Internal reporting procedures

INTERNAL REPORTING PROCEDURE in force in OPTIDATA SP. Z O.O. WITH ITS REGISTERED OFFICE IN KRAKOW

Having regard to the obligations laid down in Article 24 (1) and others of the Law of 14 June 2024 on the protection of whistleblowers (”The Act”), is entered in Optidata sp. z o.o. with its registered office in Krakow, entered in the register of entrepreneurs of the National Court Register under KRS number 0000141956 (hereinafter: Optidata or Company), the procedure for internal notifications (hereinafter: Procedure).

SECTION I: GENERAL INFORMATION

PURPOSE AND SCOPE OF REGULATION

1.

1. Whistleblowers are legally protected from any retaliatory action, that is, direct or indirect actions or omissions in a work-related context, that is caused by a report or disclosure to the public and that infringes or may violate the rights of the whistleblower or causes or may cause undue harm to the whistleblower, including from the unfounded initiation of proceedings against you signaled. The reporting person is protected, in particular, against termination or termination of employment or other contractual relationship, reduction of remuneration for work, suspension of promotion or omission from promotion and negative evaluation of work performance.
2. The protection indicated above shall be granted to the whistleblower provided that he had reasonable grounds to believe that the information reported or disclosed to the public was true at the time of the notification or disclosure to the public and that it constitutes information of a breach of law. Knowingly reporting false information is subject to liability set out in the relevant legislation and may also result in termination of an employment or other contract, also without notice.
3. The procedure sets out Optidata's internal infringement reporting and follow-up procedure.
4. The procedure was established by the Company after consultation with representatives of persons providing work for the Company.

2.

The terms indicated below have the following meanings in the Procedure:

• information about the violation of the law it is information, including reasonable suspicion of an existing or potential breach of law that has occurred or is likely to occur in the legal entity with which the whistleblower participated in the recruitment process or other negotiations prior to the conclusion of the contract, works or worked, or in another legal entity with which the whistleblower maintains or has maintained contact in a work-related context information about, or information relating to an attempt to conceal such a breach of law;
• internal notification is the transmission of information about the infringement made within the internal procedures in force in Optidata, described in Section II of the Procedure.

AREAS OF REPORTABLE INFRINGEMENT

3

1. 1. An internal reportable violation is an act or omission that is unlawful or intended to circumvent the law relating to:
      • corruption;
      • public procurement;
      • services, products and financial markets;
      • combating money laundering and terrorist financing;
      • the safety of products and their compliance with the requirements;
      • transport safety;
      • environmental protection;
      • radiation protection and nuclear safety;
      • food and feed safety;
      • animal health and welfare;
      • public health;
      • consumer protection;
      • protection of privacy and personal data;
      • security of networks and ICT systems;
      • financial interests of the State Treasury of the Republic of Poland, local self-government units and the European Union;
      • the internal market of the European Union, including public competition and state aid rules and corporate taxation;
      • constitutional freedoms and rights of man and citizen - occurring in the relations of the individual with public authorities and not related to the areas indicated in points 1 to 16.

CHAPTER II: INTERNAL NOTIFICATIONS

PERSONS AUTHORISED TO MAKE THE NOTIFICATION AND THE NOTIFICATION PROCEDURE

4

The persons authorised to make internal reports are:

1. potential employees;
2. employees;
3. temporary workers;
4. persons performing work on a basis other than the employment relationship, including on the basis of a civil law contract;
5. entrepreneurs;
6. prosecutors;
7. partners;
8. members of the Company's bodies;
9. persons performing work under the supervision and direction of the contractor, subcontractor or supplier;
10. interns;
11. volunteers;

5

1. The entity authorized by the Company to accept internal applications in Optidata is the SUBMISSION TEAM.
2. Members of the REPORTING TEAM are authorized to follow up, including the verification of the internal report and further communication with the whistleblower, including requesting additional information and providing feedback to the whistleblower. The Management Board of the Company hereby authorizes the NOTIFICATION TEAM to take any follow-up actions, which should be taken by at least two members of the REPORTING TEAM and guarantees their impartiality, including the undertaking not to influence in any way the decisions of the REPORTING TEAM and to respect their decisions regarding follow-up actions.

