Elitmind
Whistleblower Policy

WHISTLEBLOWER REPORTING REGULATIONS in Elitmind sp. z o.o.

GENERAL

1.1 The purpose of the Whistleblower Whistleblower Reporting Regulations (hereinafter: the Regulations) is to introduce in Elitmind sp. z o.o. with its registered office in Warsaw (00-844), Grzybowska 87, KRS 0000581007 (hereinafter: the organization) the rules of conduct in the event of reporting breaches of law made in accordance with the Act of 14 June 2024. on the protection of whistleblowers (hereinafter: the Act).

1.2 The Regulations define the rules for reporting and considering reports of violations of the law in the organization, taking follow-up actions and ensuring protection of persons reporting violations of the law against retaliation.

1.3 Whenever the Regulations refer to:

1.3.1 follow-up action – it should be understood as an action taken by a legal entity or a public authority in order to assess the accuracy of the information contained in the report and to counteract the violation of the law that is the subject of the report, in particular by means of an investigation, initiation of an inspection or administrative procedure, filing an accusation, action taken to recover funds or closing a procedure carried out as part of an internal procedures for reporting and following up breaches of the law or procedures for receiving and following up external reports;

1.3.2 retaliation – it should be understood as a direct or indirect act or omission in a work related context that is caused by a report or public disclosure and that violates or may violate the rights of the whistleblower or causes or may cause unjustified harm to the whistleblower, including the unjustified initiation of proceedings against the whistleblower;

1.3.3 information about a breach of law – it should be understood as information, including a reasonable suspicion of an existing or potential breach of the law, which has occurred or is likely to occur in the legal entity in which the whistleblower participated in the recruitment process or other negotiations preceding the conclusion of the contract, works or worked, or in another legal entity with which the whistleblower maintains or has maintained contact in a work-related context, or information regarding an attempt to conceal such a violation of the law;

1.3.4 feedback – it should be understood as providing the whistleblower with information on the planned or taken follow-up actions and the reasons for such actions;

1.3.5 work-related context – it should be understood as past, present or future activities related to the performance of work on the basis of an employment relationship or other legal relationship constituting the basis for the provision of work or services or performing a function in a legal entity or for this entity, or performing service in a legal entity, within the framework of which information about a violation of the law was obtained and there is a possibility of experiencing retaliatory actions;

1.3.6 public authority – it should be understood as supreme and central government administration bodies, local government administration bodies, local government units, other state authorities and other entities performing public administration tasks by virtue of law , competent to take follow-up actions in the areas indicated in Article 3(1) of the Act;

1.3.7 to the person to whom the report relates – it should be understood as a natural person, a legal person or an organizational unit without legal personality, to which the law grants legal capacity, indicated in the report or public disclosure as a person who committed 3 an infringement of the law, or as a person with whom the person who committed the infringement of the law is related;

1.3.8 a person assisting in making a report – it should be understood as a natural person who assists the whistleblower in reporting or public disclosure in a work-related context and whose assistance should not be disclosed;

1.3.9 a person associated with the whistleblower – it should be understood as a natural person who may experience retaliation, including a co-worker or a person closest to the whistleblower within the meaning of Article 115 § 11 the Act of 6 June 1997 – the Penal Code (Journal of Laws of 2024, item 17);

1.3.10 legal entity – it should be understood as a private entity or a public entity

1.3.11 private entity – it should be understood as a natural person conducting business activity, a legal person or an organizational unit without legal personality, which is granted legal capacity by law, or an employer if they are not public entities;

1.3.12 public entity – it should be understood as an entity indicated in Article 3 of the Act of 11 August 2021 on open data and re-use of public sector information (Journal of Laws, item 1641)

1.3.13 legal proceedings – it should be understood as proceedings conducted on the basis of generally applicable law, in particular criminal, civil, administrative, disciplinary, for violation of public finance discipline, or internal regulations issued in order to implement the provisions of generally applicable law

1.3.14 public disclosure – it should be understood as providing information about the infringement of the right to the public;

1.3.15 report – it should be understood as an oral or made in paper or electronic form internal report or an external report, submitted in accordance with the requirements set out in the Act;

1.3.16 internal reporting – it should be understood as a report made in electronic form, by providing information about the violation of the law to the legal entity using a dedicated application for handling notifications;

1.3.17 external reporting – it should be understood as oral or oral or electronic submission of information about a violation of the law to the Ombudsman or a public authority;

1.3.18 Directive – it should be understood as DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2019 on the protection of persons who report breaches of Union law;

1.3.19 Act – it should be understood as the Act of 14 June 2024 on the protection of whistleblowers (Journal of Laws of 2024, item 928, as amended).

