Whistleblower

Table of content

1. Introduction and Purpose

This policy outlines the guidelines for reporting and the rules for handling reports to Copenhagen Group's whistleblower scheme. The whistleblower scheme applies to Copenhagen Group A/S, CVR no. 28698941, and its wholly owned subsidiaries (collectively "Copenhagen Group").

In accordance with the Whistleblower Protection Act, Copenhagen Group's whistleblower scheme receives and processes reports concerning violations of EU law as defined in the Whistleblower Directive (EP/Rdir 2019/1937), serious legal violations, and other serious matters as defined in this policy.

The purpose of this policy is to make it easy for potential whistleblowers to report justified suspicions and discrepancies as early as possible and to assure whistleblowers that their reports will be taken seriously and investigated as required. It ensures that their confidentiality, and if desired, anonymity, will be respected, and that they can report without fear of personal consequences or retaliation.

2. What is a Whistleblower?

A whistleblower is a person who reports illegal or questionable activities within companies, organizations, or public institutions where they are involved and which they believe in good faith to be true.

In Copenhagen Group, a whistleblower is someone who, in good faith, makes or attempts to make a report to Copenhagen Group's whistleblower scheme about matters covered by this policy.

3. Who Can Report to Copenhagen Group's Whistleblower Scheme?

Copenhagen Group's whistleblower scheme can be used by:

• Current, former, or prospective employees,

• Volunteers and interns,

• Consultants and other self-employed individuals,

• Members of the executive board, board members, and shareholders,

• Partners, suppliers, and customers (including citizens), and

• Individuals working for such parties.

4. What Issues are Addressed in the Whistleblower Scheme?

Copenhagen Group's whistleblower scheme receives and processes reports concerning violations of EU law as defined in the Whistleblower Directive (EP/Rdir 2019/1937), serious legal violations, and other serious matters, including but not limited to reports on:

• Criminal offenses and breaches of laws or regulations, including but not limited to violations of confidentiality obligations, misuse of funds, theft, fraud, embezzlement, and bribery, or attempts to circumvent related rules,

• Threats to any person's health or safety, including cases of sexual or other severe harassment and serious violations of occupational health and safety regulations,

• Breaches of Copenhagen Group's policies, including but not limited to Copenhagen Group's Code of Conduct, HSE Policy, and Q Policy, as well as issues conflicting with the terms of Copenhagen Group's ISO certification,

• Conduct or behavior that may harm Copenhagen Group, or

• Deliberate concealment or suppression of the above.

Copenhagen Group's whistleblower scheme does not accept or process reports from/about employees, partners, and suppliers who are generally dissatisfied with their cooperation with Copenhagen Group, their manager, colleagues, or the work environment in general. Such issues should be addressed through the usual channels in daily cooperation.

5. How to Make a Report to the Whistleblower Scheme

You can report issues to Copenhagen Group's whistleblower scheme by sending an email or a letter, or by contacting one of the responsible members of Copenhagen Group's whistleblower unit directly.

Email

Reports can be sent via email to: whistleblower@cphgroup.com

Letters

Letters can be sent to or delivered to Copenhagen Group A/S’s mailbox:

Copenhagen Group A/S

Skagerrakvej 4

2150 Nordhavn

ATTN: WHISTLEBLOWER

Personal Contact

Reports can be made to one of the responsible members of Copenhagen Group's whistleblower unit, as specified in section 12.

• You can also report to Copenhagen Group's whistleblower scheme through an intermediary/employee representative. The intermediary must be a physical person who also has a work-related connection with Copenhagen Group and assists you with the reporting process. The assistance of the intermediary must be confidential, and the intermediary will be protected in the same way as the whistleblower, as described in this policy.

• Please avoid reporting to the whistleblower scheme by sending/delivering unverified or unmarked letters to Copenhagen Group or leaving letters on the desks of members of the whistleblower unit, as this poses a risk that your report may not be received and/or that the confidential information and/or personal data contained in your report may be accessed by unauthorized persons.

• If you report via email from an email account that is not Copenhagen Group's mail account, for security and data protection reasons, please refrain from including or attaching materials that contain confidential or sensitive personal data. See also section 10. If you possess such materials, they can be securely delivered in a sealed envelope marked "Whistleblower" and the name of the person to whom the report is addressed, as specified in section 12, to Copenhagen Group A/S’s mailbox at Sankt Annæ Plads 11, 1250 Copenhagen K, if you wish to remain anonymous. Alternatively, you can indicate in the report that you wish to submit such materials, and you will receive instructions on how to transfer them securely and appropriately.

