POLICY AND PROCEDURES FOR THE MANAGEMENT OF REPORTS
CONCERNING BREACHES OF EU LAW

I. REPORTING POLICY

1. INTRODUCTION

1.1 General - Purpose

AS COMPANY S.A. (hereinafter referred to as the "Company") is a Greek société anonyme, listed on the Athens Stock Exchange, and is mainly active in the trade of children's toys.

In the context of its regulatory compliance, the Company adopts this Policy for Reporting Violations of EU Law (hereinafter: "PAPED"), while ensuring the establishment and operation of secure reporting channels.

The PAPED is adapted to the principles and provisions of the European Directive 2019/1937 on the protection of persons who report breaches, which was incorporated into national legislation by Law 4990/2022 "Protection of persons who report breaches of EU law – Incorporation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 (L 305) and other urgent regulations" (Government Gazette A' 210/11.11.2022).

The Company falls within the scope of Law 4990/2022, since it employs more than fifty (50) and less than two hundred forty-nine (249) employees. The calculation of the number of employees is made in accordance with Law 4308/2014.

The PAPED defines the general principles and operating framework under which the Company receives, processes and investigates reports of violations of EU law, violations affecting the financial interests of the EU of article 325 of the TFEU and violations related to the internal market according to article 26 of the TFEU, in accordance with the provision of article 4 of law 4990/2022, which come to the attention of the Personnel and persons falling within the personal scope of Article 6 of Law 4990/2022.

Through PAPED:

• Rules are established to facilitate and encourage named or anonymous reports and complaints in relation to the above.

• The integrity, transparency, accountability and detection of potential violations of the Company's Regulatory Framework are enhanced.

• Appropriate and necessary measures are adopted to prevent and / or deal with potential incidents, in order to protect the prestige and reputation of the Company and its employees.

The approval of the PAPED and any amendments thereto is made by the Board of Directors of the Company.

The PAPED is notified to all the Company's staff (regardless of their employment / employment relationship) in order to be informed and is posted on the Company's intranet, so that every employee has direct and continuous access to its content.

The Company is committed to ensuring a high level of ethical and professional conduct and zero tolerance for behaviors and actions illegal or which stand contrary to EU law, which could damage its reputation and credibility, in combination with the application of the PAPED, the Code of Ethics and the Regulation on violence and harassment.

1.2 Definitions

According to the provisions of Article 3 of Law 4990/2022, in the context of the implementation of the PAPED and Law 4990/2022, the following definitions apply:

• Reporting: The oral or written provision of information about violations in the Company.

• Internal reporting: the oral or written or through an electronic platform provision of information on violations to the Officer for Receipt and Monitoring of Reports (O.R.M.R.) of the Company.

• External reporting: the oral or written or electronic provision of information on violations to the National Transparency Authority (NΤA).

• Inadmissible reporting: A report that refers to a violation, but does not fall within the scope of Article 4 of Law 4990/2022 or is not clear, defined, complete, timely or is manifestly malicious, frivolous or excessive.

• Reporter: The natural person who reports or discloses information about violations obtained in the context of their work or cooperation with the Company.

• External partners: Third parties associated, contractually or not, with the Company, its staff, as well as consultants, subcontractors, contractors, suppliers, all kinds of partners, shareholders, etc.

• Officer for Receipt and Monitoring of Reports (O.R.M.R.): The person responsible for receiving, managing and coordinating the investigation of reports by the Reports Evaluations Committee.

• Reports Management and Evaluations Committee (RMEC): The Committee that manages the reports, conducts the preliminary investigations and prepares the final report of the investigation to the Board of Directors of the Company. It consists of the following members: 1) the ORMR, 2) the General Manager of the Company 3) a member of the Company's Audit Committee, appointed by the Board of Directors.

• Employee: The natural person who contracts with the Company with a fixed-term or indefinite employment contract or with another employment relationship, or the person who is seasonal staff or the person employed as a trainee of the Company.

• Valid grounds: the justified belief of a person with similar knowledge, education and experience to the reporting person that the information available to the latter is true and constitutes a breach of Union law, falling within the scope of this Directive.

• Personal data: Personal data, as defined in Regulation (EU) 2016/679 and Law 4624/2019.

