Information System Policy

INTERNAL INFORMATION SYSTEM – CONFIDENTIAL MAILBOX

1.- Purpose

To define the functions of the Internal Information System (Confidential Mailbox) of Grupo Planeta and to inform employees, executives, suppliers, subcontractors, and customers of the Group, as well as any other interested third parties, about its operation and importance. The purpose is to ensure compliance with applicable regulations regarding the Protection of Natural Persons reporting regulatory violations and the fight against corruption. This system enables individuals to immediately inform the System Manager when they suspect that any type of criminal or serious administrative offense is occurring or may occur, any action or omission that may constitute violations of European Union law, or any breach of the Group’s Code of Ethics.

2.- General Principles

Grupo Planeta requires active collaboration from its employees, executives, partners, suppliers, and customers when they suspect or have knowledge of any crime, violation, fraud, or corruption, as well as breaches or alleged irregularities related to the application of the Code of Ethics in their relationship with Grupo Planeta.

The Confidential Mailbox is the preferred channel for reporting criminal, serious administrative, or European Union law violations and/or breaches or suspected irregularities concerning the application of the Code of Ethics. It also serves to report any other conduct that may constitute fraud and/or a crime in a completely confidential manner, ensuring adequate protection against retaliation for the informant.

If there is suspicion that fraud or a crime is occurring or may occur, it must be reported immediately to the Internal Information System Manager through the Confidential Mailbox, without discussing the matter with anyone in their surroundings and without conducting any investigation on their own. Reports should be made promptly to facilitate appropriate resolution.

It is guaranteed that all received reports will be investigated, ensuring complete confidentiality and anonymity for the person providing the information.

The Internal Information System Manager is the Ethics Committee of Grupo Planeta. This committee consists of the Group’s General Counsel, the Corporate Internal Audit Director, and the Corporate Human Resources Director. Depending on the reported facts, the Committee will designate the appropriate professionals to carry out the verification process, who will be subject to the same confidentiality rules.

The communication channels with the Ethics Committee are as follows:

  • Intranet: “Good Practices Office / Confidential Mailbox”
  • Email address: canal@grupoplaneta.info
  • Mailing address: P.O. Box 14036 (08080 - Barcelona)
  • In-person and/or telephone: Corporate Internal Audit; 93-49283333

3.- Procedure

The characteristics and operating framework of the Internal Information System (Confidential Mailbox) are as follows:

  • Only irregular conduct related to the Code of Ethics, criminal or fraud offenses, serious administrative violations, and European Union law violations should be reported through the Confidential Mailbox.
  • It is guaranteed that all reports, whether identified or anonymous, will be investigated. Whenever possible, additional information constituting evidence of the reported event is recommended.
  • If the report is nominative, the informant will be notified that their complaint is under investigation. Anonymous reports will be investigated with the same diligence.
  • Reports can be made in writing through the Mailbox and/or verbally directly to the System Manager (in person or by phone). Verbal reports will be properly documented (via recording or transcription), in the format chosen by the informant, with their prior consent. The informant may also report directly to the External Information Channel (Independent Authority for Whistleblower Protection) without first contacting the System Manager.
  • All reports will be handled with strict confidentiality and protected with appropriate technical and organizational measures to preserve the identity of informants using the Internal Information System, as well as the identity of any third parties mentioned in the report. Their identity will only be disclosed to the System Manager and designated specialists investigating the reported events, to the extent necessary.
  • Upon receipt of a report, an acknowledgment will be sent to the informant within a maximum of seven calendar days. The System Manager will provide a response on investigative actions within three months from the end of the seven-day period after the report was made. In cases of complexity requiring an extension, this period may be extended for up to three additional months. Once the investigation is concluded, the System Manager will issue a report with findings. If irregularities are confirmed, appropriate measures will be taken.
  • Regarding the retention of personal data in the Confidential Mailbox, data will only be kept for the time necessary to determine whether an investigation should be initiated. In any case, the maximum retention period is three (3) months from the date of the acknowledgment receipt or, if no acknowledgment was sent, three (3) months from the seven (7) days following the report submission. If no investigation is initiated within three (3) months of receiving the report, the data will be deleted from the internal information system unless retained as evidence of the system’s proper functioning, in which case it will be anonymized, without the obligation of blocking.
  • If an investigation is initiated within the three (3) months, the data will be retained outside the email channel@grupoplaneta.info and stored in the dedicated Internal Information System of Grupo Planeta for the duration of the investigation. If the investigation results in specific actions against individuals involved, the data will be retained as long as legal actions remain applicable.
  • Personal data from admitted reports will be kept within the Internal Information System for as long as the investigation lasts and, in general, for the following purposes:
    • A maximum period of ten (10) years, in compliance with the Whistleblower Protection Law.
    • When the reported event constitutes a crime or administrative violation, for the duration of the applicable legal prescription periods.
    • However, data will be immediately deleted from the Internal Information System without being subject to the blocking obligation in the following cases:
      • If it is proven that the provided information is false, unless its falsehood constitutes a criminal offense, in which case data will be kept as needed for judicial proceedings.
      • If personal data unnecessary for investigating the reported actions or omissions were communicated, including special categories of data, such data will be immediately deleted without being recorded or processed.
  • All communications made through the Internal Information System, along with related investigations and outcomes, will be stored in an anonymized communication logbook of Grupo Planeta. This information will remain strictly confidential and will be kept for a maximum of ten years.
  • Additionally, a periodic report on the activity of the Confidential Mailbox, without identifying informants, will be submitted to the Group’s Executive Committee.
  • Grupo Planeta promotes a culture of internal reporting and provides full protection against retaliation for informants, as well as the preservation of their identity and confidentiality of the facts and data of the procedure.

