Policy for the Protection of Individuals Reporting EU Law Violations

Introduction

UNI-PHARMA S.A. (Company) is committed to operating in accordance with the rules of ethics and always within the applicable legislation and the respective regulatory framework. Its ultimate goal is to adhere to high standards of corporate governance, transparency, professional and ethical conduct. In this context, it seeks to establish a healthy corporate environment, so as to ensure a healthy business activity.

Therefore, the Company is committed to safeguarding the highest level of ethical and professional behavior and showing zero tolerance for illegal or irregular actions, which damage its prestige and reputation. All persons associated with it must behave with professionalism, integrity and observe legality in their transactions, preventing any kind of behavior, actions or omissions that could affect the prestige and credibility of the Company, put it at risk or link it with any kind of illegal and unfair practice.

In this context and seeking an open channel of communication with all employees and transacting third parties, the Company encourages them to immediately report cases of violations and improper behavior, as well as any act or behavior that may deviate from the appropriate, as deemed necessary. This is the only way to ensure that its principles and values, as well as the rules of ethical and professional conduct, will continue to be applied and that the Company will be able to take any corrective actions required.

This document constitutes the Report Management Policy to be followed in order to prevent, combat and also manage illegal acts or omissions, including the fight against corruption.

1. Purpose

The purpose of the Report Management Policy (Policy) is to create the framework for the timely detection of irregularities, omissions or criminal acts in the Company’s operations. This Policy sets out the principles and operating framework, under which the Company receives, manages and investigates reports of irregularities, omissions or other criminal acts that have come to the attention of its staff or third parties and concern the Company.

The Company takes all reports of possible misconduct seriously, ensuring the confidentiality of the report and carrying out a pertinent investigation to establish any violation. For each violation, all required, corrective measures and relevant sanctions are taken, according with the nature of the violation, the applicable law and the employment/collaboration contracts.

The ultimate objectives of the Policy are the following:

  • encouraging the disclosure of any illegal, irregular, inappropriate, unethical or improper behavior,
  • the provision of clear procedures for reports and how to deal with them,
  • the prevention and aversion of misconduct that could affect the financial performance and damage the reputation of the Company,
  • to assure that all disclosures will be treated as confidential, with seriousness and diligence, without fear of negative reactions (retaliation) of any kind,
  • to contribute to the promotion and development of a culture of accountability, regulatory compliance and integrity,
  • to ensure the protection of employees, who submit reports when they find or suspect inappropriate, unethical or improper behavior in the Company.

2. Scope

This Policy concerns:

  • Employees (permanent, seasonal, fixed-term, with a service voucher, through an external partner)
  • Contractors and subcontractors
  • Suppliers
  • Consultants, Special Partners
  • Trainees
  • Members of the Management and senior managers
  • Candidates for jobs or other forms of cooperation
  • Customers
  • Shareholders

3. Definitions

In this Policy, the following definitions apply:

i. ‘Report’: the provision of information regarding violations hereof to the Company’s Report Receiving and Monitoring Officer (R.R.M.O.).

ii. ‘Reported party’: a natural or legal person named in the report as the person to whom the violation is attributed or related to the person to whom the violation is attributed that falls within the scope of the present.

iii. ‘Reporting person’: the natural person, who files a report, providing information about violations, information which he obtained in the employment context.

iv. ‘Retaliation’: any direct or indirect act or omission occurring in the employment context, connected with a report, which causes or is likely to cause unjustified harm or disadvantage to the reporting person.

v. ‘Reasonable grounds’: the justified belief of a person, with similar knowledge, training and experience to the reporting person’s, that the information in his possession is true and constitutes a breach of EU Law, falling within the scope of the present.

vi. ‘Information’: the provision of information to the reporting persons about the measures to be taken or already taken in the context of monitoring and the reasons for it.

vii. ‘Employment context’: current, past or anticipated work activities at the Company, regardless of their nature, through which persons obtain information about violations, in the context of which such persons are likely to suffer retaliation, if they report them.

viii. ‘Violations ’: acts or omissions that are illegal under EU Law or contrary to the object or purpose of EU rules, falling within the material scope of the present.

ix. ‘Information about violations’: information, including reasonable suspicions, about violations that have been or are likely to be committed at the Company, as well as information about attempts to conceal violations.

x. ‘Reports Receiving and Monitoring Officer’ or R.R.M.O: the employee responsible for receiving and monitoring reports regarding violations falling within the scope hereof, whose duties are assigned to Maria Mega.

xi. ‘Reports Evaluation Committee’ (R.E.C) is the ad hoc committee that every time undertakes the management, evaluation and investigation of the report.