• Retaliation: Any direct or indirect act or omission, which occurs in the work-related context, in response to the report, and which causes or is likely to cause unjustified harm to the reporter, or to put them at a disadvantage, and is connected with internal or external reporting or public disclosure. Retaliation may include, but is not limited to, harassment, discrimination of any kind, negative evaluation of performance, freezing or reduction of salary, assignment of other or subordinate duties, and, in general, any form of adverse change in working conditions.

1.3 Personal scope

In the context of this PAPED, persons working or providing their services to the Company are encouraged to disclose serious irregularities, violations or criminal offences, which come to their attention and concern any person working or providing services to the Company.

In particular, the provisions of Article 6 of Law 4990/2022 apply:

(aa) employees, regardless of whether their employment is full-time or part-time, permanent or seasonal, or whether they are borrowed workers.

(ab) self-employed persons or counsellors or home workers;

(ac) shareholders and persons belonging to the administrative, management or supervisory body of the undertaking, including non-executive members, as well as volunteers and paid or unpaid trainees;

ad) any persons working under the supervision and instructions of contractors, subcontractors and suppliers of the Company,

(b) persons who report or publicly disclose information on breaches obtained in the context of an employment relationship that has ended for any reason, including retirement, as well as reporters, whose employment relationship has not yet started, in cases where information on breaches has been obtained during the recruitment process or at another stage of pre-contractual negotiation.

The measures for the protection of reporters of Law 4990/2022 also apply, as appropriate, to: a) mediators, b) third parties associated with the reporters who may suffer retaliation in a work-related context, such as colleagues or relatives of the reporters, and c) personal businesses or legal entities of interest of the reporters, or for which they work, or with which they are otherwise linked by an employment relationship.

 

2. SUBJECT MATTER OF REPORTS

The Policy covers, but is not limited to, reports or complaints concerning:

• Violations of rules of European law, as specifically defined in Part I of the Annex to Law 4990/2022, in the areas of:

• public procurement

• financial services, products and markets, as well as the prevention of money laundering and terrorist financing;

• product safety and compliance,

• transport safety,

• environmental protection,

• the protection of personal data,

• radiation protection and nuclear safety;

• food and feed safety, animal health and welfare;

• public health,

• consumer protection,

• violations affecting the financial interests of the EU of art. 325 of the Treaty on the Functioning of the European Union (TFEU) and the specific provisions of the relevant Union measures,

• breaches of rules related to the internal market as referred to in para. 2 of Art. 26 TFEU, including infringements of Union comreport and State aid rules, as well as internal market violations concerning operations in breach of corporate tax rules or arrangements the purpose of which is to obtain a tax advantage that defeats the object or purpose of the applicable corporate tax law.

 

It is clarified that:

• Violations related to violence and harassment at work are reported to the HR Manager.

• Violations related to personal data issues are reported to the Personal Data Protection Officer

• Violations related to network security issues and leakage of highly confidential (and secret) information are reported to the Head of the IT Department and

The above reports are primarily managed in accordance with the existing specific policies and procedures applied by the Company.

2. PROTECTION OF ANONYMITY – PROTECTION AGAINST RETALIATION

 

Reports shall be submitted if there is a sincere and reasonable belief on the part of the reporting person that a criminal offence or misconduct has been or may have been committed.

In any event, prerequisites are reasonable grounds for reporting, i.e. a justified belief that the information is true and constitutes a breach of Union law. Persons who report or publicly disclose violations anonymously, but are subsequently identified and subject to retaliation, are entitled to receive the protection provided.

Reporting persons shall be protected from any acts of revenge or retaliation. Especially:

• Confidentiality shall be ensured and the identity of the reporting person shall be protected, in accordance with the provisions of para. 2 case e’ of article 10 and articles 13 and 14 of Law 4990/2022.

• The submitted reports are disclosed only to predetermined persons, who are deemed necessary to be informed in order to conduct an investigation and are bound by their duties to observe the rules of confidentiality and confidentiality. Compliance with the above also results in the protection of the identity of the persons mentioned.

• The disclosure of the identity of the reporter, if known, may be required during judicial or other legal proceedings, in the context of the investigation of the respective case. In particular, the reporting person shall be informed in writing before his or her identity is revealed, unless such information would undermine relevant investigations or judicial proceedings. When informing the reporter, the Company shall provide him with an explanation of the reasons for the disclosure of this confidential information.

