INTERNAL INFORMATION SYSTEM - CONFIDENTIAL MAILBOX

1.- Object

Define the functions of the Internal Information System (Confidential Mailbox) of Grupo Planeta and inform the employees, managers, suppliers, subcontractors and customers of the Group, and in general any interested third party, about the operation and importance of the same, in order to comply with the regulations that apply to it regarding the Protection of Natural Persons who report on regulatory violations and the fight against corruption, so that they immediately inform the system manager when they suspect that any serious or very serious criminal or administrative offence is occurring or may occur, any action or omission that may constitute breaches of the European Union law or any breach of the Group Code of Ethics.

2.- General principles

Grupo Planeta requires its employees, directors, collaborators, suppliers, and clients to collaborate actively when they have suspicions or become aware of any type of crime, offence, fraud or corruption, and breaches or alleged irregularities regarding the application of the Code of Ethics within the framework of their relationship with Grupo Planeta.

The Confidential Mailbox is the preferred channel for reporting serious or very serious criminal or administrative offences, infringements of the European Union law and/or breaches or alleged irregularities in the application of the Code of Ethics, as well as reporting any other conduct that may constitute fraud and/or offences in a completely confidential manner, providing adequate protection to the informant against retaliation.

If you suspect that a fraud or an offence is occurring or may occur, the Group's Internal Information System manager should be immediately informed via the Confidential Mailbox, without discussing the matter with anyone in your environment and without conducting any research on your own. The facts must be communicated promptly to facilitate an adequate resolution.

It is guaranteed that all received reports will be investigated, as well as complete confidentiality and anonymity for the person providing the information.

The responsible for the Internal Information System is the Ethics Committee of Grupo Planeta. Said committee is composed of the General Secretary and member of the Board of Grupo Planeta, the Director of Corporate Internal Audit and the Director of Corporate Human Resources. Additionally, the person holding the position of Director of Corporate Internal Audit is designated as the responsible manager of the Internal Information System. Based on the reported facts, the Committee shall appoint the relevant professionals to carry out the verification of the same, which shall be subject to the same confidentiality rules.

The Ethics Committee shall have the following communication channels:

  • Intranet: “Good Practices Office / Confidential Mailbox”
  • E-mail address: canal@grupoplaneta.info
  • PO Box: 14036 (08080 - Barcelona)
  • Face-to-face and/or telephone: Corporate Internal Audit; 93-4928333

3.- Procedure

The characteristics and operating scheme of the Internal Information System (Confidential Mailbox) are the following:

  • Only irregular conduct in relation to the Code of Ethics, the commission of offenses or frauds, serious or very serious criminal or administrative offences and infringements of the European Union law shall be reported through the Confidential Mailbox.
  • It is guaranteed that all reports received with or without identification of the informant, shall be investigated. It is recommended, whenever possible, to provide additional information that constitutes evidence of the reported fact.
  • Whenever the report is nominative, the informant shall be informed that his/her complaint is being investigated. In the case of anonymous reports, the complaint will be investigated with the same diligence.
  • The reports may be made in writing through the Inbox and/or verbally directly to the System Manager (in person or by telephone). Verbal reports will be duly documented (by recording or transcription), in the form chosen by the informant, with his/her prior consent. Additionally, the informant may go directly to the External Information Channel (Independent Authority for the Protection of the informant), without previously informing the Responsible of the System. The Independent Authorities responsible for the protection of the whistleblower are detailed in Annex I.
  • All reports will be treated in a strictly confidential manner and will be protected, with the appropriate technical and organizational measures to preserve the identity of the informants who make use of the Internal Information System, as well as to preserve the identity of any third party mentioned in the report, the report may not be made known to persons other than the Responsible of the System and the specialists appointed by the Responsible of the System to investigate the reported facts, insofar as this identification is essential.
  • Upon receipt of the report and within a maximum period of seven calendar days from the date it was received, acknowledgement of receipt shall be made to the informant and the Responsible of the System shall respond of the investigation proceedings within three months of the expiry of the seven calendar days period after the report, except in cases of a complex investigation requiring an extension of the time limit, in which case this may be extended up to a maximum of three additional months. Once the
    investigation of a reported fact is completed, the Responsible of the System will issue a report of findings in this regard. If it is indeed apparent that irregularities have been committed, appropriate measures shall be taken.
  • In relation to the retention of personal data in the Confidential Mailbox, they shall be kept only for the time necessary to decide if it is appropriate to initiate an investigation of the reported facts and, in any case, for a maximum period of three (3) months from the date of sending the acknowledgement of receipt or, if the acknowledgement of receipt was not sent, for a maximum period of three (3) months from the seven (7) calendar days following the receipt of the report. If three (3) months after the report was received, no investigation has been initiated, the data shall be deleted from the Internal Information System, unless they are kept as evidence that the system is working correctly, in which case they will be anonymized, without the obligation to block it.
  • If, within said period of three (3) months, it has been decided to initiate an investigation, the data will be stored outside the inbox: canal@grupoplaneta.info and stored within the Internal Information System of Grupo Planeta enabled for this purpose during the duration of the investigation. In the event that the investigation results in the adoption of certain measures against the persons under investigation, the data will be kept as long as the appropriate legal actions continue.
  • The personal data of the reports admitted for processing will be kept blocked within the Internal Information System for the duration of the investigation and, in general, for the following purposes:
    • Up to a maximum period of ten (10) years in compliance with the provisions of the whistleblowing legislation.
    • When the reported fact constitutes a crime or administrative offence during the statute of limitations of the crimes and the administrative penalties established in the laws applicable to each case.
  • Notwithstanding the above paragraph, we inform you that we will immediately delete the data from the Internal Information System, without the obligation to block them in any of the following cases:
    • If it is proven that the information provided or part of it is not truthful, unless the lack of veracity constitutes a criminal offence, in which case the data will be kept for the duration of the legal proceedings.
    • If personal data has been communicated that is not necessary for the knowledge and investigation of the actions or omissions within the scope of this report channel, including special data categories. In the latter case, they will be immediately deleted, without proceeding to the registration and treatment of the same.
  • All reports made through the Internal Information System will be stored, together with the investigation carried out and the results of the same, in an anonymized reports logbook of Grupo Planeta. This information shall be kept strictly confidential and shall be kept for a maximum period of ten years.
  • In addition, a periodic report of the activity of the Confidential Mailbox, without identifying the informants,
    will be made addressed to the Executive Committee of the Group.
  • Grupo Planeta promotes the internal reporting culture and provides complete protection against retaliation to informants, as well as the preservation of their identity and the confidentiality of the facts and data of the procedure.

4.- Treatment of the obtained data

In compliance with the current legislation on data protection, the Privacy Policy corresponding to processing personal data obtained and/or generated by information received through the Confidential Mailbox is detailed below:

PRIVACY POLICY

The personal data you provide will be processed by PLANETA CORPORACION, S.R.L., with VAT No. B61441127 with domicile at Calle Juan Ignacio Luca de Tena, 17, 28027 Madrid, as responsible and manager of the Internal Information System of Grupo Planeta. In the event that the information provided concerns any of the companies that form part of Grupo Planeta, your data may be communicated to said company in order to carry out the appropriate procedures in relation to the matter you have communicated to us.

Additionally, we inform you that the data may be processed in order to resolve your query, receive and manage the complaints or alerts reported and, in its case, carry out the corresponding investigation, as well as offer you the guarantees provided in the Internal Information System Policy. Additionally, we may process the data to prove the proper functioning of our compliance model, and for the defence of the rights of the company.

Purpose

Description of the purpose and legitimization basis

Legitimization basis

Resolving queries

We will process the data in order to respond to queries made in relation to the operation and management of the Internal Information System and/or the regulatory compliance model.

Legitimate interest

Reception and processing of the complaint or alert that you communicate to us

We will process the data for the reception of complaints, to decide if it is appropriate to initiate or not an investigation of the complaints received, also with the purpose of carrying out the corresponding investigation of the communicated facts, to protect the informant from retaliation, to adopt, if necessary, opportune corrective measures and, in its case, initiate legal actions against the concerned persons and/or third parties.

Legal obligation e public interest

Prove the proper functioning of the Internal Information System and keep evidence for the defence of the company

We may retain your data to prove the proper functioning of our compliance model.

Legitimate interest and legal obligation

In the event that your report is about any of the companies of GRUPO PLANETA, we inform you that we may communicate the data, in order to carry out the appropriate procedures in relation to the matter you have communicated to us. We inform you that, in certain cases, the personal data of the complaints may be communicated to the security forces and bodies, Judges or Courts, as well as any other competent body in case of being required to comply with legal obligations.

Furthermore, if there are indications that the reported facts may constitute a crime, there is an obligation to immediately refer the facts to the Prosecutor’s Office. If the reported facts could affect the financial interests of the European Union, said facts should be referred to the European Public Prosecutor’s Office.