 

4.- Processing of Obtained Data

In compliance with applicable data protection laws, the following Privacy Policy details the processing of personal data obtained and/or generated through reports received via the Confidential Mailbox:

PRIVACY POLICY

The personal data provided will be processed by PLANETA CORPORACIÓN, S.R.L., with CIF B61441127 and registered office at Calle Juan Ignacio Luca de Tena, 17, 28027 Madrid, as the controller and manager of Grupo Planeta’s Internal Information System. If the provided information concerns any of the companies within Grupo Planeta, the data may be shared with that company to take appropriate action regarding the reported matter.

Additionally, the data may be processed for handling inquiries, receiving and managing reports or alerts, conducting investigations, and ensuring the guarantees set out in the Internal Information System Policy. Furthermore, the data may be used to verify the proper functioning of our Compliance Model and to defend the company's legal rights.

Purpose

Description of the purpose and legal basis

Legal Basis

Responding to inquiries

We will process the data to respond to inquiries related to the operation and management of the Internal Information System and/or the compliance model.

Legitimate Interest

Receipt and processing of reports or alerts you submit

We will process the data for the receipt of reports, to determine whether or not to initiate an investigation into the reported incidents, to conduct the corresponding investigation of the reported facts, to protect the whistleblower from retaliation, to adopt appropriate corrective measures if necessary, and, where applicable, to take legal action against the reported individuals and/or third parties.

Legal Obligation and Public Interest

Ensuring the proper functioning of the Internal Information System and preserving evidence for the company's defense

We may retain your data to demonstrate the proper functioning of our Compliance Model.

Legitimate Interest and Legal Obligation

If your communication concerns one of the companies within Grupo Planeta, we inform you that we may share the data in order to carry out the necessary actions related to your inquiry.

Additionally, in certain cases, personal data related to reports may be disclosed to law enforcement authorities, judges, or courts, as well as any other competent body if required to comply with legal obligations.

Furthermore, if there are indications that the reported facts could constitute a crime, there is an obligation to immediately forward the information to the Public Prosecutor’s Office. If the reported facts could affect the financial interests of the European Union, they must be referred to the European Public Prosecutor’s Office.

We inform you that your personal data may be transferred outside the European Union or the European Economic Area. In any case, the Data Controller will ensure that such data processing is always protected with appropriate safeguards, which may include: (i) Standard Contractual Clauses approved by the EU, or (ii) third-party certifications. In some cases, your data may be transferred based on one of the exceptions outlined in Article 49, such as: (i) when you provide consent for the transfer, (ii) when the transfer is necessary for important reasons of public interest, or (iii) when the transfer is necessary for the establishment, exercise, or defense of legal claims.

The personal data of reports that are admitted for processing will be retained in a restricted manner within the Internal Information System for the duration of the investigation and, generally, for the following purposes:

  • For a maximum period of ten (10) years, in compliance with the Whistleblower Protection Act.
  • When the reported incident constitutes a crime or administrative offense, for the duration of the statute of limitations for the crimes and administrative sanctions established in the Penal Code or the applicable laws in each case.

You may exercise your rights of access, deletion, rectification, objection, restriction, and portability by contacting the company to which you are reporting in writing at Apartado de Correos 14036 (08080 - Barcelona) or via email at canal@grupoplaneta.info. Additionally, if you deem it appropriate, you may file a complaint with the Spanish Data Protection Agency.

You may also contact our Data Protection Officer by writing to dpo@planeta.es or addressing Grupo Planeta, Attn.: Data Protection Officer, Avda. Diagonal 662-664, 08034 Barcelona.