• The disclosure is made only if it is necessary to serve the purposes of Law 4990/2022 or to safeguard the defense rights of the person against whom the report / complaint is made.

• The Company ensures that the reporter is appropriately protected from negative consequences, such as threat or application of retaliation, discrimination or any kind of adverse treatment. Any act of discrimination or retaliation, as indicatively referred to in article 17 of Law 4990/2022, takes place against a person who makes disclosures or may discourage other persons from making disclosures, is not tolerated.

The person or persons subject to disclosure are also entitled to protection and are covered by the presumption of innocence.

• Protection covers, on the one hand, persons who disclose, if they reasonably believe that the wrongful conduct took place or will take place, even if the allegations subsequently turn out to be inaccurate, and, on the other hand, those who helped or are associated with the persons they disclose.

II. COMMITTEE AND REPORT PROCEDURES

 

1. RECEIVING SUBMITTED REPORTS

Reports can be submitted by telephone, in writing, or by e-mail.

(a) The written report shall be submitted in person or by post to the address of the Company's headquarters, Ionia Street, Oraiokastro, Thessaloniki, in an envelope marked to the attention of: Officer for Receipt and Monitoring of Reports (O.R.M.R.) or "Report of Law 4990/2022" or other indication indicating that the report falls under the provisions of Law 4990/2022.

(b) The written report is also submitted by email to the email address of the Officer for Receipt and Monitoring of Reports (O.R.M.R.) whistleblowing@ascompany.gr.

(c) The oral report shall be submitted by telephone: +302310572021 with a recording of a conversation, provided that the reporter has legally consented. The content of the report submitted by telephone shall be documented either by recording the conversation in a durable and retrievable form or by a complete and accurate transcript of the conversation in a report drawn up by the ORMR, enabling the reporting person to verify; correct and agree to the final transcript of the conversation by signing the relevant minutes. In the case of an oral report, during which no recording of the conversation takes place, the content of the report shall be documented in the form of an accurate report, which shall be drawn up by the Officer for Receipt and Monitoring of Reports, enabling the reporter to verify, correct and agree with it by signing it.

(d) At the request of the reporter, reports may be submitted through a personal meeting with the Officer for Receipt and Monitoring of Reports (O.R.M.R.), within a reasonable period of time from the date of the reporter’s request. In this case, the ORMR shall keep complete and accurate minutes of the meeting in a durable and retrievable form or with a recording of the conversation, provided that the reporter has legally consented; or in writing, which the reporter may verify, correct, agree to by signing.

The ORMR facilitates the reporter in submitting their report by providing, upon request, all necessary information about their rights and the prescribed procedure for handling reports.

Anonymous reports make it extremely difficult or even impossible to investigate an incident thoroughly, due to the difficulty of obtaining information from an anonymous person (e.g. discussing clarification during the investigation), as well as the difficulty of assessing the reliability of the report. Anonymous reports are considered depending on whether it is possible to identify the unlawful acts described and prove them without receiving further evidence from the reporter.

In any reporting case, the following are necessary elements for determining disclosure:

• Description of reprehensible behavior

• Specify an event time period

• Contact details at the choice of the disclosing person, if they choose to identify themselves; and

• Any document or information that contributes to highlighting/proving reprehensible behavior.

The ORMR and the members of the Committee for the successful conduct of the investigations have:

 

• Free and unlimited access to all files and facilities necessary for the investigation of the Company and

• Authorization to examine and receive files or copies thereof, in any form, physical or digital as well as any kind of objects, from any facility of the Company, without prior consent or notification of any person who may use or keep the aforementioned, when they fall within the scope of their research and after the investigators have informed and received approval from the Company's administrator.

 

Both the ORMR and the other members of the Committee must:

• perform their duties with integrity, objectivity, impartiality, transparency and social responsibility;

• respect and observe the rules of confidentiality and confidentiality regarding matters of which they have become aware in the performance of their duties;

• refrain from handling specific cases by declaring an impediment if there is a conflict of interest.

