THE WHISTLEBLOWER POLICY AT WAVECREST

WaveCrest’s whistleblower policy is designed to ensure a safe space for WaveCrest employees to speak up and report wrongdoing in the workplace without fear of negative consequences. The purpose of the whistleblower policy is thus to guarantee openness and transparency in relation to possible violations, offences and serious irregularities.

Definitions

According to the EU Directive 1937/2019 on the protection of persons who report breaches of Union Law, violations, offences, and irregularities are defined as “breaches”.

“Information on breaches” means information, including reasonable suspicions, about actual or potential breaches, which occurred or are very likely to occur in the organisation in which the reporting person works or has worked or in another organisation with which the reporting person is or was in contact through his or her work, and about attempts to conceal such breaches.

A “report” or “to report” means, the oral or written communication of information on breaches.

1. WaveCrest’s whistleblower unit

Reports received in WaveCrest’s whistleblower reporting platform are processed by:

• Nordic HR Manager, Johanna Hirvensalo

• Group Chief People Officer, Corina Chiorean Stanciu.

  Questions about the individual reports or WaveCrest’s whistleblower policy and reporting platform can be directed to:

  Corina Chiorean Stanciu Chief People & Culture Officer corina.chiorean@wavecrest.io +40723649124

  Up mentioned WaveCrest personnel are the solely designated persons within the company that receive the reports and will maintain communication with the reporting person and, if necessary, ask for further information from and provide feedback to the reporting person. The WaveCrest whistleblower unit will remain impartial in relation to the reports and will ensure the confidentiality of the reported facts and the privacy of the reporting person according to the subsequent provisions set forth in chapter 7 and 8 of the present Policy.

  WaveCrest’s whistleblower policy uses Globaleaks platform, (hereinafter named “reporting platform”, “platform” or “Globaleaks”) to register and process reports. Globaleaks is an Italian based third party supplier and trusted WaveCrest contractual partner that provides a reliable online whistleblower platform that helps WaveCrest to set up a secure and anonymous whistleblower initiative in order to protect the individual’s privacy and the privacy of its submissions.

Processing reports may also, depending on the content and nature of the report, be done with the help of an external party, for example a lawyer or accountant.

To access the reporting system for the WaveCrest’s whistleblower platform follow the link: https://whistleblow.wavecrest.io/

WaveCrest’s whistleblower platform is intended to supplement the existing communication channels in the workplace, such as contacting the direct manager, HR or union representative regarding errors, unsatisfactory conditions, etc.

WaveCrest encourages employees to use the whistleblower reporting platform and facility so that any offences, violations or similar breach can be dealt with internally, quickly and efficiently. However, the whistleblower is free to choose between submitting a report to the workplace's whistleblower platform or an external whistleblower platform.

WaveCrest’s whistleblower policy does not exclude the option of reporting via external channels such as e.g. supervisory authorities.

In case the report is made orally via the phone number of the WaveCrest dedicated personnel as mentioned above, the latter will create a ticket on the Globaleaks platform in order to track the report in a safe environment.

2. Reportable Information

WaveCrest’s whistleblower policy allows employees to report information about serious violations or other breaches, even if they cannot identify a specific offence. Violations, offences or similar breaches that have happened or you suspect are going to happen in WaveCrest can be reported.

A violation, offence or other breach is generally considered serious if it is in the public interest to bring it to light. Violations of a trivial nature are not covered, just as violations of accessory provisions are not covered either.

The policy does not generally cover reports about the whistleblower's own employment unless it is sexual harassment or serious harassment.

Information about other conditions, such as violations of internal guidelines of a less serious nature, e.g. rules on sick leave, chosen clothing and information on other personnel-related conflicts at the workplace, should not be considered as gross violations and should not be reported into WaveCrest’s whistleblower platform. Instead, such information should be reported in accordance with applicable guidelines and submitted to the line manager, HR department or the trade union representative.

We assume that whistleblowers are acting in good faith and that the information they provide is accurate.

Appendix 1 lists examples of serious offences, serious conditions and information that is not covered by the whistleblower policy.

3. Reporting of violations

Reporting to WaveCrest whistleblower platform must be done by accessing the link https://whistleblow.wavecrest.io/#/ or the button called “Whistleblowing” available in WaveCrest’s Teams app.
Anonymous reports can be made only if the report content contains clues or indications of a breach of law or internal regulation.

4. Groups of people who can submit information to the whistleblower platform

The following groups of people can use WaveCrest’s whistleblower platform:

• WaveCrest’s employees
• Management and board members
• Shareholders
• Suppliers, customers and other business partners • [Other groups of people who must be covered

5. Processing of reports

Upon receiving a whistleblower report, WaveCrest, though its authorized representatives will confirm receipt within seven days via secure email. There is no access to reports submitted in the whistleblower platform for unauthorized personnel of the company. Feedback will be provided directly in the platform and the whistleblower will check the status of the report based on entering a unique code received automatically.

WaveCrest’s whistleblower unit will then carefully review the report. The content and nature of the report will determine the next steps of the whistleblower unit.