4. Competences/Duties of the R.R.M.O.

The R.R.M.O. has the following responsibilities:

a) provides the appropriate information regarding the possibility of submitting a report within the Company and communicates the relevant information in a prominent place within the Company,

b) receives reports on violations that fall within the scope herein,

c) acknowledges receipt of the report to the reporting person.

d) takes the necessary steps, in order for the competent body/evaluation committee of the Company to deal with the report, or ends the procedure, by archiving the report,

e) ensures that the confidentiality of the reporting person’s identity and of any third parties named in the report is protected by preventing unauthorized access,

f) monitors reports and maintains contact with the reporting person and, if necessary, requests further information from him,

g) informs the reporting person about the actions taken,

h) provides clear and easily accessible information on the procedures under which reports can be submitted to the National Transparency Authority and, where applicable, to public bodies or institutions and other offices or organizations of the European Union,

i) plans and coordinates training activities related to ethics and integrity and participates in drawing up internal policies to enhance the integrity and transparency of the Company.

The R.R.M.O. must: i) carry out his duties with integrity, objectivity, impartiality, transparency and social responsibility, ii) respect and observe the rules of secrecy and confidentiality for matters he has become aware, while exercising his duties, iii) refrain from managing specific cases, declaring an impediment, if there is a conflict of interest.

5. Subject of reports

The Reporting Policy deals with reprehensible behavior in the sense of illegal, irregular, dangerous or unethical practice that takes place in the context of the company’s activities and raises liability issues. Such behaviors may include, but are not limited to, the following cases:

  • Fraud
  • Corruption / Abuse of power
  • Bribery, gift and hospitality policy violation
  • Conflict of interests
  • Theft, embezzlement
  • Forgery
  • Confidentiality and personal data breach
  • Money laundering
  • Infringement of competition legislation
  • Irregularities in financial data accounting illustration
  • Abuse of company resources
  • Violation of health and safety issues
  • Violation of environmental legislation
  • Discriminatory treatment of employees
  • Threat, Blackmail
  • Insulting, defamation
  • Violation of laws and corporate policies
  • Non-ethical behavior

This policy does not cover incidents of workplace violence and harassment, which are regulated in the Workplace Violence and Harassment Policy.

Personal data not related to the conduct described in the report should not be included in the latter and, in any case, will not be further processed and will be deleted without delay. Special attention should be paid to sensitive, personal data unrelated to the alleged conduct (e.g. data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, health or concerning a natural person’s sexual life or orientation, etc.).

In the context of the implementation of the Reports Policy, the following types of reports are not investigated:

– Information already published (e.g. newspaper articles, websites, etc.)

– Disagreements on issues related to management policies and decisions

– Personal issues and disagreements with colleagues or superiors

– Rumors & Spreads

– Cases of handling customer complaints that are part of the normal operation of the company

– Cases involving personal situations and confrontations

6. Anonymity and protection of the reporting person

Named and Anonymous Reports: The Company offers the possibility for the reporting persons to submit their report either by name or anonymously. However, the Company encourages reporting persons to submit their report by name, as this lends greater credibility to the content of the report and the reporting person’s intentions, while it allows for further clarification to be provided, as well as informing the reporting person about the progress of the report.

Protection of Reporting persons: The Company is committed to protecting reporting persons, given they filed the report in good faith, from any discrimination or adverse treatment, including retaliation. At the end of the report’s examination, there are no sanctions or consequences for those who are not proven to have committed or contributed to an illegal act. Any contribution of the reporting person to the detection and investigation of criminal offences will be appreciated, in case the reporting person was involved in the act during the assessment of responsibilities and consequences.

