Whistleblowing Policy

1. PURPOSE AND SUBJECT MATTER

This Whistleblowing Police (hereinafter referred to as the “Policy”) of the Company under the corporate name “AHB GROUP BOTTLING COMPANY” (hereinafter referred to as “THEONI”), headquartered in Vatsounia, Municipality of Mouzaki, Karditsa, concerns the reporting procedure through the internal channels of the Company, the receipt and monitoring procedure of these reports by the competent bodies of the Company, as well as the protection framework provided to the Reporting persons.

THEONI shall ensure to act with honesty, integrity and fairly in all aspects of its activities and respectively excepts from its employees and partners to always abide by the highest standards of professionalism and ethical conduct, while it values the assistance of those who wish to express their concerns which the company should likely deal with and encourages its employees and other persons present in the workplace to speak up ensuring that such persons will not suffer acts of retaliation and will be protected against any negative consequence. In this context, THEONI shall follow the recognized best practices, as well as the provisions of the applicable Greek legislation on the protection of the persons reporting violations of the Union law, as in force, in order to achieve a healthy professional environment, as well as preserve its reputation, success and the ability to operate efficiently, both in the present and in the future.

2. SCOPE OF APPLICATION

The term “Report” shall mean the provision of information through the procedures set out in this Policy, for actions or omissions which constitute or there are reasonable grounds to consider that they constitute:

• a violation in accordance with the Union law, that is the rules of Union law that fall within the following fields:

- Public procurement contracts;

- Financial services, products and markets;

- Prevention of money laundering and terrorist financing;

- Product safety;

- Transport safety;

- Environmental protection;

- Radiation protection and nuclear safety;

- Food and feed safety, animal health and welfare;

- Public health;

- Consumer protection;

- Protection of privacy and personal data and security of network and information systems;

• a violation detrimental to the Union’s financial interests, as well as violations related to internal market, including violations of the Union rules on competition, state aids, as well as violations related to internal market in relation to actions violating taxation rules for companies or settlements.

Information regarding the above-mentioned violations may constitute reasonable suspicion, about violations, which occurred or are very likely to occur in the Company, and about attempts to conceal such violations.

The provisions of this Policy shall not affect and in no case exclude direct report to the National Transparency Authority or other competent Authorities.

3. PERSONS COVERED

This Policy concerns the following categories of persons (hereinafter referred to as “Reporting persons”):

i. the employees of the Company, regardless of whether their employment is full-time, part-time, permanent or seasonal, or whether they are seconded from another body, and also third parties connected to the reporting persons who may suffer retaliation in the workplace, such as coworkers or relatives of the reporting persons.

ii. self-employed persons, consultants or out-workers;

iii. shareholders, persons who are members of the administrative, management or supervisory body of the Company;

iv. volunteers, paid or unpaid trainees;

v. any persons working under the supervision and the directions of contractors, sub-contractors and suppliers.

vi. outgoing employees in relation to the information acquired in the context of the employment relationship, which has expired for any reason, future (potential) employees in relation to information acquired during the recruitment procedure or in any other stage of negotiation before the conclusion of a contract.

1. SUBMISSION AND RECEIPT OF REPORTS

Each employee, as well as any other person designated above under point 3, who acquired information in relation to violations as set out above under point 2 in the context of their work duties, shall be entitled to submit a Report, which may be submitted anonymously.

The Human Resources Department of the company, which is the department competent for the receipt and examination of Reports, shall be appointed as the Officer in charge for the receipt and follow-up of reports (“Officer”). The Officer shall acknowledge receipt of each Report to the Reporting person within seven (7) business days from the day of receipt.

Reports must be documented and detailed, in order to provide useful and relevant information which allows the effective verification of the validity of the reported events. When the Reporting person has relevant information, it is extremely important that the Report includes:

• a detailed description of the events that took place and the way that the Reporting person became aware of them;
• the date and place of the events;
• the names and the capacities of the involved parties or information allowing their identification;
• reference to any documents or other factors that may document the reported events.

The Report can be submitted as follows:

• via the e-mail address hr@theoniwater.gr to which only the Officer has access,
• through the hotline 2445061200 which is accessible to the Officer;
• by post to the headquarters of company to the attention of the Officer;
• orally, through a personal meeting with the Officer, following an application of the Reporting person.

The above-mentioned channels have been designed and are applied safely, in order to ensure that the identity of the Reporting person, as well as the identity of any third party mentioned in the Report shall remain confidential and that, in any case, access by non-authorized personnel is prevented.

