For the purposes of this policy, the following definitions shall apply:

• "information about breaches" means information, including reasonable suspicions, about actual or potential breaches, which have occurred or are highly likely to occur, as well as attempts to conceal such breaches;
• "notification" or "reporting" means the oral or written communication of information about breaches;
• "internal reporting" means communicating information about breaches orally or in writing within a legal entity in the private sector;
• "external reporting" means the oral or written communication of information about breaches to the federal coordinator or to competent authorities;
• "disclosure" or "disclosing" means making information on infringements publicly available;
• "reporter" or "whistle-blower" means a person who reports or discloses information about breaches;
• "work-related context" means current or former professional activities in the private sector through which, regardless of the nature of those activities, individuals may obtain information about breaches and where those individuals may face reprisals if they were to report such information;
• "facilitator" means a natural person who assists a reporter in the reporting process and whose assistance must be confidential;
• "data subject" means a natural or legal person named in the notification or disclosure as a person to whom the breach is attributed or with whom that person is associated;
• "Retaliation" means any direct or indirect act or omission in response to an internal or external report or disclosure, and which results or may result in unjustified prejudice to the reporter.

Staff scope:

This policy applies to reporters who have received information about breaches in a work-related context. This means that the reporting channels and protection mechanisms listed below are open to, among others:

• Current employees;
• Ex-employees in case information on breaches was obtained in the context of a now terminated working relationship;
• Candidate employees in case information on infringements was obtained during the recruitment procedure or other pre-contractual negotiations;
• Self-employed people working within the organisation (such as freelancers, consultants, etc.);
• Shareholders and persons belonging to the administrative, management or supervisory body of a company, including non-executive members, volunteers and paid or unpaid trainees;
• Anyone working under the supervision and direction of contractors, subcontractors and suppliers;
• Facilitators;
• Third parties connected to the reporters who may be victims of retaliation in a work-related context, such as colleagues or family members of the reporters;

Material scope:

The reporting channels can be used to raise subsequent breaches:

1. Infringements relating to the following areas:
   1. public procurement;
   2. financial services, products and markets, prevention of money laundering and terrorist financing;
   3. product safety and product conformity;
   4. transport safety;
   5. environmental protection;
   6. radiation protection and nuclear safety;
   7. food and feed safety, animal health and animal welfare
   8. public health;
   9. consumer protection;
   10. protection of privacy and personal data, and security of network and information systems;
   11. combating tax fraud;
   12. combating social fraud;
   13. (cross-border behaviour)
2. Infringements affecting the financial interests of the Union as referred to in Article 325 of the Treaty on the Functioning of the European Union and further explained in relevant Union measures and, where applicable, national implementing provisions;
3. Internal market infringements referred to in Article 26(2) of the Treaty on the Functioning of the European Union, including infringements of Union rules on competition and state aid.

However, do not fall within the scope of this whistleblowing policy:

• Those complaints related to violence, bullying and unwanted sexual behaviour, which an employee who believes he/she is a victim of such acts, can submit to the confidential advisor designated for this purpose in the labour regulations or to the psychosocial prevention advisor of the external service for prevention and protection at work.
• Notifications relating to classified information;
• Reports based on information covered by medical confidentiality;
• Reports based on information covered by the secrecy of judicial deliberations.

Internal reporting procedure

Internal reporting

1. An employee who believes there is an irregularity can file a report through the following application: Whistleblower (complylog.com)
   Designated as the company's reporting manager were:
   - Alex Beckers, Legal Counsel
   - Kati Devos, VP HR&O
2. The existence of the internal reporting channel does not affect the employee's right, if he deems it useful, to consult his staff representative and/or trade union regarding his rights and obligations before making a report.
3. The reporting manager receiving a report will send an acknowledgement of receipt of the report to the reporter within 7 working days of receipt.
4. The reporting manager registers the report with the date it was received and is the only person who knows the identity of the reporter. The confidentiality of the identity of the reporter and of any third parties named in the report is guaranteed at all times . Non-authorised staff members do not have access to the internal reporting channel. If there are ambiguities in the initial report, the reporting manager seeks clarification.
5. The reporting manager is responsible for following up each report carefully. He checks the accuracy of the allegations made in the report and, if necessary, addresses the reported breach, including through measures such as an internal preliminary investigation, an enquiry or the termination of the procedure.
6. As soon as possible, and no later than 3 months after the acknowledgement of receipt of the report or, if no acknowledgement of receipt was sent to the reporter, three months after the expiry of the seven-day period following the report, the reporting manager shall provide the information to the reporter on the actions planned or taken as a follow-up and on the reasons for such follow-up.