Informing Reported parties and other persons: Reported parties will be informed about the content of the report, about the people involved in its processing and evaluation, their relevant rights and exercise of them, in accordance with the applicable framework. In principle, all persons affected by the submission of a report, in addition to the person against whom the report is directed, have a right of accessing information, such as the reporting person, witnesses, third parties included in the report, in accordance with the terms and conditions which sets the applicable framework. In this context, information should be provided in due course.

Deviations from the Information access Obligation: The provision of information access will be considered on a case-by-case basis, as cases may arise where the above information may, for example: a) obstruct the investigation of the case and impede the evaluation of the report, as well as the collection of information and data required, b) lead directly or indirectly to the identification of the reporting persons, c) lead to the disclosure of confidential information which, due to its nature and in particular due to the overriding legal interests of the Company, must remain confidential, d) to hinder the establishment, exercise or support of the Company’s legal claims and/or any criminal proceedings. Each case will be judged separately and the reasons for the delay in information access will be recorded in writing. The nature of the information and the risks associated with its disclosure will be taken into account in all cases. When satisfying a certain request, in principle the personal data of third parties will be deleted from the relevant documents.

7. Personal data

The processing of the personal data included in the reports is carried out in accordance with the national and European legislation on personal data and under the relevant policies of the Company. In specific:

For what purpose does the Company process personal data? The personal data of all parties involved in a report are protected and processed solely in the context of preventing, detecting or investigating irregular, unethical, illegal or criminal behavior.

Has the Company the legal right to process personal data? For the reported offenses against the public interest or concerning incidents that fall within the scope hereof, data processing is a legal obligation of the Company. For other reported offences, it is within the legitimate interest of the Company or third parties to disclose illegal or irregular behaviors that expose it to financial and legal risks, to reputation and credibility damage, creating a harmful or unpleasant working environment.

Who can access personal data? Access to the data included in the reports may only be granted to those involved in the management and investigation of the respective incident and to the extent required. In particular, the recipients of the personal data included in the reports may, case dependently, be the members of the Company’s Report Evaluation Committee, the Head of Legal Services and the lawyers assigned to provide legal advice regarding the incident in question, the Data Protection Officer, the Board of Directors, the Company’s shareholders, other companies in the same portfolio, external consultants bound by confidentiality clauses, as well as judicial and/or administrative authorities. When a report raises issues of public interest and/or directly concerns other audit or supervisory authorities, it will also be forwarded to them.

How long will the Company retain personal data? The Company keeps the personal data for a certain period after the completion of the investigation, which varies according to its conclusion. Specifically:

  • If the report is deemed unfounded, the personal data is deleted from the report within two (2) months of its being archived.
  • If the reported situation follows the legal path, the personal data will be deleted with the issuance of an irrevocable court decision.
  • If the report reveals substantiated findings against an employee of the Company, the personal data is kept throughout his employment/relationship with the Company and is deleted twenty (20) years after the – in any way – expiration/ termination of the cooperation.
  • In the event that the report results in documented findings to the detriment of an external partner or supplier of the Company, personal data is kept throughout the duration of the partnership and is deleted five (5) years after the – in any way – expiration/ termination of the partnership.

8. Reporting procedure

This Policy provides clear procedures for submitting and managing reports. Initially, each report must include those incidents that document the reported/offending act, with the exact (if possible) description of date, location and persons involved specified and the report must be accompanied (if possible) by relevant documents. It is not necessary to include evidence, but any relevant information facilitating the evaluation of the report will be considered.

Reports may:

(a) be sent to the Company’s e-mail address unipharma@uni-pharma.gr with the subject ‘Confidential report for the attention of Report Receiving and Monitoring Officer (R.R.M.O.)’

(b) be sent by post to the Company’s address, i.e. at the 14th km of the Athens – Lamia National Road, Kifissia, P.C. 14564, with the indication “Confidential report for the attention of R.R.M.O.”

