Internal whistleblower channel policy

Introduction, Purpose and Application

The Law 2/2023, of 20 February, regulating the protection of persons reporting regulatory breaches and combating corruption (hereinafter, Law 2/2023) transposes into Spanish law Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019, on the protection of persons who report breaches of Union law.

This policy applies to KUNAK TECHNOLOGIES, S.L. with CIF B71110837 and registered office at P.E. La Muga 9, 4°, office 1, 31160, Orcoyen, Navarra. Its objective is to establish an internal channel for reporting potential regulatory breaches, violations of internal and/or ethical policies, and to establish a protection regime for whistleblowers in compliance with Law 2/2023.

Law 2/2023 explains and clarifies in its preamble, Part III, that its purpose is to protect individuals who, in a work or professional context, detect serious or very serious criminal or administrative offences and report them through the mechanisms regulated in this policy, safeguarding them from possible retaliation.

This Channel, therefore, is a mechanism that allows company employees and other stakeholders to report any type of illegal conduct or behaviour contrary to our values and ethical principles without fear of retaliation. It strengthens the culture of reporting, integrity infrastructures within organisations, and fosters a reporting culture as a means to prevent and detect threats to the public interest. In this way, the aim is to promote a culture of transparency, integrity, and responsibility within our organisation while protecting employees who make a report in good faith.

Whistleblower Channel

The entity has created a whistleblower channel (hereinafter, the CII) as the preferred means for receiving information on actions or omissions that may constitute a serious or very serious criminal or administrative offence, as well as other actions provided for in Article 2 of Law 2/2023.

The channel is administered by the Internal System Manager of the Channel (hereinafter, the RSII). Access to this channel is limited, within their scope of competence and functions, to:

1. The Internal System Manager of the Channel.
2. The administrator(s) delegated by the system manager.
3. The designated managers responsible for handling specific complaints based on their respective areas.

The responsibilities of these bodies, as applicable, include:

• Receiving, recording, and managing complaints received through the whistleblower channel.
• Appointing the person or team in charge of investigating received complaints.
• Ensuring the protection of whistleblowers and the confidentiality of received complaints.
• Assessing the truthfulness and credibility of received complaints.
• Making decisions on appropriate measures based on investigation results.
• Regular monitoring and review of the complaints management process and the company’s internal policy.
• Preparing reports and recommendations for senior management regarding complaints received and actions taken.

The CII must technically ensure confidentiality or, where applicable, the anonymity of the whistleblower, to protect them from any leaks and subsequent retaliation.

• Link to the whistleblower channel: https://compliance.legalsending.com/canal/?C=48605329019048412

• QR Code:

• Sending an email to the following address: [email protected]

• Postal mail addressed to P.E. La Muga 9, 4°, office 1, 31160, Orcoyen, Navarra. A/A: Compliance

Subjective Scope – Whistleblowers

Persons who have a work or professional relationship with AEPD can use the internal information channel and benefit from the protection provided by Law 2/2023 when reporting actions or omissions described in Article 2 of the Law. This work or professional relationship, which entails dependency on AEPD, necessitates and justifies special protection against possible retaliation.

In any case, the following are considered whistleblowers under Law 2/2023:

• Employees or workers under an employment contract.
• Self-employed collaborators (freelancers).
• Shareholders, partners, and individuals belonging to the company’s administrative, management, or supervisory body, including non-executive members.
• Any person working for or under the supervision and direction of contractors, subcontractors, and suppliers.
• Whistleblowers who disclose information about breaches obtained in a past employment or statutory relationship, volunteers, interns, trainees—whether or not they receive remuneration—and those whose employment relationship has not yet begun, in cases where the information about breaches was obtained during the selection or pre-contractual negotiation process.

It is important to emphasise that reports made through the whistleblower channel must be in good faith, meaning they must be supported by evidence and concrete facts.

Objective Scope – Reportable Acts

Under Law 2/2023, the internal information channel can be used to report serious misconduct or suspected corruption that may constitute serious or very serious criminal or administrative offences related to the entity’s activities, which the whistleblower has observed or been informed about in the course of their work or professional relationship.

Law 2/2023 and Directive (EU) 2019/1937 list the following as reportable information:

1. Breaches falling within the scope of Union acts listed in the Annex to the Directive in the following areas:
   1. Public procurement
   2. Financial services, products, and markets, and prevention of money laundering and terrorist financing
   3. Product safety and compliance
   4. Transport safety
   5. Environmental protection
   6. Radiation protection and nuclear safety
   7. Food and feed safety, animal health, and animal welfare
   8. Public health
   9. Consumer protection
   10. Privacy and personal data protection, and network and information systems security
2. Breaches affecting the EU’s financial interests as outlined in Article 325 of the Treaty on the Functioning of the European Union (TFEU).
3. Breaches affecting the internal market as per Article 26(2) TFEU, including competition law violations, state aid infringements, and corporate tax rule violations.
4. Actions or omissions that may constitute serious or very serious criminal or administrative offences, including those causing economic damage to public finances and social security.
5. Breaches of labour law regarding health and safety at work reported by workers.