1.3.20 Employer – it should be understood as an employer within the meaning of Article 3 of the Act of 26 June 1974 – the Labour Code (Journal of Laws of 2023, item 1465, późn.zm.), which is the Company;

1.3.21 Employee – it should be understood as an employee within the meaning of Article 2 of the Act of 26 June 1974 – the Labour Code and a temporary worker within the meaning of Article 2(2) of the Act of 9 July 2003 on the employment of temporary workers (i.e. Journal of Laws of 2023, item 1110);

1.3.22 Terms and Conditions – it should be understood as this document.

1.3.23 GDPR – it should be understood as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard 4to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

1.3.24 Co-worker – it should be understood as a person providing work or services or performing a function for the Company on the basis of a contract of mandate, contract for specific work or other civil law contract.

1.3.25 Team – it should be understood as an internal organizational unit or a person within the organizational structure, or an external entity, authorized by the Employer to receive internal reports, consider them, take follow-up actions and provide feedback to the Reporting Person.

1.4 The Terms and Conditions apply to a natural person who reports or discloses to the public information about a breach of law obtained in a work-related context, including:

1.4.1 Employee

1.4.2 temporary worker,

1.4.3 a person performing work on a basis other than an employment relationship, including on the basis of a civil law contract,

1.4.4 Trader

1.4.5 shareholder or partner,

1.4.6 a member of a body of a legal person or an organizational unit without legal personality,

1.4.7 a person performing work under the supervision and direction of a contractor, subcontractor or supplier, including on the basis of a civil law contract,

1.4.8 Trainee

1.4.9 Volunteer

1.4.10 trainee,

1.4.11 within the meaning of Article 1(1) of the Act of 18 February 1994. on pension provision for officers of the Police, the Internal Security Agency, the Foreign Intelligence Agency, the Military Counterintelligence Service, the Military Intelligence Service, the Central Anti-Corruption Bureau, the Border Guard, the Marshal's Guard, the State Protection Service, the State Fire Service, the Customs and Tax Service and the Prison Service and their families (Journal of Laws of 2020, items 723 and 2320, and of 2021, items 2333, 2448 and 2490),

1.4.12 a soldier within the meaning of Article 2(39) of the Act of 11 March 2022 on the Defence of the Homeland (Journal of Laws, item 2305 and of 2023, items 347, 641, 1615, 1834 and 1872).– hereinafter referred to as the "Whistleblower".

1.5 The Terms and Conditions shall also apply to a natural person referred to in the paragraph above, in the event of reporting or disclosing to the public information on a breach of law obtained in a workrelated context prior to the establishment of an employment relationship or other legal relationship constituting the basis for the provision of work or services or performing a function in or for a legal entity, or performing service in a legal entity or after the termination of such an employment relationship.

1.6 A violation of the law is an act or omission that is unlawful or aimed at circumventing the law regulated in the Act in the scope of:

1.6.1 Corruption;

1.6.2 Procurement; 5

1.6.3 financial services, products and markets;

1.6.4 preventing money laundering and terrorist financing;

1.6.5 product safety and compliance;

1.6.6 transport safety;

1.6.7 Environmental;

1.6.8 radiation protection and nuclear safety;

1.6.9 food and feed safety;

1.6.10 animal health and welfare;

1.6.11 public health;

1.6.12 consumer protection;

1.6.13 protection of privacy and personal data;

1.6.14 security of networks and ICT systems;

1.6.15 the financial interests of the State Treasury of the Republic of Poland, local government units and the European Union;

1.6.16 internal market of the European Union, including public competitionand state aid rules and corporate taxation.