(c) be submitted in writing or orally directly to the R.R.M.O.

(d) be submitted by phone at the number (+30) 2108072512 or 2108072534 where the reporting person(s) will ask to be connected to the R.R.M.O.

(e) be submitted orally in a face-to-face meeting with the R.R.M.O. and within a reasonable time frame.

In the case of submitting a report by telephone, where the conversation is not recorded, the Company may document the oral submission of a report in the form of precise minutes of the conversation, which are drawn up by the R.R.M.O., providing the reporting person with the opportunity to verify, correct and agree with the minutes of the conversation by signing them.

If the recording person requests a meeting with the R.R.M.O. to submit a report, subject to the person’s consent, complete and accurate minutes of the meeting prepared by the R.R.M.O. shall be kept in a stable and retrievable format, enabling the reporting person to verify, correct and agree to the minutes of the meeting by signing them.

In case the reporting person refuses to sign the above provided minutes, a relevant mention is made on them by the R.R.M.O.

The Company’s R.R.M.O. is responsible for receiving the various reports and informing about them, in order for an ad hoc Report Evaluation Committee with the reports under examination to be set up, in accordance with the below.

Any protest or complaint or opinion is not a report within the meaning of this policy.

9. Management of submitted reports

Once any report is submitted, the following management and investigation process will be followed:

R.R.M.O.

– confirms receipt of the report to the reporting person immediately and in any case within seven (7) working days from the day of receipt.

– informs the three-member Report Evaluation Committee about the report, which manages it with due diligence, impartially and confidentially, that the Committee consists of members appointed ad hoc, depending on the content of the report.

The Report Evaluation Committee first investigates whether the report falls within the scope of this Policy.

After the above initial control, the Report Evaluation Committee proceeds with the further investigation of the report. If necessary, further information is requested from the reporting person, by the R.R.M.O.

If the report is directed against a member of the Report Evaluation Committee or if any member of the Committee is found to be in a conflict of interest, then that member shall be removed from the list of recipients for the specific report, shall not participate in the relevant investigation and shall be replaced ad hoc by a person designated by the said Committee.

The Report Evaluation Committee investigates the report, conducts audits, assesses the accuracy of the allegations contained therein, decides on the validity or otherwise of the report under investigation and records the results of the investigation. Depending on them, it recommends a) appropriate measures to address the reported violation, such as additional employee training, creation of new internal control channels, modifications to existing procedures, legal actions (prosecution, action to recover funds), b) further investigation of the report, or c) finish of the process and filing of the report to the CEO of the Company, so that he can take the necessary decisions.

In case the report is directed against the CEO or he finds himself in a conflict of interest, then the decision of the Report Evaluation Committee is forwarded to the Chairman of the Company’s Board of Directors, so that he can take the appropriate actions.

The decisions of the Report Evaluation Committee shall be reasoned and taken by majority vote.

The R.R.M.O. shall inform the reporting person of the actions taken within a reasonable period of time, which shall not exceed three (3) months from the acknowledgement of receipt or, if no acknowledgement has been sent to the reporting person, three (3) months from the end of seven (7) working days from the submission of the report.

If the report is rejected by the Report Evaluation Committee, the procedure is terminated. Then the R.R.M.O. archives the report and notifies the reporting person of the Committee’s decision in writing, including the reasons for rejection.

10. Dissatisfaction with the outcome of the report investigation

If the reporting person believes that the internal report was not handled correctly or efficiently, he/she may resubmit it to the National Transparency Authority (N.A.T.). Instructions regarding the process of submitting a report to the N.A.T. are posted on its website www.aead.gr.

Especially for the violations of articles 101 and 102 of the EUR-Lex (on EU free competition law rules), the reported party may address the (Hellenic) Competition Commission (as an external channel).

Instructions regarding the process of submitting a report to the (Hellenic) Competition Commission are posted on its website www.epant.gr.

