Policy of Operation of the Sabang Investments, SGEIC, S.A. Complaints Channel

24 June 2025

1. OBJECTIVE

This policy has been developed by SABANG INVESTMENTS, SGEIC, S.A. (hereinafter "the Company") with the aim of detailing the procedure followed in the internal reporting channel developed in compliance with, among other regulatory provisions, art. 8 of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law.

The purpose of the Whistleblower Channel is to enable employees, customers, suppliers, and third parties related to the Company or its activities to report any incident that may have occurred within the Company and that may constitute an infraction, a crime, or a violation of our internal procedures, including, but not limited to:

  • Violation of AML/CFT regulations
  • Violation of the LOPD regulations
  • Violation of Market Abuse regulations
  • Internal Code of Conduct

The Whistleblower Channel represents an improvement for the Company, which is committed to practicing ethical behavior at all levels of the organization.

Internal reporting channels are an effective tool for detecting irregularities that would otherwise go unnoticed by other controls, although they require compliance with technical and legal measures that guarantee the rights of those affected.

The Company will establish an effective management system that will include the strategies, processes, and reporting procedures necessary to identify, measure, monitor, manage, and continuously report the risks to which the Company itself and the people involved in its activities are or may be exposed...

2. GENERAL RESPONSIBILITIES

The general responsibilities regarding the Reporting Channel are listed below:

  • Board of Directors
    • Approval of this Policy and its successive updates
    • Provide the Company with the necessary means for the proper functioning of the Channel.
  • Control Unit
    • Update of this policy after the Company has communicated any changes to its operations.
  • Criminal Risk Prevention and Control Body
    • Operation of the reporting channel.
    • Ensure the confidentiality of reporting persons, where applicable.
    • Registration of complaints
    • Preservation of documentation
  • Internal Control Body on PBC/FT
    • Support to the Criminal Risk Prevention Body in complaints regarding breaches of the Anti-Money Laundering/Anti-Terrorism Law
  • RIC Monitoring Body
    • Support to the Criminal Risk Prevention Body in complaints regarding breaches of the Company's Internal Code of Conduct
    • Support for the Criminal Risk Prevention Body in complaints regarding non-compliance with Market Abuse regulations.

3. RECIPIENTS OF THE MANUAL

This policy is intended for employees, customers, suppliers, and third parties involved in the Company's activities who may use the Whistleblower Channel as detailed herein.

All managers and employees, regardless of the legal form that determines their employment or service relationship, suppliers, sponsors, collaborators, agents, and members of the Company's various collegiate bodies must report, through the Whistleblower Channel, any irregularities or non-compliance of which they are aware and which fall within its scope of responsibility, without fear of being subject to dismissal or any other type of retaliation, and with the assurance that the information provided will be treated with the utmost confidentiality.

4. COMPLAINTS CHANNEL

4.1 OPERATION

The reporting channel will operate centrally through the following internet address:
https://sabang.factorialhr.es/complaints

The aggregate structure of the channel is as follows:

  1. IDENTIFICATION
    1. COMMUNICATION WITH IDENTIFICATION DATA OF THE COMPLAINANT
    2. ANONYMOUS COMPLAINT
  2. COMMUNICATION DATA
    1. REASON FOR THE COMMUNICATION
    2. DETAILS OF THE COMMUNICATION
  3. SUPPORTING DOCUMENTATION

Complaints will be received by the person designated by the Criminal Risk Prevention and Control Body, whose members are Fernando Becerra, Silvia Irisarri, and Víctor González.

An acknowledgment of receipt is automatically generated and delivered to the complainant at the time the complaint is filed, if they have provided an email address.

Once received and recorded, the report will be communicated to the members of the Criminal Risk Prevention and Control Body who were not previously aware of it, maintaining the confidentiality or anonymity of the complainant. If the report affects a member of the Criminal Risk Prevention and Control Body, the person concerned will not be able to participate in the investigation and deliberation process regarding the reported incident.

In cases of complaints of non-compliance with the RIC, any of the Company's internal control policies or procedures, this manual, or arising from any other type of non-compliance with criminal regulations, the Criminal Risk Prevention and Control Body will assess its validity and proceed to a detailed analysis and investigation, if it reveals evidence of the commission of illegal conduct.

Within the framework of the internal investigation carried out by the Criminal Risk Prevention and Control Body, it may gather all the information and documentation it deems appropriate from any of the different areas, departments, or individuals necessary to clarify the facts, determine the consequences that may arise, and the course of action.

