Procedure for reporting irregularities

The purpose of this internal reporting procedure is in particular to:

• regulate the rules for reporting irregularities, managing reports and ensuring compliance with the provisions on whistleblower protection, including the Act of 14 June 2024 on the protection of whistleblowers;
• enable employees, associates and other persons covered by this procedure to report irregularities concerning the Company’s activities;
• ensure that the Company takes all possible measures to protect persons reporting irregularities and to eliminate irregularities within its structures.

This procedure implements the Polish Act of 14 June 2024 on the protection of whistleblowers and applies to reports specified therein. Where not regulated by this policy, but covered by the group policy Whistleblowing Policy (available at: https://itellicloud.sharepoint.com/sites/CorporateComplianceManagementPortal/SitePages/Whistleblowing-Policy.aspx), the reporting party may submit a report through it.

1. Follow-up actions – actions taken to assess the truthfulness of the information provided in the Report and to counteract the violation of the law that is the subject of the Report, in particular:

• verification of the Application;
• conducting explanatory proceedings, including further communication with the Whistleblower, collecting and analysing evidence, talking to witnesses or the person indicated in the Report as the perpetrator of the Irregularity;
• providing feedback to the Signaller;
• taking remedial measures.

2. Group – the capital group of NTT DATA Business Solutions AG, to which the Company belongs (NTT DATA Business Solutions Sp. z o.o.).

3. Irregularity – irregularities referred to in Article 3 of the Act of 14 June 2024 on the Protection of Whistleblowers, which, as of the date of announcement of the Procedure, include an action or omission that is unlawful or intended to circumvent the law, concerning:

• Corruption;
• Public procurement;
• Financial services, products and markets;
• Combating money laundering and terrorism financing;
• Product safety and compliance;
• Transport safety;
• Environmental protection;
• Radiological protection and nuclear safety;
• Food and feed safety;
• Animal health and welfare;
• Public health;
• Consumer protection;
• Protection of privacy and personal data;
• Security of networks and IT systems;
• Financial interests of the State Treasury of the Republic of Poland, local government units and the European Union;
• The European Union internal market, including public law rules on competition and state aid and corporate taxation;
• Constitutional freedoms and rights of man and citizen – occurring in relations of an individual with public authorities.

4. Team – persons authorized by the Company, responsible for conducting Follow-up Actions. The authorization form is Annex 1 to the Procedure.

5. Procedure – this document – Procedure for Reporting Irregularities.

6. Person Receiving the Notification – means the person or persons authorized by the Company, described in point II paragraph 2 of this Procedure. The authorization form constitutes Annex 1 to the Procedure.

7. Company – “ NTT DATA Business Solutions” Sp. z o.o.

8. Whistleblower – a natural person referred to in art. 4 of the Act of 14 June 2024 on the protection of whistleblowers, who has reported Irregularities. In particular, employees, persons performing work on a basis other than an employment relationship, including on the basis of a civil law contract, members of the bodies of a legal person.

9. Remedies – measures that may be applied by the Company in the event of finding an Irregularity, including disciplinary measures, corrective and preventive actions.

10. Reporting – providing information about Irregularities via internal reporting channels.

11. External Report – means a Report of information about a breach of law submitted to the Ombudsman or a public authority and – where appropriate – to the institutions, bodies or offices of the European Union.

1. Any person entitled to be a Whistleblower who has become aware of or has a reasonable suspicion of the occurrence of an Irregularity may submit a Report.

2. Applications can be submitted in the following ways:

a) via email: [email protected] ,

b) via the group-wide Corporate hotline Ethics Help Line +81 (0)5026066672

c) via the form on the website: https://nttdata-solutions.com/pl/o-nas/compliance/

d) through your local Compliance Coordinator or Information Security Officer.

3. The report should include all information available to the Whistleblower regarding the Irregularity, e.g.:

a) details of any person or persons who were involved in or were alleged to be involved in an incident of irregularity;

b) the nature of the irregularity;

c) any available evidence or witnesses to support the allegation of irregularities;

d) a description of the documents concerned by the case of irregularity; and

e) the time frame (time and place and company name) in which the alleged infringement is believed to have occurred.

4. If the Whistleblower has any materials that may constitute evidence of the Irregularity, he or she should attach them to the Report, if possible.

5. In the event of an oral report (including by telephone), with the whistleblower’s consent, a recording of the conversation or a detailed record of the conversation is made. The whistleblower may check, correct and approve the transcript or record.

6. In the event of becoming aware of an Irregularity, the Whistleblower should not take any remedial measures on his/her own, unless the lack of action taken to eliminate the Irregularity:

a. creates a risk of violating the essential rights and freedoms of third parties, or

b. may result in irreparable damage.

7. In the case indicated in paragraph 6 above, the Whistleblower shall take only the necessary actions to remove the Irregularities.

1. The role of the Person Receiving the Notification is performed by persons designated by the Group, in accordance with point II.2 of the Procedure.

2. If the Report is received by other persons, in particular a superior or a person supervising the work of the establishment, they are obliged to forward the Report to the Person Receiving the Notification.

3. The Person Receiving the Notification is obliged to accept the Report, register it and, if possible, confirm receipt of the report to the Whistleblower.

4. In the event of receiving a signal that meets the characteristics of the Report, the Whistleblower will receive confirmation of receipt of the Report within a maximum of 7 days from the date of its receipt, unless the Whistleblower did not provide a contact address to which confirmation should be sent. The Person Receiving the Notification, upon receiving the Report, shall, while maintaining confidentiality, immediately, within a maximum of 1 business day from the receipt of the Report,
forward the Report to the Team.

