entities authorized to do so under the provisions of law and to entities to which the Controller has entrusted data processing, i.e. entities providing services to the Controller in relation to the receipt of a notification or investigation, including, in particular, entities which are providers of IT systems and services, postal or courier operators, entities providing legal services.

7. Personal data processed in connection with the acceptance of a notification, investigatory proceedings or follow-up and documents relating to that notification shall be retained for a period of 3 years after the end of the calendar year in which the notification was transmitted or the follow-up was completed, or after the proceedings initiated by those proceedings have been terminated. Personal data that are not relevant to the processing of the notification shall not be collected and, if accidentally collected, shall be deleted immediately. The deletion of such personal data shall take place within 14 days of the determination that it is not relevant to the case.

8. You have the right to request access to your personal data, as well as to have it rectified (amended). You also have the right to request erasure or restriction of processing, as well as the right to object to processing, but you only have this right if further processing is not necessary for the Controller to comply with a legal obligation and there are no other overriding legal grounds for processing.

9. You have the right to lodge a complaint against the processing carried out by the Controller to the President of the Personal Data Protection Office (www.uodo.gov.pl) if you consider that the processing of personal data concerning you violates the provisions of the GDPR.

10. The provision of data is voluntary and does not constitute a condition for us to accept your notification. If you do not provide your contact data, we will not be able to confirm acceptance of your notification and process your notification.

11. Your personal data will not be subject to profiling nor, on the basis of this data, will decisions be taken in an automated manner.

Contacting the Ombudsman

The Ombudsman can be contacted by anyone who believes that their rights have been violated by the state, that they are being treated unequally.

Citizens’ information line: 800 676 676, e-mail biurorzecznika@brpo.gov.pl,

Correspondence address: Office of the Ombudsman, Solidarności Avenue 77, 00-090 Warsaw.

It is also possible to submit a notification in sign language, anonymously through the contact form on the website or in person at one of the branches.

Annex 2 - Template of the Whistleblower’s consent to the disclosure of his/her identity

CONSENT TO DISCLOSURE OF THE WHISTLEBLOWER’S IDENTITY

..............................................

Name

..............................................

Address of residence

..............................................

E-mail address or telephone number

I hereby give my consent to the disclosure of my personal data, allowing for the establishment of my identity, to unauthorized persons by ALOKAI Sp. z o.o. with its registered office in Warsaw, 2 Przeskok Street, 00-032 Warsaw (hereinafter: the ‘Company’). I acknowledge that giving consent is voluntary and that consent may be withdrawn at any time; withdrawal of consent does not affect the lawfulness of the processing carried out before its withdrawal.

Whistleblower Statement:

I acknowledge that:

- my consent does not apply where disclosure is a necessary and proportionate legal obligation in connection with investigations carried out by public authorities or in connection with preliminary or judicial proceedings carried out by the courts, including in order to guarantee the right of defense of the reported person, I am informed that the disclosure of my personal data in this case entails the possibility of identification of my identity by the authorities, institutions and their representatives to which the report will be forwarded/notified/initiated or otherwise acted upon in connection with such follow-up action;

- I have been informed that if I consent to the disclosure of my identity to unauthorized persons by the Company, the data may be made available to unauthorized persons by the Company, i.e. the persons indicated in the notification or the persons affected by the notification (in the exercise of the information obligation under Article 14 of the GDPR by the Company or in the exercise of the right of such persons to access their personal data under Article 15 of the GDPR).

........................................................................

(legible signature)

Annex 3 - Model information clause on the processing of the Whistleblower’s personal data (clause after consent to disclosure of the Whistleblower’s identity)

Information clause regarding the processing of whistleblower’s

personal data in connection with the consent to disclose their personal data

3. Personal data will be processed on the basis of Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ. EU. L. 2016 No. 119, p. 1 as amended) - hereinafter ‘the GDPR’ (consent to disclosure of identity), in connection with the provisions of the Act of 14 June 2024 on the protection of whistleblowers (Journal of Laws No. 928), in order to perform tasks related to the handling of internal notifications, including the disclosure, in justified cases, of the identity of the whistleblower.

4. Personal data will be made available only to entities authorized to process them under the law. Personal data will be made available to entities providing, on the basis of contracts concluded by the Controller support for the Controller’s activities (e.g. IT service providers). Personal data may be made available to external entities supporting the Controller in receiving internal requests. Personal data will be made available to separate controllers, i.e. competent authorities, in the event of follow-up, personal data allowing for the identification of the whistleblower may be made available to the persons affected by the notification or indicated in the notification.

5. The personal data will be kept for a period of 3 years after the end of the calendar year in which the follow-up actions have been completed or the proceedings initiated by these actions have ended.