Procedure of investigation and decision

1. Upon receipt of the report, the reporting manager starts an investigation into the alleged irregularities.
   In this capacity, the reporting manager is authorised to conduct an independent investigation in the company.
   The reporting manager shall hear the person(s) reported to be involved in the reported irregularities.
   The reporting manager obtains information and consults sources necessary in the context of that investigation. In this way, the reporting manager tries to verify the alleged irregularities reported by the reporter.
2. When informing and reporting, the reporting manager shall neither disclose the identity of the reporter nor the identity of any third parties named in the report.
3. The reporting manager reports its findings in writing to the company's management.
4. The company's management will decide and take any action based on the report of the reporting manager.
5. The reporter and the person(s) charged, will be informed of the conclusion of the investigation.

Safeguards

1. The reporting and handling of a report is done with respect for secrecy and confidentiality.
2. Under no circumstances shall the identity of the reporter be disclosed to anyone other than the authorised personnel responsible for receiving or following up reports without the reporter's free and express consent. This also applies to any other information from which the identity of the reporter can be directly or indirectly deduced.
   This principle may be deviated from only if it is a necessary and proportionate obligation under special legislation in the context of investigations by national authorities or judicial proceedings, including to safeguard the data subject's rights of defence. In this case, before their identity is disclosed, reporters will be informed unless such information would jeopardise related investigations or judicial proceedings.
3. The reporter is asked for a commitment to keep his report confidential and not to disclose it either directly or through third parties until the company's governing body has notified the end of the investigation.

Registration of notifications

The company shall keep a record of each report received, in accordance with the said confidentiality requirements. Reports are kept for the duration of the contractual relationship.

Right to privacy

Any processing of personal data in the context of a notification, including the exchange or transfer of personal data by competent authorities or the federal coordinator, shall be done in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the legal provisions on the protection of natural persons about the processing of personal data. Personal data that is clearly not relevant to the processing of a specific report will not be collected, or, if collected unintentionally, will be deleted immediately.

The name, position and contact details both reporter and each person covered by the protection and support measures and of the data subject, including, where applicable, the company number, shall be kept up to date until the expiry of the limitation period for the reported breach.

These affected persons may each invoke the right to access and correct processed data relating to their person in accordance with the General Data Protection Regulation (GDPR). They may also contact the Data Protection Authority for this purpose.

External reporting procedure

An employee can also report information about breaches by using the external reporting channels and procedures after first making a report through internal reporting channels or by immediately making a report through external reporting channels.

COMPETENT AUTHORITIES

The authorities responsible for receiving reports, giving feedback and providing follow-up on reports are as follows:

1° the Federal Public Service Economy, SMEs, Self-Employed and Energy;

2° the Federal Public Service Finance;

3° the Federal Public Service of Public Health, Food Chain Safety and Environment;

4° the Federal Public Service of Mobility and Transport;

5° the Federal Public Service Employment, Labour and Social Dialogue;

6° the Programme Public Service Social Integration, Poverty Reduction, Social Economy and Metropolitan Policy;

7° the Federal Agency for Nuclear Control;

8° the Federal Agency for Medicines and Health Products;

9° the Federal Agency for the Safety of the Food Chain;

10° the Belgian Competition Authority;

11° the Data Protection Authority;

12° the Financial Services and Markets Authority;

13° the National Bank of Belgium;

14° the College of Supervision of Auditors;

15° the authorities reported in Article 85 of the Law of 18 September 2017 on the prevention of money laundering and terrorist financing and on the restriction of the use of cash;

16° the National Committee for the Security of Drinking Water Supply and Distribution;

17° the Belgian Institute for Postal Services and Telecommunications;

18° the National Institute for Sickness and Disability Insurance;

19° the National Institute for Social Insurance of the Self-Employed;

20° the State Employment Service;

21° the National Social Security Office;

22° the Social Intelligence and Investigation Service;

23° the Autonomous Anti-Fraud Coordination Service (CAF);

24° the Shipping Control.