6

1. Internal reports may be submitted as follows:

• using a dedicated online whistleblowing system on the TomHRM portal available at: https://tomhrm.app/public/whistleblower/pl/ma2Rkg/home (Further: Sistema de TomHRM), supplied by ENNOVA Spółka Jawna, Sadowa Street 7/13, 82-300 Elbląg; or
• in writing — in an envelope with the note “internal notification of violations of the law” and placing it in another envelope and sending a letter to the Company's correspondence address; or
• during a direct conversation with the REPORTING TEAM during a meeting or videoconference organized at the request of the whistleblower within 14 (fourteen) days of receipt by the REPORTING TEAM of such a request, from which a protocol of the conversation will be drawn up, reproducing its exact course. The whistleblower can check, correct and approve the minutes of the meeting by signing it.

2. Correspondence address of the Company: Optidata sp. z o. o., ul. Wadowicka 8A, 30-415 Kraków.
3. Internal reports made using the notification channels indicated in paragraph 1 (2) and (3) will be immediately entered by the SUBMISSION TEAM into the TomHRM System.

7

1. The company will not accept anonymous applications.
2. Reports can be made by the whistleblower with the indication of his mailing address or e-mail address.
3. The whistleblower receives confirmation to accept an internal application, within 7 (seven) days from its submission, respectively — via the TomHRM System (for reports made using this TomHRM System) or from the SUBMISSION TEAM (in the case of telephone or direct reports), unless the applicant has provided a contact address enabling confirmation.

FOLLOW-UP

8

1. The authorised person is obliged to follow up with due diligence. Follow-up actions to verify information on infringements shall include in particular:

• an investigation, including asking the whistleblower to provide additional information on the reported infringement, if the information provided in the notification is insufficient, including information on the time, manner and place of the infringement, as well as information on witnesses who may have knowledge of the case, and the whistleblower's sources of knowledge of the infringement;
• an internal investigation to determine whether there has been an infringement, including:
  1. conducting fact-finding interviews with witnesses designated by the complainant and other persons who may have knowledge of the reported violation;
  2. obtaining written explanations from the persons referred to in point (a);
  3. obtaining documents related to the reported violation from employees and persons cooperating with the Company, as well as requesting the transfer of such documents to the Company's business partners;
  4. consultations with the relevant departments of the Company and external advisors, including lawyers;
• initiation of controls or administrative proceedings;
• bringing charges;
• actions taken to recover funds;
• actions taken to close the procedure under the internal infringement reporting and follow-up procedure.

2. Follow-up action is taken by the Authorized Person.

9

1. In the event of a violation of the law, Optidata may apply in particular the following measures in relation to the person who committed the infringement:

• imposition of an injunctive penalty;
• termination of the employment relationship, including without notice;
• termination of the contract binding the violator with Optidata;
• reporting a suspected crime to the appropriate authorities.

2. In addition, in the event of a breach of law, Optidata may take action within the organisation to prevent similar infringements in the future, including introducing additional internal control procedures.

10

The whistleblower will receive feedback, which shall include, in particular, information on the follow-up planned or undertaken and the reasons for such action. The feedback shall be communicated to the notifier within a period not exceeding 3 months from the date of confirmation of receipt of the internal report or, in the case of failure to provide confirmation of acceptance of the internal report, within 3 months of the expiry of 7 days from the date of submission of the internal report, unless the whistleblower has provided the contact address to which the feedback is to be forwarded.

CONFIDENTIALITY OF DATA

11

1. The Company guarantees that the internal reporting procedure and the processing of personal data related to the receipt of reports prevent unauthorized persons from gaining access to the information covered by the report and ensure the protection of the confidentiality of the identity of the whistleblower, the person affected by the report, and the third party indicated in the notification. The protection of confidentiality applies to information from which the identity of such persons can be directly or indirectly identified.
2. Only persons with the written authorisation of the Company may be authorised to receive and verify internal reports, take follow-up actions and process the personal data of the persons referred to in paragraph 1 (Annex 2). Authorised persons are obliged to maintain confidentiality regarding the information and personal data obtained in the course of receiving and verifying internal applications, and to take follow-up actions, including after the termination of the employment relationship or other legal relationship under which they performed this work (the model of the declaration is set out in Annex No. 3).
3. Information on the processing of the whistleblower's personal data constitutes Appendix No. 1 to the Procedure.

CHAPTER III: FINAL PROVISIONS

12

1. In any case, information about a violation of the law may also be reported to the Ombudsman or to a public authority, bypassing the internal reporting procedure. External notification to the Ombudsman should be made in the manner described on the Ombudsman's website at: https://bip.brpo.gov.pl/pl/content/zlozenie-wniosku-do-rzecznika-praw-obywatelskich External notifications to other public authorities and, where appropriate, to the institutions, bodies, offices and agencies of the European Union should be made in the manner described in the appropriate procedures put in place by those institutions, bodies or bodies.
2. The procedure comes into force after 7 (seven) days from its notification to the persons performing work in the Company by sending it to the employee's (e-mail) address.