We inform you that it is possible for your personal data to be transferred outside the European Union or the European Economic Area. In any case, the controller will ensure that said data processing is always protected with the appropriate safeguards, which may include (i) EU approved Standard Contractual Clauses, or (ii) third- party certifications. It is possible that in some cases your data may be transferred based on one of the exceptions provided for in article 49, such as when (i) you provide your consent to the transfer, (ii) the transfer is necessary for important reasons of public interest or (iii) the transfer is necessary for the formulation, exercise or defence of claims.

The personal data of the complaints admitted for processing will be kept blocked within the Internal Information System for the duration of the investigation and, in general, for the following purposes:

  • up to a maximum period of ten (10) years in compliance with the provisions of the whistleblowing legislation.
  • When the fact reported is a criminal or administrative offence during the statute of limitations of the offences and the administrative penalties established in the Criminal Code or in the applicable laws of each case.

You may exercise the rights of access, deletion, rectification, opposition, limitation and portability, by writing to the company you are reporting to (PO Box 14036 (08080 - Barcelona or canal@grupoplaneta.info).
Additionally, when you consider it appropriate you may file a claim with the Spanish Data Protection Agency.

You can contact our Data Protection Officer by writing to dpo@planeta.es or Grupo Planeta, at: Data Protection Officer, Avda. Diagonal 662-664, 08034 Barcelona.”

ANNEX I: External Reporting Channels

In accordance with the provisions of the Whistleblower Protection Law, any person is entitled to report criminal offences, serious or very serious administrative offences, as well as infringements of European Union law, directly to the Independent Whistleblower Protection Authority (AAI), without prejudice to prior or simultaneous reporting through the internal reporting channel.

In Spain, the function of Whistleblower Protection corresponds to the Independent Whistleblower Protection Authority (AAI). Likewise, certain Autonomous Communities have designated their own independent authorities, competent to perform functions analogous to those of the AAI in cases where the potential
infringements produce effects exclusively within their territorial scope.

The European Union, as well as the various Member States, also provide external reporting channels for receiving communications concerning infringements of their respective legal systems.

Below is a list of the independent whistleblower protection authorities competent both at the national level (Spain and its Autonomous Communities), and in the different European Union Member States in which the Group conducts its activities.

Whistleblower Protection Authorities

Autoridades de la Unión Europea

Autoridad de la Unión Europea
Oficina Europea de Lucha Contra el Fraude (OLAF)
https://anti-fraud.ec.europa.eu/index_es

Autoridades españolas

Autoridad estatal
Autoridad Independiente de Protección del Informante, A.A.I.
https://www.proteccioninformante.gob.es/

Autoridad de Andalucía (sector público y privado)
Oficina Andaluza contra el Fraude y la Corrupción
https://antifraudeandalucia.es/

Autoridad de Castilla y León (sector público)
Consejo de cuentas
https://www.consejodecuentas.es/

Autoridad de Castilla la Mancha (sector público y privado)
Consejo Regional de Transparencia y Buen Gobierno de Castilla-La Mancha
https://www.consejotransparenciaclm.es/

Autoridad de Cataluña (sector público y privado)
Oficina Antifrau de Catalunya
https://www.antifrau.cat/es/

Autoridad de Comunidad Foral de Navarra (sector público)
Oficina de buenas prácticas y anticorrupción de la comunidad foral de Navarra
https://oana.es/es

Autoridad de la Comunidad de Madrid (sector público y privado)
Consejo de Transparencia y Protección de Datos de la Comunidad de Madrid
https://www.comunidad.madrid/consejo-transparencia

Autoridad de Comunidad Valenciana (sector público)
Agencia Valenciana Antifrau
https://www.antifraucv.es/buzon-de-denuncias-2/

Autoridad de Galicia (sector público y privado)
Valedor do pobo galego
https://www.valedordopobo.gal/es/

Autoridades de Francia


Autoridad de Francia
Défenseur des droits
https://www.defenseurdesdroits.fr/

Autoridades de Italia


Autoridad de Italia
Autorità Nazionale Anticorruzione (ANAC)
https://www.anticorruzione.it/en/-/whistleblowing?utm_source=chatgpt.com

Autoridades de Portugal


Autoridad de Portugal
Mecanismo Nacional Anticorrupção (MENAC)
https://mec-anticorrupcao.pt/