In the absence of designation or if no authority feels competent to receive a report, the Federal Ombudsman acts as the competent authority for receiving reports, providing feedback, and following up on reports.

PROCEDURES FOR EXTERNAL REPORTING TO THE FEDERAL COORDINATOR AND COMPETENT AUTHORITIES

An employee who believes that an irregularity has occurred may make a report to the competent authority or the Federal Ombudsman.

Each authority sets up an independent and autonomous external reporting channel for receiving and dealing with information on breaches. The external reporting channels allow for written and oral reporting. Oral reporting is possible via telephone or other voice messaging systems and, at the request of the reporter, through a physical meeting within a reasonable time.

The appointed competent authorities shall define, by means of regulations or circulars, concrete rules of procedure for receiving and processing reports.

The competent authority shall always send an acknowledgement of receipt of the report within seven days of its receipt, unless expressly requested otherwise by the reporter or unless the competent authority reasonably considers that an acknowledgement of receipt of the report would compromise the protection of the reporter's identity.

The competent authority shall follow up reports carefully, including anonymous reports, and provide feedback to the reporter within a reasonable timeframe not exceeding three months or, in duly justified cases, six months, except where a legal provision prevents it.

The competent authority shall inform the notifier of the final result of the investigations following the notification, subject to the national provisions applicable to it.

Any authority that has received a report but does not have jurisdiction to deal with the reported breach shall, within a reasonable time and in a secure manner, transfer the report to the federal coordinator, who shall in turn transfer it to the competent authority, and shall promptly inform the reporter of such transfer.

If the authority that received the notification is aware that other authorities are also competent, the notification is transferred within a reasonable time and in a secure manner to the federal coordinator, who transfers it to the competent authorities and ensures its coordination.

External reporting channels must always meet the requirements of independence and autonomy. This means meeting each of the following criteria:

1° by their design, set-up and management, the channels guarantee the completeness, integrity and confidentiality of the information and are not accessible to unauthorised personnel of the competent authority;

2° they offer the possibility of long-term storage of information for the purpose of further investigations;

Competent authorities shall publish on a separate, easily identifiable and accessible page of their website at least the following information:

1° eligibility for protection;

2° the necessary contact details for the external reporting channels, in particular the electronic and postal addresses, and the telephone numbers for such channels, indicating whether telephone calls are recorded;

3° the procedures applicable to the reporting of breaches, including how the competent authority may request the reporter to clarify the reported information or provide further information, whether feedback is provided and, where appropriate, the time limit to provide feedback as well as the type and content of such feedback;

4° the confidentiality rules applicable to the notifications, and in particular the information on the processing of personal data in accordance with Article 21 of the Act of 28 November 2022, Articles 5 and 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) Article 13 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention the investigation, detection and prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA and Article 15 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No .... 45/2001 and Decision No 1247/2002/EC, as appropriate;

5° the method of follow-up to be provided to notifications;

6° the remedies and procedures for protection against retaliation and the availability of confidential advice, for persons considering reporting;

7° a statement clearly explaining the conditions under which persons reporting to the competent authority are protected from incurring liability for a breach of the confidentiality rule; and

8° the contact details of the federal coordinator and of the Federal Institute for the Protection and Promotion of Human Rights.

Disclosure

In addition to the possibility of making a report through the internal reporting channel or the external reporting channels, any person has the option of disclosing the information related to a breach.

A reporter making a disclosure is eligible for the protections under this policy set out below if:

1. the employee first made an internal and external report, or immediately made an external report, but no appropriate action was taken in response to that report within the specified time limits;
   or
2. the employee has reasonable grounds to believe that:
   1. the breach may pose an imminent or real danger to the public interest; or
   2. in the case of external reporting, there is a risk of reprisals, or it is unlikely that the breach will be effectively remedied, due to the particular circumstances of the case, because, for example, evidence may be withheld or destroyed, or an authority may collude with the perpetrator of the breach or be involved in the breach.

Conditions

If a reporter:

• had reasonable cause to believe that the reported breach information was accurate at the time of the report and that it fell within the scope of this policy ; and
• they reported information internally or externally, or disclosed information in accordance with this policy;

Does he or she also enjoy specific protection against reprisals.

The reporter does not lose the benefit of protection on the sole ground that the report made in good faith was found to be incorrect or unfounded.

