Article 1. Object

1. 1. The Zitro Group in Spain (“Grupo Zitro en España”, or hereinafter, “GZE”) may set up an ethics channel (hereinafter, the “Channel”) in order to foster legal compliance.
For the purposes of this Procedure, GZE includes the parent company -ZITRO TECHNOLOGIES, S.L.- and its Spanish subsidiaries and/or investees. The scope of application of this internal instrument is thus as follows:

a) ZITRO TECHNOLOGIES, S.L.
b) ZITRO LABORATORY, S.L.U.
c) ZITRO FACTORY, S.L.U.

2. The Channel is an essential element of the Prevention Programme, as a secure and strictly confidential means of communication allowing any GZE employee or third party connected with GZE or any of its companies¹ to inform the Internal Information System Manager (hereinafter, the “IIS Manager”) that an act believed to be unlawful has been committed, within the context of breaches of Union Law (Article 2, Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law).

3. The IIS Manager may be informed of the conduct believed to be unlawful by any of the following means:
3.a. Via the electronic form provided on the website: https://www.zitrogames.com.
3.b. By sending a letter to the following address:

INTERNAL INFORMATION SYSTEM MANAGER

ZITRO TECHNOLOGIES, S.L.
Paseo Club Deportivo 1, Parque Empresarial La Finca, Edif 13, 2º pl, 28223 Pozuelo de Alarcón (Madrid), España.
3.c. Via the telephone number 917997366
3.d. Via the email address: buzon.etico@zitrogames.com. This mechanism combines all procedures for filing complaints and providing the corporation with access to any information that is sensitive or potentially in conflict with different legal or regulatory principles.
3.e. Via a request for a face-to-face meeting, submitted through any of the previous channels.

The IIS Manager will be responsible for administering the Channel.

Article 2. General principles for use of the Ethics Channel

1. A GZE employee, or any third party not employed by GZE and its companies, but that has some connection with them, who has reasonable evidence that some irregularity or unlawful act has been committed, may report this via the Channel.
2. Communications must in all cases be handled in accordance with criteria of accuracy and proportionality. This mechanism must not be used for any purposes other than in the interests of compliance with the laws and regulations in force, at both the national and the supranational level.
3. The identity of the person reporting any of the actions referred to in subsection 1 via the Channel will be considered confidential information, and will therefore not be disclosed without their consent to the accused, guaranteeing the secrecy of the identity of the whistleblower, and avoiding any type of retaliation against them by the accused.
4. Notwithstanding the terms of the above paragraph, the details of the person reporting the incident may be provided to official or court authorities, to the extent required as a consequence of any proceedings derived from the object of the complaint, along with those of the persons involved, in any subsequent investigation or court proceedings instigated as a consequence of the investigation. This transfer of data to the official or court authorities will in all cases be performed fully in accordance with the personal data protection legislation in force at the time in question.
5. GZE undertakes not to adopt any form of direct or indirect retaliation, nor any type of negative consequence, against employees or third parties that have used the Channel to report any of the actions referred to in this document, with the following exceptions:
   5.a. If the internal investigation determines that the complaint is false and was submitted in bad faith, the company may adopt the relevant disciplinary measures against the worker that raised any action through the Channel, in accordance with the collective agreement applicable at the company.
   5.b. If the internal investigation determines that the complaint is false and was submitted in bad faith, the company may initiate the relevant criminal proceedings against the person that raised any action through the Channel, in accordance with the terms of Article 456 of the Spanish Penal Code.
6. Likewise, a person who perpetrated the act or cooperated in the performance thereof and admits to the commission thereof prior to commencement of investigation or court proceedings against them, or reveals the act in order to reduce its effects or make good the damage caused, may benefit from the attenuating circumstances governed by Articles 21.4 and 21.5 of the Spanish Penal Code, respectively.
7. The figure responsible for the internal information system, or ultimately responsible for the whistleblowing administration system (in other words, the IIS Manager) is Fátima Izaguirre Vizcaya.