For these purposes, participation in the capital or voting rights corresponding to shares or holdings is considered significant when, due to its proportion, it allows the person holding it to have the capacity to influence the legal entity in which they participate.

Informants shall not incur liability regarding the acquisition or access to the information that is communicated or publicly disclosed, provided that such acquisition or access does not constitute a criminal offence.

Any other possible liability of informants arising from acts or omissions not related to the communication or public disclosure, or that are not necessary to disclose an infringement under Law 2/2023, shall be enforceable in accordance with applicable regulations.

In proceedings before a judicial authority or another body regarding damages suffered by informants, once the informant has reasonably demonstrated that they have reported or made a public disclosure in accordance with Law 2/2023 and have suffered harm, it shall be presumed that the harm occurred as retaliation for reporting or making a public disclosure. In such cases, the person who took the harmful measure must prove that the measure was based on duly justified reasons not linked to the communication or public disclosure.

In judicial proceedings, including those related to defamation, copyright infringement, breach of secrecy, data protection violations, trade secret disclosures, or compensation claims based on labour or statutory law, informants shall not incur any liability as a consequence of protected communications or public disclosures under Law 2/2023. Such persons shall have the right to argue in their defence within the framework of said judicial proceedings that they have reported or made a public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure was necessary to expose an infringement under Law 2/2023.

Expressly excluded from the protection provided by the law are persons who communicate or disclose:

1. Information contained in communications that have been rejected by an internal reporting channel or for any of the reasons established by law.
2. Information related to complaints about interpersonal conflicts or that affect only the informant and the persons referred to in the communication or disclosure.
3. Information that is already fully available to the public or that constitutes mere rumours.
4. Information concerning actions or omissions not covered by the scope of the law.

Measures for the protection of affected persons

During the processing of the file, the persons affected by the communication shall have the right to the presumption of innocence, the right to defence, and the right to access the file under the terms provided in Law 2/2023, as well as the same protection established for informants, preserving their identity and ensuring the confidentiality of the facts and data of the procedure.

The Independent Authority for Whistleblower Protection, A.A.I., may, within the framework of the sanctioning procedures it conducts, adopt interim measures under the terms established in Article 56 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.

Cases of exemption and mitigation of sanctions

When a person who participated in the commission of the administrative offence being reported is the one who informs of its existence by submitting the information, and provided that it has been submitted before notification of the initiation of the investigation or sanctioning procedure, the competent authority to resolve the procedure, through a reasoned decision, may exempt them from compliance with the administrative sanction that would have corresponded to them, provided that the following conditions are accredited in the file:

1. Ceasing to commit the offence at the time of submitting the communication or disclosure and identifying, where applicable, other persons who have participated or facilitated it.
2. Fully, continuously, and diligently cooperating throughout the investigation procedure.
3. Providing truthful and relevant information, evidence, or significant data to prove the facts investigated, without having destroyed or concealed them, nor disclosed their content to third parties, directly or indirectly.
4. Taking steps to repair the damage caused that is attributable to them.

When these requirements are not fully met, including partial reparation of the damage, the competent authority shall assess the degree of contribution to the resolution of the case and may mitigate the sanction that would have corresponded to the committed offence, provided that the informant or author of the disclosure has not previously been sanctioned for similar acts that led to the initiation of the procedure.

The mitigation of the sanction may also extend to other participants in the commission of the offence, depending on their degree of active cooperation in clarifying the facts, identifying other participants, and repairing or minimising the damage caused, as assessed by the decision-making authority.

Law 2/2023 excludes from this provision offences established in Law 15/2007, of 3 July, on Competition Defence.

Confidentiality and data protection

The processing of personal data shall be carried out in compliance with Law 2/2023, of 20 February, on the protection of persons reporting regulatory infringements and combating corruption, Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights, and Organic Law 7/2021, of 26 May, on the processing of personal data for the purposes of preventing, detecting, investigating, and prosecuting criminal offences and executing criminal penalties.

Personal data subject to processing, the documents provided, and any other information provided in the complaint containing personal data shall be treated confidentially by those responsible for the channel, as well as by administrators and potential managers, in order to comply with the obligation to investigate and manage the submitted complaint, as well as to comply with the legal obligations established in Law 2/2023.

Communication and review of policies and procedures

The company shall carry out periodic training sessions and awareness campaigns to foster a culture of integrity and transparency and to inform employees and other stakeholders about the whistleblowing channel. It shall also provide information on the rights and protections offered to whistleblowers under Law 2/2023.

The company is committed to disseminating this policy to all employees and stakeholders and will update it at least every three years or modify this internal policy where necessary, taking into account the experience gained and the recommendations of the competent authority.

In Orcoyen, 7 February 2025.