THEONI shall be entitled to keep a record for any report received by the Officer, in accordance with the requirements of confidentiality laid down by the legislation. In any case, only reports for which the Reporting person believes in good faith that the information provided is correct must be submitted. It is noted that the persons who knowingly made false statements or false disclosures shall be punished by imprisonment of at least two (2) years and a fine.

5. EXAMINATION OF REPORTS AND SUBSEQUENT ACTIONS

The Officer shall be competent to take the necessary actions and conduct a rapid and accurate investigation, observing the principles of impartiality, fairness and confidentiality towards all involved parties.

In order to address the report, the Officer may be assisted by the competent bodies of the Company or competent authorities, as the case may be, and, when necessary, by external consultants specialized in the field of Reports, the participation of which contributes to the verification of such Report, ensuring the confidentiality of the identity of the Reporting person and any third party named in the Report, preventing access to non-authorized persons and, where possible, ensuring the anonymity of any personal data included in the Report.

During the investigation, the Officer may invite the Reporting person to provide further information, if necessary, so as to assist the investigation. In cases where a physical or an online meeting takes place between the Reporting person and the Officer, full and accurate recording of such meeting is ensured, with the consent of the Reporting person, and access to such recording will be provided to the Reporting person.

Upon the completion of any kind of investigation and verification of the reported events, the Officer shall prepare a report which summarizes the investigations conducted and the evidence collected. These results shall be notified to the competent services of the company and the heads of the involved departments, in order to determine a contingency plan and decide on which measures will be taken to protect the Company, the Reporting person and any other involved parties. During the performance of such activities, THEONI shall guarantee respect of the Reporting person’s privacy and shall prohibit any acts of retaliation against them or against any other involved party, as described in section 6 of this Policy. Further, the Reporting person shall be informed by the Officer on the result of the investigation and on any measures provided or taken to address the issue reveled in the Report within three (3) months from the acknowledgment of receipt of the Report, if even the investigation is still ongoing.

In a different case, if the Officer concludes that the report is incomprehensible or is submitted abusively or does not include facts that establish a violation of Union law or there are no serious indications of such violation, the Report shall be archived, together with its reasoning, by the Officer. Then, the Officer shall notify the archiving decision to the Reporting person who, if they consider that the Report was not handled effectively, may re-submit it to the National Transparency Authority.

6. CONFIDENTIALITY, PROHIBITION OF ACTS OF RETALIATION AND PROTECTION OF REPORTING PERSONS

THEONI, by encouraging the reporting of any conduct that may fall within the scope of application of this Policy, shall guarantee the confidentiality of each Report and the information included in it, as well as the anonymity of the Reporting person, even in the case that the Report is proven to be false or unfounded.

THEONI shall guarantee that the identity of the Reporting person will not be reveled to any party other than the authorized members of its personnel who are competent to receive or monitor the reports, except if the Reporting person provides an explicit consent or if the disclosure is required by the applicable union or national law and in accordance with the relevant conditions each time. In the latter case, the Reporting person will be informed in writing in advance, unless otherwise provided by the relevant legislation.

THEONI shall not tolerate any kind of retaliation against the Reporting person or the reported person or any party that participated in the investigation for the documentation of the Report and will seek to eliminate the consequences of any acts of retaliation suffered by the Reporting person.

Further, THEONI shall reserve the right to take the necessary measures against any party making or threatening to make acts of retaliation against those who submitted Reports according to this Policy, without prejudice to the right of the involved parties to legal protection, if criminal or civil liability related to the falsity of what was declared or mentioned for the party that submitted the Report is found. It is understood that the Company may take all appropriate disciplinary and/or legal measures to protect its rights, its assets and its reputation against any party that has submitted in bad faith false, unfounded or opportunistic reports and/or with the sole purpose of defaming, disreputing or causing damage to the reporting person or other parties included in the Report.

In case of Reports made in accordance with this Policy and the applicable legislation, the Reporting person may not be deemed liable for defamation, violation of the secrecy obligation, of the data protection rules and disclosure of trade secrets etc. The Reporting person shall also not be deemed liable for their conduct upon acquisition of information or access to information contained in the Report, under the condition that such conduct does not independently constitute a criminal offense.

7. PERSONAL DATA PROCESSING

THEONI, in its capacity as the controller, informs that the personal data of the Reporting persons and any other involved party, which were acquired during the handling of the Reports, will be processed in full compliance with the provisions of the applicable legislation on personal data protection.

In particular, THEONI shall provide to its employees and other persons entitled to submit a Report, as described above under point 3, the internal reporting channels for violations of the Union law and shall process such data aiming at the effective receipt and monitoring of Reports, ensuring their proper handling, their documentation and protection of the Reporting persons. Further, following the processing for the anonymity of the data included in the Reports, THEONI shall submit reports towards its administration for accountability and proper functioning purposes.

