Privacy Policy WHISTLEBLOWER CHANNEL

Additional Information 1. Scope of Application of this Privacy Policy

This document regulates the Privacy Policy of the Whistleblower Channel of PROSEGUR (hereinafter the “Channel”).

The “Whistleblower Channel” was put in place by Prosegur Cash, S.A, and Prosegur Compañía de Seguridad, S.A. (hereinafter PROSEGUR) and its subsidiaries to allow you to report (i) the conduct of an employee of the Prosegur Group – including outside the European Economic Area - that may involve irregular, unethical or unlawful behaviour or an act that may be in contravention of the applicable rules and regulations or the Internal and Corporate Policy System of PROSEGUR or (ii) the commission by a third party (collaborator, supplier, manufacturer, etc., or by one of its subcontractors or their employees) of an act that may be in contravention of the applicable rules and regulations or the provisions of the Code of Conduct within the framework of their contractual relationship with the PROSEGUR companies. Therefore, this privacy policy reflects information on data processing with regard to the different categories of stakeholders indicated.

2. Guarantee of Confidentiality and Responsible Use of the Whistleblower Channel

PROSEGUR guarantees that the information provided and personal data that you submit via the abovementioned Whistleblower Channel shall be treated as strictly confidential.

You undertake to use the Whistleblower Channel in a responsible manner and in no case make unfounded or false allegations. If an allegation is determined to have been made in bad faith or with malicious intent, the applicable legal and/or disciplinary action may be taken against the person making such allegation. Furthermore, the report that you submit must be drawn up in a respectful manner and in accordance with generally accepted moral and ethical standards. PROSEGUR shall not be held responsible for any offensive or derogatory remarks or abusive language used against third parties.

Likewise, you must ensure that the personal data that you have provided is true, accurate, complete and updated.

3. Data Controller

Data controller: Prosegur Cash, S.A. (hereinafter “PROSEGUR”)
Tax ID number (NIF): A28430882
Address: Calle Pajaritos, 24, 28007, Madrid (Spain).
Data Protection Officer contact details: dpo@prosegur.com

Data controller: Prosegur Compañía de Seguridad, S.A. (hereinafter “PROSEGUR”)
Tax ID number (NIF): A28430882
Address: Calle Pajaritos, 24, 28007, Madrid (Spain).
Data Protection Officer contact details: dpo@prosegur.com

4. Purpose

Main purpose of data processing: The data provided by the complainant via the Whistleblower Channel will be used to manage the complaint lodged regarding illegal behaviour such as commercial, accounting or financial malpractice or breach of regulations. This includes:

• Investigate and clarify the facts reported.
• Determine responsibilities.
• Implement corrective actions.
• Take legal and disciplinary action before the bodies responsible in each case.
• Inform you about the result of the procedure, if necessary.

5. Legitimisation for the Processing of your Personal Data and Parties Affected

Legal grounds that legitimise the processing of your personal dat

• GDPR: 6.1.c) Processing needed for complying with a legal obligation applicable to the data controller:
• GDPR: 6.1.f) Processing needed to meet the legitimate interest of the data controller.

Parties affected

The following groups are legitimised to file a complaint through the Whistleblower Channel of PROSEGUR:

• Employees in general.
• Managers.
• Suppliers.
• Customers.
• Other stakeholders.

6. Data Retention

In accordance with the provisions set forth in the applicable data protection regulations, the data of the person filing the complaint will be stored in PROSEGUR’s Whistleblower Channel system only during the time that is essential to decide whether or not an investigation of the reported facts should be undertaken.

However, in the event that the investigation that the company has undertaken regarding the reported facts results in the need to exercise appropriate legal actions and/or leads to the initiation of legal proceedings, the data may be stored for the additional amount of time required until the final ruling is obtained, in compliance with current regulations.

7. Recipients

In accordance with the applicable data protection regulations, access to the data is limited exclusively to those who perform internal control and compliance functions; the Control body of PROSEGUR.

However, in certain circumstances and within the provisions set forth in the laws, the data may be accessed or even disclosed to third parties where deemed necessary for disciplinary action or to file the relevant legal actions, if such were the case:

• The data provided will be submitted to the judicial organs, Judge, Public Prosecutor, State Security Forces and bodies or administrative authority to whom the result of the investigation is transferred, when required by them or when the facts denounced constitute a criminal offense.
• The data provided will be processed and, if necessary, transferred to interested third parties, such as Collaborating Entities, expert advisors who participate in the investigation such as lawyers, forensic and other experts, who will be subject to the same duty of confidentiality.
• Only when the investigation may result in the imposition of disciplinary measures against a worker, access to data shall be granted to staff with HR management and control functions.
• Companies that have a contractual or corporate relationship with the complainant(s) and the person(s) against whom the complaint is brought, if it were deemed necessary to carry out the internal investigation and impose disciplinary or other appropriate measures, depending on the nature of the relationship with the person in question.

8. International Transfer of Data

As a general rule, the data provided through the Whistleblower Channel of PROSEGUR will not be subject to International Transfer of Data.

However, your data may be ceded to other companies of the Prosegur Group – including outside the European Economic Area – in order to manage your claim, if needed for administrative reasons and/or other reasons related to the investigation procedure. If your data has to be transferred to a country that does not have an adequate level of protection, PROSEGUR guarantees that the appropriate safeguards, in accordance with the applicable data protection regulations, shall be implemented.

9. Data Protection Rights of Data Subjects

• You are entitled to access your personal data (the right of access is limited to your own personal data, under no circumstances shall the person against whom the complaint is brought have access to any data that could reveal the complainant's identity), as well as to request the amendment of inaccurate data or, where appropriate, request its erasure when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
• In certain circumstances, you may request the limitation of the processing of your data, in which case we will only keep it for the exercise or defence of claims.
• In certain circumstances and for reasons related to your particular situation, you may object to the processing of your data. PROSEGUR will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.
• You are entitled to file a complaint with the Supervisory Authority if you consider that the processing of your data does not comply with the applicable data protection regulations.
• You are entitled to the portability of your personal data.
• You are entitled to file a complaint with the Control Authority of the corresponding country.
• The request may be sent by email to protecciondedatos@prosegur.com, attaching a copy of your national ID (DNI) or documentation proving your identity, identifying yourself as user of the Whistleblower channel of PROSEGUR.

Furthermore, you are hereby informed that you may withdraw your consent whenever you so desire by contacting PROSEGUR at the address or email mentioned above.

Lastly, if you wish to receive further information on your data protection rights or file a complaint, you can contact Supervisory Authority in each country.

10. Security

With the aim of safeguarding the security of your personal data, we inform you that we take all the necessary technical and organizational measures to ensure the security of the personal data supplied and prevent it from being altered, lost, misused, disclosed, processed or accessed without authorization, as required by the personal data protection regulations.

In this regard, PROSEGUR, guarantees the custody of the data being processed and will take all the necessary measures for such purpose bearing in mind the state of technology at any time.

Our security measures are permanently updated to adapt them to the latest technological developments and obligations established in the data protection regulations.

Although we cannot guarantee total protection in data transmission over the internet, we, our subcontractors and business partners, make every effort to maintain the physical, electronic and procedural protection measures with which to guarantee protection of your data in accordance with the legal requirements in force.

We use, among others, the following measures:

• Limit access only to the authorized control body so that they can perform the necessary management tasks to comply with the purposes described.
• Perimeter protection systems of computer infrastructures ("firewalls") to prevent unauthorized access.
• Regularly monitor accesses to personal data to detect and stop any undue or unauthorized access attempts.