Facilitators and third parties associated with reporters are also eligible for the protections set out below if they had reasonable grounds to believe that the reporter fell within the scope for protection of this policy.

Protective measures against retaliation

If the reporter, facilitator or third party associated with the reporter meets the above conditions, it shall enjoy protection against any form of retaliation, including threats and attempts of retaliation. Retaliation includes the following measures:

1° suspension, temporary lay-off, dismissal or similar measures;

2° demotion or refusal of promotion;

3° transfer of tasks, change of job location, reduction of salary, change of working hours;

4° withholding of training;

5° negative performance evaluation or employment reference;

6° imposition or application of a disciplinary measure, reprimand or other sanction, such as a financial penalty

7° coercion, intimidation, harassment or exclusion;

8° discrimination, adverse or unequal treatment;

9° non-conversion of a temporary employment contract into an employment contract for an indefinite period of time, in the event that the employee had the justified expectation that he would be offered employment for an indefinite period of time

10° non-renewal or early termination of a temporary employment contract;

11° damage, including damage to reputation, especially on social media, or financial loss, including loss of turnover and income

12° blacklisting on the basis of an informal or formal agreement for an entire sector or industry, preventing the person from finding a job in the sector or industry;

13° early termination or cancellation of a contract for the supply of goods or services;

14° revocation of a licence or permit;

15° psychiatric or medical referrals.

No civil, criminal or disciplinary claims or professional sanctions may be brought against persons who report information about breaches or make a disclosure in accordance with this policy because of such reporting or disclosure.

Reporters cannot be held liable for the acquisition of or access to the information reported or disclosed unless such acquisition or access constituted a criminal offence.

Any protected person who believes he or she has been victimised or threatened with reprisal may submit a reasoned complaint to the federal coordinator, who will initiate an out-of-court protection procedure in accordance with art. 26 et seq. of the Law of 28 November 2022 on the protection of reporters of breaches of Union or national law established within a legal entity in the private sector.

Without prejudice to any other administrative or non-judicial remedy, any protected person has the right to file an appeal before the labour court in case of reprisals under Article 578 of the Judicial Code.

Support measures

Every protected person has access to support measures and in particular:

1° complete and independent information and advice, easily accessible and free of charge, on the remedies and procedures available to protect against retaliation, as well as on the rights of the data subject, including his or her personal data protection rights; moreover, the reporter must be informed that he or she is eligible for the protection measures provided for by this law

2° technical advice regarding any authority involved in the protection of the reporter;

3° legal aid in cross-border criminal and civil proceedings, in accordance with Directive (EU) 2016/1919 of the European Parliament and of the Council of 26 October 2016 on legal aid for suspects and accused persons in criminal proceedings and for wanted persons in proceedings for the execution of a European Arrest Warrant and Directive 2008/52/EC of the European Parliament and of the Council of 21 May 2008 on certain aspects of mediation in civil and commercial matters and on legal aid in other proceedings as well as legal advice or other legal assistance, in accordance with the provisions on second-level legal assistance and legal aid

4° support measures, including technical, psychological, mediation-related and social support, for reporters;

5° financial assistance to reporters in the context of legal proceedings.

Any protected person can also always contact the Federal Institute for the Protection and Promotion of Human Rights for legal, psychological, social, IT and communication support. The Federal Institute is also the central information point on the protection of whistle-blowers.

Data:
Federal Institute for the Protection and Promotion of Human Rights
Leuvenseweg 48,
1000 Brussels

E-mail : rerfhttps://federaalinstituutmensenrechten.be/nl

Sanctions

• Any employee who violates the rules of this policy may be sanctioned with one of the sanctions determined by the labour regulations.
• The employee who has deliberately made a manifestly unfounded report, thus unlawfully using the reporting procedure of these whistleblowing regulations, may also be sanctioned with one of the sanctions determined by the labour regulations.
• Persons associated with the company who do not have the status of employees of the company, and who violate the obligations contained in these whistleblowing regulations, may be sanctioned by the company with a disciplinary sanction.
• In addition, reporters may be punished in accordance with Articles 443 to 450 of the Criminal Code if they are found to have intentionally reported or disclosed false information. Persons who suffer damages because of such reports or disclosures are entitled to compensation measures in accordance with contractual or extra-contractual liability.

Drawn up at Haacht on 31/10/2023