The whistleblower unit will initially decide whether the report falls within the scope of the whistleblower policy. If the report falls outside the scope of the whistleblower policy or is noticeably unfounded, the report will be rejected. The whistleblower will be notified of this.

If the report falls within the scope of the policy, the report will be processed. This implies, among other things, that WaveCrest’s whistleblower unit, depending on the content and nature of the report, will obtain additional information internally within the organization. This may also involve further dialogue with the whistleblower.

6. Examples of follow-up:

• Initiation of an internal investigation in the company.

• Inform the company's senior management or board of directors.

• Reporting to the police or relevant supervisory authority.

• Case closure due to lack of or insufficient evidence.

WaveCrest’s whistleblower unit will provide feedback to the whistleblower within three months of confirming the receipt of the report. This means that WaveCrest’s whistleblower unit, depending on the content and nature of the report, will inform the whistleblower about which measures have been initiated or are intended to be initiated, and why the unit has chosen this follow-up.

If it is not possible to provide feedback within the deadline, WaveCrest’s whistleblower unit will inform the whistleblower accordingly and whether any further feedback can be expected. For example, we may need to extend the deadline if we have launched an internal investigation that cannot be completed within three months. However, any extension will have to be duly justifies and will not exceed a total of six months.

The feedback must comply with applicable legislations, including data protection legislation. This means, among other things, that there must be a legal basis for passing on sensitive information. The specific information we can share with the whistleblower will depend on the specific circumstances of the case.

In case of any personal data breach suspected in relation to a report or the handling of the report, the reporting person may contact the internal Data Protection Officer by e-mail at gdpr@wavecrest.io or may contact the relevant Data Protection Authority.

Reporting persons can find information about the Data Protection Authority from their country of residence HERE.

Personal data included in the report as received by WaveCrest that go beyond what is necessary for the purposes of the present Policy and for a proper follow-up and resolution on the reported facts, will not be further processed.

7. Confidentiality and processing of information

Employees associated with WaveCrest whistleblower unit have a duty of confidentiality in relation to the information included in the reports.

The duty of confidentiality only covers information included in the report. If a report leads to an investigation, other information collected during the investigation will not be covered by the confidentiality duty.

Information from a report is processed in accordance with the processing rules in Section 22 of the Whistleblower Act and the provisions of the General Data Protection Regulation (GDPR). According to Section 22 of the Whistleblower Act, WaveCrest’s whistleblower unit may process personal data, including sensitive information and information on criminal breaches, if it is necessary to process a report received in connection with WaveCrest’s whistleblower platform.

Information from reports may be disclosed and passed on depending on the circumstances, e.g. with the aim of following up on the reports. The whistleblower will be notified before any information about their identity is disclosed unless doing so would jeopardize a related investigation or legal proceeding. This may be the case, for example, if there is a concrete risk that evidence will be hidden or destroyed, that witnesses will be influenced, or in case of suspicion that the whistleblower has deliberately submitted a false report.

Appendix 1

Examples of serious offences

Violations of the Criminal Code that will generally be covered by the scope:

• Bribery

• Document forgery

• Hacking, eavesdropping, recording of conversations between others, etc.

• Theft

• Embezzlement, cf. § 278 of the Criminal Code.

• Fraud, cf. Section 279 of the Criminal Code.

• Data fraud, cf. § 279a of the Criminal Code.

• Mandate fraud, cf. § 280 of the Criminal Code.

• Blackmail, cf. § 281 of the Criminal Code.

  Violations of special legislation or other legislation that will generally be covered by the scope of application.

• Violations of tax legislation.

• Violation of confidentiality obligations.

• Violations of the Bookkeeping Act.

• Violations of the goods transport act, cf. the goods transport act §§ 17-17 b.

• Violations of the Aviation Act, cf. Section 149 of the Aviation Act.

• Ignoring a statutory duty to act.

• Violation of rules on the use of force.

• Gross or repeated violations of principles of administrative law, including the principle of

  investigation, requirements for objectivity, the principle of abuse of power and

  proportionality (cf., however, further below on trivial violations).

• Deliberate misleading of citizens and business partners.

  Harassment

• Sexual harassment, cf. Section 1, subsection of the Equal Treatment Act. 4, cf. subsection 6.

• Serious harassment, e.g. because of race, sex, colour, national or social origin, political or

  religious affiliation.

  Examples of serious conditions

  Conditions that are generally considered serious:

• Disregarding professional standards, which e.g. could result in a risk to people's safety and

  health.

• Gross or repeated violations of the workplace's internal guidelines on e.g. business trips,

  gifts or accounting (cf., however, in more detail below regarding trivial violations).

• Serious errors and serious irregularities associated with IT operations or IT system

  management.

• Special cases where minor cooperation difficulties involve major risks, and thus constitute

  a serious situation.

Examples of information that is not covered by the scope of the law

• Information of a trivial nature, information about other conditions, including information about violations of internal guidelines on sick leave, smoking, clothing or ancillary regulations such as e.g. non-compliance with documentation obligations.

• Information about the whistleblower's own employment, including conflicts between employees, cooperation difficulties or conditions that fall under the industrial law system, unless it is a question of sexual harassment or other forms of serious harassment.