Changes to the Procedure shall be made after consultation with the employees' representatives and shall enter into force after 7 (seven) days from the date of its notification to the persons performing the work in the manner set out in § 12 point 2.

3. An integral part of the Procedure are the Annexes:

• Appendix No. 1 — Information on the processing of personal data of whistleblowers.
• Annex 2 — Model AUTHORISATION
• Annex 3 — model DECLARATION OF CONFIDENTIALITY

Information on the processing of personal data SYGNALISTA

required pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”.

1. Administrator of personal data

The administrator of your personal data is Optidata Sp. z o.o. with its registered office in Krakow, ul. Wielicka 50/5, 30 — 552 Kraków, entered in the register of the National Court Register under number 00000141956 (hereinafter also the “Company”). You can contact us as follows:

• by mail to the address: Optidata Sp. z o.o. ul. Wielicka 50/5, 30 — 552 Kraków;
• by e-mail: optidata@optidata.pl;
• by phone: +48 12 299 60 00;

2. Data Protection Officer:

We have appointed a Data Protection Officer (DPO). This is the person with whom you can contact in all matters concerning the processing of personal data and the exercise of rights related to data processing. The IOD can be contacted as follows:

• by mail to the address: Optidata Sp. z o.o. ul. Wielicka 50/5, 30 — 552 Kraków;
• by e-mail: abi@optidata.pl;
• by phone: +48 12 299 60 00;

3. Purposes of processing and legal basis of processing

We process your personal data in order to:

Implementation of the legal obligation incumbent on the Administrator to accept and verify reports of violations of the law, including establishing factual circumstances, obtaining additional information and taking possible follow-up actions, in accordance with the internal Procedure for making violations of law and taking follow-up actions in the OPTIDATA Company

4. Legal basis:

The legal basis for processing is Article 6 (1) (c) of the GDPR in conjunction with the provisions of the Act on the Protection of Whistleblowers of 14 June 2024 (Journal of Laws of 2024 item 928)

5. Retention period of personal data

We will retain your personal data for the period necessary to achieve the purposes of the processing, but no longer than 3 years after the end of the calendar year in which the external notification was submitted to the public authority competent for follow-up action or the completion of follow-up actions, or after the completion of the proceedings initiated by these actions. After the expiration of the specified period, the Company deletes personal data and destroys the documentation related to the internal notification, unless the documentation related to the internal notification is part of the files of the preparatory proceedings or the court case.

Personal data that are not relevant to the processing of the application are not collected and, in case of accidental collection, are deleted immediately. The deletion of this personal data takes place within 14 days from the moment it is determined that it is not relevant to the case.

6. Recipients of data

We will share your personal data:

— our employees authorized to access your data, due to the type of employee duties entrusted to them or functions performed in connection with the performance by the Administrator of the obligations in terms of receiving, verifying information, conducting possible follow-up actions and archiving reports of legal violations in accordance with the internal Procedure for committing legal violations and taking follow-up actions in the OPTIDATA Company.

— entities to which the Company is obliged or authorized to disclose your data on the basis of legal provisions. Such entities may in particular be law enforcement agencies and courts.

7. Transfer of data to third countries or international organisations

We do not transfer your data outside the Polish/EU/European Economic Area.

8. Rights related to the processing of personal data and automated decision-making

You have the following rights related to the processing of personal data:

1. the right to access your personal data;
2. the right to request rectification of your personal data and their completion;
3. the right to request the deletion of your personal data, in the event of the circumstances indicated in Article 17 of the GDPR;
4. the right to request restriction of the processing of personal data, in the cases indicated in Article 18 of the GDPR;
5. the right to lodge a complaint with the supervisory authority dealing with the protection of personal data, i.e. the President of the Office for Personal Data Protection;
6. the right to withdraw consent to the processing of personal data that we process on the basis of your consent. The withdrawal of consent will not affect the lawfulness of the processing carried out on the basis of your consent before its withdrawal.

In order to exercise your rights, please contact the REPORTING TEAM to which the violation was reported.

Voluntary provision of personal data

Providing your personal data is to the extent that we process them on the basis of your voluntary consent, but necessary for the purposes related to establishing contact or providing information about the activities carried out and the final conclusions of such a procedure.

VALID FROM: November 2024

‍