 

 

 

 

2. PERSONAL DATA MANAGEMENT

Any processing of personal data in the context of this policy is carried out in accordance with the national and European legislation applicable to personal data, as well as the Company's personal data protection policy. The data of all parties involved are protected and processed solely in relation to each Report, for the sole purpose of ascertaining the validity or otherwise of the Report and investigating the specific incident.

The Company takes all necessary technical and organizational measures to protect personal data, in accordance with its privacy policy, as applicable.

Sensitive personal data and other data not directly related to the report are disregarded and deleted, as part of the principle of minimisation.

Access to the data included in the reports may be granted only to those involved in the management and investigation of the incident, such as the members of the Committee and the ORMR, as well as other specialized external consultants whose assistance may be requested by the Committee.

Personal data shall be deleted from the Register of Reports within a reasonable period of time from the completion of the investigation initiated on the basis of the Report.

The entire management of personal data is assisted by the Data Protection Officer (DPO).

3. MANAGEMENT OF SUBMITTED REPORTS

   1. The ORMR, upon receipt of the report, first checks its definition and completeness in terms of the required data and communicates it to the other members of the Committee for evaluation and further investigation. The Committee shall decide on appropriate action on a case-by-case basis.

   2. When there is an oral report, the report drawn up by the ORMR, if signed by the reporter, serves as an acknowledgement of receipt of the report. If the reporter refuses to sign the report, it shall be reported by the author.

   3. In case the receipt of the report is made by an incompetent person, the latter is obliged to forward it without delay to the ORMR of the institution, without any modification of its content or disclosure of information that may lead to the identification of the reporter or any third party named in the report.

   4. It is noted that, for the purpose of avoiding conflicts of interest, if a member of the Committee is involved in a report, then under the responsibility of the ORMR, the CEO of the Company is informed so that a replacement can be appointed. If the ORMR itself is involved, then it is limited to registering the report in the special protocol book or relevant file it keeps and transmitting it to the National Transparency Authority as an external reporting channel, informing the reporter.

   5. The acknowledgement of receipt of the report to the reporter shall take place within seven (7) working days of receipt and regardless of how it is submitted. The reporting person may be informed of receipt of the report by any appropriate means, provided that it is evidenced always in compliance with the requirements of confidentiality and protection of personal data. The ORMR is not obliged to inform receipt of the report, where in the absence of necessary contact details of the reporter, such information becomes impossible.

   6. The report, regardless of the way in which it is submitted, is recorded in a special file kept by the ORMR in printed or digital form. The retention period of the relevant records is set at a minimum of 5 years (from the date of receipt of the report) if there are no other legitimate reasons that extend their retention period (e.g. continuation of judicial investigation).

   7. Upon receipt of the report, the Committee checks and decides whether the report submitted concerns irregularities, omissions or criminal offences. It then decides on the investigative actions that will lead to the final characterization of the report as well-founded or not and the relevant documentation of the reported violations. Anonymous reports shall be examined according to the quality of their documentation and the possibility to detect the irregular action reported. The reports are examined with due diligence, impartial judgment and objectivity and at the end a report is prepared with the findings and conclusions of the Committee, which is forwarded to the Board of Directors of the Company. It is clarified that, in case of unanimity, each member of the Committee has the right to record his point of view in the report to be drawn up.

   8. The Committee then takes one of the following actions:

a) transmits the report for investigation anonymized and in accordance with the provisions on confidentiality and protection of personal data: aa) to the competent bodies of the company by updating accordingly the special protocol book or the special file kept, ab) to the competent bodies on a case-by-case basis by updating accordingly the special protocol book or the special file it keeps. Indicatively, such bodies are the Financial Crimes Prosecutor and generally the Public Prosecutor's Offices, the National Transparency Authority, the Competition Commission, the Bank of Greece, the Personal Data Protection Authority, the Single Authority for Public Procurement, the Greek Atomic Energy Commission, the Single Food Control Body, the Consumer Ombudsman, the National Cybersecurity Authority, the Anti-Money Laundering Authority and the Terrorist Financing and Control of Asset Declarations, the Independent Authority for Public Revenue and the General Directorate for the Prosecution of Financial Crime.

