Special Confidentiality Statement - Whistleblowing

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA
WITHIN THE FRAMEWORK OF INCIDENT REPORTING CHANNELS

Who is responsible for the processing of personal data?

EPAFOS SA, located at 46-48 Eleftheriou Venizelou Avenue, is the data controller for the personal data (hereinafter referred to as Data) collected through existing incident reporting channels, in accordance with current legislation on personal data.

What is the purpose of collecting and processing your Data?

EPAFOS SA has implemented reporting channels to prevent, detect, and investigate irregular, unethical, illegal, or punishable behaviors within the Company. Reports or complaints of irregularities, negligence, or punishable acts may include, but are not limited to, the following:

• Theft
• Fraud
• Corruption
• Bribery (offer/acceptance)
• Violation of human rights (diversity, discrimination based on gender, religion, nationality, etc.)
• Misuse of proprietary information
• Acts endangering the health and safety of employees
• Acts harmful to the environment
• Acts that may lead to a violation of competition laws
• Acts conflicting with the interests of the Company and/or the Group
• Violation of Company Policies and Procedures, risking financial loss
• Violation of the legal framework governing the Company and its Group companies (including legislation protecting individuals reporting violations of EU law)
• Other unethical or inappropriate behavior (acts that violate the ethical and moral standards of the Group)
• Incidents of violence and harassment
• Incidents of personal data breaches
• Incidents of information security breaches

Please note that the above list is not exhaustive but is intended to explain the indicative nature of the issues.

If any of the aforementioned actions are subject to legal proceedings, as stipulated by national legislation, the Management of the Company or the respective company within the Group will promptly submit the complaint to the competent Service/Authority for further investigation.

What sources are used to collect the Data

The Company receives the Data submitted in the following ways:

• Via email at the address: This email address is being protected from spambots. You need JavaScript enabled to view it.. In the case of an anonymous report/whistleblowing, it is recommended to use a non-corporate email for submitting the report (e.g., gmail).
• Through the Company's website: https://www.epafos.gr/en
• Via email for cases of personal data breach at the address: This email address is being protected from spambots. You need JavaScript enabled to view it.
• Via email for cases of information security breach at the email address: This email address is being protected from spambots. You need JavaScript enabled to view it.
• By mail to the address of EPAFOS S.A., attention to the Regulatory Compliance Group Manager, marked as "Confidential" or if it concerns a personal data breach, attention to the Data Protection Officer, or if it concerns information security breach, attention to the Information Security Officer of the Company.

Additionally, the company may receive data through reports transmitted by its subsidiary companies. This is applicable when a report raises issues of public interest or directly/indirectly concerns the company. During the investigation of a report, the company may collect further data through interviews with involved parties and from other sources, in accordance with its internal policies and procedures.

What data does the company process?

In order to verify the validity of a specific report or whistleblowing and conduct further investigations into the reported incident, the company voluntarily processes the data submitted by the reporters. This data includes, but is not limited to:

1. Detailed information about the events that raised suspicion or concern, including names, dates, documents, and locations.
2. The underlying reasons that led to the submission of the report or whistleblowing.

It is important to note that the purpose of the report or whistleblowing is not to prove the concerns or suspicions of the reporter. However, we strongly encourage reporters to provide all available information to facilitate a thorough investigation of the case.

We would like to emphasize that our company provides established reporting channels that allow reporters to submit their reports either anonymously or with their identity disclosed. It is essential that all reports are made in good faith. We are fully committed to protecting reporters from any form of discrimination or adverse treatment, including targeting or actions that aim to punish them. This includes adverse professional movements, transfers, or termination of employment. It is important to highlight that no sanctions or consequences will be imposed on individuals whose reports are not proven to be malicious after a thorough examination.

Who has access to the data?

Access to the data contained in the reports, for the purpose of examination or management, is strictly limited to individuals involved in the management and investigation of the respective incident, and only to the extent necessary.

Specifically, the disclosure of data included in the reports is done on a case-by-case basis, depending on the nature of the incident, and always in accordance with the relevant policies and procedures. This includes members of the Company's Reports Assessment Committee (in cases involving violence/harassment), the Regulatory Compliance Officer (responsible for receiving and monitoring reports), the Head of Internal Audit (responsible for report management/examination), the Data Protection Officer, the Audit Committee, the Board of Directors, external consultants bound by confidentiality agreements, lawyers, as well as judicial and/or administrative authorities.

Furthermore, the data included in the reports or whistleblowing is shared with the individuals mentioned in the report or whistleblowing, witnesses, and any other parties with a legitimate interest. However, when granting access to the data to the individuals mentioned in the report or whistleblowing, the personal details of the complainant and witnesses are redacted, unless explicit consent has been given, or unless it has been proven that the report or whistleblowing was made with malicious intent. 

Those individuals who are mentioned or involved in the investigation process of the report will be duly informed about the report's content, their related rights, and how they can exercise those rights, in accordance with the applicable framework. However, the provision of information will be evaluated on a case-by-case basis, as there may be situations where disclosing such information could, for instance: a) hinder the investigation and impede the assessment of the report, as well as the collection of necessary information and evidence; b) directly or indirectly reveal the identities of the reporters; c) disclose confidential information that, due to its nature and particularly the Company's overriding legal interests, must remain confidential; or d) obstruct the establishment, exercise, or support of the Company's legal claims and/or any criminal proceedings. If those mentioned in the report or whistleblowing are not promptly informed about its content to prevent actions that could obstruct the investigation, the reasons for the delay must be documented in writing, and the document must be recorded in the case file.

Are the data received by the whistleblowing management team disclosed to third parties?

The data and information received by the whistleblowing management team are not disclosed to any other individuals or teams within the Company or its affiliated companies, unless it is absolutely necessary for further investigation of the complaint. In such cases, disclosure is limited to individuals who possess the required knowledge.

How long are the data contained in a report/whistleblowing kept?

The Company retains the data for a specific period following the completion of the investigation, which varies depending on the findings. Here are the specific guidelines:

• If a report is deemed unfounded, abusive, or lacks substantial evidence of a violation, the data will be deleted within six (6) months from their inclusion in the file.
• If a report/whistleblowing proceeds through legal channels, the data will be deleted upon the issuance of an irrevocable judicial decision.
• If a report/whistleblowing provides documented evidence against an employee/executive of the Company or its affiliated companies, the data will be retained for the duration of their employment/relationship and deleted twenty (20) years after any termination or resolution of the collaboration.
• If a report/whistleblowing yields documented findings against a third party (e.g., customer, supplier, external collaborator) of the Company or its affiliated companies, the data will be retained for the duration of the collaboration and deleted five (5) years after any termination or resolution of the collaboration.

In all cases, the Company adheres to its relevant policies regarding the retention and deletion of personal data.

What technical and organizational measures does the Company implement for data protection?

The Company implements necessary technical and organizational measures to ensure a certain level of security that aligns with the risks associated with data processing and takes into account the nature of the processed data. These measures are in accordance with the Company's applicable policies and procedures regarding data processing and information security. They encompass various aspects such as access control based on need-to-know, commitment of personnel with access to maintain confidentiality, control of access rights, utilization of encryption, supervision of equipment and information technology services in full compliance with current legislation, and more.

Where can I find more information?

For further details regarding the processing of your data and your rights, please refer to the Privacy Statement available at the following link: https://www.epafos.gr/en/privacy-policy. Additionally, you can consult the Reporting-Whistleblowing Management Policy or reach out to the Data Protection Officer (DPO) via email at This email address is being protected from spambots. You need JavaScript enabled to view it..