11. Terms of protection of persons submitting reports

The Company protects persons reporting violations within the scope of this Policy and ensures non-retaliation. In this context, any form of negative behavior/retaliation against anyone who has made a report, including threats and retaliatory actions, is prohibited. In particular, the following forms of retaliation are prohibited: a) suspension, dismissal or other equivalent measures, b) demotion, omission or deprivation of promotion, c) removal of duties, change of place of work, reduction of salary, change of working hours, d) training deprivation e) negative performance evaluation or negative professional recommendation, f) reprimand, imposition of disciplinary or other measure, including financial penalty, g) coercion, intimidation, harassment or marginalization, h) discrimination or unfair treatment, i) non-conversion of a fixed-term employment contract into an open-ended one, j) non-renewal or early termination of a fixed-term employment contract, k) intentional harm, including damage to reputation, especially on social media, or economic damage, including business damage and loss of income, l) blacklisting, based on a sectorial or sectoral formal or informal agreement, which may entail that the person is not going to find a job in the sector or industry in the future, m) early termination or cancellation of a contract for goods or services, n) refusal or deprivation of providing reasonable accommodations to persons with disabilities.

Any act of retaliation should be reported immediately to the Reports Evaluation Committee.

Similarly, third persons associated with reporting persons who may suffer retaliation in a work-related context, such as colleagues and relatives of reporting persons, personal businesses or legal entities of the reporting persons’ interest or for whom they work or with which they are in any way linked by an employment relationship, shall be protected on a case-by-case basis.

12. Consequences of violating the policy

The Company reserves the right to take any appropriate measure against any employee, counterparty or partner of any kind, if it appears or is established in any way that a) has obstructed or attempted to obstruct the submission of a report, in cases of violations that fall within the scope hereof, b ) exposed any person who submitted a report based on this Policy to any form of adverse treatment, c) retaliated against or initiated malicious proceedings against a person who submitted a report based on this Policy, d) breached the obligation to maintain the reporting person’s confidentiality of identity.

The same procedure can also be carried out in the event that an employee, counterparty or partner of any kind intentionally misled the Company on any matter under investigation in the context of this Policy, or made false allegations against a colleague, counterparty or partner of the Company.

13. Criminal sanctions

The law provides for a prison sentence and a fine for persons who: (a) obstruct or attempt to obstruct the filing of a report, (b) retaliate against or initiate malicious proceedings against reporting persons, and (c) breach the obligation to maintain the reporting person’s confidentiality of identity. Also, persons who knowingly made false reports or false public disclosures are punished with a prison sentence of at least two years and a fine. If any of the infringements were committed for the benefit or on behalf of a legal entity, an administrative fine is imposed on it, the amount of which cannot be less than ten thousand (10,000) euros and more than five hundred thousand (500,000) euros.

14. Reports archive

The Company keeps records of every report received, in accordance with the confidentiality requirements set forth herein. The reports are stored for a reasonable and necessary period, so that they are retrievable and in compliance with the requirements imposed hereby, or by EU or national law. Also, they are always kept until the conclusion of any investigation or judicial process initiated as a consequence of the report against the reported party, the reporting person or third parties.

15. Amendments – Revisions

This policy will be continuously evaluated in terms of its functionality and, if deemed necessary, will be adapted to the requirements of new conditions. It will be modified, updated and revised, in order to continuously improve its efficiency and effectiveness. Each new integrated version will supersede the previous one.

Maria Mega has been appointed as Report Receiving and Monitoring Officer (R.R.M.O.). Reports may:

(a) be sent to the Company’s e-mail address unipharma@uni-pharma.gr with the subject ‘Confidential report for the attention of the Report Receiving and Monitoring Officer (R.R.M.O.)’

(b) be sent by post to the Company’s address, i.e. at the 14th km of Athens – Lamia National Road, Kifissia, P.C. 14564, with the indication “Confidential report for the attention of R.R.M.O.’

(c) be submitted in writing or orally directly to the R.R.M.O.

(d) be submitted by phone at the number (+30) 2108072512 or 2108072534, where reporting persons will ask to be connected to the R.R.M.O.

(e) be submitted orally in a face-to-face meeting with the R.R.M.O. and within a reasonable time frame.

Athens, June 11, 2024