1.6.17 constitutional freedoms and rights of man and citizen – occurring in the relations of an individual with public authorities and not related to the areas indicated in points 1.6.1-1.6.17.

1.7 Each employee and co-worker submits a written statement that they have read the Regulations. The template of the declaration is attached as Appendix No. 1 to these Regulations. The employer is obliged to familiarize each employee with the content of the Regulations before allowing them to work.

1.8 A person applying for work on the basis of an employment relationship or other legal relationship constituting the basis for the provision of work or services or the performance of a function or service is provided with information about the internal reporting procedure along with the commencement of recruitment or negotiations preceding the conclusion of the contract.

1.9 A whistleblower is subject to the protection provided for in the Act from the moment of making the report or public disclosure, provided that he or she had reasonable grounds to believe that the information about a breach of law that is the subject of the report or public disclosure is true at the time of making the report or public disclosure and that such information constitutes information about a breach of law.

2‍

WAYS TO REPORT VIOLATIONS OF THE LAW

2.1 In the event of a justified suspicion of a violation of the law, the Whistleblower has the right to use the internal reporting channel provided by the Employer. Reporting will be done using a dedicated application for reporting violations of the law, using the form available on the website at www.elitmind.com/whistleblowers.

2.2 Reports cannot be anonymous. Anonymous reports will not be recognized.

2.3 In the first place, in the event of a suspicion or finding of a violation of the law, the Whistleblower should use the internal reporting mode specified in point 2.1, provided by the Employer. However, a whistleblower may make an external report without first making an internal report.

2.5. The application should include in particular:

a. name, surname, position;

b. data of persons who committed the infringement/related to the case, including possible witnesses or persons with whom the employee contacted in a given case, i.e. name, surname, position, place of work;

c. a brief description of the irregularities with an indication of the relevant facts and their date,

d. estimation of possible losses and risks related to the case (if possible),

e. source of the employee's knowledge about the violation.

2.6. The report may also be documented by the collected evidence.

3

RECEIPT AND VERIFICATION OF APPLICATIONS

3.1 The Team's task is to accept and verify the received report, take follow-up actions, including further communication with the whistleblower, including requesting additional information necessary to consider the report, as well as preparing feedback including information on whether or not a violation of the law has been found and any measures that have been taken or will be taken in response to the finding of a violation of the law.

3.2 Within 7 days from the date of receipt of the application, the team accepting the reports confirms its receipt to the Applicant.

3.3 The team conducts an investigation and considers the report immediately, within a period of no more than 3 months from the date of its receipt.

3.4 The team accepting reports provides feedback to the Whistleblower, which includes, in particular, information on whether or not a violation of the law has been found and any measures that have been or will be taken in response to the violation of the law. Feedback should be provided immediately after the end of the investigation.

3.5 The employer keeps a register of internal reports and is the administrator of the data collected in this register. The employer authorizes the Team to make entries in the register and update the information in the register on an ongoing basis, in accordance with the actual state.

3.6 In the register of internal reports, the Employer collects, among m.in, the following data:

3.6.1 Your application number

3.6.2 the subject matter of the infringement;

3.6.3 personal data of the whistleblower and the person to whom the report relates necessary to identify them;

3.6.4 Whistleblower contact address

3.6.5 the date of filing the internal report;

3.6.6 information on the follow-up actions taken;

3.6.7 the date the case was completed.

3.7 Personal data and other information in the register of internal reports are stored for a period of 3 years after the end of the calendar year in which the follow-up actions were completed or after the end of the proceedings initiated by these actions.

4

TEAM ACCEPTING APPLICATIONS

4.1 The Team is a permanent body appointed by the Employer. The team is obliged to:

4.1.1 organizing and conducting interviews,

4.1.2 minutes of explanatory interviews,

4.1.3 collecting documentation related to the application and necessary to conduct the proceedings,

4.1.4 developing a position containing an analysis of events, evidence provided, assessment of the legitimacy of the report under consideration as well as conclusions and recommendations for further actions,

4.1.5 provide the employer with a protocol containing the team's position along with justification, conclusions and recommendations,

4.1.6 ongoing contact with the reporting person and providing feedback on the stages of the procedure

4.2 The team accepting applications includes:

4.2.1 Legal and Compliance Lead

4.2.2 Employer Branding & People Ops Lead

4.2.3 Financial Specialist

4.2.4 Business Analysis Domain Lead

4.2.5 AI Lead Consultant

4.2.6 External consultant, representing the consulting company ODO 24

4.2.7 depending on the needs – an additional expert appointed by the Employer, with knowledge and qualifications useful to consider the application depending on the subject of the application.