Following the analysis and investigation, which must be carried out as quickly as possible given the complexity and/or severity of the reported events, the Criminal Risk Prevention and Control Body will carry out one of the following actions:

  1. If the complaint is found to be unfounded or of little or no seriousness, it will be closed and the complainant will be notified of the closure.
  2. If it is concluded that there has been behavior contrary to the Internal Code of Conduct, or any other internal control policy or procedure of the Company, it will be transferred to the Administration Manager so that he can initiate the procedures of the corresponding labor disciplinary system, which may conclude with the imposition of a sanction provided that the body instructor deems it necessary, in accordance with the regulations violated and the application of the applicable labor regime.
  3. If it is concluded that the breach has caused a situation of criminal risk, determining whether it affects the Company or the accused, once it has been evaluated with the support of the departments it deems necessary, the Board of Directors will be proposed the measures it deems appropriate to minimize the risk or prevent it in the future, if possible, as well as the possibility of training staff to be aware of them through the different means available in the organization (training, circulars, notices), in coordination with the responsible departments.
  4. If the investigation procedure initiated by the Criminal Risk Prevention and Control Body reveals reasonable evidence of the commission of a crime, the crime detection protocol will be activated. This means that the Criminal Risk Prevention and Control Body must notify the Board of Directors.
    Based on the information received and the legal report, the court will take appropriate measures to report the violation to the relevant authorities, providing all the information to which it has access at the time.

If the complaint concerns any member of the Board of Directors, and after the investigation there is evidence of irregular activity, the Criminal Risk Prevention and Control Body will report to the Board of Directors, specifying that the person or persons affected must be absent when deciding on the resolution to be taken.

The system ensures non-retaliation of the good-faith whistleblower and the confidentiality of all its stages.

4.2. RESPONSE PERIOD

The deadline for responding will not exceed three months from the date of receipt of the complaint, or if no receipt was sent to the complainant, three months from the expiration of the seven-day period after the complaint was filed.

4.3. CONFIDENTIALITY AND PROHIBITION OF RETALIATION

Only the Criminal Risk Prevention and Control Body will have access to the complaint, which will guarantee the confidentiality of the complainant's identity and that of any third party mentioned in the complaint.

The Criminal Risk Prevention and Control Body will maintain the confidentiality of the complainant at all times, unless such information is requested by an administrative or judicial authority.

Individuals who have anonymously reported or publicly disclosed information about violations but have subsequently been identified and suffer retaliation will nevertheless continue to be entitled to protection under Chapter VI of Directive (EU) 2019/1937.

4.4. REGISTRATION

For each of these, a file will be opened in which the actions taken and the documentation generated during their processing and resolution will be kept up-to-date.

Reports will be retained only for the period necessary and proportionate to comply with the requirements imposed by Directive (EU) 2019/1937, or other requirements imposed by Union or national law.

5. BODY FOR THE PREVENTION AND CONTROL OF CRIMINAL RISKS

The Company has a Criminal Risk Prevention and Control Body whose mission is to periodically supervise the risk prevention and control systems established by the Company, so that the main risks are identified, managed, and reported internally in a manner appropriate for their prevention.

The Criminal Risk Prevention and Control Body:

  • It has the support of the areas or organizational units it deems appropriate to ensure the proper and effective performance of its functions.
  • He is responsible for handling complaints received through the Reporting Channel.
  • It guarantees the confidentiality of all information received and is configured as indicated in the following section.

5.1. COMPOSITION OF THE CRIMINAL RISK PREVENTION AND CONTROL BODY

The individuals appointed to the Criminal Risk Prevention and Control Body must possess certain characteristics that ensure their relevance, competence, integrity, autonomy, and independence. The Criminal Risk Prevention and Control Body will be composed of the following individuals or functions:

  • Fernando Becerra
  • Silvia Irisarri
  • Victor Gonzalez

All members will treat all information and documentation they access or have at their disposal with the utmost confidentiality, and may not use it for any purpose other than the prevention of criminal risks and the investigation of incidents in this area.

In its oversight and compliance work, it will have specific support from the Internal Audit function and the Risk Management function.

In the performance of their duties regarding the supervision and control of criminal risks, its members will act with a maximum level of autonomy and in exercising this authority may:

  • Access and collect, when necessary for the performance of their work, information held by the Company.
  • Request the support of any area or organizational unit, employee, administrator, advisor, or any person who maintains a professional and/or employment relationship with the Company in the context of an investigation.
  • Have the appropriate means and resources necessary to carry out their work, including the management of financial resources allocated for the proper development of their work.

6. PROCESSING OF PERSONAL DATA

Any processing of personal data carried out pursuant to Directive (EU) 2019/1937, including the exchange or transmission of personal data by competent authorities, shall be carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680. Any exchange or transmission of information by Union institutions, bodies, offices or agencies shall be carried out in accordance with Regulation (EU) 2018/1725.

Personal data that is not clearly relevant to the processing of a specific complaint will not be collected, or if collected accidentally, it will be deleted without undue delay.

7. INTERNAL REGULATIONS OF APPLICATION

  • Internal Code of Conduct
  • Manual for the Prevention of Money Laundering and Terrorism Financing
  • Data Protection Procedure
  • Criminal Risk Manual

8. APPLICABLE REGULATIONS

  • DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2019 on the protection of persons who report breaches of Union law.
  • Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing.
  • Law 35/2003, of November 4, on Collective Investment Institutions.
  • Organic Law 10/1995, of November 23, of the Penal Code.
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights.
  • Royal Legislative Decree 4/2015, of October 23, approving the revised text of the Securities Market Law.
  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).