(b) archive the report by means of a decision notified to the reporting person, where practicable, where:

(ba) the reference is manifestly absurd, vague, unintelligible or repeated in an abusive manner, such as in the case of resubmission of the same content without the presentation of new evidence.

bb) The content of the report does not fall within the scope of Article 4 of Law 4990/2022. If, however, the above report contains information on violations for which another body of the body and/or another public body is competent, the ORMR is obliged under Article 4 of the CAP to forward it to the competent body. In this case, there is no longer an obligation to follow up the report of case f of para. 2 of article 10 of Law 4990/2022.

bc) There are no serious indications of violations falling within the scope of Article 4 of Law 4990/2022.

9. In case of submission of new information for a report that has already been archived, the ORMR retrieves the archived report and proceeds with the actions of either case a' or of case b' of this document.

10. If, from the evidence provided, the ORMR finds indications of the commission of a crime prosecuted ex officio, it must immediately forward a copy of the report to the competent local Public Prosecutor, informing the reporter. If the breach falls within the scope of Law 4990/2022, the transfer is made in accordance with the provisions on confidentiality and protection of personal data and at the same time there is an obligation to follow up the report of case f of para. 2 of Article 10. If the violation does not fall within the scope of Law 4990/2022, a copy of the report is transmitted without the obligation to monitor case f of para. 2 of Article 10.

11. Depending on the results of the investigation and if there are documented reprehensible behaviors and actions, the Board of Directors of the Company, taking into account the recommendation of the Committee, decides corrective and/or disciplinary/legal actions. These actions may include (but are not limited to): a) further investigation if it considers that the evidence is not sufficient to fully clarify the case, b) additional employee training, c) establishment of new internal control controls, d) amendments to existing policies and/or procedures, e) disciplinary sanctions including the permanent removal / dismissal of the reported person or f) report or other imposed action to the judicial or other competent authorities.

12. Upon completion of the investigation, the ORMR informs the reporter (if the report was named) of the decision taken on his or her report. A case is considered to be completed when a final decision has been taken by the Company's management, which takes note of the report that will be submitted to it by the Committee. The relevant feedback to the reporter shall be provided no later than three (3) months from the acknowledgement of receipt of the report or, if no acknowledgement has been sent to the reporter, three (3) months from the end of the seven-day period following the submission of the report.

13. It should be noted, however, that the reporter/complainant, if they consider that their complaint has not been dealt with effectively, may resubmit it to the National Transparency Authority (hereinafter referred to as "NTA"), which, as an External Reporting Channel, exercises the legally prescribed responsibilities, in accordance with art. 12 of Law 4990/2022. For additional information on how to file a complaint with the NTA, please consult the agency's website: https://aead.gr/submit-complaint

14. Exceptionally, if the report turns out to be false and/or malicious, and if the complainant so requests, he/she may be informed of the identity of the reporter in order to exercise his/her legal rights. It is clarified that reports, which are proven to be manifestly false and / or malicious, will be further investigated at the discretion of the Board of Directors of the Company both as to the motives and as to those involved, in order to restore order in any legal way and means.

15. Finally, it should be noted that reporters have access to all legal remedies, enjoy the rights to a fair trial and, in particular, the right to an effective remedy before a fair trial, as well as the presumption of innocence and the rights of defence, including the right to be heard and the right of access to their file. The identity of those mentioned in the complaint shall be protected throughout the investigations initiated by the report or public disclosure.

III. APPROVAL, REVIEW AND NOTIFICATION

The PAPED is approved by the Board of Directors of the Company, which is also responsible for its review, whenever deemed appropriate.

With the care of the ORMR, the PAPED is notified to the Personnel and posted on the Company's website in a separate, easily recognizable and accessible section. The Board of Directors informs the ORMR of any revision – reissue of the PAPED in order to take the appropriate actions to communicate its updated form.

The ORMR ensures that all employees of the Company are informed about the content of this Policy. Information is provided in any appropriate way, such as, indicatively, by sending printed information material, emails, newsletters, depending on the category of employees and their accessibility.

For anything not regulated in this Policy, the provisions of Law 4990/2022 apply.

Edition	Date	Description	Approval
1st	25.09.2023	Initial version of a Policy and Procedures for the Management of Complaints concerning violations of EU Law	25.09.2023 Board Meeting
2nd	03.07.2024	Second edition of the Policy and Procedures for the Management of Complaints concerning violations of EU Law	03.07.2024 Board Meeting