4.3 A team may also be formed by the staff of an external entity engaged by the Employer to handle internal requests. In such a situation, the provisions concerning the team consisting of the Employer's staff shall apply accordingly.

4.4 A member of the Team may not be the person to whom the report relates, the Whistleblower, or a person who is in such a relationship with the person to whom the report relates that causes justified doubts as to the impartiality of the Team member.

4.5 A member of the Team may not be a person who is married to the Whistleblower, in a relationship of kinship, affinity or adoption, guardianship and guardianship, or a person who is in a legal or factual relationship with the Whistleblower that may give rise to justified doubts as to his or her impartiality.

4.6 The assessment of the premises that may constitute the reason for excluding the possibility of performing the function of a Team member is made by the Employer, taking into account the provisions of Section 4.7. Each member of the Team submits an appropriate statement in this matter in accordance with the template constituting Appendix No. 3 to the Regulations.

4.7 If a member of the Team is a person to whom the report relates, as well as a person with respect to whom there is a reasonable suspicion of lack of impartiality or independence, the Employer, after receiving a recommendation from an external Consultant, dismisses such a person from the position of a Team member for the duration of the consideration of the case and appoints another person in his/her place. If a justified suspicion of a lack of impartiality or independence of a team member emerges in the course of the investigation, the Employer dismisses that member for the duration of the case and immediately appoints another person in his place to supplement the composition of the Team.

4.8 The members of the Team elect a chairman from among themselves, who conducts the meetings, takes minutes of them and manages the dates of the meetings.

4.9 In the event of disagreement in this respect, the Panel's decisions as to the legitimacy of the application are made by a simple majority of votes in the presence of the majority of the Team's members. In the event of an equal number of votes, the chairman's vote is decisive.

5

CONFIDENTIALITY AND PROCESSING OF PERSONAL DATA

5.1 Proceedings conducted by the Team are subject to the obligation of confidentiality as to all information disclosed in their course, which means that they may not be made available to any person or entities other than the Employer's top management and authorized public authorities. Each person participating in the investigation is obliged to maintain confidentiality . The above obligation also applies to information contained in the register of notifications.

5.2 Members of the Team, parties to the proceedings and witnesses are obliged to submit a confidentiality statement , the template of which is attached as Appendix No. 2 to the Regulations.

5.3 None of the employees participating in the proceedings conducted by the Team is entitled to disclose information about the fact, place, time and course of meetings organized as part of these proceedings.

5.4 The identity of the Whistleblower, as well as all information enabling their identification, may be disclosed only if such disclosure is an obligation of the Employer under generally applicable law. Disclosure of the identity of the Whistleblower requires prior notification of the Whistleblower, indicating the legal basis for such information, unless such information could jeopardise the ongoing proceedings. The Whistleblower's data may be disclosed in the course of the proceedings to the parties and participants of these proceedings only if the Whistleblower expressly consents.

5.5 The identity of the persons to whom the report relates, persons associated with the report, persons assisting in making the report is subject to confidentiality requirements to the same extent as the identity of the Whistleblower.

5.6 The processing of personal data of the Whistleblower, the persons to whom the report relates, persons assisting in making the report and persons associated with the person making the report is carried out on the basis of the provisions of the GDPR.

5.7 The Employer is the administrator of personal data of persons making the report, persons to whom the report relates, persons assisting in making the report and persons related to the person making the report.

5.8 Access to the data of the Whistleblower and other persons whose personal data is processed in the course of the investigation may only be granted to a person who has been authorised to process personal data in this regard. The template of the authorization to process personal data is attached as Appendix No. 4 to the Regulations.

5.9 Immediately after receiving the data, the Team Member pseudonymizes the Whistleblower's data and assigns him an identifier that will be used during the investigation. Pseudonymisation includes all types of information that enable direct or indirect identification of the person making the report, with particular emphasis on whether the content of the report itself does not indicate the identity of the person making the report. The identifier is used at all stages of the investigation.