Processing of personal data shall be limited to what is strictly necessary for the documentation of the Report and to serve the above-mentioned legal and legitimate processing purposes and, in particular, to the full name of the Reporting person (provided that they choose to disclose it) as well as the contact information of such person or any other involved parties, to their job position and to other data that the reporting person may choose to disclose.

THEONI shall process personal data though this procedure for the above-mentioned purposes based on its compliance with the legal obligation (Article 6 par. 1 (c) of the GDPR), that is compliance with the obligation to establish reporting channels and take the necessary measures to monitor them, as provided for by the legislation on the protection of person reporting Union law violations, as in force. Further, it shall process such personal data for the purpose of preparing anonymous reports based on its legitimate interest (Article 6 par. 1 (f) of the GDPR) for transparent and proper management.

Any procedures and investigations which include processing of data will be assigned, under the supervision of the Officer, to duly appointed employees, specially trained to manage the Reporting procedure or to selected third party professionals, such as external attorneys or consultants, with particular regard to the protection of the confidentiality of the involved parties and personal data included in the Reports. Further, THEONI may transfer the information included in the reports, which may be used as evidence in administrative, civil and criminal investigations and procedures, to the competent supervising and investigating authorities.

In case that the transmission of data outside the European Economic Area is required, THEONI shall take all necessary protection measures in accordance with the applicable legal requirements, to ensure that the data receive protection equivalent to the one provided by the legislation on data protection that applies within the European Economic Area.

In this context and during the data processing activities that take place for the verification of each Report, THEONI shall take all appropriate technical and organizational measures for the security of personal data, to safeguard the confidentiality of the processing and protect them from accidental or unlawful destruction/alteration, unauthorized disclosure or access and any other kind of unlawful form of processing. In addition, it shall bind the persons having access or processing personal data on its behalf with confidentiality clauses and the obligation of secrecy.

In relation to personal data subjected to the above-mentioned procedure, the data subjects (e.g. Reporting persons, Reported persons or involved third parties), shall have the following rights:

• Right to notification and access: They shall have the right to be notified and have access to their data and receive supplementary information regarding their processing.
• Right of rectification: They shall have the right to correct, amend, supplement and update their data.
• Right of deletion: They shall have the right to request the deletion of their personal data kept when such right is not subject to restrictions in accordance with the applicable legislation or any other restrictions.
• Right to limit the processing: They shall have the right to request the restriction of processing of their personal data when: (a) the accuracy of the personal data is questioned and until they are verified, (b) the processing is illegal and the restrictions on use of the personal data instead of deletion is requested, (c) the personal data are not necessary for processing purposes, but are necessary for the establishment, exercise, support of legal claims, and (d) they object to the processing and until it is verified that there are legal grounds concerning THEONI which prevail over the grounds for which they object the processing.
• Right to object to the processing: They shall have the right to object to the processing of their personal data at any moment, but only under specific conditions provided for by the legislation.
• Right to portability: They shall have the right to receive, free of charge, their personal data in a format which allows access to them, to use them and process them, as well as to request, if technically feasible, to transmit their data directly to another controller. Such right shall apply for data that have been provided and their processing is carried out with automated means based on their consent.
• In order to be able to exercise any of the above-mentioned rights, they may address to the e-mail address: hr@theoniwater.gr.
• Right to complain to General Data Protection Authority: They shall have the right to submit a complaint to the General Data Protection Authority (www.dpa.gr). Call Center: +30 210 6475600, Fax: +30 210 6475628, E-mail address: complaints@dpa.gr.

In the context of prevention and combating attempts to prevent and delay the investigation procedure following a Report, THEONI, under its capacity as the controller, shall not provide relevant information regarding the processing of personal data to the Reported persons and any third party included in the Reports under their capacity as the data subjects and shall also not satisfy their respective rights when exercised by them for the period required and if necessary. In such cases of restriction of the data subjects’ rights, if THEONI refuses to satisfy such rights without providing any information on the ground of restriction, the data subject shall have the right to submit a complaint to the General Data Protection Authority, as provided above. Further, in case of data breach, THEONI may not disclose the incident to the data subject, if such disclosure is deemed detrimental to the purposes of this Policy.

The personal data included in the Reports shall be stored for as long as necessary based on the legislation on the protection of personal data. At the end of this period, the Officer shall delete definitely all personal data included in the Reports.

The above-mentioned policy was approved by the Board of Directors of THEONI during its meeting on 21/11/2023.