6. You have the right of access to the content of your data and the right to rectification, deletion in cases provided by law and restriction of processing, and to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out before its withdrawal. If you withdraw your consent to the disclosure of your identity, your personal data will not be shared (from the moment you withdraw your consent).

7. You have the right to lodge a complaint against the processing carried out by the Controller to the President of the Personal Data Protection Office (www.uodo.gov.pl), if you consider that the processing of personal data concerning you violates the provisions of the GDPR.

8. The provision of personal data is voluntary.

9. Personal data will not be subject to profiling nor, on the basis of such data, will decisions be taken in an automated manner.

Annex 4 - Model information clause concerning the processing of the personal data of the person to whom the Report relates

Information clause on the processing of personal data of the person to whom the Report relates

3. Your personal data will be processed on the basis of Article 6(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU. L. 2016, No. 119, p. 1, as amended) - hereinafter the ‘the GDPR’ - obligation of the controller, in connection with the provisions of the Act of 14 June 2024 on the protection of whistleblowers (Journal of Laws No. 928), in order to perform tasks related to the handling of internal notifications.

4. The Controller will process the following personal data, indicated in the whistleblower’s notification: .................... (to be completed according to the facts) - as personal data relating to the person to whom the notification concerns, understood as the natural person indicated in the notification as a person who has committed a violation of the law, or as a person with whom the person who has committed a violation of the law is associated.

5. Your personal data has been provided by the whistleblower, i.e........................ (provide the data of the whistleblower if the whistleblower has consented to the disclosure of his/her identity or if the whistleblower has not fulfilled the requirements set out in Article 6 of the Law on the Protection of Whistleblowers. Otherwise delete).

6. Personal data will only be shared with entities authorized to process them under the law. Personal data will be made available to entities providing, on the basis of contracts concluded by the Controller, support for the Controller’s activities (e.g. IT service providers). Personal data may be made available to external entities supporting the Controller in receiving internal requests. Personal data will be shared with separate controllers, i.e. competent authorities, in case of taking follow-up actions.

7. Personal data will be retained for a period of 3 years after the end of the calendar year in which the follow-up action is completed or after the proceedings initiated by the follow-up action are completed.

8. You have the right of access to the content of your data, with the proviso that the provision of Article 15(1)(g) of the GDPR regarding the provision of information about the source of the personal data does not apply, unless the whistleblower does not meet the conditions indicated in Article 6 of the Act of 14 June 2024 on the protection of whistleblowers or has expressly consented to such provision.

9. You have the right to rectification of personal data, deletion in cases provided for by law and restriction of processing.

10. You have the right to lodge a complaint against the processing carried out by the Controller to the President of the Personal Data Protection Office (www.uodo.gov.pl), if you consider that the processing of personal data concerning you violates the provisions of the GDPR.

11. The provision of your personal data to the Controller is voluntary and occurred in the whistleblower notification.

12. Your personal data will not be subject to profiling nor, on the basis of such data, will decisions be taken in an automated manner.

Annex 5 - Model information clause relating to the processing of personal data of a third party indicated in the Report

Information clause regarding the processing of personal data of a third party indicated in the whistleblower’s notification

3. Your personal data will be processed on the basis of Article 6(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ. EU. L. 2016 No. 119, p. 1 as amended) - hereinafter the GDPR - the obligation of the controller, in connection with the provisions of the Act of 14 June 2024 on the protection of whistleblowers (Journal of Laws No. 928), in order to perform tasks related to the handling of internal notifications.

4. The Controller will process the following personal data, as indicated in the whistleblower notification: …………………….

(to be filled in according to the facts)

- as personal data of the so-called third party indicated in the notification.

5. Your personal data has been provided by the whistleblower, i.e........................

(provide the data of the whistleblower if the whistleblower has consented to the disclosure of his/her identity or if the whistleblower has not fulfilled the requirements set out in Article 6 of the Law

on the Protection of Whistleblowers. Otherwise delete).

8. You have the right of access to the content of your data, with the proviso that the provision of Article 15(1)(g) of the GDPR regarding the provision of information about the source of the personal data does not apply unless the whistleblower does not meet the conditions indicated in Article 6 of the Act of 14 June 2024 on the protection of whistleblowers or has given his/her express consent to such provision.

9. You have the right to rectification of personal data, deletion in cases provided for by law and restriction of processing.

11. The provision of your personal data to the Controller is voluntary and occurred in the whistleblower notification.

12. Your personal data will not be subject to profiling nor, on the basis of such data, will decisions be taken in an automated manner.

Annex 6 - Sample Internal Report Register