5.10 The Team's responsibility to comply with the information obligation towards the Whistleblower, the person to whom the report relates, the person assisting in making the report, and the person associated with the report. In order to comply with the information obligation, the information clause is applied on the basis of Article 13 and Article 14 of the GDPR.

5.11 Fulfilment of the information obligation towards the person to whom the report relates may be postponed if it may cause the risk of preventing or seriously hindering the conduct of the investigation. In such a case, the Team documents the reasons for postponing the fulfilment of the information obligation. The information clause is provided by the Team immediately after the indicated risk ceases.

5.12 Personal data that is not related to the allegations is deleted immediately after receipt of the report.

5.13 A person whose negative acts are the subject of suspicion cannot be held liable for disciplinary action until the end of the investigation, and any actions directed against such a person in connection with the report are prohibited.

5.14 A whistleblower who has become the target of retaliation should report this fact to the Team. Retaliation against such a person is subject to sanctions under the rules provided for in Article 55 of the Act.

6

EXTERNAL REPORTING AND PUBLIC DISCLOSURE

6.1 A report may in any case also be made to the Ombudsman or to a public authority and, where appropriate, to the institutions, bodies, offices or agencies of the European Union, without following the procedure laid down in the Rules of Procedure.

6.2 The public authority shall establish a procedure for receiving external reports and taking follow-up actions, which shall in particular determine the procedure for dealing with information on breaches of the law reported anonymously.

6.3 The Ombudsman and the public authority shall ensure that the procedure for receiving external reports and the procedure for receiving external reports and the processing of personal data related to the receipt of reports:

6.3.1. prevent unauthorized persons from gaining access to the information covered by the report;

6.3.2. ensure that the confidentiality of the identity of the whistleblower and the person concerned is protected.

6.4 A whistleblower may make a report under public disclosure and is protected if:

6.4.1 submits an internal report, and then an external report and within the time limit for providing feedback set out in the Internal Reporting Regulations, and then within the time limit for providing feedback set in the procedure for reporting breaches of law to a public authority, the employer and then the public authority fail to take appropriate follow-up action or fail to provide feedback to the whistleblower, or

6.4.2 will immediately make an external report and within the deadline for providing feedback set out in the procedure for reporting breaches of law to the public authority The public authority does not follow up or provide feedback to the notifier.– unless the whistleblower has not provided a contact address to which such information should be provided.

6.5 A whistleblower who makes a public disclosure is also protected if he or she has reasonable grounds to believe that:

6.5.1 the infringement may constitute an immediate or manifest threat to the public interest, in particular there is a risk of irreparable harm, or

6.5.2 making an external report will expose the whistleblower to retaliation, or

6.5.3 In the case of an external report, there is a low probability of effective prevention of the infringement due to the specific circumstances of the case, such as the possibility of concealment or destruction of evidence or the possibility of collusion between the public authority and the infringer or the participation of the public authority in the infringement.

7

FINAL PROVISIONS

7.1 To the extent not specified in the provisions of the Directive, the Act and these Regulations, the generally applicable provisions of law and internal company regulations shall apply to the examination of reports.

7.2 The GDPR regulations apply to the work of the team, including the circulation of documentation and the procedure for hearing the parties and witnesses to the proceedings .

7.3 The Regulations enter into force after 7 days from the date of their disclosure to persons performing work for the Employer.

7.4 The Regulations are published on the Employer's website at: www.elitmind.com/whistleblowers

7.5 The employer monitors and regularly reviews the Regulations and makes necessary changes to ensure that they are applied in a consistent and effective manner

‍

APPENDIX 1 TO THE WHISTLEBLOWER REPORTING REGULATIONS

DECLARATION OF READING THE REGULATIONS

‍

I, the undersigned....................... (name and surname), employed as a service provider ......................... (job title)
in ...................... I hereby declare that I have read the Whistleblower Reporting Regulations at Elitmind sp. z o.o.
and I commit myself to obey it.

The town ................, on ............................ .

.........................................

signature of the person making the declaration