Privacy Policy

PRIVACY POLICY OF THE ETHICS CHANNEL

CARTONAJES VIR, S.A. (hereinafter, CARTONAJES VIR) – A33023581, as the data controller of the Internal Information System of CARTONAJES VIR, uses the Ethics Channel tool to manage communications within the Internal Information System, in accordance with Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons who report breaches of Union law, and Law 2/2023, of February 20, regulating the protection of persons who report regulatory infringements and the fight against corruption (hereinafter, the Whistleblower Directive and Law).

The Ethics Channel is hosted on secure servers of DIGITAL PRODUCTS DEVELOPMENT SL (Ithikios) to ensure the confidentiality, integrity, and availability of the information contained therein. We inform you that the data you provide through the Ethics Channel (as well as any personal data of others you may provide) is processed with the utmost confidentiality and in compliance with current data protection laws for the purpose of managing reports or irregularities regarding actions or omissions that may constitute breaches of EU law, in line with the Whistleblower Directive and Law. This includes preliminary review, processing, investigation, resolution, and, if necessary, adoption of disciplinary measures, diligence before relevant authorities, and/or judicial proceedings management.

Who is responsible for processing your data?

Data Controller: CARTONAJES VIR, S.A. – A33023581

Contact for Data Protection Matters: POL. DE MERES, S/N, 33199 SIERO (ASTURIAS), SPAIN – [email protected]

Purpose of data processing To process reports and/or information submitted through the Ethics Channel (hereinafter, your communications) in accordance with the “Ethics Channel Management Procedure” outlined in this policy.

Confidentiality and Respect for Privacy The receiver of the communications is the Internal Information System Manager of CARTONAJES VIR, who strictly respects the privacy of users, handling their data with care and confidentiality. Users are informed that:

Personal data and information, including that of third parties, are processed solely for the purposes outlined in this policy.

No automated decisions or profiling will be carried out based on the collected data.

Data retention period Data will only be kept for the time necessary to decide whether to initiate an investigation. In any case, data will be deleted after three (3) months from entry unless retention is necessary to demonstrate the functioning of CARTONAJES VIR’s compliance system, in accordance with Article 24 of Organic Law 3/2018 on the Protection of Personal Data and Digital Rights (LOPDGDD).

If the report or part of it is proven to be untrue, it will be deleted immediately, unless it constitutes a criminal offense, in which case it will be retained as long as necessary for judicial proceedings.

Legal basis for data processing The legal basis is compliance with a legal obligation related to the internal whistleblowing system, prevention of criminal liability, and regulatory compliance. In anonymous cases, processing is based on the public interest. If the user chooses to identify themselves, the basis is their explicit consent.

Who can access your data? Access is strictly limited to:

The Internal Information System Manager and those directly managing the system.

Human Resources, in the event of disciplinary actions.

Legal Department, for potential legal actions.

Data Processors (advisors, auditors, and subcontracted entities).

The Data Protection Officer.

Disclosure to law enforcement or judicial authorities may occur if legally required, with the informant being notified unless it would jeopardize the investigation.

Data protection safeguards By accepting this policy, users consent to the processing of their data to manage their reports, guaranteeing:

True, accurate, complete, and updated data.

Legal age (14+), legal capacity, or legal representation if applicable.

Confidential treatment and protection from retaliation.

Data may be shared with third parties only when they comply with personal data protection laws.

Data subjects' rights You may exercise your rights of access, rectification, deletion, objection, and restriction of processing, or lodge a complaint with the Spanish Data Protection Agency (www.aepd.es), using the contact provided in this policy.

Security of personal data CARTONAJES VIR and its processors adopt appropriate technical and organizational measures to ensure data security. The Ethics Channel is hosted on encrypted and ISO 27001-certified secure European servers provided by DIGITAL PRODUCTS DEVELOPMENT SL (Ithikios).

Policy changes CARTONAJES VIR reserves the right to amend this privacy policy to reflect legislative changes or strategic decisions. Users are encouraged to review the policy regularly and may exercise their rights if they disagree with any changes.

ETHICS CHANNEL MANAGEMENT PROCEDURE

Scope The Ethics Channel allows reporting of alleged misconduct related to breaches of EU law or national regulations as defined in Directive (EU) 2019/1937 and Law 2/2023. It is not a platform for general complaints or suggestions.

Reports must be based on some form of evidence (documentary, testimonial, digital, etc.).

Protection Against Retaliation and False Reports Good-faith whistleblowers are protected against retaliation. However, disciplinary measures may apply to those who knowingly submit false reports.

Confidentiality and Data Protection

Anonymous reporting is permitted.

Access is restricted to authorized personnel only.

Identities of informants and involved parties are protected.

Affected individuals retain rights to presumption of innocence, defense, and access to the case.

Processing Procedure

Reception: Reports are reviewed by the Internal Information System Manager, who ensures no conflict of interest and may request clarification or evidence from the informant.

Admissibility: Reports that fall within the Ethics Channel’s scope are admitted within 7 days.

Investigation: Admitted reports are investigated to verify facts.

Resolution Proposal: After investigation, a recommendation is made: either to close the case or to take corrective action.

Decision: The General Management decides on actions within 3 months (extendable to 6 months for complex cases).

Sanctions: If disciplinary action is warranted, only HR may access relevant data.

Referral to Authorities: If criminal conduct is suspected, the case may be referred to the Public Prosecutor.

This web portal only uses its own cookies for technical purposes, it does not collect or transfer personal data of users in any case. If you want more information, click on the "Cookies" link below at any time.