6. Confidentiality and Anonymity

• All reports made through Copenhagen Group's whistleblower scheme are kept confidential, ensuring that the whistleblower's identity is only known to those who need to know it in order to receive and process the report, and to any relevant public authorities, such as the police, to whom the report may need to be forwarded.

• You can also report anonymously to Copenhagen Group's whistleblower scheme, and this will always be respected. However, whistleblowers are encouraged to reveal their identity, as anonymity can complicate or hinder investigations and accurate conclusions if missing or additional information cannot be obtained from the original whistleblower.

7. What Happens After You Report to the Whistleblower Scheme?

• If you do not report anonymously, you will receive an acknowledgment of receipt within 7 days of submitting your report.

• If you report verbally, the report will be documented either by recording the conversation (with your consent) or by preparing a summary of the conversation, which you will have the opportunity to review and correct by signing the summary. If your verbal report is not immediately documented, you have the right to request a physical meeting to document the report as described above. This meeting will be arranged as soon as possible.

• Copenhagen Group's whistleblower scheme ensures careful follow-up on all reports. All reports are given high priority and are processed as quickly as possible. The responsible person(s) in the whistleblower unit, who are appropriate for handling the specific report, will process the report and initiate the necessary and relevant investigations. This includes determining which other individuals and experts need to be involved. If your report concerns one of the responsible persons in the whistleblower unit, they will not be involved in or responsible for handling your report.

• If you do not report anonymously, you may be asked to participate in meetings or respond to inquiries during the investigations. Participation is not mandatory, but you are encouraged to participate if asked, as your involvement may be crucial for the investigations and for reaching accurate conclusions. If you choose to participate, you are entitled to bring a companion from Copenhagen Group.

• The report and the results of the whistleblower unit's investigations will be forwarded to Copenhagen Group's management or, if relevant, the board of directors (unless the report concerns one or more members of Copenhagen Group's management or board of directors, as specified in section 12). The management or board will make the final decision on any sanctions or other consequences resulting from the investigations, including possible reporting to the police, contractual actions, employment-related consequences, changes to internal procedures, etc.

• If you do not report anonymously, you will receive feedback on your report as soon as possible and no later than 3 months after receiving acknowledgment of receipt. The feedback will include information on the actions taken or planned in response to the report, such as filing a police report, initiating further internal investigation, or submitting a report to the relevant supervisory authority, along with the reasoning for such actions. Feedback will be provided in compliance with applicable laws, particularly regarding confidentiality, data protection, and privacy, which means that details and personal data may be excluded from the feedback. If investigations are not completed when you receive this feedback, you will be informed of the results once the investigations are concluded.

• If your report is outside the scope of the whistleblower scheme, it may be rejected. If deemed relevant, you may be encouraged to discuss the matter with your manager or other departments. However, your report will not be automatically forwarded internally or to other authorities. If your report is rejected from the whistleblower scheme, you will be informed of the rejection and the reasons why.

• If your report is considered to fall within the scope of the whistleblower scheme but, after due investigation, is found to lack sufficient evidence or documentation, the case may be closed without a definitive conclusion. In such cases, you will also be informed accordingly.

8. The Whistleblower Unit

Reports to Copenhagen Group's whistleblower scheme are handled by the whistleblower unit. The members of the whistleblower unit are listed in section 12.

The member(s) of the whistleblower unit responsible for a specific report will act as impartial individuals for that particular report and will undertake the following tasks:

• Receive reports and maintain contact with the whistleblower,

• Follow up on reports, ensure they are processed correctly, and provide feedback to the whistleblower.

All members of the whistleblower unit are subject to a special duty of confidentiality regarding the information contained in the reports to the whistleblower scheme and the subsequent investigations.

9. Protection and Support for Whistleblowers

Copenhagen Group is dedicated to protecting and supporting its whistleblowers. Whistleblowers are protected from and must not face any form of retaliation, including threats or attempts of retaliation.

In this context, retaliation refers to any direct or indirect action or omission, such as harassment, discrimination, or other negative consequences for the whistleblower's employment, cooperation, or other relationship with Copenhagen Group, resulting from a report or intended report to Copenhagen Group's whistleblower scheme, which causes or may cause unjustified harm to the whistleblower.

Harassment and discrimination can include, but are not limited to, intimidation, bullying, exclusion, denial of deserved promotion, negative impact on salary or other employment terms, demotion, or dismissal.