5. In the event of receiving a signal that does not meet the characteristics of the Report, the reporting party will receive a confirmation that the Report has not been accepted for consideration, unless the Whistleblower has not provided a contact address to which confirmation should be sent.

6. The Company also accepts anonymous Reports. As a rule, anonymous Reports are considered in the same manner as non-anonymous Reports , taking into account their specificity.

1. After receiving the Report from the Person Receiving the Notification, the Team conducts an initial verification of the Report in order to determine its validity and plan further actions. The Team is obliged to verify the Report impartially.

2. If the Report clearly does not constitute Irregularity Reporting (e.g. it does not meet the criteria of the Act of 14 June 2024 on the Protection of Whistleblowers, it constitutes a mass mailing – SPAM or it is only a collection of unrelated letters / characters), the Team does not take further action and, if possible, informs the person who made the Report about the termination of the activities.

3. In the event of a positive verification of the validity of the Report, i.e. it is found that the Report raises a reasonable suspicion that an Irregularity may have occurred, the Team shall immediately take follow-up actions.

4. If conducting Follow-up Actions requires specialist knowledge, it is possible to use the assistance of people operating within the organisation or external entities, e.g. a law firm or accounting specialists.

5. After conducting the explanatory proceedings, if justified by the circumstances of the case, the Team presents the Company with recommendations regarding further proceedings.

6. The Company decides on the method of removing the Irregularity.

7. Follow-up actions should be carried out within a maximum period of 3 months from the date of confirmation of receipt of the Report or, if confirmation is impossible, 3 months from the expiry of 7 days from the date of making the Report. After their completion, if possible, the Whistleblower is provided with feedback on the proceedings conducted and the actions taken to eliminate the Irregularities.

1. If the occurrence of Irregularities is confirmed, the Company takes appropriate steps to eliminate the Irregularities and prevent their occurrence in the future.

2. The Company may also decide to apply appropriate disciplinary measures or other actions provided for in applicable regulations to the person who committed the Irregularity. This also includes the possibility of notifying the appropriate authorities or initiating civil proceedings.

1. Each Notification is subject to entry in the register of notifications maintained by the Company in electronic form.

2. The following data is collected in the notification register:

a. subject of the infringement;

b. personal data of the Whistleblower (if provided) and the person concerned by the Report, necessary to identify these persons;

c. contact address of the Whistleblower;

d. date of submission of the Application;

e. information about follow-up actions taken;

f. date of completion of the case.

1. The Company takes all measures to ensure that the Whistleblower, as well as persons assisting in making the Report and persons associated with the Whistleblower, are protected against retaliatory, repressive, discriminatory or other types of unfair treatment.

2. In connection with making a Report, the Whistleblower may not be subject to retaliatory action, in particular by:

a. refusal to enter into an employment relationship;

b. notice of termination or termination without notice of employment;

c. lowering the amount of remuneration for work,

d. withholding promotion or being passed over for promotion,

e. transferring an employee to a lower job position,

f. negative evaluation of work results or negative opinion about work,

g. imposition or application of a disciplinary measure, including a financial penalty, or a measure of a similar nature.

3. The above prohibition also covers an attempt or threat to perform the activities listed in paragraph 2.

4. The Company is always obliged to independently and reliably assess whether the actions taken against the Whistleblower referred to in paragraph 2 constitute retaliatory actions and/or are related to the submission or content of the Report.

5. In addition, all Whistleblowers, as well as persons assisting in making a Report and persons associated with the Whistleblower, are protected under generally applicable provisions of law.

6. Any retaliatory actions against the Whistleblower, a person assisting in making a Report or a person associated with the Whistleblower may be the subject of disciplinary proceedings initiated by the Company.

1. The controller of personal data contained in the register referred to in this procedure is the Company.

2. Personal data collected as part of the performance of activities indicated in the Procedure are protected in accordance with applicable provisions and internal regulations in force in the Company regarding the protection of personal data.

3. The Whistleblower’s personal data enabling his/her identity to be established shall not be disclosed to unauthorised persons unless he/she has given his/her express consent.

4. The provision contained in point 3 above shall not apply where disclosure is a necessary and proportionate obligation under the law in connection with explanatory proceedings conducted by public authorities or preparatory or judicial proceedings conducted by courts, including in order to guarantee the rights of defence of the person concerned by the report (legal basis: art. 8 sec. 2 of the Act of 14 June 2024 on the protection of whistleblowers and art. 6 sec. 1 letter c) of the GDPR).

5. The Company, upon receiving the notification, processes personal data to the extent necessary to accept the Notification or take any further action. Personal data that is not relevant to considering the Notification is not collected, and in the event of accidental collection, it is immediately deleted. Such data is deleted within 14 days from the moment it is determined that it is not relevant to the case.

6. Personal data processed in connection with the receipt of a Report or taking follow-up action and documents related to that Report are stored for a period of 3 years after the end of the calendar year in which the follow-up actions resulting from it were completed or after the completion of the proceedings initiated by those actions.

1. Regardless of making a Report using internal reporting channels, which the Company encourages, the Whistleblower may also make an external Report, i.e. a Report to the Commissioner for Human Rights or public authorities and – where appropriate – to institutions, bodies or organizational units of the European Union.

2. Making an external report does not deprive the whistleblower of protection.

3. An external report can be made without prior submission of a Report via internal channels.

4. External reports are made in accordance with separate Procedures provided by individual public authorities.