Article 3. Handling of complaints

1. The IIS Manager is responsible for registering and subsequently processing all complaints received via the Channel. Notwithstanding the above, if the complaint is brought against the IIS Manager, it will be handled by the person appointed for this purpose by the Corporate Regulatory Compliance Manager.
2. As a general rule, the whistleblower must be sufficiently identified, guaranteeing the confidentiality of their identity at all stages of the process, in particular with regard to third parties, the accused, or hierarchical superiors; unless otherwise required by the authorities, as established in the Spanish Personal Data Protection Act. Likewise, during the process all identification details of third parties, such as informants or witnesses, must be redacted in all documents.
3. Anonymous complaints are permitted, although the whistleblower must identify the personal information involved in the contents, in order to allow subsequent investigation. Anonymous complaints will be subject to special examination by the IIS Manager with regard to their admission and contents.
4. Reports will not be processed if the action reported clearly does not constitute conduct which could entail the commission of any irregularity or any unlawful act of significance in maintaining the contractual relationship between GZE and the employee or third party that allegedly perpetrated the breach.
5. Complaints that are not deemed eligible for processing must likewise be registered, in terms of both receipt, and the contents and duly reasoned decision not to investigate.
6. The decision not to process a case will not prevent a subsequent investigation from being launched following receipt of additional information that could provide a basis for this.
7. In order to ascertain whether the report should be admitted for processing, the IIS Manager may, if they see fit, call on the whistleblower to clarify or supplement the report, providing any documentation and/or data that may prove necessary in accreditation of the existence of irregular conduct.
8. The rights of privacy, defence and presumption of innocence of those investigated will be guaranteed in all investigation procedures.
9. It is established as a mandatory requirement that confirmation of receipt of the complaint filed be provided within no more than 7 (seven) days of receipt thereof, unless the whistleblower explicitly requests otherwise, for example because this could compromise their identity.
10. The whistleblower must be informed within a reasonable period of the actions planned or adopted in order to pursue the complaint, and the reasons for choosing such follow-up. A reasonable period to report back to the whistleblower must be no more than 3 months, or 6 months in duly justified cases. If the appropriate follow-up measures are still under consideration, the whistleblower must be informed of this, together with any other response that they may reasonably expect.
11. The hearing process will include at least a private interview with the person allegedly responsible for the conduct complained of, at which they will be informed of the factual circumstances of the investigation, while respecting guarantees as to the presumption of innocence; they will be invited to set out their full version of the events; they will be allowed to provide any relevant evidence and will be asked the appropriate questions, depending on the circumstances of the case and the acts reported. All those affected will likewise be informed as to the processing of their personal data, along with fulfilment of any other duty imposed by the legislation in question.
12. Once the case has been investigated, the IIS Manager will issue the relevant ruling in accordance with the legislation and regulations in force.
13. The ruling must be set out in writing, and must be duly reasoned. If it is concluded that the employee or third party has committed some irregularity, or illegal act, the ruling will contain the appropriate actions to apply the relevant disciplinary measures, notwithstanding the commencement of the relevant official or court proceedings in each case.
14. The accused will be notified within 10 days of issuance of the ruling. This notification must be in writing, with a copy of the ruling being passed on to the corresponding hierarchical manager. In any event, notification of the end result must be given to the whistleblower within a period of no more than 3 months of receipt of the complaint, or 6 months in duly justified cases. Notwithstanding the above, the IIS Manager will periodically report to the Corporate Regulatory Compliance Manager about the complaints received and their outcome.
15. Where so provided in Union Law or national law, the information contained in the complaint will be passed on to the competent institutions or bodies for investigation.
16. Complaints will be stored only for a necessary and proportionate period of time.
17. If a phone line or some other voice messaging system with recording is used for the complaint, with the prior consent of the whistleblower, the legal entity will be entitled to document the verbal complaint by one of the following methods:
    17.a. By recording the conversation in a secure, lasting and accessible format.
    17.b. Through a complete and precise transcript of the conversation drawn up by the IIS Manager. The whistleblower will be given the opportunity to check, rectify and sign in acceptance of the transcript of the call.
18. If a person requests a personal meeting to file the complaint, this will take place within a maximum of 7 (seven) days, and with the prior consent of the whistleblower, a guarantee will be given that complete and precise records of the meeting will be kept, in a lasting and accessible format. GZE will be entitled to document the meeting by one of the following methods:
    18.a. By recording the conversation in a secure, lasting and accessible format.
    18.b. By means of detailed minutes of the meeting drawn up by the IIS Manager. The entity will likewise give the whistleblower the chance to check, rectify and sign in acceptance of the minutes of the meeting.

ANNEX I. DATA PROTECTION INFORMATION

Who is the controller of the personal data?

ZITRO TECHNOLOGIES, S.L., in the capacity of Personal Data Controller, informs you that these personal data derived from the existence of the ethics channel will be processed in accordance with the provisions of Regulation (EU) 2016/679, of 27 April 2016 (GDPR) and Spanish Data Protection Act 3/2018, of 5 December 2018 (the ‘LOPDGDD’). You are accordingly provided with the following information about the processing:

Processing purposes: what do we process your personal data for?

We will process the data for the appropriate administration of our ethics channel, and will to this end register and examine the corresponding irregularities reported via this channel, and conduct the necessary investigative procedures in order to uncover any possible offences and prevent GZE from incurring any type of liability, and likewise to prevent any type of conduct in breach of the organisation’s internal or external regulations.

Legitimate basis for processing: why may we process your personal data?

On the basis of the existence of public interest (Article 6(1)(e) GDPR), comprising the prevention of unlawful conduct.

Data storage criteria: how long will we store your personal data for?

We will store your data for a maximum of three months following notification of the irregularity, if the events have not been proven and provided that they are not required for other purposes or to provide evidence of the functioning of the information system. If the events are proven or reveal sufficient evidence, the data will be stored for as long as necessary in order to allow the organisation to exercise its rights before the courts, and once they are no longer required for this purpose, will be erased with appropriate security measures, to guarantee the anonymisation of the data or their complete destruction.

Communication of data: who do we provide your personal data to?

Absent any other legal obligation, your data will only be communicated to the following categories of recipient:

• Courts and Tribunals, in addition to other possible dispute resolution bodies.
• State Law Enforcement Agencies.
• Notaries and Registrars.

We have signed non-disclosure and personal data processing agreements as required and demanded by the regulations to protect data privacy (GDPR article) with those vendors requiring access to your personal data to provide the services we have contracted, or those that because of the inherent functioning of our electronic services (website and email) could have access to certain personal data.

Your rights: what are your rights under the GDPR?

• Right of access, rectification, portability and erasure of your data, and of restriction of or objection to the processing thereof.
• Right to file a grievance with the supervisory authority (www.aepd.es) if you believe that the processing does not comply with the regulations in force.

Contact details to exercise rights: ZITRO TECHNOLOGIES, S.L., Paseo Club Deportivo 1, Parque Empresarial La Finca, Edificio 13, Planta 2, 28223 Pozuelo de Alarcón, Madrid, Spain, email: buzon.etico@zitrogames.com.

¹ Shareholders, directors, executives, interns, volunteers in the service of the company, casual workers, those on a work experience or training placement, those involved in selection processes, various third parties (such as contracted sole traders), agents, collaborators, subcontractors, suppliers and all personnel in the service of the aforementioned.