The issues reported by a whistleblower to Copenhagen Group's whistleblower scheme, especially if the whistleblower is an employee or close partner, often but not always, involve confidential and loyalty obligations. This means that the whistleblower might need to override or worry about overriding their confidentiality and loyalty obligations towards Copenhagen Group to uphold law and order, freedom of expression, and safety within Copenhagen Group. The whistleblower scheme ensures that employees and close partners who, in good faith, make a report covered by this scheme, are not considered to have breached any legal or contractual confidentiality or loyalty obligations and will not be held liable, provided they acted in good faith and had reasonable grounds to believe the report was necessary to disclose an issue covered by the scheme.

A whistleblower who, in good faith, makes a report about issues covered by this scheme will also not be held liable for accessing the reported information, as long as such an act does not itself constitute an independent criminal offense.

Employees or others who attempt to prevent an employee from reporting to Copenhagen Group's whistleblower scheme, or who subsequently harass or discriminate against a whistleblower, will be confronted by Copenhagen Group's management and may face employment-related consequences, including dismissal or other relevant consequences for the specific cooperation.

Whistleblowers who experience retaliation due to their report or intent to report (or assist with reporting) are encouraged to contact their immediate supervisor or a member of the whistleblower unit, as specified in section 12, as soon as possible.

Copenhagen Group takes its obligations and responsibilities in the whistleblower scheme very seriously. It is crucial that the whistleblower scheme is respected and used in accordance with its purpose. Therefore, reports made in bad faith or with knowingly false information or fabricated material will result in employment-related consequences, including dismissal.

10. Personal Data and Data Protection

• The primary purpose of Copenhagen Group's whistleblower scheme is to fulfill its objectives in accordance with the law (see section 3), including protecting employees who report in good faith (see sections 1.4 and 9). Copenhagen Group also has a duty to protect the individuals being reported on and their personal data in compliance with applicable data protection laws, ensuring the utmost confidentiality within Copenhagen Group.

• Reports to Copenhagen Group's whistleblower scheme may contain personal data about the whistleblower, witnesses, employees, or partners of Copenhagen Group, which Copenhagen Group is obligated to process in accordance with applicable data protection laws.

• The processing of personal data within Copenhagen Group's whistleblower scheme is required for companies where the establishment of a whistleblower scheme is mandatory under the Whistleblower Protection Act, section 22. For group companies not directly legally required to have a whistleblower scheme, processing is conducted under Article 6(1)(f) of the General Data Protection Regulation (GDPR), where the company has a legitimate interest in receiving and processing reports to the whistleblower scheme, and it has been assessed that the interests and rights of the individual whose personal data is processed do not override this legitimate interest. In rare cases where sensitive personal data is processed, it will only be done under Article 9(2)(b) of the GDPR, if necessary for the company (the data controller) to comply with its obligations and specific rights in the field of employment, health, and social law, or under Article 9(2)(f), if necessary for the establishment, exercise, or defense of legal claims.

• The specific company within Copenhagen Group that is most closely connected to your report, as outlined in section 1, will be the data controller for the personal data contained in the report. This company may share the relevant personal data with one or more companies within the Copenhagen Group or with professional partners (such as lawyers assisting with the processing of the whistleblower report) if it is relevant or necessary for handling your report or for following up on the information obtained during the investigation. If legally required, personal data may also be shared with authorities. Copenhagen Group will not share personal data with parties outside the EU.

• Copenhagen Group will keep all reports and associated documents and materials, including any personal data, confidentially and for the period necessary to act upon and follow up on the reported issues, and further for the period Copenhagen Group is legally entitled to retain such personal data.

• Individuals whose personal data is processed in Copenhagen Group's whistleblower scheme have specific rights, including the right to information, access, rectification, deletion, restriction, and data portability, as described in Copenhagen Group's general data protection policy and here (to the extent it does not conflict with obligations in the whistleblower scheme). They also have the right to lodge a complaint with the Danish Data Protection Agency regarding the processing of their data.

• There are no automated decisions made in Copenhagen Group's whistleblower scheme.

11. Annual Report and Follow-Up

Copenhagen Group's whistleblower unit prepares an annual report on all reports made to the whistleblower scheme, which is reviewed by Copenhagen Group's board of directors. This report and the annual review aim to ensure timely follow-up on all reports made to Copenhagen Group's whistleblower scheme. The information and experiences from the reports are appropriately incorporated into optimizing Copenhagen Group's operations, organization, legal compliance, and ethics.

12. The Whistleblower Unit and Members

The whistleblower unit consists of the company's chairman of the board and the company's auditor. They can be contacted via email at: whistleblower@cphgroup.com

Refer to section 5 for details on reporting.